|
6A.—(1) Subject to subsection (3) and unless otherwise provided by any enactment, an individual is entitled at any time, by notice in writing served on a data controller, to request him or her to cease within a reasonable time, or not to begin, processing or processing for a specified purpose or in a specified manner any personal data in respect of which he or she is the data subject if the processing falls within subsection (2) of this section on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or likely to cause substantial damage or distress to him or her or to another person, and
(b) the damage or distress is or would be unwarranted.
(2) This subsection applies to processing that is necessary—
(a) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data are or are to be disclosed, or
(b) for the purposes of the legitimate interests pursued by the data controller to whom the data are or are to be disclosed, unless those interests are overridden by the interests of the data subject in relation to fundamental rights and freedoms and, in particular, his or her right to privacy with respect to the processing of personal data.
(3) Subsection (1) does not apply—
(a) in a case where the data subject has given his or her explicit consent to the processing,
(b) if the processing is necessary—
(i) for the performance of a contract to which the data subject is a party,
(ii) in order to take steps at the request of the data subject prior to his or her entering into a contract,
(iii) for compliance with any legal obligation to which the data controller or data subject is subject other than one imposed by contract, or
(iv) to protect the vital interests of the data subject,
(c) to processing carried out by political parties or candidates for election to, or holders of elective political office, in the course of electoral activities, or
(d) in such other cases, if any, as may be specified in regulations made by the Minister after consultation with the Commissioner.
(4) Where a notice under subsection (1) of this section is served on a data controller, he or she shall, as soon as practicable and in any event not later than 20 days after the receipt of the notice, serve a notice on the individual concerned—
(a) stating that he or she has complied or intends to comply with the request concerned, or
(b) stating that he or she is of opinion that the request is unjustified to any extent and the reasons for the opinion and the extent (if any) to which he or she has complied or intends to comply with it.
(5) If the Commissioner is satisfied, on the application to him or her in that behalf of an individual who has served a notice under subsection (1) of this section that appears to the Commissioner to be justified, or to be justified to any extent, that the data controller concerned has failed to comply with the notice or to comply with it to that extent and that not less than 40 days have elapsed since the receipt of the notice by him or her, the Commissioner may, by an enforcement notice served on the data controller, order him or her to take such steps for complying with the request, or for complying with it to that extent, as the Commissioner thinks fit and specifies in the enforcement notice, and that notice shall specify the reasons for the Commissioner being satisfied as aforesaid.
|
