Data Protection Act 2018

92

Right to rectification or erasure and restriction of processing

92. (1) Where a data subject is of the opinion that a controller is processing personal data relating to him or her that are inaccurate, the data subject may make a request in writing to the controller for the controller to rectify the data concerned.

(2) A controller that receives a request under subsection (1) shall, subject to subsections (6), (7) and (9) and section 93(4)(ii), where it is satisfied that the personal data to which the request relates are inaccurate, rectify the data as soon as may be and in any event no later than one month after the date on which the request is made.

(3) Where a data subject is of the opinion that a controller is processing personal data relating to him or her—

(a) in a manner that contravenes subsections (1) to (6) of section 71 or section 73(1), or

(b) that are required to be erased by the controller in accordance with a legal obligation to which the controller is subject,

the data subject may make a request in writing to the controller to erase the data concerned.

(4) A controller that receives a request under subsection (3) shall, subject to subsections (6), (7) and (9) and section 93(4)(ii), where it is satisfied that paragraph (a) or (b) of subsection (3) applies to the personal data to which the request relates, erase the data as soon as may be and in any event no later than one month after the date on which the request is made.

(5) When making a request under subsection (1) or (3), the data subject shall provide such information as the controller may reasonably require to—

(a) satisfy itself as to the identity of the data subject,

(b) locate any relevant personal data, and

(c) satisfy itself as to whether the personal data concerned are inaccurate or as to the basis on which the data should be erased, as the case may be.

(6) Where a controller—

(a) has reasonable doubts as to the identity of an individual making a request under subsection (1) or (3), or

(b) reasonably requires additional information—

(i) to locate any relevant personal data, or

(ii) to satisfy itself as to whether the personal data concerned are inaccurate or as to the basis on which the data should be erased, as the case may be,

it may request such additional information from the data subject as may be necessary to confirm his or her identity or to so locate or satisfy itself, as the case may be, and the period of time from the making of such a request for additional information until the request is complied with shall not be reckonable for the purposes of subsection (2) or (4), as the case may be.

(7) Where, taking into account the complexity of a request made under subsection (1) or (3) and the number of such requests received by the controller, the controller is of the opinion that it requires additional time to consider the request, it may, once only and within one month from the date of the receipt of the request, extend the time period referred to in subsection (2) or (4), as the case may be, by such further period not exceeding 2 months as it may specify by notice in writing to the data subject making the request.

(8) A notice in writing referred to in subsection (7) shall include the reason for which the controller is of the opinion that it requires additional time to consider the request made under subsection (1) or (3), as the case may be.

(9) Where a data subject makes a request under subsection (1) or (3), and—

(a) the accuracy of the data is contested by the data subject and it is not possible to ascertain whether the data are so inaccurate, or

(b) the personal data are required for the purposes of evidence in proceedings before a court or tribunal or in another form of official inquiry,

the controller shall restrict the processing of the data and shall not rectify or erase the data, as the case may be.

(10) Where a controller—

(a) complies with a request under subsection (1) or (3), or

(b) restricts the processing of personal data under subsection (9),

the controller shall, as soon as practicable, notify in writing—

(i) subject to section 94, the data subject concerned,

(ii) each controller from which the personal data concerned were received, and

(iii) each person to whom the personal data concerned were disclosed,

of the rectification, erasure or restriction concerned, as the case may be.

(11) Where a controller receives a request under subsection (1) or (3), and—

(a) the controller is not satisfied that, as the case may be,—

(i) in relation to a request under subsection (1), the personal data to which the request relates should be rectified pursuant to subsection (2), or

(ii) in relation to a request under subsection (3), the personal data to which the request relates should be erased pursuant to subsection (4),

and

(b) subsection (9) does not apply to the data,

the controller shall, subject to section 94, as soon as practicable, so notify the data subject in writing.

(12) A notification under subsection (11) shall include—

(a) the reasons for the controller’s decision under that subsection, and

(b) information relating to the data subject’s right under section 95 to request the Commission to verify the lawfulness of the processing concerned.

(13) Where a person to whom personal data were disclosed is notified under subsection (10) of—

(a) the rectification or erasure of the data pursuant to a request under subsection (1) or (3), as the case may be, or

(b) the restriction of the processing of the data under subsection (9),

the person shall rectify or erase, or restrict the processing of, as the case may be, any of the data concerned that the person has under his or her control in the same manner, and to the same extent, as the controller making the notification has rectified or erased, or restricted the processing of, as the case may be, the data concerned.

(14) Where a controller has restricted the processing of personal data pursuant to subsection (9) and proposes to lift the said restriction, the controller shall inform the data subject prior to the lifting of the restriction.

(15) Where a controller that restricted the processing of personal data pursuant to subsection (9) lifts the said restriction—

(a) the controller shall notify any person who was notified under subsection (10) of the said restriction of the lifting of the restriction as soon as practicable, and

(b) the person so notified shall lift any restriction of the processing of the data concerned implemented under subsection (13) in the same manner, and to the same extent, as the controller making the notification has lifted the restriction on the processing of the data concerned.

(16) This section shall not apply to personal data that are contained in witness statements.

(17) For the purposes of this section, personal data are inaccurate if—

(a) they are incorrect or misleading as to any matter of fact, or

(b) they are incomplete in a material manner.