Rectification, erasure or restriction of processing (Section 39)
At a glance:
· Personal data can be rectified if it is inaccurate or incomplete.
· The right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
· Individuals have a right to ‘block’ or suppress processing of personal data.
When should personal data be rectified, erased and restricted?
· Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
· If the controllers have disclosed the personal data in question to third parties, then they must inform them of the rectification where possible.
· Controller must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
· the data are no longerneeded for their originalpurpose (and no new lawful purpose exists);
· the lawful basis for theprocessing is the datasubject's consent, the data subject withdraws that consent, and no other lawful ground exists;
· the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing;
· the data have been processed unlawfully.
Data subjects have the right to restrict the processing of personal data where:
· theaccuracy of the data is contested (and only for as long as it takes to verify that accuracy);
· the controller no longer needs the data for their original purpose, but the individual requires the data to establish, exercise or defend a legal claim.
· the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or
· an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the controller is considering whether the organisation’s legitimate grounds override those of the individual.
When should the controller not comply to the request for rectification and erasure?
· For reasons of public interest in the field of public health;
· For the purpose of historical, statistical or scientific research;
· For compliance with a legal obligation to process the personal data to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
For the establishment, exercise or defence of a legal claim.