Showing changes which would be effected by the Data Protection Bill (HL Bill 66, ordered, by the House of Lords, to be printed 13 September 2017)
General Data Protection Regulation Keeling Schedule
Showing changes which would be effected by the Data Protection Bill (Bill 153, ordered, by the House of Commons, to be printed, 18 January 2018)
This schedule has been prepared by the Department for Digital, Culture,
Media and Sport. It is intended for illustrative purposes only to assist the
reader of the Bill to understand the changes to the General Data
Protection Regulation ((EU) 2016/679), which would be made by
Schedule 6 to the Bill.
Note that Schedule 6 to the Bill only applies to data processing in the
course of an activity that is not subject to EU law. Where the activity is
subject to EU law the omissions, insertions and substitutions as set out
in this Keeling Schedule do not apply.
Notes
When the meaning of references to the GDPR, Union law and Member State law are modified by paragraphs 2 and 3 of Schedule 6 to the Bill, text is struck through and presented in blue text.
When text is omitted by Schedule 6 to the Bill, text is struck through and presented in red text.
When new text is inserted by Schedule 6 to the Bill, text is surrounded with square brackets and inserted in red text.
When existing text is substituted by Schedule 6 to the Bill, text to be replaced is struck through and presented in red text. The text replacing it is presented straight afterwards enclosed with square brackets and also in red text.
When the Bill exercises a relevant derogation, this is indicated in footnotes.
I
(Legislative acts)
REGULATIONS
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement
of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance)
CHAPTER I
General provisions
Article 1
Subject-matter and objectives
1.
This Regulation The applied GDPR lays down rules relating to the protection of natural persons with regard
to the processing of personal data and rules relating to the free movement of personal data.
2.
This Regulation The applied GDPR protects fundamental rights and freedoms of natural persons and in
particular their right to the protection of personal data.
3.
The free movement of personal data within the Union the United Kingdom shall be neither restricted nor
prohibited for reasons connected with the protection of natural persons with regard to the processing of
personal data.
Article 2
Material scope
1.
This Regulation applies to the processing of personal data wholly or partly by automated means and to the
processing other than by automated means of personal data which form part of a filing system or are intended
to form part of a filing system.
2.
This Regulation does not apply to the processing of personal data:
(a)
in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title
V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties, including the safeguarding against and
the prevention of threats to public security.
3.
For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC)
No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of
personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4.
This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the
liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
[This Regulation The applied GDPR applies to the processing of personal data to which Chapter 3 of Part 2 of the 2018
Act applies (see section 21 of that Act).]
Article 3
Territorial scope
1.
This Regulation applies to the processing of personal data in the context of the activities of an establishment
of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or
not.
2.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller
or processor not established in the Union, where the processing activities are related to:
(a)
the offering of goods or services, irrespective of whether a payment of the data subject is required,
to such data subjects in the Union; or
(b)
the monitoring of their behaviour as far as their behaviour takes place within the Union.
3.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in
a place where Member State law applies by virtue of public international law.
[Article 3
Territorial application
Section 200 of the 2018 Act has effect for the purposes of this Regulation the applied GDPR as it has effect for the
purposes of that Act but as if it were modified as follows -
(a)
references to “this Act” have effect as references to this Regulation the applied GDPR;
(b)
in subsection (1), omit “, subject to subsection (3)”;
(c)
in subsection (2), omit “, subject to subsection (4)”;
(d) omit subsections (3) to (5);
(e)
in subsection (7), omit “or section 59(8) or 105(3) of this Act (processor to be treated as controller in
certain circumstances).”]
Article 4
Definitions
For the purposes of this Regulation the applied GDPR:
(1)
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person;
(2)
‘processing’ means any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction;
(3)
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their
processing in the future;
(4)
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to
evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects
concerning that natural person's performance at work, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements;
(5)
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no
longer be attributed to a specific data subject without the use of additional information, provided that such
additional information is kept separately and is subject to technical and organisational measures to ensure
that the personal data are not attributed to an identified or identifiable natural person;
(6)
‘filing system’ means any structured set of personal data which are accessible according to specific criteria,
whether centralised, decentralised or dispersed on a functional or geographical basis;
(7)
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data; where the purposes and
means of such processing are determined by Union or Member State law, the controller or the specific
criteria for its nomination may be provided for by Union or Member State law [, subject to section 6 of the
2018 Act (meaning of “controller”)];1
[(7A) “the 2018 Act” means the Data Protection Act 2018 as applied by section 22 of that Act and further
modified by section 3 of that Act.]
(8)
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal
data on behalf of the controller;
1 Clause 6 of the Bill explains that when personal data is processed only for the purpose and
means for which it is required by legislation to be processed, the person who has the
obligation under that legislation to process the data is the controller. Clauses 202 and 203
clarify who is the controller when the personal data is processed by the Royal Household,
the Duchy of Lancaster, the Duchy of Cornwall, or either House of Parliament.
