Data Protection Bill [HL]

Explanatory Notes

Annex B – LED Transposition Table

Article

Recital(s)

Copy out (yes/no)

If no – reason for elaboration or non-transposition

Corresponding clause

1

1 to 11

No

This article sets out the subject matter and overall objective of the LED and affords Member States scope to establish higher safeguards for the protection of data subjects. It does not impose additional obligations on Member States; as such, the article does not require separate implementation. However, a definition of law enforcement purposes is needed to reflect Article 2(1) (read with Article 1(1)).

27 and 29

2

11, 14, 17, 18, 20, 19, 33, 34

In part

The limitation on the scope of the LED in Article 2(1) and (2) is reflected in clause 26(1) and (2). Article 2(3)(a) has not been transposed as the provisions in Part 3 of the Bill apply to the domestic processing of data for law enforcement purposes as well as to the cross-border transfer of personal data; the former falls outside the scope of EU law. It is not necessary to transpose Article 2(3)(b) as Union institutions, bodies, offices and agencies do not constitute competent authorities for the purposes of Part 3 of the Bill.

27

3

12, 13, 18, 23 & 24

In part

The definition of "personal data" in clause 2(2) substantially copies out that in Article 3(1) but refers to a "living person" rather than a "natural person" for consistency with the approach taken in the GDPR (see recital 27). Linked to this, clause 2(5) includes a definition of "data subject" (the definition of "personal data" in Article 3(1) adopts the term "data subject" but (unlike the 1998 Act) leaves it undefined).

For legal clarity Schedule 7 contains a list of the primary competent authorities to whom Part 3 of the Bill applies rather than adopt the definition in Article 3(7). Other competent authorities are caught by clause 28(1)(b).

The definitions of "processor" and "recipient" refer to "any person", a term which covers "a natural or legal person, public authority, agency or [an] other body" (see Schedule 1 to the Interpretation Act 1978).

It is not necessary to transpose the latter part of the definition of "recipient" in Article 3(10) as UK public authorities would be bound by the rules applicable to the processing in question.

Part 3 of the Bill does not include a definition of "supervisory authority" (Article 3(15)); the Information Commissioner, as provided for in Part 5, is the supervisory authority for the LED.

2(2), (4), (5) and (7), 28, 29, 30, 31, and 184 and Schedule 7

4

26 to 30

In part

Clause 32 provides an overview of the six data protection principles set out in Article 4(1) and amplified in Articles 5 to 10.

In transposing Article 4(4), clause 31(3) applies the general duty of the controller to the whole of Chapter 2 of Part 3 as, in demonstrating compliance with the data protection principles, a controller will need to comply with the associated Articles.

In transposing Article 4(1)(e) the reference to personal data being kept "in a form which permits identification of data subjects" has not been transposed given that by definition (see Article 3(1)) personal data must permit the identification, either directly or indirectly, of data subjects.

32, 33(1), 34, 35, 36(1), 37, 38, 39 and 40

5

26 and 41

In part

Article 5 affords Member States the option of providing for appropriate time limits for either the erasure of personal data or for a periodic review of the need for storage of personal data. In transposing this Article, the Government has opted for review rather than erasure.

37(2)

6

31

In part

For greater clarity, clause 36(3) in places adopts different language to that used in Article 6. In any event, the list of categories of data subject in this Article is an indicative rather than exhaustive one.

36

7

32

Yes

N/A

36(2), (4) and (5)

8

33 to 35

In part

Part 3 of the Bill does not transpose Article 8(2) on the basis that it is a matter for the relevant statute or case law regulating processing to specify the objectives of processing, the personal data to be processed and the purpose of the processing.

33

9

36

No

Clause 33(4) gives effect to the provision in the first sentence of Article 9(1). As Part 3 only applies in relation to processing for law enforcement purposes, the effect of the overall scheme in the Bill would be for a competent authority to process data for any other lawful purpose under the provisions of the GDPR or applied GDPR as appropriate.

As the ambit of Articles 9(3) and (4) is unclear, clause 78 is considered necessary to provide clarity and give effect to these provisions by providing that the controller must consider whether the personal data would be subject to any restrictions by virtue of an enactment or rule of law and, where this is the case, must inform the EU and non-EU recipient that the data is made available with the same restrictions.

34(2)-(4) and 78

10

37

Yes

N/A

33(3)-(5) and Schedule 8

11

38 and 51

Yes

N/A

45 and 46

12

39 and 40

In part

Article 12(1) requires, "as a general rule", a controller to provide information to a data subject in the same form as the request. Rather than adopt the qualification in Article 12(1), clause 49(3) sets aside the requirement where it would be impractical to provide the information in the same form as the request, for example, where the request was made orally.

