We are currently consulting on this draft guidance.
| UK GDPR | Part 3 DPA 2018: Law Enforcement processing | Part 4 DPA 2018: Intelligence Services processing | |
| The principles of processing |
✔ Articles 5-11 |
✔ Sections 34-42 |
✔ Sections 85-91 |
| Data subject rights | ✔ Articles 12-22 |
✔ Sections 43-54 |
✔ Sections 92-100 |
| Obligations imposed on controllers or processors | ✔ Articles 25-39 |
✔ Section 64 or Section 65 |
✘ |
| The requirement to communicate a personal data breach to the Commissioner or a data subject | ✔ Articles 33-34 |
✔ Section 67 or Section 68 |
✔ Section 108 |
| The principles for transfers of personal data to third countries, non-Convention countries and international organisations | ✔ Articles 44-49 |
✔ Sections 73-78 |
✔ Sections 73-78 |
| Specific failures of a monitoring body (monitoring approved code of conduct) 99 | ✔ | N/A | N/A |
| Specific failures of a certification provider 100 |
✔ |
N/A | N/A |
| A failure to comply with regulations under section 137 DPA 2018 |
✔ |
✔ | ✔ |
| A failure to comply with the terms of an information notice, assessment notice or enforcement notice 101 |
✔ |
✔ | ✔ |
99 s149(3) DPA 2018: Where the monitoring body has failed, or is failing, to comply with an obligation under Article 41 UK GDPR.
100 s149(4) DPA 2018: Where a certification provider does not meet the requirements for accreditation; has failed, or failing, to comply with an obligation under Articles 42 or 43 UK GDPR; or has failed or is failing to comply with any other provision of the UK GDPR (whether in the person’s capacity as a certification provider or otherwise).