SCHEDULES
SCHEDULE 2Exemptions etc from the F2UK GDPR
PART 2Restrictions F3as described in Article 23(1): restrictions of rules in Articles 13 to 21 and 34
Words in Sch. 2 Pt. 2 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4UK GDPR provisions to be restricted: “the listed GDPR provisions”
Words in Sch. 2 para. 6 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(10) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
6
In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the F5UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the F5UK GDPR)—
a
Article 13(1) to (3) (personal data collected from data subject: information to be provided);
b
Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
c
Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
d
Article 16 (right to rectification);
e
Article 17(1) and (2) (right to erasure);
f
Article 18(1) (restriction of processing);
g
Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
h
Article 20(1) and (2) (right to data portability);
i
Article 21(1) (objections to processing);
j
Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).
Functions designed to protect the public etc
7
The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
a
is designed as described in column 1 of the Table, and
b
meets the condition relating to the function specified in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
Description of function design | Condition |
---|---|
1. The function is designed to protect members of the public against—
| The function is—
|
2. The function is designed to protect members of the public against—
| The function is—
|
3. The function is designed—
| The function is—
|
4. The function is designed—
| The function is—
|
5. The function is designed to protect members of the public against—
| The function is conferred by any enactment on—
|
6. The function is designed—
| The function is conferred on the Competition and Markets Authority by an enactment. |
Audit functions
8
1
The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
2
The functions are any function that is conferred by an enactment on—
a
the Comptroller and Auditor General;
b
the Auditor General for Scotland;
c
the Auditor General for Wales;
d
the Comptroller and Auditor General for Northern Ireland.
Functions of the Bank of England
9
1
The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
2
“Relevant function of the Bank of England” means—
a
a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);
b
a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;
c
a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.
Regulatory functions relating to legal services, the health service and children's services
10
1
The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
2
The functions are—
a
a function of the Legal Services Board;
b
the function of considering a complaint under the scheme established under Part 6 of the Legal Services Act 2007 (legal complaints);
c
the function of considering a complaint under—
i
section 14 of the NHS Redress Act 2006,
ii
section 113(1) or (2) or section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
iii
section 24D or 26 of the Children Act 1989, or
iv
Part 2A of the Public Services Ombudsman (Wales) Act 2005 F1or Part 5 of the Public Services Ombudsman (Wales) Act 2019;
d
the function of considering a complaint or representations under Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act 2014 (anaw 4).
Regulatory functions of certain other persons
C111
The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—
a
is a function of a person described in column 1 of the Table, and
b
is conferred on that person as described in column 2 of the Table,
to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
Person on whom function is conferred | How function is conferred |
---|---|
1. The Commissioner. | By or under—
|
2. The Scottish Information Commissioner. | By or under—
|
3. The Pensions Ombudsman. | By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland. |
4. The Board of the Pension Protection Fund. | By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
5. The Ombudsman for the Board of the Pension Protection Fund. | By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
6. The Pensions Regulator. | By an enactment. |
7. The Financial Conduct Authority. | By or under the Financial Services and Markets Act 2000 or by another enactment. |
8. The Financial Ombudsman. | By or under Part 16 of the Financial Services and Markets Act 2000. |
9. The investigator of complaints against the financial regulators. | By or under Part 6 of the Financial Services Act 2012. |
F6. . . | F6. . . |
11. The monitoring officer of a relevant authority. | By or under the Local Government and Housing Act 1989. |
12. The monitoring officer of a relevant Welsh authority. | By or under the Local Government Act 2000. |
13. The Public Services Ombudsman for Wales. | By or under the Local Government Act 2000. |
14. The Charity Commission. | By or under—
|
12
In the Table in paragraph 11—
F7...
F7...
the “Financial Ombudsman” means the scheme operator within the meaning of Part 16 of the Financial Services and Markets Act 2000 (see section 225 of that Act);
the “investigator of complaints against the financial regulators” means the person appointed under section 84(1)(b) of the Financial Services Act 2012;
“relevant authority” has the same meaning as in section 5 of the Local Government and Housing Act 1989, and “monitoring officer”, in relation to such an authority, means a person designated as such under that section;
“relevant Welsh authority” has the same meaning as “relevant authority” in section 49(6) of the Local Government Act 2000, and “monitoring officer”, in relation to such an authority, has the same meaning as in Part 3 of that Act.
Parliamentary privilege
13
The listed GDPR provisions and Article 34(1) and (4) of the F8UK GDPR (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.
Judicial appointments, judicial independence and judicial proceedings
14
1
The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for judicial office or the office of Queen's Counsel.
2
The listed GDPR provisions do not apply to personal data processed by—
a
an individual acting in a judicial capacity, or
b
a court or tribunal acting in its judicial capacity.
3
As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.
Crown honours, dignities and appointments
I115
1
The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.
2
The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for any of the following offices—
a
archbishops and diocesan and suffragan bishops in the Church of England;
b
deans of cathedrals of the Church of England;
c
deans and canons of the two Royal Peculiars;
d
the First and Second Church Estates Commissioners;
e
lord-lieutenants;
f
Masters of Trinity College and Churchill College, Cambridge;
g
the Provost of Eton;
h
the Poet Laureate;
i
the Astronomer Royal.
3
The Secretary of State may by regulations amend the list in sub-paragraph (2) to—
a
remove an office, or
b
add an office to which appointments are made by Her Majesty.
4
Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.
Words in Sch. 2 heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 92(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)