Data Protection Bill (HL Bill 66)

Data Protection BillPage 160

providing for appropriate safeguards for the rights and freedoms of data
subjects”, substitute “domestic law (see section 9 of the 2017 Act)”.

Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)

14 In Article 12 (transparent information etc for the exercise of the rights of the
data subject), omit paragraph 8.

Section 2 of Chapter III of the GDPR (rights of the data subject: information and access to
personal data)

15 In Article 13 (personal data collected from data subject: information to be
provided), in paragraph 1—

(a) in point (a), omit “and, where applicable, of the controller’s
representative”;

(b) in point (f), after “the Commission” insert “pursuant to Article 45(3)
of the GDPR”.

16 In Article 14 (personal data collected other than from data subject:
information to be provided)—

(a) in paragraph 1—

(i) in point (a), omit “and, where applicable, of the controller’s
representative”;

(ii) in point (f), after “the Commission” insert “pursuant to
Article 45(3) of the GDPR”;

(b) in paragraph 5(c), for “Union or Member State law to which the
controller is subject” substitute “a rule of domestic law”.

Section 3 of Chapter IV of the GDPR (rights of the data subject: rectification and erasure)

17 In Article 17 (right to erasure (‘right to be forgotten’))—

(a) in paragraph 1(e), for “in Union or Member State law to which the
controller is subject” substitute “under domestic law”;

(b) in paragraph 3(b), for “by Union or Member State law to which the
controller is subject” substitute “under domestic law”.

18 In Article 18 (right to restriction of processing), in paragraph 2, for “of the
Union or of a Member State” substitute “of the United Kingdom”.

Section 4 of Chapter IV of the GDPR (rights of the data subject: right to object and automated
individual decision-making)

19 In Article 21 (right to object), in paragraph 5, omit “, and notwithstanding
Directive 2002/58/EC,”.

20 In Article 22 (automated individual decision-making, including profiling),
for paragraph 2(b) substitute—

“(b) is a “qualifying significant decision” for the
purposes of section 13 of the 2017 Act; or”.

Section 5 of Chapter III of the GDPR (rights of the data subject: restrictions)

21 In Article 23 (restrictions), in paragraph 1—

(a) for “Union or Member State law to which the data controller or
processor is subject” substitute “In addition to the provision made by
section 14 of and Schedules 2, 3 and 4 to the 2017 Act, the Secretary
of State”;

(b) in point (e), for “of the Union or of a Member State”, in both places,
substitute “of the United Kingdom”;

(c) after point (j), insert—

“See section 15 of the 2017 Act.”

Section 1 of Chapter IV of the GDPR (controller and processor: general obligations)

22 In Article 26 (joint controllers), in paragraph 1, for “Union or Member State
law to which the controllers are subject” substitute “domestic law”.

23 Omit Article 27 (representatives of controllers or processors not established
in the Union).

24 In Article 28 (processor)—

(a) in paragraph 3, in point (a), for “Union or Member State law to which
the processor is subject” substitute “domestic law”;

(b) in paragraph 3, in the second subparagraph, for “other Union or
Member State data protection provisions” substitute “any other rule
of domestic law relating to data protection”;

(c) in paragraph 6, for “paragraphs 7 and 8” substitute “paragraph 8”;

(d) omit paragraph 7;

(e) in paragraph 8, omit “and in accordance with the consistency
mechanism referred to in Article 63”.

25 In Article 30 (records of processing activities)—

(a) in paragraph 1, in the first sentence, omit “, and where applicable, the
controller’s representative”;

(b) in paragraph 1, in point (a), omit “, the controller’s representative”;

(c) in paragraph 1, in point (g), after “32(1)” insert “or section 26(3) of the
2017 Act”;

(d) in paragraph 2, in the first sentence, omit “and where applicable, the
processor’s representative”;

(e) in paragraph 2, in point (a), omit “the controller’s or the processor’s
representative, and”;

(f) in paragraph 2, in point (d), after “32(1)” insert “or section 26(3) of the
2017 Act”;

(g) in paragraph 4 omit “and, where applicable, the controller’s or
processor’s representative”.

