Data Protection Act 2018 DATA PROTECTION ACT 2018 CHAPTER 12 Explanatory Notes have been produced to assist in the understanding of this Act and are available separately Published by TSO (The Stationery Office), part of Williams Lea Tag, and available from: Online www.tsoshop.co.uk Mail, Telephone, Fax & E-mail TSO PO Box 29, Norwich, NR3 1GN Telephone orders/General enquiries: 0333 202 5070 Fax orders: 0333 202 5080 E-mail: customer.services@tso.co.uk Textphone: 0333 202 5077 £39.25 TSO@Blackwell and other Accredited Agents ukpgacvr_20180012_en.indd 1 24/05/2018 10:47 Data Protection Act 2018 CHAPTER 12 CONTENTS PART 1 PRELIMINARY 1 2 3 Overview Protection of personal data Terms relating to the processing of personal data PART 2 GENERAL PROCESSING CHAPTER 1 SCOPE AND DEFINITIONS 4 5 Processing to which this Part applies Definitions CHAPTER 2 THE GDPR Meaning of certain terms used in the GDPR 6 7 Meaning of “controller” Meaning of “public authority” and “public body” Lawfulness of processing 8 9 Lawfulness of processing: public interest etc Child’s consent in relation to information society services ii Data Protection Act 2018 (c. 12) Special categories of personal data 10 11 Special categories of personal data and criminal convictions etc data Special categories of personal data etc: supplementary Rights of the data subject 12 13 14 Limits on fees that may be charged by controllers Obligations of credit reference agencies Automated decision-making authorised by law: safeguards Restrictions on data subject's rights 15 16 Exemptions etc Power to make further exemptions etc by regulations Accreditation of certification providers 17 Accreditation of certification providers Transfers of personal data to third countries etc 18 Transfers of personal data to third countries etc Specific processing situations 19 Processing for archiving, research and statistical purposes: safeguards Minor definition 20 Meaning of “court” CHAPTER 3 OTHER GENERAL PROCESSING Scope 21 Processing to which this Chapter applies Application of the GDPR 22 23 Application of the GDPR to processing to which this Chapter applies Power to make provision in consequence of regulations related to the GDPR Exemptions etc 24 25 26 27 28 Manual unstructured data held by FOI public authorities Manual unstructured data used in longstanding historical research National security and defence exemption National security: certificate National security and defence: modifications to Articles 9 and 32 of the applied GDPR iii Data Protection Act 2018 (c. 12) PART 3 LAW ENFORCEMENT PROCESSING CHAPTER 1 SCOPE AND DEFINITIONS Scope 29 Processing to which this Part applies Definitions 30 31 32 33 Meaning of “competent authority” “The law enforcement purposes” Meaning of “controller” and “processor” Other definitions CHAPTER 2 PRINCIPLES 34 35 36 37 38 39 40 41 42 Overview and general duty of controller The first data protection principle The second data protection principle The third data protection principle The fourth data protection principle The fifth data protection principle The sixth data protection principle Safeguards: archiving Safeguards: sensitive processing CHAPTER 3 RIGHTS OF THE DATA SUBJECT Overview and scope 43 Overview and scope Information: controller's general duties 44 Information: controller’s general duties Data subject's right of access 45 Right of access by the data subject Data subject's rights to rectification or erasure etc 46 47 48 Right to rectification Right to erasure or restriction of processing Rights under section 46 or 47: supplementary iv Data Protection Act 2018 (c. 12) Automated individual decision-making 49 50 Right not to be subject to automated decision-making Automated decision-making authorised by law: safeguards Supplementary 51 52 53 54 Exercise of rights through the Commissioner Form of provision of information etc Manifestly unfounded or excessive requests by the data subject Meaning of “applicable time period” CHAPTER 4 CONTROLLER AND PROCESSOR Overview and scope 55 Overview and scope General obligations 56 57 58 59 60 61 62 63 64 65 General obligations of the controller Data protection by design and default Joint controllers Processors Processing under the authority of the controller or processor Records of processing activities Logging Co-operation with the Commissioner Data protection impact assessment Prior consultation with the Commissioner Obligations r