s.12Rights in relation to automated decision-making
12
Section 12Part 2RIGHTS AND RESPONSIBILITIES OF DATA SUBJECTS AND OTHERS

Rights in relation to automated decision-making

←→ Navigate  ·  Click subsection badges to collapse  ·  Press ? for help

A data subject is entitled at any time, by notice in writing to a data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller that significantly affects the data subject is based solely on the processing by automatic means of the data subject’s personal data for the purpose of evaluating the data subject’s performance at work, creditworthiness, reliability, conduct or any other matters relating to the data subject.
If no notice has been given under subsection (1) and a decision that significantly affects a data subject is based solely on processing specified in that subsection —
the data controller shall as soon as reasonably practicable notify the data subject that the decision was taken on that basis; and
the data subject is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing, to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.
The data controller shall, within twenty-one days of receiving a notice under subsection (2)(b), give the data subject a written notice specifying the steps that the data controller intends to take to comply with the notice.
A notice under subsection (1) does not have effect in relation to, and nothing in subsection (2) applies to, a decision —
in respect of which one condition in each of subsections (5) and (6) is satisfied; or
that is made in such other circumstances as may be prescribed by regulations.
The first condition is that the decision —
is taken in the course of steps taken —
for the purpose of considering whether to enter into a contract with the data subject;
with a view to entering into such a contract; or
in the course of performing such a contract; or
is authorized or required by or under any enactment.
The second condition is that —
the effect of the decision is to grant a request of the data subject; or
steps have been taken to safeguard the legitimate interests of the data subject including by allowing the data subject to make representations.
If the Commissioner is satisfied on the application of a data subject that a person taking a decision in respect of the data subject has failed to comply with a notice under subsection (1) or (2)(b), the Commissioner may, among other things, issue an enforcement order directing the data controller to reconsider the decision where that decision is not based solely on the processing mentioned in subsection (1).

Cross References