26 In Article 31 (co-operation with the supervisory authority), omit “and,
where applicable, their representatives”.

Section 3 of Chapter IV of the GDPR (controller and processor: data protection impact
assessment and prior consultation)

27 In Article 35 (data protection impact assessment), omit paragraphs 4, 5, 6
and 10.

28 In Article 36 (prior consultation)—

(a) for paragraph 4, substitute—

“4 The Secretary of State must consult the Commissioner
during the preparation of any proposal for a legislative
measure which relates to processing.”;

(b) omit paragraph 5.

Section 4 of Chapter IV of the GDPR (controller and processor: data protection officer)

29 In Article 37 (designation of data protection officers), omit paragraph 4.

30 In Article 39 (tasks of the data protection officer), in paragraph 1(a) and (b),
for “other Union or Member State data protection provisions” substitute
“other rules of domestic law relating to data protection”.

Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and
certification)

31 In Article 40 (codes of conduct)—

(a) in paragraph 1, for “The Member States, the supervisory authorities,
the Board and the Commission shall” substitute “The Commissioner
must”;

(b) omit paragraph 3;

(c) in paragraph 6, omit “, and where the code of conduct concerned
does not relate to processing activities in several Member States”;

(d) omit paragraphs 7 to 11.

32 In Article 41 (monitoring of approved codes of conduct), omit paragraph 3.

33 In Article 42 (certification)—

(a) in paragraph 1—

(i) for “The Member States, the supervisory authorities, the
Board and the Commission” substitute “The Commissioner”;

(ii) omit “, in particular at Union level,”;

(b) omit paragraph 2;

(c) in paragraph 5, omit “or by the Board pursuant to Article 63. Where
the criteria are approved by the Board, this may result in a common
certification, the European Data Protection Seal”;

(d) omit paragraph 8.

34 In Article 43 (certification bodies)—

(a) in paragraph 1, in the second sentence, for “Member States shall
ensure that those certification bodies are” substitute “Those
certification bodies must be”;

(b) in paragraph 2, in point (b), omit “or by the Board pursuant to Article
63”;

(c) in paragraph 3, omit “or by the Board pursuant to Article 63”;

(d) in paragraph 6, omit the second and third sentences;

(e) omit paragraphs 8 and 9.

Chapter V of the GDPR (transfers of data to third countries or international organisations)

35 In Article 45 (transfers on the basis of an adequacy decision)—

(a) in paragraph 1, after “decided” insert “in accordance with Article
45 of the GDPR”;

(b) after paragraph 1, insert—

“1A But a transfer of personal data to a third country or
international organisation must not take place under
paragraph 1, if the Commission’s decision in relation to the
third country (including a territory or sector within it) or
the international organisation—

(a) is suspended,

(b) has been amended, or

(c) has been repealed,

by the Commission under Article 45(5) of the GDPR.”;

(c) omit paragraphs 2 to 8.

36 In Article 46 (transfers subject to appropriate safeguards)—

(a) in paragraph 1, for “Article 45(3)” substitute “Article 45(3) of the
GDPR”;

(b) in paragraph 2, omit point (c);

(c) in paragraph 2, in point (d), omit “and approved by the Commission
pursuant to the examination procedure referred to in Article 93(2)”;

(d) omit paragraph 4;

(e) in paragraph 5—

(i) in the first sentence, for “a Member State or supervisory
authority” substitute “the Commissioner”;

(ii) in the second sentence, for “this Article” substitute “Article 46
of the GDPR”.

37 In Article 47 (binding corporate rules)—

(a) in paragraph 1, in the first sentence, omit “in accordance with the
consistency mechanism set out in Article 63”;

(b) in paragraph 2, in point (e), for “the competent courts of the Member
States” substitute “a court”;

(c) in paragraph 2, in point (f), for “on the territory of a Member State”
substitute “in the United Kingdom”;

(d) omit paragraph 3.

