Regulation 31

SCHEDULE 1U.K.Modifications for the purposes of these Regulations to Part V [F1and sections 55A to 55E] of the Data Protection Act 1998 and Schedules 6 and 9 to that Act as extended by Regulation 31

[F2Modifications of the Data Protection Act 1998]U.K.

Textual Amendments

1.  In section 40—U.K.

(a)in subsection (1), for the words “data controller” there shall be substituted the word “ person ”, for the words “data protection principles” there shall be substituted the words “ requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (in this Part referred to as “the relevant requirements”) ” and for the words “principle or principles” there shall be substituted the words “ requirement or requirements ”;

(b)in subsection (2), the words “or distress” shall be omitted;

(c)subsections (3), (4), (5), (9) and (10) shall be omitted; and

(d)in subsection (6)(a), for the words “data protection principle or principles” there shall be substituted the words “ relevant requirement or requirements. ”

2.  In section 41(1) and (2), for the words “data protection principle or principles”, in both places where they occur, there shall be substituted the words “ relevant requirement or requirements ”.U.K.

[F32A.  Sections 41A to 41C shall be omitted.]U.K.

3.  Section 42 shall be omitted.U.K.

4.  In section 43—U.K.

(a)for subsections (1) and (2) there shall be substituted the following provisions—

(1) If the Commissioner reasonably requires any information for the purpose of determining whether a person has complied or is complying with the relevant requirements, he may serve that person with a notice (in this Act referred to as “an information notice”) requiring him, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to compliance with the relevant requirements as is so specified.

(2) An information notice must contain a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the person has complied or is complying with the relevant requirements and his reason for regarding it as relevant for that purpose.

(b)in subsection (6)(a), after the word “under” there shall be inserted the words “ the Privacy and Electronic Communications (EC Directive) Regulations 2003 or ”;

(c)in subsection (6)(b), after the words “arising out of” there shall be inserted the words “ the said Regulations or ”;

[F4(d)in subsection (8), for “under this Act” there shall be substituted “under the Privacy and Electronic Communications (EC Directive) Regulations 2003”;

(e)in subsection (8B), for “under this Act (other than an offence under section 47)” there shall be substituted “under the Privacy and Electronic Communications (EC Directive) Regulations 2003”; and

(f)subsection (10) shall be omitted.]

Textual Amendments

F4Sch. 1 para. 4(d)-(f) substituted for Sch. 1 para. 4(d) and word (26.5.2011) by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (S.I. 2011/1208), regs. 1(1), 14(c)

5.  Sections 44, 45 and 46 shall be omitted.U.K.

[F56.  In section 47—U.K.

(a)in subsection (1), “special information notice” there shall be substituted “third party information notice”; and

(b)in subsection (2), for “special information notice” there shall be substituted “third party information notice”.]

7.  In section 48—U.K.

(a)in subsections (1) and (3), for the words “an information notice or a special information notice”, in both places where they occur, there shall be substituted the words “ or an information notice ”;

(b)in subsection (3) for the words “43(5) or 44(6)” there shall be substituted the words “ or 43(5) ”; and

(c)subsection (4) shall be omitted.

8.  In section 49 subsection (5) shall be omitted.U.K.

[F68A.  [F7Except where paragraph 8AA applies, in section 55A—]U.K.

(a)in subsection (1)—

(i)for “data controller” there shall be substituted “person”, and

(ii)for “of section 4(4) by the data controller” there shall be substituted “of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003”;

(b)in subsection (3), for “data controller” there shall be substituted “person”;

(c)subsection (3A) shall be omitted;

(d)in subsection (4), for “data controller” there shall be substituted “person”;

(e)in subsection (9), the definition of “data controller” shall be omitted.

[F88AA.  In section 55A, when applied to regulations 19 to 24 of these Regulations—U.K.

(a)in subsection (1)—

(i)for “data controller” there shall be substituted “person”;

(ii)in paragraph (a), for “of section 4(4) by the data controller” there shall be substituted “of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and”; and

(iii)for paragraphs (b) and (c) there shall be substituted—

(b)subsection (2) or (3) applies.;

(b)in subsection (3)—

(i)for “data controller” there shall be substituted “person”; and

(ii)for paragraph (a) substitute—

(a)knew or ought to have known that there was a risk that the contravention would occur, but;

(c)subsection (3A) shall be omitted;

[F9(ca)before subsection (4) there shall be inserted the following subsections—

(3B) If a monetary penalty notice has been served under this section on a body, the Commissioner may also serve a monetary penalty notice on an officer of the body if the Commissioner is satisfied that the contravention in respect of which the monetary penalty notice was served on the body—

(a)took place with the consent or connivance of the officer, or

(b)was attributable to any neglect on the part of the officer.

