!
No.
26
Data Protection
39. (1) A data controller or data processor shall retain
personal data only as long as may be reasonably necessary
to satisfy the purpose for which it is processed unless the
retention is —
2019
Limitation to
retention of
personal data.
(a) required or authorised by law;
(b) reasonably necessary for a lawful purpose;
(c) authorised or consented by the data subject; or
(d) for historical, statistical, journalistic literature and
art or research purposes.
(2) A data controller or data processor shall delete,
erase, anonymise or pseudonymise personal data not
necessary to be retained under sub-section (1) in a manner
as may be specified at the expiry of the retention period.
40. (1) A data subject may request a data controller or
data processor —
(a) to rectify without undue delay personal data in its
possession or under its control that is inaccurate,
out-dated, incomplete or misleading; or
(b) to erase or destroy without undue delay personal
data that the data controller or data processor is no
longer authorised to retain, irrelevant, excessive or
obtained unlawfully.
(2) Where the data controller has shared the personal
data with a third party for processing purposes, the data
controller or data processor shall take all reasonable steps
to inform third parties processing such data, that the data
subject has requested—
(a) the rectification of such personal data in their
possession or under their control that is inaccurate,
out-dated, incomplete or misleading; or
(b) the erasure or destruction of such personal data
that the data controller is no longer authorised to
retain, irrelevant, excessive or obtained
unlawfully.
(3) Where a data controller or data processor is
required to rectify or erase personal data under sub-section
(1), but the personal data is required for the purposes of
evidence, the data controller or data processor shall, instead
Right of
rectification and
erasure.