38 In Article 49 (derogations for specific situations)—

(a) in paragraph 1, in the first sentence,—

(i) for “Article 45(3)” substitute “Article 45(3) of the GDPR”;

(ii) for “Article 46” substitute “Article 46 of this Regulation”;

(b) in paragraph 4, for “in Union law or in the law of the Member State
to which the controller is subject” substitute “domestic law (see
section 17 of the 2017 Act)”;

(c) for paragraph 5, substitute—

“5 Paragraph 1 is subject to any regulations made under
section 17(2) of the 2017 Act.”

39 In Article 50 (international co-operation for the protection of personal data)
omit “the Commission and”.

Section 1 of Chapter VI of the GDPR (independent supervisory authorities)

40 In Article 51 (supervisory authority)—

(a) in paragraph 1—

(i) for “Each Member State shall provide for one or more
independent public authorities to be” substitute “The
Commissioner is”;

(ii) omit “and to facilitate the free flow of personal data within
the Union (‘supervisory authority’)”;

(b) omit paragraphs 2 to 4.

41 In Article 52 (independence)—

(a) in paragraph 2—

(i) for “The member or members of each supervisory authority”
substitute “The Commissioner”;

(ii) for “their”, in both places, substitute “the Commissioner’s”;

(b) in paragraph 3—

(i) for “Member or members of each supervisory authority”
substitute “The Commissioner”;

(ii) for “their”, in both places, substitute “the Commissioner’s”;

(c) omit paragraphs 4 to 6.

42 Omit Article 53 (general conditions for the members of the supervisory
authority).

43 Omit Article 54 (rules on the establishment of the supervisory authority).

Section 2 of Chapter VI of the GDPR (independent supervisory authorities: competence, tasks
and powers)

44 In Article 55 (competence)—

(a) in paragraph 1, omit “on the territory of its own Member State”;

(b) omit paragraph 2.

45 Omit Article 56 (competence of the lead supervisory authority).

46 In Article 57 (tasks)—

(a) in paragraph 1, in the first sentence, for “each supervisory authority
on its territory shall” substitute “the Commissioner is to”;

(b) in paragraph 1, in point (e), omit “and, if appropriate, cooperate with
the supervisory authorities in other Member States to that end”;

(c) in paragraph 1, in point (f), omit “or coordination with another
supervisory authority”;

(d) in paragraph 1, omit points (g), (k) and (t);

(e) after paragraph 1, insert—

“1A In this Article and Article 58, references to “this
Regulation” have effect as references to this Regulation
and section 26(3) of the 2017 Act.”

47 In Article 58 (powers)—

(a) in paragraph 1, in point (a), omit “, and, where applicable, the
controller’s or the processor’s representative”;

(b) in paragraph 1, in point (f), for “Union or Member State procedural
law” substitute “domestic law”;

(c) in paragraph 3, omit point (c);

(d) omit paragraphs 4 to 6.

48 In Article 59 (activity reports)—

(a) for “, the government and other authorities as designated by Member
State law” substitute “and the Secretary of State”;

(b) omit “, to the Commission or to the Board”.

Chapter VII of the GDPR (co-operation and consistency)

49 For Articles 60 to 76 substitute—

“Article 61

Co-operation with other supervisory authorities etc

The Commissioner may, in connection with carrying out the
Commissioner’s functions under this Regulation—

(a) co-operate with, provide assistance to and seek assistance
from other supervisory authorities;

(b) conduct joint operations with other supervisory
authorities, including joint investigations and joint
enforcement measures.

The Commissioner must, in carrying out the Commissioner’s
functions under this Regulation, have regard to—

(a) decisions, advice, guidelines, recommendations and best
practices issued by the European Data Protection Board
established under Article 68 of the GDPR;

(b) any implementing acts adopted by the Commission under
Article 67 of the GDPR (exchange of information).”