(9)
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal
data are disclosed, whether a third party or not. However, public authorities which may receive personal data
in the framework of a particular inquiry in accordance with Union or Member State law domestic law shall
not be regarded as recipients; the processing of those data by those public authorities shall be in compliance
with the applicable data protection rules according to the purposes of the processing;
(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject,
controller, processor and persons who, under the direct authority of the controller or processor, are authorised
to process personal data;
(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the
data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement
to the processing of personal data relating to him or her;
(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural
person which give unique information about the physiology or the health of that natural person and which
result, in particular, from an analysis of a biological sample from the natural person in question;
(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical,
physiological or behavioural characteristics of a natural person, which allow or confirm the unique
identification of that natural person, such as facial images or dactyloscopic data;
(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person,
including the provision of health care services, which reveal information about his or her health status;
(16) ‘main establishment’ means:
(a) as regards a controller with establishments in more than one Member State, the place of its central
administration in the Union, unless the decisions on the purposes and means of the processing of
personal data are taken in another establishment of the controller in the Union and the latter
establishment has the power to have such decisions implemented, in which case the establishment
having taken such decisions is to be considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central
administration in the Union, or, if the processor has no central administration in the Union, the
establishment of the processor in the Union where the main processing activities in the context of the
activities of an establishment of the processor take place to the extent that the processor is subject to
specific obligations under this Regulation;
(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or
processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective
obligations under this Regulation;
(18) ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form,
including partnerships or associations regularly engaged in an economic activity;
(19) ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
(20) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or
processor established on the territory of a Member State [in the United Kingdom] for transfers or a set of
transfers of personal data to a controller or processor in one or more third countries within a group of
undertakings, or group of enterprises engaged in a joint economic activity;
(21) ‘supervisory authority’ means an independent public authority which is established by a Member State [(other
than the United Kingdom)] pursuant to Article 51 [of the GDPR];2
[(21A) “the Commissioner” means the Information Commissioner (see section 114 of the 2018 Act);]
(22) ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of
personal data because:
(a)
the controller or processor is established on the territory of the Member State of that supervisory
authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected or
likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;
(23) ‘cross-border processing’ means either:
(a) processing of personal data which takes place in the context of the activities of establishments in
more than one Member State of a controller or processor in the Union where the controller or
processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment
of a controller or processor in the Union but which substantially affects or is likely to substantially
affect data subjects in more than one Member State.
(24) ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement
of this Regulation, or whether envisaged action in relation to the controller or processor complies with this
Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the
fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within
the Union;
(25) ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU)
2015/1535 of the European Parliament and of the Council (1);
(26) ‘international organisation’ means an organisation and its subordinate bodies governed by public international
law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
[(27) “the GDPR” has the meaning given in section 3(10) of the 2018 Act.]
[(28) “domestic law” has the meaning given in paragraph 3(3) of Schedule 6 to the 2018 Act.]3
(1) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the
provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p.
1).
2 Clause 115(1) of the Bill states that the supervisory authority in the United Kingdom is the
Information Commissioner.
3 Clause 7 of the Bill provides definitions of “public authority” and “public body” which are
not otherwise defined in the GDPR.
CHAPTER II
Principles
Article 5
Principles relating to processing of personal data
1.
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness,
fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that
is incompatible with those purposes; further processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes shall, in accordance with
Article 89(1) of the applied GDPR, not be considered to be incompatible with the initial purposes
(‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that
personal data that are inaccurate, having regard to the purposes for which they are processed, are
erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed; personal data may be stored for longer periods
insofar as the personal data will be processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of
the applied GDPR subject to implementation of the appropriate technical and organisational
measures required by this Regulation the applied GDPR in order to safeguard the rights and
freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental loss, destruction or damage,
using appropriate technical or organisational measures (‘integrity and confidentiality’).
2.
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1
(‘accountability’).
Article 6
Lawfulness of processing
1.
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a)
the data subject has given consent to the processing of his or her personal data for one or more specific
purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order
to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural
person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;4
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a
third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the data
subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the
performance of their tasks.
2.
Member States may maintain or introduce more specific provisions to adapt the application of the rules of this
Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining
more precisely specific requirements for the processing and other measures to ensure lawful and fair processing
including for other specific processing situations as provided for in Chapter IX.
3.
The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a)
Union law; or
(b)
Member State law to which the controller is subject.
[In addition to the provision made in section 15 of and Part 1 of Schedule 2 to the 2018 Act, a legal basis for
the processing referred to in point (c) and (e) of paragraph 1 may be laid down by the Secretary of State in
regulations (see section 16 of the 2018 Act).]
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to
in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or
in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to
adapt the application of rules of this Regulation the applied GDPR, inter alia: the general conditions governing
the lawfulness of processing by the controller; the types of data which are subject to the processing; the data
subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose
limitation; storage periods; and processing operations and processing procedures, including measures to ensure
lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX
of the applied GDPR. The Union or the Member State law shall [The regulations must] meet an objective of
public interest and be proportionate to the legitimate aim pursued.5
4.
Where the processing for a purpose other than that for which the personal data have been collected is not based
on the data subject's consent or on a Union or Member State law domestic law which constitutes a necessary
and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) of
the applied GDPR, the controller shall, in order to ascertain whether processing for another purpose is
compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a)
any link between the purposes for which the personal data have been collected and the purposes
of the intended further processing;
(b)
the context in which the personal data have been collected, in particular regarding the relationship
between data subjects and the controller;
(c)
the nature of the personal data, in particular whether special categories of personal data are
processed, pursuant to Article 9 of the applied GDPR, or whether personal data related to criminal
convictions and offences are processed, pursuant to Article 10 of the applied GDPR;
(d)
the possible consequences of the intended further processing for data subjects;
(e)
the existence of appropriate safeguards, which may include encryption or pseudonymisation.
4 Clause 8 of the Bill provides a non-exhaustive list of examples of processing carried out in
the public interest.
5 Part 1 of Schedule 2 to the Bill makes adaptations to the principles in Article 5(1)(a) and (b)
as permitted by Article 6(3). Clause 16(1)(a) contains a power to provide further adaptations
through regulations.
Article 7
Conditions for consent
1.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has
consented to processing of his or her personal data.
2.
If the data subject's consent is given in the context of a written declaration which also concerns other matters,
the request for consent shall be presented in a manner which is clearly distinguishable from the other matters,
in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration
which constitutes an infringement of this Regulation the applied GDPR shall not be binding.
3.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent
shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent,
the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the
performance of a contract, including the provision of a service, is conditional on consent to the processing of
personal data that is not necessary for the performance of that contract.
Article 8
Conditions applicable to child's consent in relation to information society services
1.
Where point (a) of Article 6(1) of the applied GDPR applies, in relation to the offer of information society
services directly to a child, the processing of the personal data of a child shall be lawful where the child is at
least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to
the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not
below 13 years. [This paragraph is subject to section 9 of the 2018 Act.]6
6 Clause 9 of the Bill sets the age at which a child can give consent to the processing of data
for the purposes of the provision of information society services at 13 years old.
