United Kingdom


Data Protection Bill

Status: Adopted

SME EXCEPTION

N/A

LAWFULNESS OF PROCESSING (ART 6)

SPECIFYING REQUIREMENT: Processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for: (1) the administration of justice, (2) the exercise of a function of either House of Parliament, (3) the exercise of a function conferred on a person by an enactment or rule of law, (4) the exercise of a function of the Crown, a Minister of the Crown or a government department, or (5) an activity that supports or promotes democratic engagement (Clause 8, UK Data Protection Act 2018)

CHILD'S CONSENT (ART 8)

VARYING REQUIREMENT: Minimum age to provide consent is lowered to 13 years old. Art 8 GDPR is not applicable to preventive and counselling services (Clause 9 UK Data Protection Act 2018)

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

SPECIFYING REQUIREMENT: Processing of this type of data is allowed other than under the control of an official authority only if one of the following conditions is met: (1) consent; (2) protecting the individual’s vital interests; (3) processing by not-for-profit bodies; (4) the personal data is in the public domain; (5) legal claims, or when a court is acting in its judicial capacity; (6) indecency offences involving children; (7) the substantial public interest condition; or (8) the processing is necessary for insurance purposes (Clauses 10(4), (5) and Schedule 1, Part 3 UK Data Protection Act 2018).

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

SPECIFYING REQUIREMENT: Most data subjects’ rights can be restricted when processing occurs for the following purposes: (1) crime and taxation (including risk assessment systems); (2) maintenance of effective immigration control; (3) the legal requirement to disclose information, or in the context of legal proceedings; (4) discharging a function to protect the public; (5) discharging audit functions; (6) discharging a relevant function of the Bank of England; (7) discharging regulatory functions relating to legal, health, and children’s services; (8) functions of certain other regulatory bodies; (9) avoiding infringement of parliamentary privilege; (10) assessing a person’s suitability for judicial appointment, or in the context of judicial independence and judicial proceedings; (11) in the context of Crown honours, dignities, and appointments; (12) protection of the rights of others; (13) for a purpose that meets the health data, social work data, or education data test if performed by a qualified health worker, social worker, or education worker; (14) legal professional privilege; (15) avoiding self-incrimination; (16) corporate finance services; (17) prejudiced business activity; (18) negotiations between the data subject and the controller; (19) confidential references given to the controller; (20) information recorded in the context of exams; (21) incompatibility with the publication of journalistic, academic, literary, or artistic material in the public interest; (22) statistical or scientific and historical purposes, or archiving in the public interest, in the case of health, social work, and education data; (23) when the data are processed by a court; (24) as a result of the data subject’s expectations or wishes; (25) when disclosure would lead to serious harm (for health data); (26) when an appropriate professional must give a prior opinion; (27) in the case of child abuse data; (28) when it would not be in the best interests of the data subject to disclose; (29) human fertilisation and embryology information; (30) adoption records and reports; (31) statements of special educational needs; (32) parental order records and reports; (33) information provided in the context of the Children’s Hearings Act; and (34) as enacted by way of regulations made by the Secretary of State where necessary and proportionate to safeguard certain objectives of general public interest (Clauses 15–16 and Schedules 2–4 UK Data Protection Act 2018).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

ADDITIONAL REQUIREMENT: A record maintained by a controller or processor under Article 30 for the processing of data that requires an appropriate policy document must include the following information: (1) which condition is relied on; (2) to what extent processing is lawful under Art 6 GDPR; and (3) the erasure/retention policy and, where applicable, reasons for not complying with this policy. (Clause 41, UK Data Protection Act 2018)

SECURITY OF PROCESSING (ART 32)

VARYING REQUIREMENT: Article 32 GDPR does not apply when processing for national security or defence purposes. In these cases, the controller or processor must implement security measures appropriate to the risks arising from the processing of the personal data. (Clause 28 UK Data Protection Act 2018).

DATA BREACH (ART 33 & 34)

VARYING REQUIREMENT: There is no notification obligation to the data protection commissioner when: (1) the data breach also constitutes a relevant error within the meaning of Section 231(9) of the Investigatory Powers Act 2016 (Clause 106(6) UK Bill); (2) a crime can be prevented or detected; (3) information is required to be disclosed to the public by law; (4) there is infringement of parliamentary privilege; (5) the breach is likely to prejudice judicial proceedings; and (6) Crown honours and dignities are at risk. There is also no notification obligation when the following is at risk or prejudiced: (7) the armed forces; (8) the economic well-being of the UK; (9) legal professional privilege; and (10) negotiations with the data subject. There is also no notification obligation when the personal data concerned relates to: (11) confidential references by the controller; (12) exam scripts and marks; (13) research and statistics; and (14) archiving in the public interest (Schedule 11 UK Data Protection Act 2018).