Clause 50(4)(b) amplifies Article 12(5) to make it clear that, in a case where there is doubt about the identity of a person making a request in accordance with Article 14 or 16, the controller is not required to act on the request until the person’s identity has been confirmed.

Article 12(4) enables a controller to charge a reasonable fee where a request from a data subject is manifestly unfounded or excessive; clause 51(4) and (5) augments this provision by providing for a power, by regulations, to prescribe a maximum fee.

42, 43, 44, 50, 51 and 52

13

42

In part

Article 13(4) enables Member States to adopt measures in order to determine categories of processing which may fall under any of the points in Article 13(3); the Government has not given effect to this derogation.

42 and 43

14

43

Yes

N/A

42(1) and (2)

15

44 to 46

In part

Article 15(2) enables Member States to adopt measures in order to determine categories of processing which may fall under any of the points in Article 15(1); the Government has not given effect to this derogation.

43(4)

16

47

In part

Article 16(1) confers a right to obtain rectification and Article 16(2) confers a right to obtain erasure; although there is no express mention of a right to obtain a restriction on processing, such a right is implied by Articles 13(1)(e), 14(e) and 16(4). Clause 45(2) therefore requires a controller to respond to a request of this kind.

The additional words in brackets in clause 44(4) clarify that the duty to erase in Article 16(2) does not depend on any request being made by the data subject, in contrast to the duty to rectify in Article 16(1).

Article 16(5) requires a controller to communicate the rectification of inaccurate personal data to the competent authority from which the inaccurate personal data originate. The addition of the words "if any" in clause 46(7) recognises that there could be cases where there is no competent authority from which the inaccurate personal data originates.

44 to 46

17

48

Yes

N/A

49

18

49

Yes

N/A

41(3) and (4)

19

53

In part

The reference to risks "of varying likelihood and severity" in Article 19(1) has not been reproduced as it is sufficient to state that all risks are taken into account.

54

20

52, 53

In part

The reference to risks "of varying likelihood and severity" in Article 20(1) has not been reproduced as it is sufficient to state that all risks are taken into account. The references to "pseudonymisation" and "data minimisation" have not been reproduced as these are intended only as examples and, as such, more appropriately referred to in guidance. It is not considered necessary to transpose the closing words of Article 20(1) as they do not add anything of substance to the duty placed on controllers.

55

21

54

In part

It is not considered necessary to transpose the wording "in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information referred to in Article 13" in Article 21(1) as it simply elaborates rather than alters the nature of the duty on joint controllers. Article 21(2) confers a discretion on Member States; this has been exercised by a provision (in clause 56(3)) enabling a data subject to exercise his or her rights against any joint controller.

56

22

55

In part

The reference, in Article 22(4), to a contract between a processor and controller being in writing is considered sufficient without the added reference to "including in an electronic form".

57

23

50

Yes

N/A

58

24

56

In part

It is not considered necessary to transpose the requirement, in Article 24(3), that the records of processing activity must be in writing as this is implicit. The requirement in Article 24(3) for the record to be in electronic form has not been provided for.

59

25

57

In part

Clause 60(1) makes it clear that the duty to keep logs falls on the processor, and not the controller, where a processor is processing personal data on behalf of the controller.

60

26

59

Yes

N/A

61

27

58

In part

It is not considered necessary to transpose the wording "in particular, using new technologies" in Article 27(1) as it simply elaborates rather than alters the nature of the duty on controllers.

62

28

59

In part

Article 28(1) provides that the controller or processor must consult the Information Commissioner, in certain cases, prior to processing; clause 63(1) places this duty on the controller only. Any advice provided by the Information Commissioner would, however, be provided to the controller and any processor. This approach better reflects the intended responsibilities of controllers and processors. It is not considered necessary to reproduce the words from "in particular" in Article 28(4).

63

29

53, 56 and 60

In part

The reference to risks "of varying likelihood and severity" in Article 29(1) has not been reproduced as it is sufficient to state that all risks are taken into account. It is not considered necessary to transpose the wording "in particular as regards the processing of special categories of personal data referred to in Article 10" in Article 29(1) as it simply elaborates rather than alters the nature of the duty on controllers and processors. Clause 64(2) provides for a more streamlined list of the outcomes to be secured by the adoption of appropriate security measures compared with that in Article 29(2).