2.
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the
holder of parental responsibility over the child, taking into consideration available technology.
3.
Paragraph 1 shall not affect the general contract law of Member States [the general law of contract as it operates
in domestic law] such as the rules on the validity, formation or effect of a contract in relation to a child.
Article 9
Processing of special categories of personal data
1.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of
uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or
sexual orientation shall be prohibited.
2.
Paragraph 1 shall not apply if one of the following applies:7
(a)
the data subject has given explicit consent to the processing of those personal data for one or more
specified purposes, except where Union or Member State law provide that the prohibition referred to
in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights
of the controller or of the data subject in the field of employment and social security and social
protection law in so far as it is authorised by Union or Member State law [domestic law (see section
10 of the 2018 Act)] or a collective agreement pursuant to Member State law domestic law providing
for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person
where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a
foundation, association or any other not-for-profit body with a political, philosophical, religious or
trade union aim and on condition that the processing relates solely to the members or to former
members of the body or to persons who have regular contact with it in connection with its purposes
and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts
are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member
State law which shall be proportionate to the aim pursued, respect the essence of the right to data
protection and provide for suitable and specific measures to safeguard the fundamental rights and the
interests of the data subject;
[(g) processing is necessary for reasons of substantial public interest and is authorised by domestic law
(see section 10 of the 2018 Act);]
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment
of the working capacity of the employee, medical diagnosis, the provision of health or social care or
treatment or the management of health or social care systems and services on the basis of Union or
Member State law [domestic law (see section 10 of the 2018 Act)] or pursuant to contract with a
health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting
against serious cross-border threats to health or ensuring high standards of quality and safety of health
care and of medicinal products or medical devices, on the basis of Union or Member State law
[domestic law (see section 10 of the 2018 Act)] which provides for suitable and specific measures to
safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State
law which shall be proportionate to the aim pursued, respect the essence of the right to data protection
and provide for suitable and specific measures to safeguard the fundamental rights and the interests
of the data subject.
[(j) processing is necessary for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1) of the applied GDPR (as supplemented
by section 19 of the 2018 Act) and is authorised by domestic law (see section 10 of that Act).]
7 Clause 10 and Schedule 1 to the Bill contains provision to permit the processing of special
categories of personal data in certain circumstances, and a power to amend Schedule 1
through regulations.
3.
Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph
2 when those data are processed by or under the responsibility of a professional subject to the obligation of
professional secrecy under Union or Member State law domestic law or rules established by national
competent bodies [a national competent body of the United Kingdom] or by another person also subject to an
obligation of secrecy under Union or Member State law domestic law or rules established by national
competent bodies [a national competent body of the United Kingdom].
4.
Member States may maintain or introduce further conditions, including limitations, with regard to the
processing of genetic data, biometric data or data concerning health.
Article 10
Processing of personal data relating to criminal convictions and offences
Processing of personal data relating to criminal convictions and offences or related security measures based on Article
6(1) of the applied GDPR shall be carried out only under the control of official authority or when the processing is
authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data
subjects [domestic law (see section 10 of the 2018 Act)]. Any comprehensive register of criminal convictions shall be
kept only under the control of official authority.8
8 Clause 10 and Schedule 1 to the Bill contains provision to permit the processing of criminal
conviction data in certain circumstances, and a power to amend Schedule 1 through
secondary legislation.
Article 11
Processing which does not require identification
1.
If the purposes for which a controller processes personal data do not or do no longer require the identification
of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional
information in order to identify the data subject for the sole purpose of complying with this Regulation the
applied GDPR.
2.
Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in
a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In
such cases, Articles 15 to 20 of the applied GDPR shall not apply except where the data subject, for the purpose
of exercising his or her rights under those articles, provides additional information enabling his or her
identification.
CHAPTER III
Rights of the data subject
Section 1
Transparency and modalities
Article 12
Transparent information, communication and modalities for the exercise of the rights of the data subject
1.
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 of
the applied GDPR and any communication under Articles 15 to 22 and 34 of the applied GDPR relating to
processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and
plain language, in particular for any information addressed specifically to a child. The information shall be
provided in writing, or by other means, including, where appropriate, by electronic means. When requested by
the data subject, the information may be provided orally, provided that the identity of the data subject is proven
by other means.
2.
The controller shall facilitate the exercise of data subject rights under Articles 15 to 22 of the applied GDPR.
In the cases referred to in Article 11(2) of the applied GDPR, the controller shall not refuse to act on the request
of the data subject for exercising his or her rights under Articles 15 to 22 of the applied GDPR, unless the
controller demonstrates that it is not in a position to identify the data subject.
3.
The controller shall provide information on action taken on a request under Articles 15 to 22 of the applied
GDPR to the data subject without undue delay and in any event within one month of receipt of the request.
That period may be extended by two further months where necessary, taking into account the complexity and
number of the requests. The controller shall inform the data subject of any such extension within one month
of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by
electronic form means, the information shall be provided by electronic means where possible, unless otherwise
requested by the data subject.
4.
If the controller does not take action on the request of the data subject, the controller shall inform the data
subject without delay and at the latest within one month of receipt of the request of the reasons for not taking
action and on the possibility of lodging a complaint with a supervisory authority the Commissioner and seeking
a judicial remedy.
5.
Information provided under Articles 13 and 14 of the applied GDPR and any communication and any actions
taken under Articles 15 to 22 and 34 of the applied GDPR shall be provided free of charge. Where requests
from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character,
the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or
communication or taking the action requested; or
(b)
refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the
request.9
6.
Without prejudice to Article 11 of the applied GDPR, where the controller has reasonable doubts concerning
the identity of the natural person making the request referred to in Articles 15 to 21 of the applied GDPR, the
controller may request the provision of additional information necessary to confirm the identity of the data
subject.
7.
The information to be provided to data subjects pursuant to Articles 13 and 14 of the applied GDPR may be
provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly
legible manner a meaningful overview of the intended processing. Where the icons are presented electronically
they shall be machine-readable.
