A data controller owes a duty of care to a data subject regarding their personal data. This duty applies from the point of collection and throughout the handling of the data.
Section 2A of the DPACT states that Personal data shall not be processed by a data controller unless section 2 of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the following conditions is met.
Therefore, from the outset, a data controller cannot process data unless one of the conditions in the legislation is met. This is a significant legal protection for one's personal data. The duty also commences at an early stage.
There are legal obligations imposed on data controllers when they are collecting, processing and keeping data. Data must be processed fairly and for a legitimate purpose, kept accurate, and be adequate, relevant and not excessive in relation to the purpose for which it was obtained. This is an ongoing duty of the data controller. Keeping data with a "rainy day" mentality will not suffice in our opinion. If the data is no longer necessary, why is it retained?
The EU Charter on Fundamental Rights includes under Article 8 the right to protection of one's personal data.
Right to Information
Section 3 of the 1998 DPACT states that if a person believes another person keeps their personal data, they can request in writing that the other party confirm whether personal data is retained and provide a description of the data and the purpose of the retention. The data controller has 21 days from this request to comply. No fee should be charged.
Right to Access
Section 4 of the 1998 DPACT provides that an individual can request in writing from the holder of the data to be informed by the data controller, to be supplied with a description of the data and the categories being processed, to receive the personal data itself, to be notified of the purpose for which the data was or is being processed, to be told who the data was disclosed to, etc. The data controller has 40 days to comply. Releasing data in unintelligible form is not appropriate. A fee may be payable to the data controller for this request. This fee should be reasonable.
Any refusal of a request should be in writing, should state the reasons for the refusal, and should notify the person of their right to seek the assistance of the Data Protection Commissioner's office.
Article 12 of Directive 95/46 provides for a right of access to one's personal data.
A data access request under Section 4 only has to be made in writing.
When responding to requests, there is a clear burden on the data controller to respond accordingly. The law arising from the Charter of Fundamental Rights, Directive 95/46 or the DPACT 1998, as amended, will not be satisfied by only making best efforts. Having a system in place from the start to avoid a problem is evidently the way to go. The 40 day period for the data controller is counted in calendar days, not working days. Data controllers should not use a fee payment to delay a request. Upon receipt of a request, a data controller must first verify the identity of the person making the request.
Restrictions to a right of access are laid out in Section 5 of the DPACT 1998, as amended, and are specified at article 13 of directive 95/46.
Fair processing of personal data.
2D.—(1) Personal data shall not be treated, for the purposes of section 2(1)(a) of this Act, as processed fairly unless information is provided to the data subject which includes the identity of the data controller, the purpose of processing, and whether there is a nominated person dealing with the person's data. In essence, fairness and transparency are of the utmost importance and must be put into practice. This is a positive, not passive, duty.
Right to Rectify, Erase or Block data
A person can request in writing from a data controller to have their data erased, rectified or blocked.
There is a 40 day window period to comply with this request.
In the Google Spain case the CJEU found a controller could be required to rectify personal data even though it was accurate when the processing was inadequate, irrelevant, or excessive. The right of rectification would "override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject's name". This right of rectification is not absolute.
Right to Object
A data subject has a legal entitlement to send a notice to a data controller to stop processing their data if it is likely to cause distress or substantial damage to them and the damage is unwarranted.
This right does not apply if the data subject gave consent to the processing, if processing is necessary to perform a contract with the data subject, to comply with a legal obligation, to protect interests of the data subject etc.
Upon receipt of a right to object request, the data controller has 20 days to serve notice on the data subject that he/she will either comply with the request or deny it, but the Data Protection Commissioner can issue an enforcement notice after 40 days in this type of matter.