64

30

61

Yes

N/A

65

31

62

Yes

N/A

66

32

63

In part

It is unnecessary to refer to "independent" judicial authorities as in Article 32(1) as all UK judicial authorities are considered to be independent.

67

33

63

In part

Clause 68(3) to (5) makes provision akin to that set out in Article 38(3) to (6) of the GDPR, which is not mirrored in the LED, to ensure consistency between the two regimes insofar as it relates to data protection officers.

68

34

63

In part

Clause 69(3) makes provision akin to that in Article 39(2) of the GDPR, which is not mirrored in the LED, to ensure consistency between the two regimes insofar as it relates to data protection officers performing their tasks.

69

35

64 and 65

In part

It is not considered necessary to transpose the reference to personal data "undergoing processing or are intended for processing" in Article 35(1). Article 35(1)(e) refers to the seriousness of the criminal offence; clause 76(3)(a) generalises the wording as the law enforcement purposes are not confined to activities relating to criminal offences. Article 35(3) is a purpose provision which does not require specific transposition.

71 and 76

36

66

In part

Article 36(2) to (6) and (8) do not require transposition as they place obligations on the European Commission rather than the Member State. Article 36(7) provides that the suspension or repeal of an adequacy decision in respect of a third country does not affect the ability to transfer data to that third country in reliance on Articles 37 or 38; clause 71(3) achieves this without the need for more in clause 72.

72

37

67 to 71

In part

Clause 73(3)(c)(iv) clarifies that the duty, in Article 37(3), to document the personal data transferred should be read as a duty to provide a description of the personal data transferred, rather than the data itself.

73

38

72

In part

It is not considered necessary to transpose the words "where the law of the Member State transferring the personal data so provides" in Article 38(1)(b) as to do so may be taken to narrow the class of "legitimate interests". Clause 74(4) adopts the definition of a "legal purpose" in paragraph 5 of Schedule 4 to the 1998 Act.

74

39

73

In part

It is not considered necessary to refer to both an "individual" and "specific" case on the basis that "specific" by itself conveys the intention.

75

40

74 and 83

In part

This Article replicates the GDPR Article 50 which is considered and provided for in Part 5 of the Bill.

116

41

76

No

Article 41 requires Member States to provide for one or more supervisory authorities responsible for monitoring the application of the LED. A supervisory authority established under the GDPR may also discharge the functions of a supervisory authority under the LED. The Bill provides for the Information Commissioner to be the supervisory authority for the purposes of the GDPR and LED. As the Information Commissioner is the sole UK supervisory authority, nothing is required in respect of Article 41(4).

112

42

75, 78

No

No express legislative provisions are considered to be required in relation to Article 42(1) to (3). The independence of the Information Commissioner derives from the totality of the legislative framework under which she operates, including the absence of any powers for a Minister of the Crown to direct the Commissioner (subject to the limited exception in clause 124). Provision in respect of conflicts of interest (Article 42(3)) would be included in the Commissioner’s terms of appointment. Paragraph 5 of Schedule 12 makes provision for the appointment of staff of the Information Commissioner (Article 42(4) and (5)) and paragraphs 9 to 11 of Schedule 12 make provision for the funding of the Information Commissioner, the treatment of fee income and accounts (Article 42(6)).

Schedule 12

43

79

No

Article 43(1) confers discretion on Member States, subject to specified parameters, to determine the person responsible for appointing each member of the supervisory authority; paragraph 2 of Schedule 12 provides for the Information Commissioner to be appointed by Her Majesty (on the recommendation of the Secretary of State for Digital, Culture, Media and Sport). Article 43(2) does not require legislative provision; the appropriate qualifications, experience and skills would be set out in the role profile when recruiting an Information Commissioner and candidates will be judged against the role profile. Article 43(3) does not require legislative provision; the duties of the Information Commissioner automatically terminate once an individual no longer holds that office. Paragraph 3 of Schedule 12 provides for an exhaustive list of grounds for the removal of the Information Commissioner.

Schedule 12, paragraph 3

44

77

No

Clause 112 provides for the continuance of the office of Information Commissioner (Article 44(1)(a)). Article 44(1)(b) does not require legislative provision; the appropriate qualifications, experience and skills would be set out in the role profile when recruiting an Information Commissioner and candidates will be judged against the role profile. Paragraph 2 of Schedule 12 provides for the appointment of the Information Commissioner; the procedure for making an appointment is set down in a Governance Code. Paragraph 2(3) and (4) of Schedule 12 provides for the Commissioner to be appointed for a single term of up to seven years (Article 44(1)(d) and (e)). Provision in respect of conflicts of interest and duty of professional secrecy (Article 44(1)(f) and (2)) would be included in the terms and conditions of appointment of the Commissioner and members of staff. In addition, clause 127 provides for an offence of unlawful disclosure by Information Commissioner staff.

