Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights

Article 8 of the EU Charter of Fundamental Rights states:

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

This means that every individual is entitled to have their personal information protected, used in a fair and legal way, and made available to them when they ask for a copy. If an individual feels that their personal information is wrong, they are entitled to ask for that information to be corrected.

The eight categories below will give you more detailed information your individual rights under data protection and how to exercise those rights for yourself.

You have the right to request a copy of the personal data that we hold about you. There are exceptions to this right, so that access may be denied if, for example, making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information. You are entitled to see the personal data held about you. If you wish to do this, please contact us using the contact details provided.

You have the right to obtain the following from the data controller:

  1. Confirmation of whether or not personal data concerning you is being processed
  2. Where personal data concerning you is being processed, a copy of your personal information
  3. Where personal data concerning you is being processed, other additional information as follows:
  1. Purpose(s) of the processing
  2. Categories of personal data
  3. Any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organisations and information about appropriate safeguards
  4. The retention period or, if that is not possible, the criteria used to determine the retention period
  5. The existence of the following rights: 
    • Right to rectification
    • Right to erasure
    • Right to restrict processing
    • Right to object
    • and information on how to request these from the controller.
  6. The right to raise a concern with a supervisory authority (in Ireland this is the Data Protection Commission)
  7. Where personal data is not collected from the data subject, any available information as to their source
  8. The existence of automated decision making, including profiling and meaningful information about how decisions are made, the significance and the consequences of processing.

The GDPR states that the right to obtain a copy of your personal data must not adversely affect the rights and freedoms of others. This means that the right cannot be used to access the personal data of other persons, i.e. third parties.

There are also a number of other restrictions to the right of access, provided for by section 60 of the Data Protection Act 2018.

How can I make a request under the Right to Access my personal data? 

Please see the How to make a Subject Access Request page for the procedure to make a Subject Access Request.

When making a request, please be as specific as possible in relation to the personal data you wish to access. You may be asked to provide evidence of your identity. This is to make sure that personal information is not given to the wrong person.

Can the data controller charge a fee to provide a copy of the information? 

No, the data controller must provide a copy of the information for free. However, if any further copies are requested by the data subject, or if the request is manifestly unfounded or excessive, the controller may charge a reasonable fee based on the administration costs.

Any processing of personal data should be lawful, fair, and transparent. It should be clear and transparent to individuals that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The right to be informed, under Articles 13 and 14 of the GDPR, is a key part of the Courts Service obligation to be transparent.

The principle of transparency requires that any information or communication relating to the processing of personal data is easily accessible and easy to understand, and that clear and plain language be used. Any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Individuals should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data

If your personal data is inaccurate, you have the right to have the data rectified, by the controller, without undue delay.

If your personal data is incomplete, you have the right to have data completed, including by means of providing supplementary information.

The right of rectification is restricted in certain circumstances under Section 60 of the Data Protection Act 2018, which provides for restrictions that are necessary for important objectives of public interest, and by Section 43 of the Act which seeks to balance the right of rectification with the right of freedom of expression and information. More information about the restriction of individual rights can be found here.

You have the right to erase your personal data when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data have been unlawfully processed. This is also known as the ‘right to be forgotten’.

You have the right to have your data erased, without undue delay, by the data controller, if one of the following grounds applies:

  1. Where your personal data are no longer necessary in relation to the purpose for which it was collected or processed
  2. Where you withdraw your consent to the processing and there is no other lawful basis for processing the data
  3. Where you object to the processing and there is no overriding legitimate grounds for continuing the processing (see point 6 below)
  4. Where you object to the processing and your personal data are being processed for direct marketing purposes (see point 6 below)
  5. Where your personal data have been unlawfully processed
  6. Where your personal data have to be erased in order to comply with a legal obligation
  7. Where your personal data have been collected in relation to the offer of information society services (e.g. social media) to a child

What happens when the data controller made your personal data public and is obliged to erase the data?

Where the data controller has made your personal data public and, on the basis of one of the above grounds, is obliged to erase the data:

  • The data controller must communicate any rectification or erasure of your personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort.
  • If you request information on recipients of your personal data, the data controller must inform you about the recipients.
  • The data controller shall take reasonable steps to inform other controllers who are processing your personal data that you have requested the erasure by them of any links to, or copies of, your data. (Reasonable steps means taking account of available technology and the cost of implementation including technical measures.) 

Are there circumstances in which the right to be forgotten will not apply?

Yes, the GDPR states that the right to be forgotten will not apply where processing is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation, the performance of a task carried out in the public interest or in the exercise of official authority
  • Reasons of public interest in the area of public health (See Article 9(2)(h) & (i) and Article 9(3), GDPR)
  • Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • Establishment, exercise or defence of legal claims.