8.
The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of
determining the information to be presented by the icons and the procedures for providing standardised icons.
Section 2
Information and access to personal data
Article 13
Information to be provided where personal data are collected from the data subject
1.
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the
time when personal data are obtained, provide the data subject with all of the following information:
(a)
the identity and the contact details of the controller and, where applicable, of the controller's
representative;
(b)
the contact details of the data protection officer, where applicable;
(c)
the purposes of the processing for which the personal data are intended as well as the legal basis for
the processing;
(d) where the processing is based on point (f) of Article 6(1) of the applied GDPR, the legitimate interests
pursued by the controller or by a third party;
(e)
the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or
international organisation and the existence or absence of an adequacy decision by the Commission
[pursuant to Article 45(3) of the GDPR], or in the case of transfers referred to in Article 46 or 47 of
the applied GDPR, or the second subparagraph of Article 49(1) of the applied GDPR, reference to
the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they
have been made available.
9 Clause 12 of the Bill provides a power for the Secretary of State to specify limits on the fees
that a controller may charge for manifestly unfounded or excessive requests for information
by a data subject.
2.
In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data
are obtained, provide the data subject with the following further information necessary to ensure fair and
transparent processing:
(a)
the period for which the personal data will be stored, or if that is not possible, the criteria used to
determine that period;
(b)
the existence of the right to request from the controller access to and rectification or erasure of
personal data or restriction of processing concerning the data subject or to object to processing as
well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) of the applied
GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness
of processing based on consent before its withdrawal;
(d)
the right to lodge a complaint with a supervisory authority the Commissioner;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement
necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal
data and of the possible consequences of failure to provide such data;
(f)
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4)
of the applied GDPR and, at least in those cases, meaningful information about the logic involved,
as well as the significance and the envisaged consequences of such processing for the data subject.
3.
Where the controller intends to further process the personal data for a purpose other than that for which the
personal data were collected, the controller shall provide the data subject prior to that further processing with
information on that other purpose and with any relevant further information as referred to in paragraph 2.
4.
Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Article 14
Information to be provided where personal data have not been obtained from the data subject
1.
Where personal data have not been obtained from the data subject, the controller shall provide the data subject
with the following information:
(a)
the identity and the contact details of the controller and, where applicable, of the controller's
representative;
(b)
the contact details of the data protection officer, where applicable;
(c)
the purposes of the processing for which the personal data are intended as well as the legal basis for
the processing;
(d)
the categories of personal data concerned;
(e)
the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country
or international organisation and the existence or absence of an adequacy decision by the
Commission [pursuant to Article 45(3) of the GDPR], or in the case of transfers referred to in Article
46 or 47 of the applied GDPR, or the second subparagraph of Article 49(1) of the applied GDPR,
reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where
they have been made available.
2.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the
following information necessary to ensure fair and transparent processing in respect of the data subject:
(a)
the period for which the personal data will be stored, or if that is not possible, the criteria used to
determine that period;
(b) where the processing is based on point (f) of Article 6(1) of the applied GDPR, the legitimate interests
pursued by the controller or by a third party;
(c)
the existence of the right to request from the controller access to and rectification or erasure of
personal data or restriction of processing concerning the data subject and to object to processing as
well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) of the applied GDPR or point (a) of Article
9(2) of the applied GDPR, the existence of the right to withdraw consent at any time, without
affecting the lawfulness of processing based on consent before its withdrawal;
(e)
the right to lodge a complaint with a supervisory authority the Commissioner;
(f)
from which source the personal data originate, and if applicable, whether it came from publicly
accessible sources;
(g)
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4)
of the applied GDPR and, at least in those cases, meaningful information about the logic involved,
as well as the significance and the envisaged consequences of such processing for the data subject.
3.
The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having
regard to the specific circumstances in which the personal data are processed;
(b)
if the personal data are to be used for communication with the data subject, at the latest at the time
of the first communication to that data subject; or
(c)
if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
4.
Where the controller intends to further process the personal data for a purpose other than that for which the
personal data were obtained, the controller shall provide the data subject prior to that further processing with
information on that other purpose and with any relevant further information as referred to in paragraph 2.
5.
Paragraphs 1 to 4 shall not apply where and insofar as:
(a)
the data subject already has the information;
(b)
the provision of such information proves impossible or would involve a disproportionate effort, in
particular for processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1)
of the applied GDPR or in so far as the obligation referred to in paragraph 1 of this Article is likely
to render impossible or seriously impair the achievement of the objectives of that processing. In such
cases the controller shall take appropriate measures to protect the data subject's rights and freedoms
and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller
is subject [a rule of domestic law] and which provides appropriate measures to protect the data
subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy
regulated by Union or Member State law domestic law, including a statutory obligation of secrecy.
Article 15
Right of access by the data subject
1.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal
data concerning him or her are being processed, and, where that is the case, access to the personal data and the
following information:
(a)
the purposes of the processing;
(b)
the categories of personal data concerned;
(c)
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in
particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible,
the criteria used to determine that period;
(e)
the existence of the right to request from the controller rectification or erasure of personal data or
restriction of processing of personal data concerning the data subject or to object to such processing;
(f)
the right to lodge a complaint with a supervisory authority the Commissioner;
(g) where the personal data are not collected from the data subject, any available information as to their
source;
(h)
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4)
of the applied GDPR and, at least in those cases, meaningful information about the logic involved,
as well as the significance and the envisaged consequences of such processing for the data subject.
2.
Where personal data are transferred to a third country or to an international organisation, the data subject shall
have the right to be informed of the appropriate safeguards pursuant to Article 46 of the applied GDPR relating
to the transfer.
3.
The controller shall provide a copy of the personal data undergoing processing. For any further copies
requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where
the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the
information shall be provided in a commonly used electronic form.10
4.
The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
10 Clause 12 of the Bill provides a power for the Secretary of State to specify limits on the
fees that a controller may charge for the provision of further copies of information already
provided.
Section 3
Rectification and erasure
Article 16
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate
personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the
right to have incomplete personal data completed, including by means of providing a supplementary statement.
