Rights of Data Subjects

  • Not to receive request. A person can request not to receive direct marketing communications from an organisation that uses or discloses personal information about the individual for the purpose of direct marketing. Likewise, the person can request an organisation that uses or disclose personal information for the purpose of facilitating direct marketing by other organisations, not to use or disclose the information for that purpose. In any case, the person may request the organisation to provide its source of the information.

The person has the right not to be charged for the making of, or to give effect to, the aforementioned requests. The organisation must give effect to the request within a reasonable period after the request is made.  If the request is about the source of the information the organisation must, within a reasonable period after the request is made, notify the data subject of its source unless it is impracticable or unreasonable to do so.

  • Access to information. An entity that holds personal information about an individual must give the individual access to the information at his/her request.

The organisation must respond to the request for access to the personal information within a reasonable period after the request is made, and give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

Refusal:

  • If the organisation refuses to give access to the personal information on the grounds of the legal exception to access, the organisation must take such steps as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual. The entity must give the individual a written notice that sets out: the reasons for the refusal (unless it is unreasonable to do so); the mechanisms available to complain about the refusal; and any other matter prescribed by the regulations.
  • If the organisation refuses to give access in the manner requested by the individual, the entity must give the individual a written notice as mentioned above.
  • If the organisation refuses on the grounds that giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision‑making process, the reasons for the refusal may include an explanation for the commercially sensitive decision.

 

If the organisation charges the individual for giving access to the personal information, the charge must not be excessive and must not apply to the making of the request.

  • Correction of personal information. An organisation must correct the information when it considers it is inaccurate, out-of-date, incomplete, irrelevant or misleading; or at the request of the individual.

 

The organisation must also, at the request of the individual, notify of the correction (unless is impracticable or unlawful to do so) to another organisation to which the information has been previously disclosed.

If the organisation refuses to correct the personal information as requested by the individual, the first must give to the latter a written notice that sets out the reasons for the refusal (unless it would be unreasonable to do so), the mechanisms available to complain about the refusal, and any other matter prescribed by the regulations; and, if requested by the individual, to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

The organisation must respond to the request of correction or the request to associate a statement within a reasonable period after the request is made, and must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information.

  • Anonymity/pseudonymity. Individuals have the right not to identify themselves or to use pseudonyms unless this prevents an organisation to deal with them in that way.