127 and Schedule 12

45

80

No

It is not considered necessary to transpose Article 45(1) on the basis that the measures in Part 5 of the Bill relating to the functions and powers of the Information Commissioner satisfy the requirements of this provision.

115

46

80 and 81

In part

It is not considered necessary to transpose Article 46(3). As a corporation sole the Information Commissioner will only have the powers conferred on her by statute. So, in the absence of an express power to charge fees, she will not be able to do so. Clause 129 enables the Commissioner to charge fees to persons other than data subjects and data protection officers.

114, 118 and 130, Schedule 13 and Part 1 of Schedule 14

47

82

No

Article 47 requires Member States to provide for the national supervisory authority to have effective investigative, corrective, advisory and enforcement powers, but otherwise leaves it to Member States as to the precise form of such powers.

Part 5

48

82 and 61

Yes

N/A

79

49

N/A

In part

Clause 134 provides for the Information Commissioner to make an annual report to Parliament; it is not considered necessary to give examples of the matters that may be addressed in the report (as in Article 49). The duty to publish the annual report satisfies the requirement to make it available to the public and others.

134

50

83

In part

Article 50 provides for how the EEA supervisory authorities shall cooperate. Article 50(8) has not been transposed because of the role it gives to the European Commission in specifying what and how the supervisory authorities cooperate.

Part 1 of Schedule 14

51

84

No

This Article adds to the functions of the European Data Protection Board established by the GDPR. As an EU body, domestic legislation is not required to give effect to this Article.

N/A

52

85 and 81

Yes

N/A

156

53

86

No

This Article requires Member States to provide for a judicial remedy against decisions of the supervisory authority. Such a remedy needs to reflect the judicial systems of each Member State.

154, 155 and 157

54

87

No

This Article requires Member States to provide for a judicial remedy against actions of a controller or processor. Such a remedy needs to reflect the judicial systems of each Member State.

158

55

87

Yes

Article 55 allows for a data subject to mandate a not-for-profit body to lodge a complaint on his or her behalf. In this context the article has been interpreted so as to allow for charities and not-for-profit bodies with a data protection mandate and public interest objectives to take forward complaints.

173

56

88

Yes

Article 56 provides for compensation to be made available if contravention of the Directive leads to damage to a data subject. The article sets out the liability of each of the controller and the processor and when the right to compensation does not apply.

160

57

89

No

Article 57 requires Member States to provide for effective, proportionate and dissuasive penalties for infringements of the provisions of the LED, but otherwise leaves it to Member States to determine the appropriate penalties.

142 to 146, 148 to 152, 154 and 155

58

90, 91 and 92

No

This Article extends the remit of the committee established under Article 93 of the GDPR to assist the Commission. As an EU body, domestic legislation is not required to give effect to this Article.

N/A

59

98

No

Part 4 of the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 gave effect to Framework Decision 2008/977/JHA – Part 4 of the Regulations is repealed by Schedule 18.

Paragraph 23 of Schedule 18

60

97

No

Article 60 specifies that EU legal provisions relating to the protection of personal data in judicial or police cooperation and criminal matters which regulate the processing between Member States (or designated authorities) that entered into force on or before 6 May 2016 will remain unaffected. Domestic provision is not required to give effect to this Article.

N/A

61

94 and 95

No

Article 61 provides for the lawfulness of international agreements made prior to 06 May 2016 for cooperation in criminal matters. Domestic provision is not required to give effect to this Article.

N/A

62

No

Article 62 (GDPR Article 97) places a duty on the European Commission to review the Directive every 4 years and produce a report on the effectiveness of the Directive. Domestic provision is not required to give effect to this Article.

N/A

63

93, 96, 99, 100, 101, 102, 103, 104 and 105

No

This Article requires Member States to transpose the LED into domestic law by 6 May 2018. The provisions of the Bill giving effect to the LED will be brought into force by commencement regulations made under clause 191. Clause 192 enables regulations to make transitional provision as provided for in Article 63(2) and (3).

191 and 192

64

96

No

Relates to the coming into force of the Directive. Domestic provision is not required to give effect to this Article.

N/A

65

No

Article 65 provides the addresses for the European Parliament and European Council. Domestic provision is not required to give effect to this Article.

N/A

 

Prepared 13th September 2017