(1)This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation in contravention of that legislation.
(2)A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
(a)to take steps specified in the order, or
(b)to refrain from taking steps specified in the order.
(3)The order may, in relation to each step, specify the time at which, or the period within which, it must be taken.
(4)In subsection (1)—
(a)the reference to an application by a data subject includes an application made in exercise of the right under Article 79(1) of the GDPR (right to an effective remedy against a controller or processor);
(b)the reference to the data protection legislation does not include Part 4 of this Act or regulations made under that Part.
(5)In relation to a joint controller in respect of the processing of personal data to which Part 3 applies whose responsibilities are determined in an arrangement under section 58, a court may only make an order under this section if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.