The right of erasure is also restricted in certain circumstances under Section 60 of the Data Protection Act 2018, which provides for restrictions that are necessary for important objectives of public interest, and by Section 43 of the Act which seeks to balance the right of erasure with the right of freedom of expression and information. More information about the restriction of individual rights can be found here

 

In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing without hindrance. This is referred to as the right to data portability.

When does the right to data portability arise?

This right only applies where processing of personal data (supplied by the data subject) is carried out by automated means, and where you have either consented to processing, or where processing is conducted on the basis of a contract between you and the data controller.

This right only applies to the extent that it does not affect the rights and freedoms of others.

When this right applies, how must data controllers provide and transmit data?

Where this right applies, data controllers must provide and transmit personal data in structured, commonly used and machine readable form. Data is structured and machine readable if it can be easily processed by a computer.

Under this right, you can ask a data controller to transmit your data to another data controller, if such transmission is technically feasible.

You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.

Automated processing includes profiling.

In respect of personal data, when is automated processing permitted?

Automated processing is permitted only with your express consent, when necessary for the performance of a contract or when authorised by Union or Member State law. Where one of these exceptions applies, suitable measures must be in place to safeguard your rights, freedoms and legitimate interests. This may include the right to obtain human intervention on the controller’s part, the right to present your point of view and the right to challenge the decision. 

In respect of special category personal data (‘sensitive’), when is automated processing permitted? 

Where automated processing relates to the special categories of personal data (outlined in the key definitions above), processing is only lawful where you have given your express consent to the processing, or where it is necessary for reasons of substantial public interest. 

In certain circumstances, you also have the right to object to processing of your personal data and to ask us to block, erase and restrict your personal data. If you would like us to stop using your personal data, please contact us by emailing us at the contact details provided. 

When do you have a right to object? 

You have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks:

  • in the public interest,
  • under official authority,
  • or in the legitimate interests of others.

You have a stronger right to object to processing of your personal data where the processing relates to direct marketing. Where a data controller is using your personal data for the purpose of marketing something directly to you, or profiling you for direct marketing purposes, you can object at any time, and the data controller must stop processing as soon as they receive your objection.

You may also object to processing of your personal data for research purposes, unless the processing is necessary for the performance of a task carried out in the public interest.

How do you object to processing? 

In order to object to processing, you must contact the data controller and state the grounds for your objection. These grounds must relate to your particular situation. Where you have made a valid objection, the data controller must cease processing your personal data, unless the data controller can provide compelling legitimate reasons to continue processing your data. Data controllers can also lawfully continue to process your personal data if it is necessary for certain types of legal claims. 

What obligations do data controllers have in relation to this right? 

Where the right to object applies, data controllers are obliged to notify you of this at the time of their first communication with you. Where processing is carried out online, data controllers must offer an online method to object.

Your rights in relation to automated decision making, including profiling (Article 22 of the GDPR)

You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.

Automated processing includes profiling. 

In respect of personal data, when is automated processing permitted? 

Automated processing is permitted only with your express consent, when necessary for the performance of a contract or when authorised by Union or Member State law. Where one of these exceptions applies, suitable measures must be in place to safeguard your rights, freedoms and legitimate interests. This may include the right to obtain human intervention on the controller’s part, the right to present your point of view and the right to challenge the decision.

In respect of special category personal data (‘sensitive’), when is automated processing permitted? 

Where automated processing relates to the special categories of personal data (outlined in the key definitions above), processing is only lawful where you have given your express consent to the processing, or where it is necessary for reasons of substantial public interest.

You have a limited right of restriction of processing of your personal data by a data controller. Where processing of your data is restricted, it can be stored by the data controller, but most other processing actions, such as deletion, will require your permission.

How does this right apply? 

This right applies in four ways. The first two types of restriction of processing apply where you have objected to processing of your data under Article 21, or where you have contested the accuracy of your data. In these cases, the restriction applies until the data controller has determined the accuracy of the data, or the outcome of your objection.

The third situation in which you can request restriction relates to processing which is unlawful. In these cases, if you do not want the data controller to delete your information, you can request restriction of the personal data instead.

The fourth type of restriction of processing applies where you require data for the purpose of a legal claim. In this case, you can request restriction even where the data controller no longer needs the data. 

When you have obtained restriction of processing, what obligations does the data controller have? 

Where you have obtained restriction of processing of your data, the data controller must inform you before lifting the restriction.

Contact Us

Contact Us

Please see the Contact Us page for further contact details if you have any queries in relation to the above.