Article 17
Right to erasure (‘right to be forgotten’)
1.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him
or her without undue delay and the controller shall have the obligation to erase personal data without undue
delay where one of the following grounds applies:
(a)
the personal data are no longer necessary in relation to the purposes for which they were collected or
otherwise processed;
(b)
the data subject withdraws consent on which the processing is based according to point (a) of Article
6(1) of the applied GDPR, or point (a) of Article 9(2) of the applied GDPR, and where there is no
other legal ground for the processing;
(c)
the data subject objects to the processing pursuant to Article 21(1) of the applied GDPR and there
are no overriding legitimate grounds for the processing, or the data subject objects to the processing
pursuant to Article 21(2) of the applied GDPR;
(d)
the personal data have been unlawfully processed;
(e)
the personal data have to be erased for compliance with a legal obligation in Union or Member State
law to which the controller is subject [under domestic law];
(f)
the personal data have been collected in relation to the offer of information society services referred
to in Article 8(1) of the applied GDPR.
2.
Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the
personal data, the controller, taking account of available technology and the cost of implementation, shall take
reasonable steps, including technical measures, to inform controllers which are processing the personal data
that the data subject has requested the erasure by such controllers of any links to, or copy or replication of,
those personal data.
3.
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a)
for exercising the right of freedom of expression and information;
(b)
for compliance with a legal obligation which requires processing by Union or Member State law to
which the controller is subject [under domestic law] or for the performance of a task carried out in
the public interest or in the exercise of official authority vested in the controller;
(c)
for reasons of public interest in the area of public health in accordance with points (h) and (i) of
Article 9(2) as well as Article 9(3) of the applied GDPR;
(d)
for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with Article 89(1) of the applied GDPR in so far as the right referred to in
paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of
that processing; or
(e)
for the establishment, exercise or defence of legal claims.
Article 18
Right to restriction of processing
1.
The data subject shall have the right to obtain from the controller restriction of processing where one of the
following applies:
(a)
the accuracy of the personal data is contested by the data subject, for a period enabling the controller
to verify the accuracy of the personal data;
(b)
the processing is unlawful and the data subject opposes the erasure of the personal data and requests
the restriction of their use instead;
(c)
the controller no longer needs the personal data for the purposes of the processing, but they are
required by the data subject for the establishment, exercise or defence of legal claims;
(d)
the data subject has objected to processing pursuant to Article 21(1) of the applied GDPR pending
the verification whether the legitimate grounds of the controller override those of the data subject.
2.
Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage,
only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims
or for the protection of the rights of another natural or legal person or for reasons of important public interest
of the Union or of a Member State [of the United Kingdom].
3.
A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the
controller before the restriction of processing is lifted.
Article 19
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in
accordance with Article 16, Article 17(1) and Article 18 of the applied GDPR to each recipient to whom the personal
data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform
the data subject about those recipients if the data subject requests it.
Article 20
Right to data portability
1.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has
provided to a controller, in a structured, commonly used and machine-readable format and have the right to
transmit those data to another controller without hindrance from the controller to which the personal data have
been provided, where:
(a)
the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of
the applied GDPR or on a contract pursuant to point (b) of Article 6(1) of the applied GDPR; and
(b)
the processing is carried out by automated means.
2.
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to
have the personal data transmitted directly from one controller to another, where technically feasible.
3.
The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of
the applied GDPR. That right shall not apply to processing necessary for the performance of a task carried out
in the public interest or in the exercise of official authority vested in the controller.
4.
The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Section 4
Right to object and automated individual decision-making
Article 21
Right to object
1.
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time
to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the
applied GDPR, including profiling based on those provisions. The controller shall no longer process the
personal data unless the controller demonstrates compelling legitimate grounds for the processing which
override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of
legal claims.
2.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object
at any time to processing of personal data concerning him or her for such marketing, which includes profiling
to the extent that it is related to such direct marketing.
3.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer
be processed for such purposes.
4.
At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1
and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately
from any other information.
5.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data
subject may exercise his or her right to object by automated means using technical specifications.
6.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant
to Article 89(1) of the applied GDPR, the data subject, on grounds relating to his or her particular situation,
shall have the right to object to processing of personal data concerning him or her, unless the processing is
necessary for the performance of a task carried out for reasons of public interest.
Article 22
Automated individual decision-making, including profiling
1.
The data subject shall have the right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal effects concerning him or her or similarly significantly affects him
or her.
2.
Paragraph 1 shall not apply if the decision:
(a)
is necessary for entering into, or performance of, a contract between the data subject and a data
controller;
(b)
is authorised by Union or Member State law to which the controller is subject and which also lays
down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;
or
[(b) is a “qualifying significant decision” for the purposes of section 14 of the 2018 Act; or]11
(c)
is based on the data subject's explicit consent.
3.
In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable
measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain
human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4.
Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in
Article 9(1) of the applied GDPR, unless point (a) or (g) of Article 9(2) of the applied GDPR applies and
suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
11 Clause 14 of the Bill provides additional safeguards that apply where the automated
decision-making is authorised by law to which the data controller is subject.
Section 5
Restrictions
Article 23
Restrictions
1.
Union or Member State law to which the data controller or processor is subject [In addition to the provision
made by section 15 of and Schedules 2, 3 and 4 to the 2018 Act, the Secretary of State] may restrict by way of
a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 of the applied
GDPR and Article 34 of the applied GDPR, as well as Article 5 of the applied GDPR in so far as its provisions
correspond to the rights and obligations provided for in Articles 12 to 22 of the applied GDPR, when such a
restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate
measure in a democratic society to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d)
the prevention, investigation, detection or prosecution of criminal offences or the execution of
criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State [of the United
Kingdom], in particular an important economic or financial interest of the Union or of a Member
State [of the United Kingdom], including monetary, budgetary and taxation matters, public health
and social security;
(f)
the protection of judicial independence and judicial proceedings;
(g)
the prevention, investigation, detection and prosecution of breaches of ethics for regulated
professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of
official authority in the cases referred to in points (a) to (e) and (g);
(i)
the protection of the data subject or the rights and freedoms of others;
(j)
the enforcement of civil law claims.
