Rights of individuals under the Data Protection and Privacy Act, 2019

  1. Right to access personal data
    The Data Protection and Privacy Act provides that the data subject has the right to obtain from a data controller confirmation as to whether or not personal data that concerns him or her is being processed. Where that is the case, in addition to providing access to the personal data, the data subject is entitled to receive information on the purposes for processing the data, recipients to whom the data has been disclosed, amongst others.

    How do I exercise the right of access to personal data?
    The Data Protection and Privacy Regulations provide a form through which a data subject should make a request to access his or her personal data. This form (Form 8) can be downloaded from the “Forms Section” on this website.

  2. Right to rectification, blocking, erasure and destruction of personal data
    Data subjects have the right to rectification of inaccurate personal data, and data controllers must ensure that inaccurate or incomplete data is erased, amended or rectified.

    How do I exercise this right?
    To exercise this right, a data subject should inform the person, institution or public body that he or she is challenging the accuracy of his or her personal data and wants it corrected. The data subject should provide supporting documentation, where necessary to support this request. Where the person, institution or public body fails to rectify, block, erase or destroy the personal data as requested, the data subject can file a complaint with the Personal Data Protection Office as provided in Form 9 of the Regulations.

  3. Right to prevent processing of personal data for direct marketing
    A data subject may require a data controller to stop processing his or her personal data for purposes of direct marketing. “Direct marketing” includes communication by whatever means of any advertising or marketing material which is directed at an individual.

    How do I exercise my right to prevent processing of personal data for direct marketing?
    A data subject may by notice in writing to a data controller require the data controller to stop processing his or her personal data for purposes of direct marketing.

  4. Rights in relation to automated decision-taking
    When decisions are made about a data subject without any human being involved, this is called ‘automated decision-taking’, for example: an online decision after a data subject has applied for a loan, or a recruitment aptitude test using pre-programmed algorithms and criteria.
    A data subject has the right not to be subject to a decision that is based solely on automated decision-taking if the decision significantly affects the data subject.

    How do I exercise this right?
    To exercise this right, a data subject may by notice in writing to a data controller require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects that data subject is not based solely on the processing by automatic means.

  5. The right to be informed Data subjects have the right to be provided with certain pieces of information that describe their relationship with the data collector or data controller. This includes the data collector or data controller’s identity and contact details, the reasons or purposes for processing their personal data, the legal basis for doing so, recipients of that data, and other relevant information necessary to ensure the fair and transparent processing of the data. This information is usually provided in form of a data protection notice/policy/statement or disclosure.

  6. Right to file a complaint against breach and non-compliance
    A data subject has the right to be confident that persons, institutions or public bodies handle their personal data responsibly and in compliance with the Data Protection and Privacy Act and Regulations thereunder.

    If a data subject has a concern about the way a person, institution or public body is handling his or her personal data especially in violation of the Act, the data subject may make a complaint to the Personal Data Protection Office.

    How do I exercise this right?
    To exercise this right, a data subject should file a complaint using Form 11 provided by the Data Protection and Privacy Regulations. A data subject can also exercise this right by moving a court of law to order a corporation found non-compliant to pay a fine of up to two percent of the corporation’s annual gross turnover.