(3C) In subsection (3B)—

“body” means a body corporate or a Scottish partnership;

“officer” in relation to a body means—

(a)

in relation to a body corporate—

(i)

a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or

(ii)

where the affairs of the body are managed by its members, a member; or

(b)

in relation to a Scottish partnership, a partner or any person purporting to act as a partner.]

(d)in subsection (4), for “data controller” there shall be substituted “person [F10on whom it is served]”; and

(e)in subsection (9), the definition of “data controller” shall be omitted.]

8B.  In section 55B, for the words “data controller” (in subsections (1), (3) and (4)), there shall be substituted the word “person”.]U.K.

[F118C.  In section 55E, for the words “data controller” in subsection (2), there shall be substituted the word “person”.]U.K.

9.  In paragraph 4(1) of [F12Schedule 6], for the words “(2) or (4)” there shall be substituted the words “ or (2) ”.U.K.

10.  In paragraph 1 of Schedule 9—U.K.

(a)for subparagraph (1)(a) there shall be substituted the following provision—

(a)that a person has contravened or is contravening any of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (in this Schedule referred to as “the 2003 Regulations”) or

[F13(b)in subparagraph (1A) for “data controller” there shall be substituted “person”, and for “requirement imposed by an assessment notice” there shall be substituted “the audit provisions in regulations 5 and 5B of the 2003 Regulations”;

(c)in subparagraph (1B)—

(i)for “data controller” there shall be substituted “person”;

(ii)for “data protection principles” there shall be substituted “the requirements of the 2003 Regulations”;

(iii)for “assessment notice” there shall be substituted “audit notice”; and

(iv)the words “subparagraph (2) and” shall be omitted;

(d)subparagraph (2) shall be omitted;

(e)in subparagraphs (3)(d)(ii) and (3)(f) for the words “data controller” there shall be substituted “person”, and for the words “the data protection principles” there shall be substituted “the requirements of the 2003 Regulations”.]

Textual Amendments

F13Sch. 1 para. 10(b)-(e) substituted for Sch. 1 para. 10(b) and word (26.5.2011) by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (S.I. 2011/1208), regs. 1(1), 14(g)

[F1410A.  In paragraph 2(1A) of Schedule 9 for “assessment notice” there shall be substituted “audit notice”.]U.K.

11.  In paragraph 9 of Schedule 9—U.K.

(a)in subparagraph (1)(a) after the words “rights under” there shall be inserted the words “ the 2003 Regulations or ”; and

(b)in subparagraph (1)(b) after the words “arising out of” there shall be inserted the words “ the 2003 Regulations or ”.

[F15Modifications of secondary legislationU.K.

Textual Amendments

F15Sch. 1 paras. 12, 13 and cross-heading inserted (17.12.2018) by The Privacy and Electronic Communications (Amendment) Regulations 2018 (S.I. 2018/1189), regs. 1, 2(4)

Modification of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010U.K.

12.(1) The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are extended for the purposes of these Regulations and have effect subject to the following modifications.

(2) Regulation 1 applies as if in paragraph (2), at the end, there were inserted “as modified by regulation 31(1) of, and Schedule 1 to, the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

(3) Regulation 3 (notices of intent) applies as if—

(a)in paragraph (a) for “data controller” there were substituted “person”;

(b)paragraph (b)(i) were omitted;

(c)for paragraph (b)(ii) there were substituted—

(ii)the nature of the contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003,; and

(d)in a case where paragraph 8AA of Schedule 1 to the Privacy and Electronic Communications (EC Directive) Regulations 2003 applies—

(i)paragraph (b)(iv) were omitted, and

(ii)after paragraph (v) there were inserted—

(vi)if the notice is served on an officer of a body, the reason the Commissioner considers that the officer has responsibility for the contravention..

(4) Regulation 4 (monetary penalty notices) applies as if—

(a)in paragraphs (a), (b) and (g) for “data controller” there were substituted “person”;

(b)paragraph (d)(i) were omitted;

(c)for paragraph (d)(ii) there were substituted—

(ii)the nature of the contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003,; and

(d)in a case where paragraph 8AA of Schedule 1 to the Privacy and Electronic Communications Regulations 2003 applies—

(i)paragraph (d)(iv) were omitted, and

(ii)after paragraph (d)(v) there were inserted—

(vi)if the notice is served on an officer of a body, the reason the Commissioner considers that the officer has responsibility for the contravention;.

Modification of the Data Protection (Monetary Penalties) Order 2010U.K.

13.(1) The Data Protection (Monetary Penalties) Order 2010 is extended and has effect for the purposes of these Regulations subject to the following modifications.

(2) Article 1(2) (interpretation) applies as if at the end there were inserted “as modified by regulation 31(1) of, and Schedule 1 to, the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

(3) Article 5(2) (monetary penalty notices: cancellation) applies as if after “take any further action” there were inserted “against the person on whom that notice was served”.

(4) Article 6(c) (monetary penalty notices: enforcement) applies as if for “data controller” there were substituted “person on whom the notice is served.]