[See section 16 of the 2018 Act.]12
2.
In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least,
where relevant, as to:
(a)
the purposes of the processing or categories of processing;
(b)
the categories of personal data;
(c)
the scope of the restrictions introduced;
12 Clause 15, Parts 1 to 4 of Schedule 2, Schedule 3 and Schedule 4 to the Bill provide
restrictions on data subjects’ rights. Clause 16(1)(b) contains a power to make further
restrictions through regulations.
(d)
the safeguards to prevent abuse or unlawful access or transfer;
(e)
the specification of the controller or categories of controllers;
(f)
the storage periods and the applicable safeguards taking into account the nature, scope and purposes
of the processing or categories of processing;
(g)
the risks to the rights and freedoms of data subjects; and
(h)
the right of data subjects to be informed about the restriction, unless that may be prejudicial to the
purpose of the restriction.
CHAPTER IV
Controller and processor
Section 1
General obligations
Article 24
Responsibility of the controller
1.
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying
likelihood and severity for the rights and freedoms of natural persons, the controller shall implement
appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is
performed in accordance with this Regulation the applied GDPR. Those measures shall be reviewed and
updated where necessary.
2.
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include
the implementation of appropriate data protection policies by the controller.
3.
Adherence to approved codes of conduct as referred to in Article 40 of the applied GDPR or approved
certification mechanisms as referred to in Article 42 of the applied GDPR may be used as an element by which
to demonstrate compliance with the obligations of the controller.
Article 25
Data protection by design and by default
1.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes
of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons
posed by the processing, the controller shall, both at the time of the determination of the means for processing
and at the time of the processing itself, implement appropriate technical and organisational measures, such as
pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in
an effective manner and to integrate the necessary safeguards into the processing in order to meet the
requirements of this Regulation the applied GDPR and protect the rights of data subjects.
2.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default,
only personal data which are necessary for each specific purpose of the processing are processed. That
obligation applies to the amount of personal data collected, the extent of their processing, the period of their
storage and their accessibility. In particular, such measures shall ensure that by default personal data are not
made accessible without the individual's intervention to an indefinite number of natural persons.
3.
An approved certification mechanism pursuant to Article 42 of the applied GDPR may be used as an element
to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Article 26
Joint controllers
1.
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint
controllers. They shall in a transparent manner determine their respective responsibilities for compliance with
the obligations under this Regulation the applied GDPR, in particular as regards the exercising of the rights of
the data subject and their respective duties to provide the information referred to in Articles 13 and 14 of the
applied GDPR, by means of an arrangement between them unless, and in so far as, the respective
responsibilities of the controllers are determined by Union or Member State law to which the controllers are
subject [domestic law]. The arrangement may designate a contact point for data subjects.
2.
The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint
controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data
subject.
3.
Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her
rights under this Regulation the applied GDPR in respect of and against each of the controllers.
Article 27
Representatives of controllers or processors not established in the Union
1.
Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the
Union.
2.
The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories
of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions
and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of
natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.
3.
The representative shall be established in one of the Member States where the data subjects, whose personal
data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored,
are.
4.
The representative shall be mandated by the controller or processor to be addressed in addition to or instead of
the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related
to processing, for the purposes of ensuring compliance with this Regulation.
5.
The designation of a representative by the controller or processor shall be without prejudice to legal actions
which could be initiated against the controller or the processor themselves.
Article 28
Processor
1.
Where processing is to be carried out on behalf of a controller, the controller shall use only processors
providing sufficient guarantees to implement appropriate technical and organisational measures in such a
manner that processing will meet the requirements of this Regulation the applied GDPR and ensure the
protection of the rights of the data subject.
2.
The processor shall not engage another processor without prior specific or general written authorisation of the
controller. In the case of general written authorisation, the processor shall inform the controller of any intended
changes concerning the addition or replacement of other processors, thereby giving the controller the
opportunity to object to such changes.
3.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law
domestic law, that is binding on the processor with regard to the controller and that sets out the subject-matter
and duration of the processing, the nature and purpose of the processing, the type of personal data and
categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall
stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller, including with
regard to transfers of personal data to a third country or an international organisation, unless required
to do so by Union or Member State law to which the processor is subject [domestic law]; in such a
case, the processor shall inform the controller of that legal requirement before processing, unless that
law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to
confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32 of the applied GDPR;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and
organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to
respond to requests for exercising the data subject's rights laid down in Chapter III of the applied
GDPR;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the
applied GDPR taking into account the nature of processing and the information available to the
processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of
the provision of services relating to processing, and deletes existing copies unless Union or Member
State law domestic law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the
obligations laid down in this Article and allow for and contribute to audits, including inspections,
conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in
its opinion, an instruction infringes this Regulation the applied GDPR or other Union or Member State data
protection provisions [any other rule of domestic law relating to data protection].
4.
Where a processor engages another processor for carrying out specific processing activities on behalf of the
controller, the same data protection obligations as set out in the contract or other legal act between the
controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a
contract or other legal act under Union or Member State law domestic law, in particular providing sufficient
guarantees to implement appropriate technical and organisational measures in such a manner that the
processing will meet the requirements of this Regulation the applied GDPR. Where that other processor fails
to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the
performance of that other processor's obligations.
5.
Adherence of a processor to an approved code of conduct as referred to in Article 40 of the applied GDPR or
an approved certification mechanism as referred to in Article 42 of the applied GDPR may be used as an
element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6.
Without prejudice to an individual contract between the controller and the processor, the contract or the other
legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard
contractual clauses referred to in paragraphs 7 and 8 [paragraph 8] of this Article, including when they are part
of a certification granted to the controller or processor pursuant to Articles 42 and 43 of the applied GDPR.
7.
The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4
of this Article and in accordance with the examination procedure referred to in Article 93(2).
8.