It is required to communicate the nature of a data breach to the data subject (Clause 68(2)(a) UK Data Protection Act 2018). The controller may restrict communication of this information to the data subject when it is necessary and proportionate to avoid obstruction of an official or legal inquiry, investigation, or procedure; to avoid prejudice of prevention and detection of criminal offenses or execution of criminal penalties; or to protect public or national security or the rights and freedoms of others (Clause 68(7) UK Data Protection Act 2018).

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

VARYING REQUIREMENT: The supervisory authority does not have the authority to establish a public list of the kinds of processing operations which are or are not subject to a data protection impact assessment. (Schedule 6 Clause 27, UK Data Protection Act 2018)

DATA PROTECTION OFFICER (ART 37(4))

VARYING REQUIREMENT: An exception for designation of a DPO is also made for “other judicial authorities” (i.e., other than courts) acting in their judicial capacity (Clause 69(1) UK Data Protection Act 2018). Clause 71(2) UK Bill lays down a non-exhaustive list of specific tasks to be performed by the DPO when monitoring compliance with controller policies.

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

VARYING REQUIREMENT: The commissioner’s powers under the GDPR are subject to safeguards provided for in the Act: (1) powers over information requests are exercisable only upon a written information notice by the commissioner to the controller/processor; (2) investigatory powers and powers allowing access to premises and personal data are exercisable only upon a written assessment notice; (3) powers to order compliance with the data subject’s requests, to render processing compliant, to communicate a breach to the data subject, to impose a limitation or ban on processing activities, to order the rectification or erasure of personal data, and to withdraw a certification are exercisable only upon an enforcement notice; (4) the power to impose an administrative fine is exercisable only upon a penalty notice (Clause 115 UK Data Protection Act 2018). The commissioner has the power to issue information, assessment, enforcement, and penalty notices (Clauses 142–153 and 155–159 UK Data Protection Act 2018). The commissioner’s powers of entry and inspection may only be exercised upon court approval or warrant (Schedule 15 UK Data Protection Act 2018). The commissioner has the power to inspect personal data where the inspection is necessary to discharge an international obligation of the UK, and if the personal data is either (a) processed wholly or partly by automated means, or (b) forms or is intended to form part of a filing system (Clause 119, UK Data Protection Act 2018).

CLASS ACTIONS (ART 80 (2))

SPECIFYING REQUIREMENT: The Secretary of State may, by making regulations under the UK Act, provide that a body, organisation, or association may, independently of a data subject’s mandate, have the right to lodge a complaint with the commissioner in the UK (Part 7 Clause 190, Schedule 6 Part 1 Clause 53, UK Data Protection Act 2018).

ADMINISTRATIVE SANCTIONS (ART 83)

No Deviation

PENALTIES (ART 84)

No Deviation

FREEDOM OF EXPRESSION & INFORMATION (ART 85)

No Deviation

HR PROCESSING (ART 88)

VARYING REQUIREMENT: The UK Bill omits Art 88 GDPR (see Schedule 6, Clause 61 UK Data Protection Act 2018).

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

VARYING REQUIREMENT: The UK Bill restricts the derogations made according to Art 89(2) GDPR for processing for research and statistics purposes to Art 15(1)–(3), Art 16, Art 18(1), and Art 21(1) GDPR. The UK Bill restricts the derogations made according to Art 89(3) GDPR for processing for archiving purposes to Art 15(1)–(3), Art 16, Art 18(1), Art 19, Art 20(1), and Art 21(1) GDPR. (Schedule 2 Part 6, UK Data Protection Act 2018)

OBLIGATIONS OF SECRECY (ART 90)

VARYING REQUIREMENT: The UK Bill omits Art 90 GDPR (see Schedule 6, Clause 63, UK Data Protection Act 2018)

REMARKS

The UK Data Protection Bill also contains processing activities that do not fall within EU law or the GDPR, such as processing related to immigration and national security and parts implementing the EU Law Enforcement Directive.