Data Protection Act 2018

CHAPTER 3Rights of the data subject

Overview

92Overview

(1)This Chapter sets out the rights of the data subject as follows—

(a)section 93 deals with the information to be made available to the data subject;

(b)sections 94 and 95 deal with the right of access by the data subject;

(c)sections 96 and 97 deal with rights in relation to automated processing;

(d)section 98 deals with the right to information about decision-making;

(e)section 99 deals with the right to object to processing;

(f)section 100 deals with rights to rectification and erasure of personal data.

(2)In this Chapter, “the controller”, in relation to a data subject, means the controller in relation to personal data relating to the data subject.

Rights

93Right to information

(1)The controller must give a data subject the following information—

(a)the identity and the contact details of the controller;

(b)the legal basis on which, and the purposes for which, the controller processes personal data;

(c)the categories of personal data relating to the data subject that are being processed;

(d)the recipients or the categories of recipients of the personal data (if applicable);

(e)the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

(f)how to exercise rights under this Chapter;

(g)any other information needed to secure that the personal data is processed fairly and transparently.

(2)The controller may comply with subsection (1) by making information generally available, where the controller considers it appropriate to do so.

(3)The controller is not required under subsection (1) to give a data subject information that the data subject already has.

(4)Where personal data relating to a data subject is collected by or on behalf of the controller from a person other than the data subject, the requirement in subsection (1) has effect, in relation to the personal data so collected, with the following exceptions—

(a)the requirement does not apply in relation to processing that is authorised by an enactment;

(b)the requirement does not apply in relation to the data subject if giving the information to the data subject would be impossible or involve disproportionate effort.

94Right of access

(1)An individual is entitled to obtain from a controller—

(a)confirmation as to whether or not personal data concerning the individual is being processed, and

(b)where that is the case—

(i)communication, in intelligible form, of the personal data of which that individual is the data subject, and

(ii)the information set out in subsection (2).

(2)That information is—

(a)the purposes of and legal basis for the processing;

(b)the categories of personal data concerned;

(c)the recipients or categories of recipients to whom the personal data has been disclosed;

(d)the period for which the personal data is to be preserved;

(e)the existence of a data subject’s rights to rectification and erasure of personal data (see section 100);

(f)the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

(g)any information about the origin of the personal data concerned.

(3)A controller is not obliged to provide information under this section unless the controller has received such reasonable fee as the controller may require, subject to subsection (4).

(4)The Secretary of State may by regulations—

(a)specify cases in which a controller may not charge a fee;

(b)specify the maximum amount of a fee.

(5)Where a controller—

(a)reasonably requires further information—

(i)in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or

(ii)to locate the information which that individual seeks, and

(b)has informed that individual of that requirement,

the controller is not obliged to comply with the request unless the controller is supplied with that further information.

(6)Where a controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, the controller is not obliged to comply with the request unless—

(a)the other individual has consented to the disclosure of the information to the individual making the request, or

(b)it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(7)In subsection (6), the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request.

(8)Subsection (6) is not to be construed as excusing a controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(9)In determining for the purposes of subsection (6)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard must be had, in particular, to—

(a)any duty of confidentiality owed to the other individual,

(b)any steps taken by the controller with a view to seeking the consent of the other individual,

(c)whether the other individual is capable of giving consent, and

(d)any express refusal of consent by the other individual.

(10)Subject to subsection (6), a controller must comply with a request under subsection (1)—

(a)promptly, and

(b)in any event before the end of the applicable time period.

(11)If a court is satisfied on the application of an individual who has made a request under subsection (1) that the controller in question has failed to comply with the request in contravention of this section, the court may order the controller to comply with the request.

(12)A court may make an order under subsection (11) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.

(13)The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.

(14)In this section—

• “the applicable time period” means—

  (a)

  the period of 1 month, or

  (b)

  such longer period, not exceeding 3 months, as may be specified in regulations made by the Secretary of State,

  beginning with the relevant time;

• “the relevant time”, in relation to a request under subsection (1), means the latest of the following—

  (a)

  when the controller receives the request,

  (b)

  when the fee (if any) is paid, and

  (c)

  when the controller receives the information (if any) required under subsection (5) in connection with the request.

(15)Regulations under this section are subject to the negative resolution procedure.

95Right of access: supplementary

(1)The controller must comply with the obligation imposed by section 94(1)(b)(i) by supplying the data subject with a copy of the information in writing unless—

(a)the supply of such a copy is not possible or would involve disproportionate effort, or

(b)the data subject agrees otherwise;

and where any of the information referred to in section 94(1)(b)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.

(2)Where a controller has previously complied with a request made under section 94 by an individual, the controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(3)In determining for the purposes of subsection (2) whether requests under section 94 are made at reasonable intervals, regard must be had to—

(a)the nature of the data,

(b)the purpose for which the data is processed, and

(c)the frequency with which the data is altered.

