Amendments made: 18, page 29, line 29, after first “of” insert “high risk”.

This amendment is consequential on Amendment 21.

Amendment 19, page 29, line 34, after “individuals” insert “(‘high risk processing’)”.

See the explanatory statement for Amendment 21.

Amendment 20, page 29, line 35, leave out “such” and insert “high risk”.

This amendment is consequential on Amendment 19.

Amendment 21, page 30, line 1, leave out “processing of personal data” and insert

“high risk processing that is being”.

This amendment, read with Amendment 19, provides that, in relation to processing of personal data to which the UK GDPR applies, controllers are only required to keep records of processing currently being carried out that is likely to result in a high risk to the rights and freedoms of individuals.

Amendment 22, page 30, leave out lines 4 and 5.

This amendment is consequential on Amendment 21.

Amendment 23, page 30, line 6, after “data” insert

“undergoing the high risk processing”.

This amendment is consequential on Amendment 21.

Amendment 24, page 30, line 8, leave out

“controller is processing the personal data”

and insert

“high risk processing is being carried out”.

This amendment and Amendments 25 and 26 are consequential on Amendment 21 and are also made for consistency with the reference in new Article 30A(2) of the UK GDPR to processing carried out on behalf of, as well as by, the controller.

Amendment 25, page 30, line 10, leave out from second “the” to “(including” in line 11 and insert

“personal data undergoing the high risk processing has been, or is intended to be, shared by or on behalf of the controller”.

See the explanatory statement for Amendment 24.

Amendment 26, page 30, line 13, leave out

“to retain the personal data”

and insert

“the high risk processing to be carried out”.

See the explanatory statement for Amendment 24.

Amendment 27, page 30, leave out lines 14 to 18 and insert—

“(e) whether the high risk processing includes processing described in Article 9(1) (processing of special categories of personal data) and, if so, which type of such processing, and

(f) whether the high risk processing includes processing described in Article 10(1) (processing of personal data relating to criminal convictions etc) and, if so, which type of such processing.”

This amendment is partly consequential on Amendment 21. It also adjusts the current wording of points (e) and (f) to reflect the terms of Articles 9(1) and 10(1).

Amendment 28, page 30, line 20, after “data” insert “undergoing high risk processing”.

This amendment is consequential on Amendment 21.

Amendment 29, page 30, line 21, leave out

“its processing of personal data”

and insert

“high risk processing that it is carrying out”.

This amendment, read with Amendment 19, provides that, in relation to processing of personal data to which the UK GDPR applies, processors are only required to keep records of processing currently being carried out that is likely to result in a high risk to the rights and freedoms of individuals.

Amendment 30, page 30, leave out lines 24 and 25.

This amendment is consequential on Amendment 29.

Amendment 31, page 30, line 27, leave out “acting” and insert

“carrying out high risk processing”.

This amendment is consequential on Amendment 29.

Amendment 32, page 30, line 28, after “data” insert

“undergoing the high risk processing”.

This amendment is consequential on Amendment 29.

Amendment 33, page 30, line 31, after “data” insert

“undergoing high risk processing”.

This amendment is consequential on Amendment 29.

Amendment 34, page 30, line 36, after “of” insert “high risk”.

This amendment is consequential on Amendments 21 and 29.

Amendment 35, page 31, line 9, after “data” insert “that is being”.

This amendment and Amendment 42 make clear that the duty to keep records of processing of personal data to which Part 3 of the Data Protection Act 2018 applies only to processing currently being carried out.

Amendment 36, page 31, leave out lines 11 and 12.

This amendment and Amendments 37, 38, 39 and 40 to provisions to be inserted in the Data Protection Act 2018 are for consistency with Amendments 22, 23, 24, 25 and 26 which amend provisions to be inserted in the UK GDPR.

Amendment 37, page 31, line 13, after “data” insert “undergoing the processing”.

See the explanatory statement for Amendment 36.

Amendment 38, page 31, line 15, leave out

“the controller is processing the personal data”

and insert

“the processing is being carried out”.

See the explanatory statement for Amendment 36.

Amendment 39, page 31, line 17, leave out from second “the” to “(including” in line 18 and insert

“personal data has been, or is intended to be, shared by or on behalf of the controller”.

See the explanatory statement for Amendment 36.

Amendment 40, page 31, line 20, leave out

“to retain the personal data”

and insert

“the personal data to be retained”.

See the explanatory statement for Amendment 36.

Amendment 41, page 31, leave out lines 22 and 23 and insert—

“(e) whether the processing of the personal data includes sensitive processing (as defined in section 35(8)) and, if so, which type of such processing.”

This technical amendment changes new section 61A(2)(e) of the Data Protection Act 2018 so that it makes provision by reference to “sensitive processing”, rather than to personal data described in section 35(8).

Amendment 42, page 31, line 26, leave out

“its processing of personal data”

and insert

“the processing that it is carrying out”.

See the explanatory statement for Amendment 35.

Amendment 43, page 31, leave out lines 29 and 30.

This amendment is proposed for consistency with the change proposed by Amendment 36.

Amendment 44, page 31, line 33, after “data” insert “undergoing the processing”.—(Sir John Whittingdale.)

This amendment is proposed for consistency with the change proposed by Amendment 37.