(1) Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) does not prohibit the processing of personal data to which the UK GDPR applies to the extent that the processing is carried out -
(a) for the purpose of safeguarding national security or for defence purposes, and
(b) with appropriate safeguards for the rights and freedoms of data subjects.
(2) Article 32 of the UK GDPR (security of processing) does not apply to a controller or processor to the extent that the controller or the processor (as the case may be) is processing personal data to which the UK GDPR applies for -
(a) the purpose of safeguarding national security, or
(b) defence purposes.
(3) Where Article 32 of the UK GDPR does not apply, the controller or the processor must implement security measures appropriate to the risks arising from the processing of the personal data.
(4) For the purposes of subsection (3), where the processing of personal data is carried out wholly or partl
…