25
2019
Data Protection
No.
(b) is authorised to do so under any written law and
the data subject has been informed of such use
when collecting the data from the data subject.
(2) A data controller or data processor that uses
personal data for commercial purposes shall, where
possible, anonymise the data in such a manner as to ensure
that the data subject is no longer identifiable.
(3) The Cabinet Secretary, in consultation with the
Data Commissioner, may prescribe practice guidelines for
commercial use of personal data in accordance with this
Act.
38. (1) A data subject has the right to receive personal
data concerning them in a structured, commonly used and
machine-readable format.
(2) A data subject has the right to transmit the data
obtained under sub-section (1), to another data controller or
data processor without any hindrance.
(3) Where technically possible, the data subject shall
have the right to have the personal data transmitted directly
from one data controller or processor to another.
(4) Where data controller or data processor declines to
comply with a request under sub-section (3), the Data
Commissioner may make a determination on the technical
capacity of the data controller or data processor.
(5) The right under this section shall not apply in
circumstances where—
(a) processing may be necessary for the performance
of a task carried out in the public interest or in the
exercise of an official authority; or
(b) it may adversely affect the rights and freedoms of
others.
(6) A data controller or data processor shall comply
with data portability requests, at reasonable cost and within
a period of thirty days.
(7) Where the portability request is complex or
numerous, the period under sub-section (6) may be
extended for a further period as may be determined in
consultation with the Data Commissioner.
Right to data
portability.
!