Data Protection Act 2018 - Schedule 2 Part 2 Restrictions Based on Article 23(1): Restrictions of Rules in Articles 13 to 21 and 34

GDPR provisions to be restricted: “the listed GDPR provisions”

In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

  (a) Article 13(1) to (3) (personal data collected from the data subject: information to be provided);
  (b) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
  (c) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third-country transfers);
  (d) Article 16 (right to rectification);
  (e) Article 17(1) and (2) (right to erasure);
  (f) Article 18(1) (restriction of processing);
  (g) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
  (h) Article 20(1) and (2) (right to data portability);
  (i) Article 21(1) (objections to processing);
  (j) Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).

Functions designed to protect the public etc

The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—

  1. is designed as described in column 1 of the Table, and
  2. meets the condition relating to the function specified in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE

Column 1: Description of function design
Column 2: Condition

1. Description of function design: The function is designed to protect members of the public against—

(a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or

(b) financial loss due to the conduct of discharged or undischarged bankrupts.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

2. Description of function design: The function is designed to protect members of the public against—

(a) dishonesty, malpractice or other seriously improper conduct, or

(b) unfitness or incompetence.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

3. Description of function design: The function is designed—

(a) to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration,

(b) to protect the property of charities or community interest companies from loss or misapplication, or

(c) to recover the property of charities or community interest companies.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

4. Description of function design: The function is designed—

(a) to secure the health, safety and welfare of persons at work, or

(b) to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

5. Description of function design: The function is designed to protect members of the public against—

(a) maladministration by public bodies,

(b) failures in services provided by public bodies, or

(c) a failure of a public body to provide a service which it is a function of the body to provide.

Condition: The function is conferred by any enactment on—

(a) the Parliamentary Commissioner for Administration,

(b) the Commissioner for Local Administration in England,

(c) the Health Service Commissioner for England,

(d) the Public Services Ombudsman for Wales,

(e) the Northern Ireland Public Services Ombudsman,

(f) the Prison Ombudsman for Northern Ireland, or

(g) the Scottish Public Services Ombudsman.

6. Description of function design: The function is designed—

(a) to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business,

(b) to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or

(c) to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market.

Condition: The function is conferred on the Competition and Markets Authority by an enactment.

Audit functions

  1. The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
  2. The functions are any function that is conferred by an enactment on—
    1. the Comptroller and Auditor General;
    2. the Auditor General for Scotland;
    3. the Auditor General for Wales;
    4. the Comptroller and Auditor General for Northern Ireland.

Functions of the Bank of England

  1. The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
  2. “Relevant function of the Bank of England” means—
    1. a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);
    2. a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;
    3. a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.

Regulatory functions relating to legal services, the health service and children’s services

  1. The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
  2. The functions are—
    1. a function of the Legal Services Board;
    2. the function of considering a complaint under the scheme established under Part 6 of the Legal Services Act 2007 (legal complaints);
    3. the function of considering a complaint under—
      1. section 14 of the NHS Redress Act 2006,
      2. section 113(1) or (2) or section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
      3. section 24D or 26 of the Children Act 1989, or
      4. Part 2A of the Public Services Ombudsman (Wales) Act 2005;
    4. the function of considering a complaint or representations under Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act 2014 (anaw 4).

Regulatory functions of certain other persons

The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—

  1. is a function of a person described in column 1 of the Table, and
  2. is conferred on that person as described in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE

Column 1: Person on whom function is conferred
Column 2: How function is conferred

1. Person on whom function is conferred: The Commissioner.

How function is conferred: By or under—

(a) the data protection legislation;

(b) the Freedom of Information Act 2000;

(c) section 244 of the Investigatory Powers Act 2016;

(d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);

(e) the Environmental Information Regulations 2004 (S.I. 2004/3391);

(f) the INSPIRE Regulations 2009 (S.I. 2009/3157);

(g) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

(h) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415);

(i) the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).

2. Person on whom function is conferred: The Scottish Information Commissioner.

How function is conferred: By or under—

(a) the Freedom of Information (Scotland) Act 2002 (asp 13);

(b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);

(c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).

3. Person on whom function is conferred: The Pensions Ombudsman.

How function is conferred: By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.

4. Person on whom function is conferred: The Board of the Pension Protection Fund.

How function is conferred: By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.

5. Person on whom function is conferred: The Ombudsman for the Board of the Pension Protection Fund.

How function is conferred: By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.

6. Person on whom function is conferred: The Pensions Regulator.

How function is conferred: By an enactment.

7. Person on whom function is conferred: The Financial Conduct Authority.

How function is conferred: By or under the Financial Services and Markets Act 2000 or by another enactment.

8. Person on whom function is conferred: The Financial Ombudsman.

How function is conferred: By or under Part 16 of the Financial Services and Markets Act 2000.

9. Person on whom function is conferred: The investigator of complaints against the financial regulators.

How function is conferred: By or under Part 6 of the Financial Services Act 2012.

10. Person on whom function is conferred: A consumer protection enforcer, other than the Competition and Markets Authority.

How function is conferred: By or under the CPC Regulation.

11. Person on whom function is conferred: The monitoring officer of a relevant authority.

How function is conferred: By or under the Local Government and Housing Act 1989.

12. Person on whom function is conferred: The monitoring officer of a relevant Welsh authority.

How function is conferred: By or under the Local Government Act 2000.

13. Person on whom function is conferred: The Public Services Ombudsman for Wales.

How function is conferred: By or under the Local Government Act 2000.

14. Person on whom function is conferred: The Charity Commission.

How function is conferred: By or under—

(a) the Charities Act 1992;

(b) the Charities Act 2006;

(c) the Charities Act 2011.

In the Table in paragraph 11—

“consumer protection enforcer” has the same meaning as “CPC enforcer” in section 213(5A) of the Enterprise Act 2002;

the “CPC Regulation” has the meaning given in section 235A of the Enterprise Act 2002;

the “Financial Ombudsman” means the scheme operator within the meaning of Part 16 of the Financial Services and Markets Act 2000 (see section 225 of that Act);

the “investigator of complaints against the financial regulators” means the person appointed under section 84(1)(b) of the Financial Services Act 2012;

“relevant authority” has the same meaning as in section 5 of the Local Government and Housing Act 1989, and “monitoring officer”, in relation to such an authority, means a person designated as such under that section;

“relevant Welsh authority” has the same meaning as “relevant authority” in section 49(6) of the Local Government Act 2000, and “monitoring officer”, in relation to such an authority, has the same meaning as in Part 3 of that Act.

Parliamentary privilege

The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

Judicial appointments, judicial independence and judicial proceedings

  1. The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel.
  2. The listed GDPR provisions do not apply to personal data processed by—
    1. an individual acting in a judicial capacity, or
    2. a court or tribunal acting in its judicial capacity.
  3. As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.

Crown honours, dignities and appointments

  1. The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.
  2. The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for any of the following offices—
    1. archbishops and diocesan and suffragan bishops in the Church of England;
    2. deans of cathedrals of the Church of England;
    3. deans and canons of the two Royal Peculiars;
    4. the First and Second Church Estates Commissioners;
    5. lord-lieutenants;
    6. Masters of Trinity College and Churchill College, Cambridge;
    7. the Provost of Eton;
    8. the Poet Laureate;
    9. the Astronomer Royal.
  3. The Secretary of State may by regulations amend the list in sub-paragraph (2) to—
    1. remove an office, or
    2. add an office to which appointments are made by Her Majesty.
  4. Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.