!
30
Data Protection
No.
2019
processor has implemented appropriate security safeguards
which may include encryption of affected personal data.
(7) Where and to the extent that it is not possible to
provide all the information mentioned in subsection (5) at
the same time, the information may be provided in phases
without undue delay.
(8) The data controller shall record the following
information in relation to a personal data breach—
(a) the facts relating to the breach;
(b) its effects; and
(c) the remedial action taken.
PART V— GROUNDS FOR PROCESSING OF
SENSITIVE PERSONAL DATA
44. No category of sensitive personal data shall be
processed unless section 25 applies to that processing.
Processing of
sensitive personal
data.
45. Without prejudice to section 44, sensitive personal
data of a data subject may be processed where—
Permitted grounds
for processing
sensitive personal
data.
(a) the processing is carried out in the course of
legitimate activities with appropriate safeguards by
a foundation, association or any other not-forprofit body with a political, philosophical,
religious or trade union aim and on condition
that—
(i) the processing relates solely to the members of
the body or to persons who have regular
contact with it in connection with its purposes;
and
(ii) the personal data is not disclosed outside that
body without the consent of the data subject;
(b) the processing relates to personal data which is
manifestly made public by the data subject; or
(c) processing is necessary for—
(i) the establishment, exercise or defence of a
legal claim;
(ii) the purpose of carrying out the obligations
and exercising specific rights of the controller
or of the data subject; or