
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data can be processed when the data subject has consented to the processing or when the processing is necessary in order to:

  • perform according to a contract with the data subject or to perform measures that the data subject requested to be implemented before a contract is made;
  • satisfy a legal obligation by the controller;
  • perform according to the vital interests of the data subject;
  • perform a work task in the public interest or in conjunction with the exercise of official authority; or
  • satisfy a purpose that concerns a justified interest for the controller, provided that this interest outweighs the data subject’s interest in protection against violation of personal integrity.

Personal data can also be processed if it is part of unstructured material or is for personal use.

The exception for unstructured material will not apply after the EU General Data Protection Regulation enters into force on May 25 2018.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

A basic requirement under the Data Protection Act is that personal data should not be retained for a longer period than is necessary for the purpose of processing.

If other legislation includes provisions on the preservation of personal data (eg, healthcare legislation), that legislation takes precedence over the Data Protection Act.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, under the Data Protection Act individuals can apply for a register extract from the controller. The controller must inform the data subject whether it processes personal data and, if so:

  • what data is processed;
  • where the data is retrieved; and
  • the purpose of the processing.

Do individuals have a right to request deletion of their data?

At present, individuals have no such right. However, an individual may demand that his or her data is corrected, blocked or deleted if the processing has no legal grounds.

After the EU General Data Protection Regulation enters into force, data subjects will have the right to be forgotten. This implies that the controller must delete all personal data about a data subject. However, the right to be forgotten is not an absolute right.

Consent obligations

Is consent required before processing personal data?

Generally, yes. However, there are other legal grounds for the processing of personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

Personal data can be processed when it is necessary in order to:

  • perform according to a contract with the data subject or to perform measures that the data subject requested to be implemented before a contract is made;
  • satisfy a legal obligation by the controller;
  • perform according to the vital interests of the data subject;
  • perform a work task in the public interest or in conjunction with the exercise of official authority; or
  • satisfy a purpose that concerns a justified interest for the controller, provided that this interest outweighs the data subject’s interest in protection against violation of personal integrity.

Personal data can also be processed if it is part of unstructured material or is for personal use. The exception for unstructured material will not apply after May 25 2018.

What information must be provided to individuals when personal data is collected?

The data subject must obtain clear and comprehensible information about the purposes of the processing, the controller’s contact information and other relevant information that the data subject should know about.

After May 25 2018 the information provided will need to be complete, comprehensible and accessible, provide the necessary transparency and include the identity of the controller and the legal grounds and purpose of the processing. Other requirements will depend on the legal ground that the controller uses.
