the possession of the data subject who made the request.
Credit bureau as data controller
36. (1) Where the data controller is a credit bureau within the meaning
of the Credit Reporting Act, 2007 (Act 726) a request for information
by a data subject shall in addition to the requirements specified under the
Credit Reporting Act, be subject to this section.
(2) A data subject who makes a request for information from a
data controller may limit the request to personal data relevant to the data
subject’s
(a) financial standing,
(b) history for the period which precedes twelve months after
the date of the request,
and shall be considered to have limited the request of the data subject
unless the request shows a contrary intention.
(3) An individual shall not request information which is held beyond
the retention period specified in section 30 of the Credit Reporting Act, 2007 (Act
726) unless the credit bureau has provided the information to third parties
beyond the retention period.
(4) Where a data controller receives a request from a data subject under
this section, the obligation to supply information shall include an obligation to
provide the data subject with a statement in a form pro- vided by Regulations
which deal with the rights of a data subject
(a) under the Credit Reporting Act, 2007 (Act 726);
(b) to seek legal redress against a credit bureau set out under
the Credit Reporting Act, 2007 (Act 726); and
(c) to enable a credit bureau which acts as a data controller or processor
to acknowledge its obligations to comply with this Act.
Processing of special personal data
Processing of special personal data prohibited
37. (1) Unless otherwise provided by this Act, a person shall not process
personal data which relates to
(a) a child who is under parental control in accordance with the law,
or
(b) the religious or philosophical beliefs, ethnic origin, race, trade
union membership, political opinions, health, sexual life or
criminal behavior of an individual.
(2) A data controller may process special personal data in accor- dance
with this Act where
(a) processing is necessary, or
(b) the data subject consents to the processing.