Data Protection Act 2018
Right of access
91. (1) Subject to subsections (7), (9) and (12) and sections 93(4)(ii) and 94, an individual who believes that personal data relating to him or her have been or are being processed by or on behalf of a controller, if he or she so requests the controller by notice in writing shall—
(a) be informed by the controller whether personal data relating to him or her have been or are being processed by or on behalf of the controller, and
(b) where such data have been or are being so processed, be provided by the controller with the following information:
(i) a description of—
(I) the purpose of, and the legal basis for, the processing,
(II) the categories of personal data concerned,
(III) the recipients or categories of recipients to whom the personal data concerned have been disclosed, and
(IV) the period for which the personal data concerned will be retained, or where it is not possible to determine the said period at the time of the giving of the information, the criteria used to determine the said period;
(ii) information detailing the right of the data subject to request from the controller the rectification or erasure of the personal data concerned;
(iii) information detailing the right of the data subject to lodge a complaint with the Commission and the contact details of the Commission;
(iv) a communication of the personal data concerned;
(v) any available information as to the origin of the personal data concerned, unless the communication of that information is contrary to the public interest.
(2) A controller shall respond to a request made under subsection (1) and provide the information specified in paragraph (b) thereof to the data subject as soon as may be and, subject to subsections (4) and (5), in any event not later than one month after the date on which the request is made.
(3) When making a request under subsection (1), the individual making the request shall provide the controller with such information as the controller may reasonably require to satisfy itself of the identity of the individual and to locate any relevant personal data or information.
(4) Where a controller has reasonable doubts as to the identity of an individual making a request under subsection (1) or reasonably requires additional information to locate any relevant personal data, it may request such additional information from the data subject as may be necessary to confirm his or her identity or to enable it to locate such personal data or information, as the case may be, and the period of time from the making of such a request for additional information until the request is complied with shall not be reckonable for the purposes of subsection (2).
(5) Where, taking into account the complexity of a request made under subsection (1) and the number of such requests received by the controller, the controller is of the opinion that it requires additional time to consider the request, it may, once only and within one month from the date of the receipt of the request, extend the time period referred to in subsection (2) by such further period not exceeding 2 months as it may specify by notice in writing to the individual making the request.
(6) A notice in writing referred to in subsection (5) shall include the reason for which the controller is of the opinion that it requires additional time to consider the request made under subsection (1).
(7) Where information that a controller would otherwise be required to provide to a data subject pursuant to subsection (1) includes personal data relating to another individual that would reveal, or would be capable of revealing, the identity of the individual, the controller—
(a) shall not, subject to subsection (8), provide the data subject with the information that constitutes such personal data relating to the other individual, and
(b) shall provide the data subject with a summary of the personal data concerned that—
(i) in so far as is possible, permits the data subject to exercise his or her rights under this Part, and
(ii) does not reveal, or is not capable of revealing, the identity of the other individual.
(8) Subsection (7) shall not apply where the individual to whom the personal data that would reveal, or would be capable of revealing, his or her identity, relate consents to the provision of the information concerned to the data subject making a request pursuant to subsection (1).
(9) Subsection (1) shall not apply—
(a) in respect of personal data relating to the data subject that consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential, or
(b) to information specified in paragraph (b)(i)(III) of that subsection in so far as a recipient referred to therein is a public authority which may receive data in the context of a particular inquiry in accordance with the law of the State.
(10) Information provided pursuant to a request under subsection (1) may take account of any amendment of the personal data concerned made since the receipt of the request by the controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.
(11) The obligations imposed by subparagraphs (iv) and (v) of subsection (1)(b) shall be complied with by supplying the data subject with a copy of the information concerned in permanent form unless—
(a) the supply of such a copy is not possible or would involve disproportionate effort, or
(b) the data subject agrees otherwise.
(12) Where a controller has previously complied with a request under subsection (1), the controller is not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in the opinion of the controller, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
(13) In determining for the purposes of subsection (12) whether the reasonable interval specified in that subsection has elapsed, regard shall be had to the nature of the personal data, the purpose for which the personal data are processed and the frequency with which the personal data are altered.
(14) Where a controller, pursuant to subsection (12) refuses to act upon a request under subsection (1), it shall, as soon as practicable, so notify the data subject in writing.