(4)The information to be supplied pursuant to a request under section 94 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(5)For the purposes of section 94(6) to (8), an individual can be identified from information to be disclosed to a data subject by a controller if the individual can be identified from—

(a)that information, or

(b)that and any other information that the controller reasonably believes the data subject making the request is likely to possess or obtain.

96Right not to be subject to automated decision-making

(1)The controller may not take a decision significantly affecting a data subject that is based solely on automated processing of personal data relating to the data subject.

(2)Subsection (1) does not prevent such a decision being made on that basis if—

(a)the decision is required or authorised by law,

(b)the data subject has given consent to the decision being made on that basis, or

(c)the decision is a decision taken in the course of steps taken—

(i)for the purpose of considering whether to enter into a contract with the data subject,

(ii)with a view to entering into such a contract, or

(iii)in the course of performing such a contract.

(3)For the purposes of this section, a decision that has legal effects as regards an individual is to be regarded as significantly affecting the individual.

97Right to intervene in automated decision-making

(1)This section applies where—

(a)the controller takes a decision significantly affecting a data subject that is based solely on automated processing of personal data relating to the data subject, and

(b)the decision is required or authorised by law.

(2)This section does not apply to such a decision if—

(a)the data subject has given consent to the decision being made on that basis, or

(b)the decision is a decision taken in the course of steps taken—

(i)for the purpose of considering whether to enter into a contract with the data subject,

(ii)with a view to entering into such a contract, or

(iii)in the course of performing such a contract.

(3)The controller must as soon as reasonably practicable notify the data subject that such a decision has been made.

(4)The data subject may, before the end of the period of 1 month beginning with receipt of the notification, request the controller—

(a)to reconsider the decision, or

(b)to take a new decision that is not based solely on automated processing.

(5)If a request is made to the controller under subsection (4), the controller must, before the end of the period of 1 month beginning with receipt of the request—

(a)consider the request, including any information provided by the data subject that is relevant to it, and

(b)by notice in writing inform the data subject of the outcome of that consideration.

(6)For the purposes of this section, a decision that has legal effects as regards an individual is to be regarded as significantly affecting the individual.

98Right to information about decision-making

(1)Where—

(a)the controller processes personal data relating to a data subject, and

(b)results produced by the processing are applied to the data subject,

the data subject is entitled to obtain from the controller, on request, knowledge of the reasoning underlying the processing.

(2)Where the data subject makes a request under subsection (1), the controller must comply with the request without undue delay.

99Right to object to processing

(1)A data subject is entitled at any time, by notice given to the controller, to require the controller—

(a)not to process personal data relating to the data subject, or

(b)not to process such data for a specified purpose or in a specified manner,

on the ground that, for specified reasons relating to the situation of the data subject, the processing in question is an unwarranted interference with the interests or rights of the data subject.

(2)Where the controller—

(a)reasonably requires further information—

(i)in order that the controller be satisfied as to the identity of the individual giving notice under subsection (1), or

(ii)to locate the data to which the notice relates, and

(b)has informed that individual of that requirement,

the controller is not obliged to comply with the notice unless the controller is supplied with that further information.

(3)The controller must, before the end of 21 days beginning with the relevant time, give a notice to the data subject—

(a)stating that the controller has complied or intends to comply with the notice under subsection (1), or

(b)stating the controller’s reasons for not complying with the notice to any extent and the extent (if any) to which the controller has complied or intends to comply with the notice under subsection (1).

(4)If the controller does not comply with a notice under subsection (1) to any extent, the data subject may apply to a court for an order that the controller take steps for complying with the notice.

(5)If the court is satisfied that the controller should comply with the notice (or should comply to any extent), the court may order the controller to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(6)A court may make an order under subsection (5) in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for compliance with the obligation to which the order relates.

(7)The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.

(8)In this section, “the relevant time”, in relation to a notice under subsection (1), means—

(a)when the controller receives the notice, or

(b)if later, when the controller receives the information (if any) required under subsection (2) in connection with the notice.

100Rights to rectification and erasure

(1)If a court is satisfied on the application of a data subject that personal data relating to the data subject is inaccurate, the court may order the controller to rectify that data without undue delay.

(2)If a court is satisfied on the application of a data subject that the processing of personal data relating to the data subject would infringe any of sections 86 to 91, the court may order the controller to erase that data without undue delay.

(3)If personal data relating to the data subject must be maintained for the purposes of evidence, the court may (instead of ordering the controller to rectify or erase the personal data) order the controller to restrict its processing without undue delay.

(4)If—

(a)the data subject contests the accuracy of personal data, and

(b)the court is satisfied that the controller is not able to ascertain whether the data is accurate or not,

the court may (instead of ordering the controller to rectify or erase the personal data) order the controller to restrict its processing without undue delay.

(5)A court may make an order under this section in relation to a joint controller whose responsibilities are determined in an arrangement under section 104 only if the controller is responsible for carrying out the rectification, erasure or restriction of processing that the court proposes to order.

(6)The jurisdiction conferred on a court by this section is exercisable by the High Court or, in Scotland, by the Court of Session.