Acts 2017
(4) Where the controller has not already communicated the
personal data breach to the data subject, the Commissioner may, after
having considered the likelihood of the personal data breach resulting in a
high risk, require it to do so.
27. Duty to destroy personal data
(1) Where the purpose for keeping personal data has lapsed,
every controller shall –
(a) destroy the data as soon as is reasonably practicable; and
(b) notify any processor holding the data.
(2) Any processor who receives a notification under subsection (1)(b)
shall, as soon as is reasonably practicable, destroy the data specified by
the controller.
28. Lawful processing
(1) No person shall process personal data unless –
(a) the data subject consents to the processing for one or
more specified purposes;
(b) the processing is necessary –
(i) for the performance of a contract to which the
data subject is a party or in order to take steps
at the request of the data subject before entering
into a contract;
(ii) for compliance with any legal obligation to
which the controller is subject;
(iii) in order to protect the vital interests of the data
subject or another person;
(iv) for the performance of a task carried out in
the public interest or in the exercise of official
authority vested in the controller;
(v) the performance of any task carried out by a
public authority;