Data Protection Act 2018

113.

Complaint to which Article 60 applies

113. (1) This section applies to a complaint in respect of which the Commission is the lead supervisory authority.

(2) Where section 109(4)(a) applies, the Commission shall—

(a) in accordance with subsection (3), make a draft decision in respect of the complaint (or, as the case may be, part of the complaint) and, where applicable, as to the envisaged action to be taken in relation to the controller or processor concerned, and

(b) in accordance with Article 60 and, where appropriate, Article 65, adopt its decision in respect of the complaint or, as the case may be, part of the complaint.

(3) In making a draft decision under subsection (2)(a), the Commission shall, where applicable, have regard to—

(a) the information obtained by the Commission in its examination of the complaint, including, where an inquiry has been conducted in respect of the complaint, the information obtained in the inquiry, and

(b) any draft for a decision that is submitted to the Commission by a supervisory authority in accordance with Article 56(4).

(4) Where the Commission adopts a decision under subsection (2)(b) to the effect that an infringement by the controller or processor concerned has occurred or is occurring, it shall, in addition, make a decision—

(a) where an inquiry has been conducted in respect of the complaint—

(i) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(ii) where it decides to so exercise a corrective power, the corrective power that is to be exercised,

or

(b) where an inquiry has not been conducted in respect of the complaint—

(i) as to whether an action specified in subsection (6) should be taken in respect of the controller or processor concerned, and

(ii) where it decides to take such an action, the action that is to be taken.

(5) The Commission, in making its decision under subsection (4), shall have due regard to the decision as to the envisaged action to be taken in relation to the controller or processor included in the Commission’s draft decision under subsection (2)(a) or, as the case may be, its revised draft decision under Article 60.

(6) The actions referred to in subsection (4)(b) include either or both of the following:

(a) the serving on the controller or processor concerned of an enforcement notice, requiring it to do one or more than one of the following:

(i) comply with the data subject’s request to exercise his or her rights pursuant to a relevant enactment;

(ii) where the enforcement notice is given to the controller, communicate a personal data breach to the data subject;

(iii) rectify or erase personal data or restrict processing pursuant to Article 16, 17 or 18, and, in respect of that action, to comply with Article 19 and, where applicable, Article 17(2);

(b) the taking of such other action in respect of the complaint as the Commission considers appropriate.

(7) The Commission—

(a) where it makes a decision referred to in subsection (4)(a)(ii), shall exercise the corrective power concerned, and

(b) where it makes a decision referred to in subsection (4)(b)(ii), shall take the action concerned.