Acts 2017
PART VII – RIGHTS OF DATA SUBJECTS
37. Right of access
(1) (a) Every controller shall, on the written request of a data
subject provide, at reasonable intervals, without excessive delay and,
subject to subsection (7), free of charge, confirmation as to whether or not
personal data relating to the data subject are being processed and forward
to him a copy of the data.
(b) Where a controller has a reasonable doubt concerning
the identity of a person making a request under paragraph (a), he or it may
request the provision of additional information to confirm the identity of
the data subject.
(2) Where personal data are being processed, the controller shall
provide to the data subject information relating to –
(a) the purpose of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the data have been or will be disclosed;
(d) the period for which the data will be stored or, if this is not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to the processing of the data;
(f) the right to lodge a complaint with the Commissioner;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject; and