Part 9 » Rights of the Data Subject

58. Right of access and notification

  1. A data subject has the right to obtain from the data controller, confirmation as to whether or not personal data concerning that data subject is being processed.

  2. A data subject may, where that data subject’s personal data is being processed, access in a manner that the data subject understands the following information:

    1. the purpose of the processing, the category of data the processing relates to, and the categories of recipients the data is disclosed to;
    2. envisaged period for which the personal data shall be stored, where possible or if not possible, the criteria used to determine that period;
    3. data being processed, as well as the source of that data; and
    4. information about the basic logic involved in any automatic processing of data relating to the data in case of automated decision making.
  3. A data subject has the right to notification of all third parties to whom that data subject’s personal data has been disclosed and the measures put in place to safeguard personal information of that data subject.

  4. A data subject shall access that data subject’s personal data in accordance with the relevant written law relating to access to information.
  5. Where sensitive personal data is processed for the purpose of scientific research, informing the data subject may be postponed until the research is concluded, if —

    1. informing the data subject would significantly prejudice the research;
    2. there is no evident risk of infringement of the data subject’s right to protection of the data subject’s privacy; and
    3. the data was collected initially on the basis of consent.
  6. A data controller may provide a copy of the personal data undergoing processing at no cost for the initial data and at a reasonable fee based on administrative costs for additional copies of the data.

  7. Where the data subject makes a data request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.
  8. The right to obtain a copy of personal data under subsection (5) shall not be enforced where that enforcement prejudices the rights and freedoms of others.

59. Right to rectification

  1. The data subject has the right to rectification of inaccurate personal data concerning the data subject as soon as practicable.
  2. A data subject shall, taking into account the purposes of the processing, have the right to have incomplete personal data completed.

60. Right to erasure

  1. The data subject has the right to erasure of personal data of that data subject as soon as practicable and the data controller shall have the obligation to erase personal data without undue delay where the —

    1. personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
    2. data subject, or a person holding parental responsibility, where the data subject is a child, withdraws consent and there is no other legal ground for the processing;
    3. data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing unless the data controller is otherwise permitted by the provisions of this Act;
    4. personal data has been unlawfully processed; or
    5. personal data has to be erased for compliance with a legal obligation in the Republic to which the data controller is subject.
  2. A data controller shall, where the data controller has made the personal data public, take all reasonable steps to inform a data processor and third party processing that data by virtue of that publication, that the data subject has requested the erasure of any links to, or copy or replication of, that personal data.

61. Right of objection

  1. Subject to this Act, a data subject may object to processing of that data subject’s personal data.
  2. A data controller shall not, where a data subject objects to the processing of that data subject’s personal data, process the personal data objected to under subsection (1) unless the data controller is permitted by the provisions of any other written law.
  3. A data subject may, where personal data is processed for direct marketing purposes, object to processing of that data subject’s personal data.
  4. Where a data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for that purpose but may be processed for any other lawful purpose.
  5. A data controller shall, on the first communication with the data subject, expressly bring the rights of the data subject to the attention of the data subject and present the information clearly and separately from any other information.

62. Decision taken on basis of automatic data processing

  1. A data subject shall not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that data subject or similarly affects that data subject.
  2. Subsection (1) shall not apply if the decision is —

    1. necessary for entering into, or performance of, a contract between the data subject and a data controller;
    2. authorised by any written law; or
    3. based on the data subject’s explicit consent.
  3. A data controller shall, in cases under subsection (2), implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including the right to obtain human intervention on the part of the data controller for purposes of enabling the data subject to express the data subject’s point of view and contest the decision.

  4. Automated data processing shall not be undertaken where the processing involves sensitive personal data unless —

    1. the data subject has expressly consented to that processing;

    2. the processing is in the public interest; or

    3. the processing is permitted by any written law and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

63. Right to restriction of processing

  1. A data subject may restrict a data controller from processing that data subject’s personal data where the —

    1. accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data;
    2. data controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;
    3. data subject has objected to processing pursuant to section 60(1)(c) pending the verification whether the legitimate grounds of the data controller override those of the data subject.
  2. Where processing has been restricted under subsection (1), that personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for reasons of important public interest or where the law compels that processing.

  3. A data subject who has obtained a restriction on the processing of that data subject’s personal data pursuant to subsection (1) shall be informed by the data controller before the restriction of processing that data is lifted.

64. Information when personal data collected directly from data subject

A data controller shall, where personal data relating to the data subject is collected directly from the data subject, concurrently provide the data subject with the following information, unless it is established that the data subject is in receipt of that information:

  1. the name and address of the data controller;
  2. the purpose of the processing;
  3. if it is obtained for the purpose of direct marketing, existence of the right to object to the intended processing of personal data relating to that data subject;
  4. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the safeguards put in place for that transfer;
  5. whether compliance with the request for information is compulsory or not, as well as what the consequences of the failure to comply are;
  6. taking into account the specific circumstances in which the data is collected, any supporting information, as necessary to ensure fair processing for the data subject, such as —

    1. the recipients or categories of recipients of the data; and
    2. the existence of the right to access and rectify the personal data relating to that data subject, except where that additional information, taking into account the specific circumstances in which the data is collected, is not necessary to guarantee accurate processing.

65. Right to data portability

  1. A data subject has the right to receive that data subject’s personal data in a structured, commonly used, machine readable or otherwise legible format and may transmit that data to another data controller.
  2. A data subject has the right to have the data subject’s personal data transmitted directly from one data controller to another, where technically or otherwise feasible.

66. Notification obligation

A data controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with this Act to each recipient to whom the personal data have been disclosed, where practicable.

67. Derogation from rights

The rights of a data subject under this Part shall, to the extent necessary, not apply where processing is —

  1. for compliance with a legal obligation which requires processing by any written law to which the data controller is subject;
  2. for the performance of a task carried out in the public interest;
  3. in the exercise of official authority vested in the data controller;
  4. for scientific or historical research purposes; or
  5. for the establishment, exercise or defence of legal claims.

68. Complaints

A data subject may lodge a complaint with the Data Protection Commissioner if the data subject considers that the processing of personal data by a data controller or data processor contravenes this Act.

69. Appeals

A person who is aggrieved with the decision of the Data Protection Commissioner may appeal to the High Court within thirty days of the Data Protection Commission’s decision.