(1) Where a data subject requests the rectification or erasure of personal data or the restriction of its processing, the controller must inform the data subject in writing—
(a) whether the request has been granted, and
(b) if it has been refused—
(i) of the reasons for the refusal,
(ii) of the data subject’s right to make a request to the Commissioner under section 51,
(iii) of the data subject’s right to lodge a complaint with the Commissioner, and
(iv) of the data subject’s right to apply to a court under section 167.
(2) The controller must comply with the duty under subsection (1)—
(a) without undue delay, and
(b) in any event, before the end of the applicable time period (see section 54).
(3) The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1)(b)(i) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
(a) avoid obstructing an official or legal inquiry, investigation or procedure;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
(4) Where the rights of a data subject under subsection (1) are restricted, wholly or partly, the controller must inform the data subject in writing without undue delay—
(a) that the rights of the data subject have been restricted,
(b) of the reasons for the restriction,
(c) of the data subject’s right to lodge a complaint with the Commissioner, and
(d) of the data subject’s right to apply to a court under section 167.
(5) Subsection (4)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
(6) The controller must—
(a) record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (1)(b)(i), and
(b) if requested to do so by the Commissioner, make the record available to the Commissioner.
(7) Where the controller rectifies personal data, it must notify the competent authority (if any) from which the inaccurate personal data originated.
(8) In subsection (7), the reference to a competent authority includes (in addition to a competent authority within the meaning of this Part) any person that is a competent authority for the purposes of the Law Enforcement Directive in a member State other than the United Kingdom.
(9) Where the controller rectifies, erases or restricts the processing of personal data which has been disclosed by the controller—
(a) the controller must notify the recipients, and
(b) the recipients must similarly rectify, erase or restrict the processing of the personal data (so far as they retain responsibility for it).
(10) Where processing is restricted in accordance with section 47(3), the controller must inform the data subject before lifting the restriction.