Data Protection Bill (HL Bill 66)

(5) For the purposes of sub-paragraph (3), a person who is an elected member
of the Common Council of the City of London and whose term of office
comes to an end at the end of the day preceding the annual Wardmotes is to
be treated as if he or she were such a member until the end of the fourth day
5after the day on which those Wardmotes are held.

Disclosure to elected representatives

19 (1) This condition is met if—

(a) the processing consists of the disclosure of personal data—

(i) to an elected representative or a person acting with the
10authority of such a representative, and

(ii) in response to a communication to the controller from that
representative or person which was made in response to a
request from an individual,

(b) the personal data is relevant to the subject matter of that
15communication, and

(c) the disclosure is necessary for the purpose of responding to that
communication,

subject to sub-paragraph (2).

(2) Where the request to the elected representative came from an individual
20other than the data subject, the condition in sub-paragraph (1) is met only if
the disclosure must be made without the consent of the data subject for one
of the following reasons—

(a) in the circumstances, consent to the processing cannot be given by
the data subject;

(b) 25in the circumstances, the elected representative cannot reasonably be
expected to obtain the consent of the data subject to the processing;

(c) obtaining the consent of the data subject would prejudice the action
taken by the elected representative;

(d) the processing is necessary in the interests of another individual and
30the data subject has withheld consent unreasonably.

(3) In this paragraph, “elected representative” has the same meaning as in
paragraph 18.

Informing elected representatives about prisoners

20 (1) This condition is met if—

(a) 35the processing consists of the processing of personal data about a
prisoner for the purpose of informing a member of the House of
Commons or a member of the Scottish Parliament about the prisoner,
and

(b) the member is under an obligation not to further disclose the
40personal data.

(2) The references in sub-paragraph (1) to personal data about, and to informing
someone about, a prisoner include personal data about, and informing
someone about, arrangements for the prisoner’s release.

(3) In this paragraph—

• 45“prison” includes a young offender institution, a remand centre, a
  secure training centre or a secure college;

• “prisoner” means a person detained in a prison.

Anti-doping in sport

21 (1) This condition is met if the processing is carried out—

(a) in connection with measures designed to eliminate doping which are
5undertaken by or under the supervision of a body with responsibility
for eliminating doping in a sport, at a sporting event or in sport
generally, or

(b) for the purposes of providing information about doping, or
suspected doping, to such a body.

(2) 10The reference in sub-paragraph (1)(a) to measures designed to eliminate
doping include measures designed to identify or prevent doping.

Part 3 Additional conditions relating to criminal convictions etc

Consent

22 15This condition is met if the data subject has given consent to the processing.

Protecting individual’s vital interests

23 This condition is met if—

(a) the processing is necessary to protect the vital interests of an
individual, and

(b) 20the data subject is physically or legally incapable of giving consent.

Processing by not-for-profit bodies

24 This condition is met if the processing is carried out—

(a) in the course of its legitimate activities with appropriate safeguards
by a foundation, association or other not-for-profit body with a
25political, philosophical, religious or trade union aim, and

(b) on condition that—

(i) the processing relates solely to the members or to former
members of the body or to persons who have regular contact
with it in connection with its purposes, and

(ii) 30the personal data is not disclosed outside that body without
the consent of the data subjects.

Personal data in the public domain

25 This condition is met if the processing relates to personal data which is
manifestly made public by the data subject.

35Legal claims and judicial acts

26 This condition is met if the processing is necessary for the establishment,
exercise or defence of a legal claim or whenever a court is acting in its
judicial capacity.

Administration of accounts used in commission of indecency offences involving children

27 (1) This condition is met if—

(a) the processing is of personal data about a conviction or caution for
an offence listed in sub-paragraph (2),

(b) 5the processing is necessary for the purpose of administering an
account relating to the payment card used in the commission of the
offence or cancelling that payment card, and

(c) when the processing is carried out, the controller has an appropriate
policy document in place (see paragraph 30 in Part 4 of this
10Schedule).

(2) Those offences are an offence under—

(a) section 1 of the Protection of Children Act 1978 (indecent
photographs of children),

(b) Article 3 of the Protection of Children (Northern Ireland) Order 1978
15(S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),

(c) section 52 of the Civic Government (Scotland) Act 1982 (indecent
photographs etc of children),

(d) section 160 of the Criminal Justice Act 1988 (possession of indecent
photograph of child),

(e) 20Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland)
Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent
photograph of child), or

(f) section 62 of the Coroners and Justice Act 2009 (possession of
prohibited images of children),

25or incitement to commit an offence under any of those provisions.

