| |
Right to prevent processing for purposes of direct marketing. |
11. - (1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject. |
|
(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the requirement, the court may order him to take such steps for complying with the requirement as the court thinks fit. |
|
(3) In this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. |
Rights in relation to automated decision-taking. |
12. - (1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct. |
|
(2) Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)- |
|
(a) the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and |
|
(b) the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis. |
|
(3) The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) ("the data subject notice") give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice. |
|
(4) A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision. |
|
(5) In subsection (4) "exempt decision" means any decision- |
|
(a) in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or |
|
(b) which is made in such other circumstances as may be prescribed by the Secretary of State by order. |
|
(6) The condition in this subsection is that the decision- |
|
(a) is taken in the course of steps taken- |
|
(i) for the purpose of considering whether to enter into a contract with the data subject,
|
|
(ii) with a view to entering into such a contract, or
|
|
(iii) in the course of performing such a contract, or
|
|
(b) is authorised or required by or under any enactment. |
|
(7) The condition in this subsection is that either- |
|
(a) the effect of the decision is to grant a request of the data subject, or |
|
(b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations). |
|
(8) If a court is satisfied on the application of a data subject that a person taking a decision in respect of him ("the responsible person") has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision otherwise than on the basis referred to in subsection (1). |
|
(9) An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person. |
Compensation for failure to comply with certain requirements. |
13. - (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage. |
|
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if- |
|
(a) the individual also suffers damage by reason of the contravention, or |
|
(b) the contravention relates to the processing of personal data for the special purposes. |
|
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. |
Rectification, blocking, erasure and destruction. |
14. - (1) If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data. |
|
(2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then- |
|
(a) if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and |
|
(b) if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a). |
|
(3) Where the court- |
|
(a) makes an order under subsection (1), or |
|
(b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate, |
|
it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction. |
|
(4) If a court is satisfied on the application of a data subject- |
|
(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and |
|
(b) that there is a substantial risk of further failure in respect of those data in such circumstances, |
|
the court may order the erasure, destruction or blocking of any of those data. |
|
(5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the erasure, destruction or blocking. |
|
(6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified. |
Jurisdiction and procedure. |
15. - (1) The jurisdiction conferred by sections 7 to 14 is exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff. |
|
(2) For the purpose of determining any question whether an applicant under subsection (9) of section 7 is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise. |