Data Protection Act 2018

Data subject's right of access

45Right of access by the data subject

(1)A data subject is entitled to obtain from the controller—

(a)confirmation as to whether or not personal data concerning him or her is being processed, and

(b)where that is the case, access to the personal data and the information set out in subsection (2).

(2)That information is—

(a)the purposes of and legal basis for the processing;

(b)the categories of personal data concerned;

(c)the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);

(d)the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;

(e)the existence of the data subject’s rights to request from the controller—

(i)rectification of personal data (see section 46), and

(ii)erasure of personal data or the restriction of its processing (see section 47);

(f)the existence of the data subject’s right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

(g)communication of the personal data undergoing processing and of any available information as to its origin.

(3)Where a data subject makes a request under subsection (1), the information to which the data subject is entitled must be provided in writing —

(a)without undue delay, and

(b)in any event, before the end of the applicable time period (as to which see section 54).

(4)The controller may restrict, wholly or partly, the rights conferred by subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—

(a)avoid obstructing an official or legal inquiry, investigation or procedure;

(b)avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)protect public security;

(d)protect national security;

(e)protect the rights and freedoms of others.

(5)Where the rights of a data subject under subsection (1) are restricted, wholly or partly, the controller must inform the data subject in writing without undue delay—

(a)that the rights of the data subject have been restricted,

(b)of the reasons for the restriction,

(c)of the data subject’s right to make a request to the Commissioner under section 51,

(d)of the data subject’s right to lodge a complaint with the Commissioner, and

(e)of the data subject’s right to apply to a court under section 167.

(6)Subsection (5)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.

(7)The controller must—

(a)record the reasons for a decision to restrict (whether wholly or partly) the rights of a data subject under subsection (1), and

(b)if requested to do so by the Commissioner, make the record available to the Commissioner.