Section 8Part 2 — RIGHTS AND RESPONSIBILITIES OF DATA SUBJECTS AND OTHERS
Fundamental rights of access to personal data
←→ Navigate · Click subsection badges to collapse · Press ? for help
A person is entitled to be informed by a data controller whether the personal data of which the person is the data subject are being processed by or on behalf of that data controller, and, if that is the case, to be given by that data controller a description of —
the data subject’s personal data;
the purposes for which they are being or are to be processed by or on behalf of that data controller;
the recipients or classes of recipients to whom the data are or may be disclosed by or on behalf of that data controller;
any countries or territories outside the Islands to which the data controller, whether directly or indirectly, transfers, intends to transfer or wishes to transfer the data;
general measures to be taken for the purpose of complying with the seventh data protection principle; and
such other information as the Commissioner may require the data controller to provide.
A data subject is entitled to communication in an intelligible form, by the relevant data controller, of —
the data subject’s personal data; and
any information available to the relevant data controller as to the source of those personal data.
If the processing by automatic means of the data subject’s personal data for the purpose of evaluating matters relating to the data subject, including the data subject’s performance at work, creditworthiness, reliability or conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting the data subject, the data subject is entitled to be informed by the relevant data controller of the reasons for that decision.
A data controller shall not be obliged under subsection (1), (2) or (3) to supply any personal data unless the data controller has received —
a request in writing; and
the fee that the data controller may require, such fee, being within the limits prescribed by regulations.
If a data controller reasonably requires further information in order to be satisfied as to the identity of the data subject making the request or to locate the information that the data subject seeks, and has informed the data subject in writing of the requirement, the data controller is not obliged to comply with the request unless supplied with that information, during which period the time specified in subsection (6) shall automatically stand suspended.
A data controller shall comply with a request under this section within thirty days (or such other period as may be prescribed by regulations) of the date on which the data controller receives both the request and fee referred to in subsection (4), but where the data controller has requested further information under subsection (5), the period shall not resume until the information has been supplied.
If a data controller cannot comply with the request without disclosing personal data relating to another data subject who can be identified from that personal data, the data controller is not obliged to comply with the request unless —
the other data subject has consented to the disclosure of the personal data to the person making the request; or
it is reasonable in all the circumstances to comply with the request without the consent of the other data subject.
In subsection (7), the reference to personal data relating to another data subject includes a reference to personal data identifying that other data subject as the source of the personal data sought in the request.
Subsection (7) shall not be construed as excusing a data controller from communicating so much of the personal data sought in the request as can be communicated without disclosing the identity of the other data subject concerned, whether by the omission of names or other identifying particulars or otherwise.
In determining for the purposes of subsection (7)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other data subject concerned, the data controller shall have regard to, in particular —
any duty of confidentiality owed to the other data subject;
any steps taken by the data controller to seek the consent of the other data subject;
whether the other data subject is capable of giving consent; and
any express refusal of consent by the other data subject.
If the Commissioner is satisfied on the application of a data subject who has made a request under this section that a data controller has contravened this section in failing to comply with the request, the Commissioner shall issue an enforcement order under section 45 ordering the data controller to comply with the request.
If personal data are being processed by or on behalf of a data controller who receives a request under this section from the data subject, the obligation to supply the personal data under this section includes an obligation to give the data subject a statement of the data subject’s rights under this Law in such form, and to such extent, as may be prescribed by regulations.
Cross References
- Section 45 of Data Protection Law 2017
Reference to enforcement order under section 45 for non-compliance with access requests.
Referenced By
- Section 19 — Crime, government fees and duties
Reference to section 8
- Section 23 — Research, history or statistics
Reference to section 8
- Section 43 — Complaints
Reference to making a request under section 8