151Enforcement notices: rectification and erasure of personal data etcU.K.
(1)Subsections (2) and (3) apply where an enforcement notice is given in respect of a failure by a controller or processor—
(a)to comply with a data protection principle relating to accuracy, or
(b)to comply with a data subject's request to exercise rights under Article 16, 17 or 18 of the [F1UK GDPR] (right to rectification, erasure or restriction on processing) or section 46, 47 or 100 of this Act.
(2)If the enforcement notice requires the controller or processor to rectify or erase inaccurate personal data, it may also require the controller or processor to rectify or erase any other data which—
(a)is held by the controller or processor, and
(b)contains an expression of opinion which appears to the Commissioner to be based on the inaccurate personal data.
(3)Where a controller or processor has accurately recorded personal data provided by the data subject or a third party but the data is inaccurate, the enforcement notice may require the controller or processor—
(a)to take steps specified in the notice to ensure the accuracy of the data,
(b)if relevant, to secure that the data indicates the data subject's view that the data is inaccurate, and
(c)to supplement the data with a statement of the true facts relating to the matters dealt with by the data that is approved by the Commissioner,
(as well as imposing requirements under subsection (2)).
(4)When deciding what steps it is reasonable to specify under subsection (3)(a), the Commissioner must have regard to the purpose for which the data was obtained and further processed.
(5)Subsections (6) and (7) apply where—
(a)an enforcement notice requires a controller or processor to rectify or erase personal data, or
(b)the Commissioner is satisfied that the processing of personal data which has been rectified or erased by the controller or processor involved a failure described in subsection (1).
(6)An enforcement notice may, if reasonably practicable, require the controller or processor to notify third parties to whom the data has been disclosed of the rectification or erasure.
(7)In determining whether it is reasonably practicable to require such notification, the Commissioner must have regard, in particular, to the number of people who would have to be notified.
(8)In this section, “data protection principle relating to accuracy” means the principle in—
(a)Article 5(1)(d) of the [F2UK GDPR],
(b)section 38(1) of this Act, or
(c)section 89 of this Act.
Textual Amendments
F1Words in s. 151(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 62 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2Words in s. 151(8)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 62 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)