Acts 2017
(ii) the recording or disclosure of the data is laid
down by law.
(4) Where data are not collected directly from the data subject
concerned, the controller or any person acting on his or its behalf shall
ensure that the data subject is informed of the matters specified in
subsection (2).
24. Conditions for consent
(1) The controller shall bear the burden of proof for establishing a
data subject’s consent to the processing of his personal data for a specified
purpose.
(2) The data subject shall have the right to withdraw his consent
at any time.
(3) In determining whether consent was freely given, account
shall be taken of whether, inter alia, the performance of a contract, including
the provision of a service, is conditional on consent to the processing of
personal data that is not necessary for the performance of that contract.
25. Notification of personal data breach
(1) (a) In the case of a personal data breach, the controller
shall without undue delay and, where feasible, not later than 72 hours
after having become aware of it, notify the personal data breach to the
Commissioner.
(b) Where the controller fails to notify the personal data
breach within the time limit specified in paragraph (a), he shall provide the
Commissioner with the reasons for the delay.
(2) Where a processor becomes aware of a personal data breach,
he shall notify the controller without any undue delay.
(3) The notification referred to in subsection (1) shall –
(a) describe the nature of the personal data breach, including
where possible, the categories and approximate number
of data subjects and the categories and approximate
number of personal data records concerned;