Jane Lambert |
The term the "applied GDPR" is defined by s.3 (11) of the Data Protection Act 2018 as the GDPR as applied by Chapter 3 of Part 2 of the Act. According to s.4 (3) Chapter 3 applies to certain types of processing of personal data to which the GDPR does not apply and makes provision for a regime broadly equivalent to the GDPR to apply to such processing. S.22 (1) of the Act provides that the GDPR applies to the processing of personal data to which Chapter 3 applies as if its articles were part of an Act of Parliament.
Processing to which Chapter 3 applies
S.21 provides that Chapter 3 applies to:
- automated or structured processing of personal data in the course of an activity that:
- falls outside the scope of EU law; or
- is carried out by a member state in relation to the EU's common foreign and security policy but does not fall within law enforcement as that is covered by Part 3 or processing by intelligence services which is covered by Part 4 (s.21 (1)); and
- manual unstructured processing of personal data held by certain public authorities (s.21 (2)).
S.22 (1) extends the GDPR to the processing of personal data to which Chapter 3 applies as if the GDPR's articles were part of an Act of Parliament for the whole UK. The explanatory note explains that Chapter 3 applies to manual unstructured processing of personal data held by certain public authorities because such processing was regulated by the Data Protection Act 1998 but not by the GDPR. The public authorities concerned are defined by s.21 (5) as public authorities as defined by the Freedom of Information Act 2000 or Scottish public authorities as defined by the Freedom of Information (Scotland) Act 2002.
Modifications to the GDPR
The GDPR that apply to the processing to which Chapter 3 applies are modified by Part I of Sched. 6 to the Act. That part consists of 72 paragraphs most of which modify articles of the GDPR. For instance, art 2 of the GDPR provides:
"Material scope1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.2. This Regulation does not apply to the processing of personal data:(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive."
Para 7 substitutes the following provision for art 2 of the GDPR in relation to the processing to which Chapter 3 applies:
As I noted in The Relationship between the Data Protection Act 2018 and the GDPR 20 June 2018, S.4 (2) of the Act provides for Chapter 2 of Part 2 to applies to the types of processing of personal data to which the GDPR applies by virtue of art 2 of the GDPR. I discussed the provisions of Chapter 2 in my article. Chapter 2 also applies to the applied GDPR as it applies to the GDPR by virtue of s.22 (2) but Part 2 of Sched. 6 modifies Chapter 2 of Part 2 in respect of those applied GDPR pursuant to s.22 (4) (b).
“2 This Regulation applies to the processing of personal data to which Chapter 3 of Part 2 of the 2018 Act applies (see section 21 of that Act).”Supplementary Provisions
As I noted in The Relationship between the Data Protection Act 2018 and the GDPR 20 June 2018, S.4 (2) of the Act provides for Chapter 2 of Part 2 to applies to the types of processing of personal data to which the GDPR applies by virtue of art 2 of the GDPR. I discussed the provisions of Chapter 2 in my article. Chapter 2 also applies to the applied GDPR as it applies to the GDPR by virtue of s.22 (2) but Part 2 of Sched. 6 modifies Chapter 2 of Part 2 in respect of those applied GDPR pursuant to s.22 (4) (b).
Interpretation of the Applied GDPR
S.22 (5) of the Act provides:
S.22 (5) of the Act provides:
"A question as to the meaning or effect of a provision of the applied GDPR, or the applied Chapter 2 , is to be determined consistently with the interpretation of the equivalent provision of the GDPR, or Chapter 2 of this Part, as it applies otherwise than by virtue of this Chapter, except so far as Schedule 6 requires a different interpretation."Rule Making Powers
S.23 (1) enables the Secretary of State to make regulations in relation to the processing of personal data to which Chapter 3 applies.
Manual Unstructured Data
S.24 makes certain modifications to the applied GDPR in relation to unstructured data held by public authorities as defined by the Freedom of Information Act 2000 or Scottish public authorities as defined by the Freedom of Information (Scotland) Act 2002.
Exemptions
Exemptions are made for manual unstructured data used in longstanding historical research by virtue of s.25, and national security and defence pursuant to s.26, s.27 and s.28.
Further Information
Anyone wishing to discuss this article or data protection generally should call me during office hours on +44 (0)20 7404 5252 or send me a message through my contact form.