A supervisory authority The Commissioner may adopt standard contractual clauses for the matters referred to
in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article
63.
9.
The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic
form.
10.
Without prejudice to Articles 82, 83 and 84 of the applied GDPR, if a processor infringes this Regulation the
applied GDPR by determining the purposes and means of processing, the processor shall be considered to be
a controller in respect of that processing.
Article 29
Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal
data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member
State law domestic law.
Article 30
Records of processing activities
1.
Each controller and, where applicable, the controller's representative, shall maintain a record of processing
activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the
controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including
recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation,
including the identification of that third country or international organisation and, in the case of
transfers referred to in the second subparagraph of Article 49(1) of the applied GDPR, the
documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred
to in Article 32(1) of the applied GDPR [or section 28(3) of the 2018 Act].
2.
Each processor and, where applicable, the processor's representative shall maintain a record of all categories
of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which
the processor is acting, and, where applicable, of the controller's or the processor's representative,
and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation,
including the identification of that third country or international organisation and, in the case of
transfers referred to in the second subparagraph of Article 49(1) of the applied GDPR, the
documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures referred
to in Article 32(1) of the applied GDPR [or section 28(3) of the 2018 Act].
3.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4.
The controller or the processor and, where applicable, the controller's or the processor's representative, shall
make the record available to the supervisory authority the Commissioner on request.
5.
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing
fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms
of data subjects, the processing is not occasional, or the processing includes special categories of data as
referred to in Article 9(1) of the applied GDPR or personal data relating to criminal convictions and offences
referred to in Article 10 of the applied GDPR.
Article 31
Cooperation with the supervisory authority the Commissioner
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the
supervisory authority the Commissioner in the performance of its tasks.
Section 2
Security of personal data
Article 32
Security of processing
1.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes
of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural
persons, the controller and the processor shall implement appropriate technical and organisational measures to
ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing
systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a
physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing.
2.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented
by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure
of, or access to personal data transmitted, stored or otherwise processed.
3.
Adherence to an approved code of conduct as referred to in Article 40 of the applied GDPR or an approved
certification mechanism as referred to in Article 42 of the applied GDPR may be used as an element by which
to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the
controller or the processor who has access to personal data does not process them except on instructions from
the controller, unless he or she is required to do so by Union or Member State law domestic law.
Article 33
Notification of a personal data breach to the supervisory authority the Commissioner
1.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later
than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority
competent in accordance with Article 55 the Commissioner, unless the personal data breach is unlikely to
result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority
the Commissioner is not made within 72 hours, it shall be accompanied by reasons for the delay.
2.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3.
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and
approximate number of data subjects concerned and the categories and approximate number of
personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point
where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data
breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be
provided in phases without undue further delay.
5.
The controller shall document any personal data breaches, comprising the facts relating to the personal data
breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority the
Commissioner to verify compliance with this Article.
Article 34
Communication of a personal data breach to the data subject
1.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons,
the controller shall communicate the personal data breach to the data subject without undue delay.
2.
The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and
plain language the nature of the personal data breach and contain at least the information and measures referred
to in points (b), (c) and (d) of Article 33(3) of the applied GDPR.
3.
The communication to the data subject referred to in paragraph 1 shall not be required if any of the following
conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and
those measures were applied to the personal data affected by the personal data breach, in particular
those that render the personal data unintelligible to any person who is not authorised to access it, such
as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and
freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication
or similar measure whereby the data subjects are informed in an equally effective manner.
4.
If the controller has not already communicated the personal data breach to the data subject, the supervisory
authority the Commissioner, having considered the likelihood of the personal data breach resulting in a high
risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Section 3
Data protection impact assessment and prior consultation
Article 35
Data protection impact assessment
1.
Where a type of processing in particular using new technologies, and taking into account the nature, scope,
context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural
persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged
processing operations on the protection of personal data. A single assessment may address a set of similar
processing operations that present similar high risks.
2.
The controller shall seek the advice of the data protection officer, where designated, when carrying out a data
protection impact assessment.
3.
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based
on automated processing, including profiling, and on which decisions are based that produce legal
effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1) of the applied
GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of
the applied GDPR; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
4.
The supervisory authority shall establish and make public a list of the kind of processing operations which are
subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory
authority shall communicate those lists to the Board referred to in Article 68.
5.
The supervisory authority may also establish and make public a list of the kind of processing operations for
which no data protection impact assessment is required. The supervisory authority shall communicate those
lists to the Board.
6.
Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall
apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which
are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several
Member States, or may substantially affect the free movement of personal data within the Union.
7.
The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the
processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the
purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1;
and
(d) the measures envisaged to address the risks, including safeguards, security measures and
mechanisms to ensure the protection of personal data and to demonstrate compliance with this
Regulation the applied GDPR taking into account the rights and legitimate interests of data
subjects and other persons concerned.
8.
Compliance with approved codes of conduct referred to in Article 40 of the applied GDPR by the relevant
controllers or processors shall be taken into due account in assessing the impact of the processing operations
performed by such controllers or processors, in particular for the purposes of a data protection impact
assessment.
9.
Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended
processing, without prejudice to the protection of commercial or public interests or the security of processing
operations.
10.
Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the
Member State to which the controller is subject, that law regulates the specific processing operation or set of
operations in question, and a data protection impact assessment has already been carried out as part of a general
impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless
Member States deem it to be necessary to carry out such an assessment prior to processing activities.
11.
Where necessary, the controller shall carry out a review to assess if processing is performed in accordance
with the data protection impact assessment at least when there is a change of the risk represented by processing
operations.
Article 36
Prior consultation
1.
The controller shall consult the supervisory authority the Commissioner prior to processing where a data
protection impact assessment under Article 35 of the applied GDPR indicates that the processing would result
in a high risk in the absence of measures taken by the controller to mitigate the risk.
2.
