(1)The controller must, if so requested by a data subject, rectify without undue delay inaccurate personal data relating to the data subject.
(2)Where personal data is inaccurate because it is incomplete, the controller must, if so requested by a data subject, complete it.
(3)The duty under subsection (2) may, in appropriate cases, be fulfilled by the provision of a supplementary statement.
(4)Where the controller would be required to rectify personal data under this section but the personal data must be maintained for the purposes of evidence, the controller must (instead of rectifying the personal data) restrict its processing.
(1)The controller must erase personal data without undue delay where—
(a)the processing of the personal data would infringe section 35, 36(1) to (3), 37, 38(1), 39(1), 40, 41 or 42, or
(b)the controller has a legal obligation to erase the data.
(2)Where the controller would be required to erase personal data under subsection (1) but the personal data must be maintained for the purposes of evidence, the controller must (instead of erasing the personal data) restrict its processing.
(3)Where a data subject contests the accuracy of personal data (whether in making a request under this section or section 46 or in any other way), but it is not possible to ascertain whether it is accurate or not, the controller must restrict its processing.
(4)A data subject may request the controller to erase personal data or to restrict its processing (but the duties of the controller under this section apply whether or not such a request is made).
(1)Where a data subject requests the rectification or erasure of personal data or the restriction of its processing, the controller must inform the data subject in writing—
(a)whether the request has been granted, and
(b)if it has been refused—
(i)of the reasons for the refusal,
(ii)of the data subject’s right to make a request to the Commissioner under section 51,
(iii)of the data subject’s right to lodge a complaint with the Commissioner, and
(iv)of the data subject’s right to apply to a court under section 167.
(2)The controller must comply with the duty under subsection (1)—
(a)without undue delay, and
(b)in any event, before the end of the applicable time period (see section 54).
(3)The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1)(b)(i) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
(a)avoid obstructing an official or legal inquiry, investigation or procedure;
(b)avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)protect public security;
(d)protect national security;
(e)protect the rights and freedoms of others.
(4)Where the rights of a data subject under subsection (1) are restricted, wholly or partly, the controller must inform the data subject in writing without undue delay—
(a)that the rights of the data subject have been restricted,
(b)of the reasons for the restriction,
(c)of the data subject’s right to lodge a complaint with the Commissioner, and
(d)of the data subject’s right to apply to a court under section 167.
(5)Subsection (4)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
(6)The controller must—
(a)record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (1)(b)(i), and
(b)if requested to do so by the Commissioner, make the record available to the Commissioner.
(7)Where the controller rectifies personal data, it must notify the competent authority (if any) from which the inaccurate personal data originated.
(8)In subsection (7), the reference to a competent authority includes (in addition to a competent authority within the meaning of this Part) any person that is a competent authority for the purposes of the Law Enforcement Directive in a member State other than the United Kingdom.
(9)Where the controller rectifies, erases or restricts the processing of personal data which has been disclosed by the controller—
(a)the controller must notify the recipients, and
(b)the recipients must similarly rectify, erase or restrict the processing of the personal data (so far as they retain responsibility for it).
(10)Where processing is restricted in accordance with section 47(3), the controller must inform the data subject before lifting the restriction.