(3) See also the additional safeguards in Part 4 of this Schedule.

(4) In this paragraph—

• “caution” means a caution given to a person in England and Wales or
  Northern Ireland in respect of an offence which, at the time when the
  30caution is given, is admitted;

• “conviction” has the same meaning as in the Rehabilitation of
  Offenders Act 1974 or the Rehabilitation of Offenders (Northern
  Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));

• “payment card” includes a credit card, a charge card and a debit card.

35Extension of certain conditions under Part 2 of this Schedule

28 (1) This condition is met if—

(a) the processing would meet a condition in Part 2 of this Schedule but
for an express requirement for the processing to be necessary for
reasons of substantial public interest, and

(b) 40when the processing is carried out, the controller has an appropriate
policy document in place (see paragraph 30 in Part 4 of this
Schedule).

(2) See also the additional safeguards in Part 4 of this Schedule.

Part 4 Appropriate policy document and additional safeguards

Application of this Part

29 This Part of this Schedule makes provision about the processing of personal
5data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule
which requires the controller to have an appropriate policy document in
place when the processing is carried out.

Requirement to have an appropriate policy document in place

30 The controller has an appropriate policy document in place in relation to the
10processing of personal data in reliance on a condition described in
paragraph 29 if the controller has produced a document which—

(a) explains the controller’s procedures for securing compliance with
the principles in Article 5 of the GDPR (principles relating to
processing of personal data) in connection with the processing of
15personal data in reliance on the condition in question, and

(b) explains the controller’s policies as regards the retention and erasure
of personal data processed in reliance on the condition, giving an
indication of how long such personal data is likely to be retained.

Additional safeguard: retention of appropriate policy document

31 (1) 20Where personal data is processed in reliance on a condition described in
paragraph 29, the controller must during the relevant period—

(a) retain the appropriate policy document,

(b) review and (if appropriate) update it from time to time, and

(c) make it available to the Commissioner, on request, without charge.

(2) 25“Relevant period”, in relation to the processing of personal data in reliance
on a condition described in paragraph 29, means a period which—

(a) begins when the controller starts to carry out processing of personal
data in reliance on that condition, and

(b) ends at the end of the period of 6 months beginning on the day the
30controller ceases to carry out such processing.

Additional safeguard: record of processing

32 A record maintained by the controller, or the controller’s representative,
under Article 30 of the GDPR in respect of the processing of personal data in
reliance on a condition described in paragraph 29 must include the
35following information—

(a) which condition is relied on,

(b) how the processing satisfies Article 6 of the GDPR (lawfulness of
processing), and

(c) whether the personal data is retained and erased in accordance with
40the policies described in paragraph 30(b) and, if it is not, the reasons
for not following those policies.

Section 14

SCHEDULE 2 Exemptions etc from the GDPR

Part 1 Adaptations and restrictions based on Articles 6(3) and 23(1)

5GDPR provisions to be adapted or restricted: “the listed GDPR provisions”

1 In this Part “the listed GDPR provisions” means—

(a) the following provisions of the GDPR (the rights and obligations in
which may be restricted by virtue of Article 23(1) of the GDPR)—

(i) Article 13(1) to (3) (personal data collected from data subject:
10information to be provided);

(ii) Article 14(1) to (4) (personal data collected other than from
data subject: information to be provided);

(iii) Article 15(1) to (3) (confirmation of processing, access to data
and safeguards for third country transfers);

(iv) 15Article 16 (right to rectification);

(v) Article 17(1) and (2) (right to erasure);

(vi) Article 18(1) (restriction of processing);

(vii) Article 20(1) and (2) (right to data portability);

(viii) Article 21(1) (objections to processing);

(ix) 20Article 5 (general principles) so far as its provisions
correspond to the rights and obligations provided for in the
provisions mentioned in sub-paragraphs (i) to (viii); and

(b) the following provisions of the GDPR (the application of which may
be adapted by virtue of Article 6(3) of the GDPR)—

(i) 25Article 5(1)(a) (lawful, fair and transparent processing), other
than the lawfulness requirements set out in Article 6;

(ii) Article 5(1)(b) (purpose limitation).

Crime and taxation: general

2 (1) The listed GDPR provisions do not apply to personal data processed for any
30of the following purposes—

(a) the prevention or detection of crime,

(b) the apprehension or prosecution of offenders, or

(c) the assessment or collection of a tax or duty or an imposition of a
similar nature,

35to the extent that the application of those provisions would be likely to
prejudice any of the matters mentioned in paragraphs (a) to (c).