Where the supervisory authority the Commissioner is of the opinion that the intended processing referred to
in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified
or mitigated the risk, the supervisory authority the Commissioner shall, within a period of up to eight weeks of
receipt of the request for consultation, provide written advice to the controller and, where applicable to the
processor, and may use any of its powers referred to in Article 58 of the applied GDPR. That period may be
extended by six weeks, taking into account the complexity of the intended processing. The supervisory
authority The Commissioner shall inform the controller and, where applicable, the processor, of any such
extension within one month of receipt of the request for consultation together with the reasons for the delay.
Those periods may be suspended until the supervisory authority has obtained information it has requested for
the purposes of the consultation.
3.
When consulting the supervisory authority the Commissioner pursuant to paragraph 1, the controller shall
provide the supervisory authority the Commissioner with:
(a) where applicable, the respective responsibilities of the controller, joint controllers and processors
involved in the processing, in particular for processing within a group of undertakings;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to
this Regulation the applied GDPR;
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment provided for in Article 35 of the applied GDPR; and
(f) any other information requested by the supervisory authority the Commissioner.
4.
Member States shall consult the supervisory authority during the preparation of a proposal for a legislative
measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure,
which relates to processing.
[4. The Secretary of State must consult the Commissioner during the preparation of any proposal for a legislative
measure which relates to processing.]
5.
Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior
authorisation from, the supervisory authority in relation to processing by a controller for the performance of a
task carried out by the controller in the public interest, including processing in relation to social protection and
public health.
Section 4
Data protection officer
Article 37
Designation of the data protection officer
1.
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial
capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue
of their nature, their scope and/or their purposes, require regular and systematic monitoring of data
subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special
categories of data pursuant to Article 9 of the applied GDPR and personal data relating to criminal
convictions and offences referred to in Article 10 of the applied GDPR.
2.
A group of undertakings may appoint a single data protection officer provided that a data protection officer is
easily accessible from each establishment.
3.
Where the controller or the processor is a public authority or body, a single data protection officer may be
designated for several such authorities or bodies, taking account of their organisational structure and size.
4.
In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies
representing categories of controllers or processors may or, where required by Union or Member State law
shall, designate a data protection officer. The data protection officer may act for such associations and other
bodies representing controllers or processors.
5.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert
knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the
applied GDPR.
6.
The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis
of a service contract.
7.
The controller or the processor shall publish the contact details of the data protection officer and communicate
them to the supervisory authority the Commissioner.
Article 38
Position of the data protection officer
1.
The controller and the processor shall ensure that the data protection officer is involved, properly and in a
timely manner, in all issues which relate to the protection of personal data.
2.
The controller and processor shall support the data protection officer in performing the tasks referred to in
Article 39 of the applied GDPR by providing resources necessary to carry out those tasks and access to personal
data and processing operations, and to maintain his or her expert knowledge.
3.
The controller and processor shall ensure that the data protection officer does not receive any instructions
regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the
processor for performing his tasks. The data protection officer shall directly report to the highest management
level of the controller or the processor.
4.
Data subjects may contact the data protection officer with regard to all issues related to processing of their
personal data and to the exercise of their rights under this Regulation the applied GDPR.
5.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or
her tasks, in accordance with Union or Member State law domestic law.
6.
The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any
such tasks and duties do not result in a conflict of interests.
Article 39
Tasks of the data protection officer
1.
The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of
their obligations pursuant to this Regulation the applied GDPR and to other Union or Member State
data protection provisions [other rules of domestic law relating to data protection];
(b) to monitor compliance with this Regulation the applied GDPR, with other Union or Member State
data protection provisions [other rules of domestic law relating to data protection] and with the
policies of the controller or processor in relation to the protection of personal data, including the
assignment of responsibilities, awareness-raising and training of staff involved in processing
operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its
performance pursuant to Article 35 of the applied GDPR;
(d) to cooperate with the supervisory authority the Commissioner;
(e) to act as the contact point for the supervisory authority the Commissioner on issues relating to
processing, including the prior consultation referred to in Article 36 of the applied GDPR, and to
consult, where appropriate, with regard to any other matter.
2.
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated
with processing operations, taking into account the nature, scope, context and purposes of processing.
Section 5
Codes of conduct and certification
Article 40
Codes of conduct
1.
The Member States, the supervisory authorities, the Board and the Commission shall [The Commissioner
must] encourage the drawing up of codes of conduct intended to contribute to the proper application of this
Regulation the applied GDPR, taking account of the specific features of the various processing sectors and the
specific needs of micro, small and medium-sized enterprises.
2.
Associations and other bodies representing categories of controllers or processors may prepare codes of
conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation the
applied GDPR, such as with regard to:
(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of
the holders of parental responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 of the applied GDPR and the
measures to ensure security of processing referred to in Article 32 of the applied GDPR;
(i) the notification of personal data breaches to supervisory authorities the Commissioner and the
communication of such personal data breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between
controllers and data subjects with regard to processing, without prejudice to the rights of data
subjects pursuant to Articles 77 and 79 of the applied GDPR.
3.
In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved
pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may
also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in
order to provide appropriate safeguards within the framework of personal data transfers to third countries or
international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or
processors shall make binding and enforceable commitments, via contractual or other legally binding
instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
4.
A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body
referred to in Article 41(1) of the applied GDPR to carry out the mandatory monitoring of compliance with its
provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and
powers of supervisory authorities competent pursuant to Article 55 or 56 the Commissioner.
5.
Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of
conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the
supervisory authority which is competent pursuant to Article 55 the Commissioner. The supervisory authority
The Commissioner shall provide an opinion on whether the draft code, amendment or extension complies with
this Regulation the applied GDPR and shall approve that draft code, amendment or extension if it finds that it
provides sufficient appropriate safeguards.
6.
Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the
code of conduct concerned does not relate to processing activities in several Member States, the supervisory
authority the Commissioner shall register and publish the code.
7.
Where a draft code of conduct relates to processing activities in several Member States, the supervisory
authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or
extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on
whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to
in paragraph 3 of this Article, provides appropriate safeguards.
8.
Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies