Data subjects’ rights according to British data protection law

The British Data Protection Act (DPA) 1998 (ENG) contains 8 data protection principles in Schedule 1.

In accordance with the sixth principle, personal data must be processed in agreement with the data subject’s rights. These are governed in Part II, Articles 7-15 of the DPA:

  • the right to accessing a copy of the registered personal data (right to information);
  • the right to objection in the event of illegal processing;
  • the right to objection against direct advertising;
  • the right in the case of automated individual decisions;
  • the right to correct inaccurate data;
  • a right to compensation claims in the event of the data protection claims being breached.

Information obligation

The DPA does not contain any specific provisions, which list which information is to be made available.

In accordance with the first principle, processing the personal data vis-à-vis data subjects must take place fairly and lawfully. This is only possible if the data subject receives certain information. The Information Commissioner’s Office (ICO), www.ico.org.uk recommends that companies compile a declaration on data protection, which contains at least the following information:

  • Identity and contact details of the data controller;
  • Purpose of the data processing;
  • all other information, which is necessary for the data subject to be able to exercise his/her rights as part of the data being processed, i.e. information of the data’s recipients, on the right to information on the data and the right to it being corrected.

The ICO has drawn up a Code of Practice, which explains how a declaration on data protection can be compiled:

The data collector is exempt from the information requirement if the data subject already has the information and

  • if processing the data is provided for by law or
  • if informing is not possible or if it requires an unreasonable expense.

Right to information (Article 7)

The right to information gives the data subject the right to receive information about his/her personal data, but not about other people (unless this is done on behalf of another person). The right to information shall only apply to processing personal data and not to other information.

In accordance with Article 7(1), a data subject has the right:

  • to receive confirmation from the data controller that his/her data are being processed,
  • to receive a description of the categories of the data in question,
  • the purpose of the processing,
  • recipients or the categories of recipient that the data is forwarded to,

Furthermore, the data subject must receive the notification in an understandable form on the data, which is the subject of processing, as well as the available information on the origin of the data.

In accordance with Article 7(2), the data collector must only follow up an information inquiry under para. 1, if this has been issued in writing and the required fee (max £10) has been paid.

The DPA does not contain any restrictions in terms of the scope of number of inquiries that a data subject can make. Nevertheless, the data collector is assured a certain amount of discretion when handling inquiries. A responsible body is therefore not obliged to process identical or similar inquiries as long as they have already been dealt with, unless there is a reasonable period between the inquiries.

Exceptions to the right to information

The DPA contains several exceptions to the right to information. In summary, it is possible to say that these obligations do not apply if

  • providing information is not possible or if it requires an unreasonable expense,
  • it has been explicitly prescribed in a law,
  • a ruling or
  • in a decision, which is granted as part of a ruling,

that the information may not be passed on to the data subject.

Examples are processing personal data as part of the criminal legal system and taxation.

Right to objection (Article 10)

A person has a right to object to the processing if this causes unwarranted and substantial damage or distress. In this case, the data subject has the right to forbid processing.

To be able to take advantage of this right, the following conditions must be met:

  • the objection can only be directed to processing one’s own personal data,
  • processing the personal data must cause inappropriate and significant damages and impairments,
  • the objection must be justified.

A data subject cannot make use of this right, if:

  • he/she has agreed to the processing.
  • the processing is required for complying with the contract, which the data subject is party to or for carrying out pre-contractual measures, which occur at the request of the data subject;
  • processing is necessary for meeting a legal obligation, which the data collector is subject to
  • the transfer is necessary for the protection of the data subject’s vital interests.

In the event of the objection being justified, the processing carried out by the data controller may no longer relate to this data.

The ICO provides instructions as to what can be understood under inappropriate and substantial damages or distress:

  • “substantial damages” g. a financial loss or physical damage;
  • “substantial distress”: e.g. physical, mental and emotional suffering and pain brought about by immoral processing.

Right to object to direct advertising (Article 11)

A data subject shall, at any time, have the right to object to personal data for direct advertising purposes to be processed. As soon as a company receives a corresponding notification, this must be pursued.

Right in the case of automated individual decisions (Article 12)

The data subject is given certain rights for the automated processing of data for the purpose of assessing individual aspects of his/her person, such as professional capacity, creditworthiness, reliability or conduct. Subsequently, the data subject has the right:

  • to forbid processing of this nature in writing,
  • to receive information about processing of this nature (even if no objection has been raised to processing),

Right to entitlement (Article 14)

In accordance with the 4th principle, personal data must be accurate and, if necessary, updated (accurate data). In the event of inaccurate data, the data subject has the right to request for the competent court to order the correction, deletion or freezing of data.

Should damages arise on the part of someone as result of inaccurate data, the data subject may be able to bring damages.

Right to compensation

If material or non-material damage is caused to the data subject, he is entitled to compensation. This right can only be carried out before a court.

Guide

The ICO has published a guide, which describes the rights of data subjects in detail:

Guide to data protection