(2) Sub-paragraph (3) applies where—

(a) personal data is processed by a person (“Controller 1”) for any of the
purposes mentioned in sub-paragraph (1)(a) to (c), and

(b) 40another person (“Controller 2”) obtains the data from Controller 1 for
the purpose of discharging statutory functions and processes it for
the purpose of discharging statutory functions.

(3) Controller 2 is exempt from the obligations in the following provisions of the
GDPR—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided),

(b) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided),

(c) 5Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers), and

(d) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
paragraphs (a) to (c),

10to the same extent that Controller 1 is exempt from those obligations by
virtue of sub-paragraph (1).

Crime and taxation: risk assessment systems

3 (1) The GDPR provisions listed in sub-paragraph (3) do not apply to personal
data which consists of a classification applied to the data subject as part of a
15risk assessment system falling within sub-paragraph (2) to the extent that the
application of those provisions would prevent the system from operating
effectively.

(2) A risk assessment system falls within this sub-paragraph if—

(a) it is operated by a government department, a local authority or
20another authority administering housing benefit, and

(b) it is operated for the purposes of—

(i) the assessment or collection of a tax or duty or an imposition
of a similar nature, or

(ii) the prevention or detection of crime or apprehension or
25prosecution of offenders, where the offence concerned
involves the unlawful use of public money or an unlawful
claim for payment out of public money.

(3) The GDPR provisions referred to in sub-paragraph (1) are the following
provisions of the GDPR (the rights and obligations in which may be
30restricted by virtue of Article 23(1) of the GDPR)—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided);

(b) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided);

(c) 35Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);

(d) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
paragraphs (a) to (c).

40Immigration

4 (1) The listed GDPR provisions do not apply to personal data processed for any
of the following purposes—

(a) the maintenance of effective immigration control, or

(b) the investigation or detection of activities that would undermine the
45maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to
prejudice any of the matters mentioned in paragraphs (a) and (b).

(2) Sub-paragraph (3) applies where—

(a) personal data is processed by a person (“Controller 1”), and

(b) another person (“Controller 2”) obtains the data from Controller 1 for
any of the purposes mentioned in sub-paragraph (1)(a) and (b) and
5processes it for any of those purposes.

(3) Controller 1 is exempt from the obligations in the following provisions of the
GDPR—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided),

(b) 10Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided),

(c) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers), and

(d) Article 5 (general principles) so far as its provisions correspond to the
15rights and obligations provided for in the provisions mentioned in
paragraphs (a) to (c),

to the same extent that Controller 2 is exempt from those obligations by
virtue of sub-paragraph (1).

Information required to be disclosed by law etc or in connection with legal proceedings

5 (1) 20The listed GDPR provisions do not apply to personal data consisting of
information that the controller is obliged by an enactment to make available
to the public, to the extent that the application of those provisions would
prevent the controller from complying with that obligation.

(2) The listed GDPR provisions do not apply to personal data where disclosure
25of the data is required by an enactment, a rule of law or an order of a court,
to the extent that the application of those provisions would prevent the
controller from making the disclosure.

(3) The listed GDPR provisions do not apply to personal data where disclosure
of the data is necessary—

(a) 30for the purpose of, or in connection with, legal proceedings
(including prospective legal proceedings), or

(b) for the purpose of obtaining legal advice or otherwise establishing,
exercising or defending legal rights,

to the extent that the application of those provisions would prevent the
35controller from making the disclosure.

Part 2 Restrictions based on Article 23(1): Restrictions of rules in Articles 13 to 21

GDPR provisions to be restricted: “the listed GDPR provisions”

6 In this Part “the listed GDPR provisions” means the following provisions of
40the GDPR (the rights and obligations in which may be restricted by virtue of
Article 23(1) of the GDPR)—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided);

(b) Article 14(1) to (4) (personal data collected other than from data
45subject: information to be provided);

(c) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);

(d) Article 16 (right to rectification);

(e) Article 17(1) and (2) (right to erasure);

(f) 5Article 18(1) (restriction of processing);

(g) Article 20(1) and (2) (right to data portability);

(h) Article 21(1) (objections to processing);

(i) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
10sub-paragraphs (a) to (h).

Functions designed to protect the public etc

7 The listed GDPR provisions do not apply to personal data processed for the
purposes of discharging a function that—

(a) is designed as described in column 1 of the Table, and

(b) 15meets the condition relating to the function specified in column 2 of
the Table,

to the extent that the application of those provisions would be likely to
prejudice the proper discharge of the function.