PART 3Law enforcement processing
CHAPTER 3Rights of the data subject
Information: controller's general duties
44Information: controller's general duties
1
The controller must make available to data subjects the following information (whether by making the information generally available to the public or in any other way)—
a
the identity and the contact details of the controller;
b
where applicable, the contact details of the data protection officer (see sections 69 to 71);
c
the purposes for which the controller processes personal data;
d
the existence of the rights of data subjects to request from the controller—
i
access to personal data (see section 45),
ii
rectification of personal data (see section 46), and
iii
erasure of personal data or the restriction of its processing (see section 47);
e
the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner.
2
The controller must also, in specific cases for the purpose of enabling the exercise of a data subject's rights under this Part, give the data subject the following—
a
information about the legal basis for the processing;
b
information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
c
where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations);
d
such further information as is necessary to enable the exercise of the data subject's rights under this Part.
3
An example of where further information may be necessary as mentioned in subsection (2)(d) is where the personal data being processed was collected without the knowledge of the data subject.
4
The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (2) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
a
avoid obstructing an official or legal inquiry, investigation or procedure;
b
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
c
protect public security;
d
protect national security;
e
protect the rights and freedoms of others.
5
Where the provision of information to a data subject under subsection (2) is restricted, wholly or partly, the controller must inform the data subject in writing without undue delay—
a
that the provision of information has been restricted,
b
of the reasons for the restriction,
c
of the data subject's right to make a request to the Commissioner under section 51,
d
of the data subject's right to lodge a complaint with the Commissioner, and
e
of the data subject's right to apply to a court under section 167.
6
Subsection (5)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.
7
The controller must—
a
record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (2), and
b
if requested to do so by the Commissioner, make the record available to the Commissioner.