Data Subjects, i.e. living individuals, have many rights under the data protection acts. The table below summarises these rights along with the relevant data controller obligations. This is a quick reference guide. Further details can be found on PrivacyEngine.

Data Subject’s Right | Controller Obligation | Conditions | Right of Appeal |
--- | --- | --- | --- |
Confirmation of Processing | Controller must confirm details of any processing within 21 days, including source, purpose and other relevant information | Response in writing | Data Subject needs to provide proof of processing if Controller denies having data |
Data Subject’s Right of Access | Controller must respond as soon as possible, but within 40 calendar days (60 for uncorrected exam results). Several exemptions are available | Request must be in writing, maximum fee of €6.35, Data Subject must provide verifiable identification | Appeal to DP Commissioner if deadline is not met, or response is considered inadequate |
Prevention of Processing causing damage or distress | Must provide a response in writing within 20 days | Controller may decline where they feel processing is in public interest, fulfils a lawful function, etc. | If Controller does not comply, Data Subject can complain to the Commissioner; Compensation only available via civil courts |
Automated Decision Making | Controller must explain decision-making mechanism within 21 calendar days of receipt of request | Can’t be used solely for evaluating reliability, creditworthiness, performance at work, etc. | Data Subject can challenge the decision further in court |
Opt out from Direct Marketing | Controller must respond within 40 days to confirm compliance | Option to opt out must be free, clearly offered, easy to use, and unambiguous | If direct marketing continues, Data Subject can complain to the Commissioner |
Rectification, Erasure or Blocking | Controller must confirm correction of data within 40 days of receipt of correct data | Data Subject must identify error, provide proof of correct information | Controller must notify Processors with whom data was shared in past 12 months – they must also make the changes |
Assistance from Office of the DP Commissioner | On receipt of a valid request, Commissioner’s Office will investigate circumstances. Allow up to 15 working days for initial response | Data Subject must provide identification and evidence of processing, as well as any relevant details | Controller may appeal against findings of the Commissioner within 21 days of any formal Notice being issued |
Compensation | Entitled to compensation for damage or distress if proven; Difficult to prove actual causality | Controller is exempt if not directly responsible for distress caused | No guideline in DP legislation on the amount payable; Controller can appeal against any award |