4H.—(1) Where—

(a) a relevant body holds—

(i) the personal data of an employee or employer, or

(ii) the taxpayer information of a person, and

(b) the Minister considers the data or the information is necessary and proportionate for the performance of the Minister’s functions under section 4E or 4F, the Minister may request the data and the information from the relevant body.

(2) Where a relevant body holds data or information to which a request under subsection (1) relates, it shall disclose the information and the data, other than special categories of personal data, to the Minister as soon as practicable.

(3) The Minister shall enter into a data-sharing agreement with each relevant body relating to the disclosure of personal data under this section, and the agreement shall—

(a) specify the names of the parties to the agreement in a schedule to the agreement,

(b) specify the information to be disclosed,

(c) specify the purpose of the data-sharing,

(d) specify the function of the relevant body to which the purpose referred to in paragraph (c) relates,

(e) specify the legal basis for the data-sharing and for any further processing, by the parties to the agreement, of the information to be disclosed under the agreement,

(f) specify whether, where information is disclosed under the agreement, the disclosure will be of information in relation to individual data subjects or classes of data subjects,

(g) specify whether the disclosure of information under the agreement will be on a once-off or ongoing basis,

(h) specify how the information to be disclosed is to be processed following its disclosure,

(i) specify any restrictions on the disclosure of information after the processing referred to in paragraph (h),

(j) include an undertaking by the parties to the agreement to comply with Article 5 of the General Data Protection Regulation in disclosing information under the agreement,

(k) where a data protection impact assessment has been carried out in relation to the data-sharing, include a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation in a schedule to the agreement,

(l) specify the security measures to apply to the transmission, storage and accessing of personal data, in a manner that does not compromise those security measures,

(m) specify the requirements in relation to the retention of—

(i) the information to be disclosed, and

(ii) the information resulting from the processing of that information, for the duration of the agreement and in the event that the agreement is terminated,

(n) specify the method to be employed to destroy or delete—

(i) the information to be disclosed, and

(ii) the information resulting from the processing of that information, at the end of the period for which the information is to be retained in accordance with the agreement,

(o) specify the procedure in accordance with which a party may withdraw from the agreement, and

(p) include in a schedule to the agreement a statement summarising the grounds on which the Minister considers the disclosure of the information to be necessary and proportionate for the purpose of performing the functions under section 4E or 4F, as the case may be.

(4) In this section—

“data protection impact assessment” means an assessment carried out for the purposes of Article 35 of the General Data Protection Regulation;

“data subject” has the same meaning as it has in the General Data Protection Regulation;

“processing” has the same meaning as it has in the General Data Protection Regulation;

“relevant body” means the Registrar and the Revenue Commissioners, or either of them, as the case may be.]