Chapter VIII of the GDPR (remedies, liability and penalties)

50 In Article 77 (right to lodge a complaint with a supervisory authority)—

(a) in paragraph 1, omit “in particular in the Member State of his or her
habitual residence, place of work or place of the alleged
infringement”;

(b) in paragraph 2, for “The supervisory authority with which the
complaint has been lodged” substitute “The Commissioner”.

51 In Article 78 (right to an effective judicial remedy against a supervisory
authority)—

(a) omit paragraph 2;

(b) for paragraph 3 substitute—

“3 Proceedings against the Commissioner are to be brought
before a court in the United Kingdom.”;

(c) omit paragraph 4.

52 In Article 79 (right to an effective judicial remedy against a controller or
processor), for paragraph 2, substitute—

“2 Proceedings against a controller or a processor are to be brought
before a court (see section 167 of the 2017 Act).”

53 In Article 80 (representation of data subjects)—

(a) in paragraph 1, omit “where provided for by Member State law”;

(b) omit paragraph 2.

54 Omit Article 81 (suspension of proceedings).

55 In Article 82 (right to compensation and liability), for paragraph 6,
substitute—

“6 Proceedings for exercising the right to receive compensation are to
be brought before a court (see section 167 of the 2017 Act).”

56 In Article 83 (general conditions for imposing administrative fines)—

(a) in paragraph 7, for “each Member State” substitute “the Secretary of
State”;

(b) for paragraph 8, substitute—

“8 Section 113(9) of the 2017 Act makes provision about the
exercise of the Commissioner’s powers under this Article.

  Part 6 of the 2017 Act (enforcement) makes further
provision in connection with administrative penalties
(including provision about appeals).”

(c) omit paragraph 9.

57 In Article 84 (penalties)—

(a) for paragraph 1, substitute—

“1 The rules on other penalties applicable to infringements of
this Regulation are set out in the 2017 Act (see in particular
Part 6 (enforcement)).”;

(b) omit paragraph 2.

Chapter IX of the GDPR (provisions relating to specific processing situations)

58 In Article 85 (processing and freedom of expression and information)—

(a) omit paragraph 1;

(b) in paragraph 2, for “Member States shall” substitute “the Secretary of
State, in addition to the relevant provisions, may by way of
regulations (see section 15 of the 2017 Act),”;

(c) after paragraph 2, insert—

“In this paragraph, “the relevant provisions” means
section 14 of and Part 5 of Schedule 2 to the 2017 Act.”;

(d) omit paragraph 3.

59 In Article 86 (processing and public access to official documents) for “Union
or Member State law to which the public authority or body is subject”
substitute “domestic law”.

60 Omit Article 87 (processing of national identification number).

61 Omit Article 88 (processing in the context of employment).

62 In Article 89 (safeguards and derogations relating to processing for
archiving purposes etc)—

(a) in paragraph 2, for “Union or Member State law may” substitute “the
Secretary of State, in addition to the relevant provisions, may in
regulations (see section 15 of the 2017 Act)”;

(b) in paragraph 3, for “Union or Member State law” substitute “the
Secretary of State, in addition to the relevant provisions, may in
regulations (see section 15 of the 2017 Act)”;

(c) after paragraph 3, insert—

“3A In this Article “the relevant provisions” means section 14 of
and Part 6 of Schedule 2 to the 2017 Act.”

63 Omit Article 90 (obligations of secrecy).

64 Omit Article 91 (existing data protection rules of churches and religious
associations).

Chapter X of the GDPR (delegated acts and implementing acts)

65 Omit Article 92 (exercise of the delegation).

66 Omit Article 93 (committee procedure).

Chapter XI of the GDPR (final provisions)

67 Omit Article 94 (repeal of Directive 95/46/EC).

68 Omit Article 95 (relationship with Directive 2002/58/EC).

69 In Article 96 (relationship with previously concluded Agreements), for “by
Member States” substitute “the United Kingdom or the Commissioner”.

70 Omit Article 97 (Commission reports).

71 Omit Article 98 (Commission reviews).

72 Omit Article 99 (entry into force and application).

Part 2 Modifications to Chapter 2 of Part 2

Introductory

73 In its application by virtue of section 20(2), Chapter 2 of the Part has effect as
if it were modified as follows.

General modifications

74 (1) References to Chapter 2 of this Part and the provisions of that Chapter have
effect as references to the applied Chapter 2 and the provisions of the
applied Chapter 2.

(2) References to the GDPR and to the provisions of the GDPR have effect as
references to the applied GDPR and to the provisions of the applied GDPR,
except in section 17(2)(a).

(3) References to the processing of personal data to which Chapter 2 applies
have effect as references to the processing of personal data to which Chapter
3 applies.

Exemptions

75 In section 15 (power to make further exemptions etc by regulations), in
subsection (1)(a) and (d), for “Member State law” substitute “the Secretary of
State”.

Section 28

SCHEDULE 7 Competent authorities

1 Any United Kingdom government department other than a non-ministerial
government department.

2 The Scottish Ministers.

3 The Department of Justice in Northern Ireland.

Chief officers of police and other policing bodies

4 The chief constable of a police force maintained under section 2 of the Police
Act 1996.

5 The Commissioner of Police of the Metropolis.

6 The Commissioner of Police for the City of London.

7 The Chief Constable of the Police Service of Northern Ireland.

8 The chief constable of the Police Service of Scotland.

9 The chief constable of the British Transport Police.

10 The chief constable of the Civil Nuclear Constabulary.

11 The chief constable of the Ministry of Defence Police.

12 The Provost Marshal of the Royal Navy Police.

13 The Provost Marshal of the Royal Military Police.

14 The Provost Marshal of the Royal Air Force Police.

15 The chief officer of—

(a) a body of constables appointed under provision incorporating
section 79 of the Harbours, Docks, and Piers Clauses Act 1847;

(b) a body of constables appointed under an order made under section
14 of the Harbours Act 1964;

(c) the body of constables appointed under section 154 of the Port of
London Act 1968 (c.xxxii).

16 A body established in accordance with a collaboration agreement under
section 22A of the Police Act 1996.

17 The Independent Office for Police Conduct.

18 The Police Investigations and Review Commissioner.

19 The Police Ombudsman for Northern Ireland.

Other authorities with investigatory functions

20 The Commissioners for Her Majesty’s Revenue and Customs.

21 The Director General of the National Crime Agency.

22 The Director of the Serious Fraud Office.

23 The Director of Border Revenue.

24 The Financial Conduct Authority.

25 The Health and Safety Executive.

26 The Criminal Cases Review Commission.

27 The Scottish Criminal Cases Review Commission.

Authorities with functions relating to offender management

28 A provider of probation services (other than the Secretary of State), acting in
pursuance of arrangements made under section 3(2) of the Offender
Management Act 2007.

29 The Youth Justice Board for England and Wales.

30 The Parole Board for England and Wales.

31 The Parole Board for Scotland.

32 The Parole Commissioners for Northern Ireland.

33 The Probation Board for Northern Ireland.

34 The Prisoner Ombudsman for Northern Ireland.

35 A person who has entered into a contract for the running of, or part of—

(a) a prison or young offender institution under section 84 of the
Criminal Justice Act 1991, or

(b) a secure training centre under section 7 of the Criminal Justice and
Public Order Act 1994.

36 A person who has entered into a contract with the Secretary of State—

(a) under section 80 of the Criminal Justice Act 1991 for the purposes of
prisoner escort arrangements, or

(b) under paragraph 1 of Schedule 1 to the Criminal Justice and Public
Order Act 1994 for the purposes of escort arrangements.

37 A person who is, under or by virtue of any enactment, responsible for
securing the electronic monitoring of an individual.

38 A youth offending team established under section 39 of the Crime and
Disorder Act 1998.