//

Data Protection Act 2018 - Schedule 2 Part 4 Restrictions Based on Article 23(1): Restrictions of Rules in Articles 13 to 15

GDPR provisions to be restricted: “the listed GDPR provisions”

In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

  1. Article 13(1) to (3) (personal data collected from the data subject: information to be provided);
  2. Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
  3. Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third-country transfers);
  4. Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (c).

Legal professional privilege

The listed GDPR provisions do not apply to personal data that consists of—

  1. information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
  2. information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.

Self-incrimination

  1. A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.
  2. The reference to an offence in sub-paragraph (1) does not include an offence under—
    1. this Act,
    2. section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
    3. section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or
    4. Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/ 1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
  3. Information disclosed by any person in compliance with Article 15 of the GDPR is not admissible against the person in proceedings for an offence under this Act.

Corporate finance

  1. The listed GDPR provisions do not apply to personal data processed for the purposes of or in connection with a corporate finance service provided by a relevant person to the extent that either Condition A or Condition B is met.
  2. Condition A is that the application of the listed GDPR provisions would be likely to affect the price of an instrument.
  3. Condition B is that—
    1. the relevant person reasonably believes that the application of the listed GDPR provisions to the personal data in question could affect a decision of a person—
      1. whether to deal in, subscribe for or issue an instrument, or
      2. whether to act in a way likely to have an effect on a business activity (such as an effect on the industrial strategy of a person, the capital structure of an undertaking or the legal or beneficial ownership of a business or asset), and
    2. the application of the listed GDPR provisions to that personal data would have a prejudicial effect on the orderly functioning of financial markets or the efficient allocation of capital within the economy.
  4. In this paragraph—
    “corporate finance service” means a service consisting in—

    1. underwriting in respect of issues of, or the placing of issues of, any instrument,
    2. services relating to such underwriting, or
    3. advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings;
      “instrument” means an instrument listed in section C of Annex 1 to Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments, and references to an instrument include an instrument not yet in existence but which is to be or may be created;
      “price” includes value;
      “relevant person” means—

      1. a person who, by reason of a permission under Part 4A of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition;
      2. an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service;
      3. a person who is exempt from the general prohibition in respect of any corporate finance service—
        1. as a result of an exemption order made under section 38(1) of that Act, or
        2. by reason of section 39(1) of that Act (appointed representatives);
      4. a person, not falling within paragraph (a), (b) or (c), who may lawfully carry on a corporate finance service without contravening the general prohibition;
      5. a person who, in the course of employment, provides to their employer a service falling within paragraph (b) or (c) of the definition of “corporate finance service”;
      6. a partner who provides to other partners in the partnership a service falling within either of those paragraphs.
  5. In the definition of “relevant person” in sub-paragraph (4), references to “the general prohibition” are to the general prohibition within the meaning of section 19 of the Financial Services and Markets Act 2000.

Management forecasts

The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned.

Negotiations

The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations.

Confidential references

The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—

  1. the education, training or employment (or prospective education, training or employment) of the data subject,
  2. the placement (or prospective placement) of the data subject as a volunteer,
  3. the appointment (or prospective appointment) of the data subject to any office, or
  4. the provision (or prospective provision) by the data subject of any service.

Exam scripts and exam marks

  1. The listed GDPR provisions do not apply to personal data consisting of information recorded by candidates during an exam.
  2. Where personal data consists of marks or other information processed by a controller—
    1. for the purposes of determining the results of an exam, or
    2. in consequence of the determination of the results of an exam,
      the duty in Article 12(3) or (4) of the GDPR for the controller to provide information requested by the data subject within a certain time period, as it applies to Article 15 of the GDPR (confirmation of processing, access to data and safeguards for third country transfers), is modified as set out in subparagraph (3).
  3. Where a question arises as to whether the controller is obliged by Article 15 of the GDPR to disclose personal data, and the question arises before the day on which the exam results are announced, the controller must provide the information mentioned in Article 12(3) or (4)—
    1. before the end of the period of 5 months beginning when the question arises, or
    2. if earlier, before the end of the period of 40 days beginning with the announcement of the results.
  4. In this paragraph, “exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity.
  5. For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.