As I mentioned on the index page for the Data Protection Act 2018, s.1 (1) of the Act states that the Act makes provision about the processing of personal data. As everyone knows, most processing of personal data is subject to the GDPR but the GDPR makes many references to national law. Even though the GDPR is directly applicable in the laws of each of the member states by virtue of art 288 of the Treaty on the Functioning of the European Union, the GDPR needs to be supplemented by national legislation to function effectively. That is why s.1 (3) provides that Part 2 of the Act supplements the GDPR.
The Legislative Scheme
S.1 (1) and (2) are amplified by s.2 (1) which provides:
"The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions."
S.4 (2) adds that Chapter 2 of Part 2 applies to the types of processing of personal data to which the GDPR applies by virtue of art 2 and that that Chapter supplements, and must be read with, the GDPR.
Understanding the Scheme
Probably the best way to understand the scheme is to take an example.
Art 5 of the GDPR sets out a number of principles for the processing of personal data. The first of those principles is that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Art 6 (1) stipulates that processing shall be lawful only if and to the extent that one or more specified circumstances apply. One of those circumstances is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (point "e").
What constitutes the public interest and official authority are matters for the legislatures of the member states. S.8 of the Data Protection Act 2018 provides:
"In Article 6 (1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for—
(a) the administration of justice,
(b) the exercise of a function of either House of Parliament,
(c) the exercise of a function conferred on a person by an enactment or rule of law,
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or
(e) an activity that supports or promotes democratic engagement."
There are similar supplementary provisions on such matters as children's consent, special categories of personal data, powers to make regulations on the fees that can be charged by data controllers in exceptional circumstances, exemptions and transfers abroad.
Should anyone wish to discuss this article or data protection generally, he or she should call me on 020 7404 5252 during office hours or send me a message through my contact form.