The Data Protection Bill, 2018
321
(2) A data subject may, pursuant to Article 35 (2) of
the Constitution, request an agency that holds personal data
relating to the data subject to correct, delete or destroy false
or misleading data.
(3) A request made under subsection (2) shall be in writing;
specify the information to be corrected or deleted;
and
in the case of a request for correction, specify the
manner in which such information should be
corrected.
(4) The agency shall consider the request and inform
the data subject of the decision within seven days of the
receipt of the request.
Where an agency rejects a request under
subsection (2), it shall inform the data subject of the
rejection and the reasons for the rejection in writing.
(5)
(6) An agency may reject a request under subsection
(2) on the basis that the request does not amount to a
request for the correction or deletion of data.
(7) Where an agency determines to correct or delete
the data, it shall do so within a period of seven days and
inform the data subject of the action taken within a period
of seven days from the date of the action.
19. (1) An agency that collects or processes personal
data shall not keep the data for a longer period than is
provided under any law or necessary to achieve the
purposes for which the data was collected or processed,
unless the data subject consents to the retention;
the retention of the data is authorised by law;
the retention of the data is reasonably necessary
for a lawful purpose related to a function or
activity or
the retention of the data is required by virtue of a
contract between the parties to the contract.
(2) Subsection (1) shall not apply to personal data
retained for purposes of-
Retention of
information.