Rights of the Data Subject
The right to information

  The Personal Data Protection Act provides that one of the rights of data subjects is the right to information.

The obligation to provide information

  Data controllers must discharge their legal obligations to ensure that their data subjects’ right to information is properly exercised, regardless of whether they collect personal data directly from data subjects or indirectly through a third party. They must provide the following information unless the data subjects are already aware of it:

  1. Basic information
    1. The name of the data controller;
    2. The purposes of personal data processing (such as market research, recruitment, maintaining customer relations, etc.);
  2. Other information
    1. The name or type of the recipient if the personal data to be collected will be transferred to another institution;
    2. Where questionnaires or investigations are involved, indicate whether replies of the data subjects are obligatory and the consequences of making no response (e.g., an interviewee may refuse to provide his or her personal data to a company conducting market research);
    3. The data subjects’ right of access and right to rectify, as well as the conditions of exercising such rights (e.g., data subjects must fill out certain forms and pay certain fees, etc.).

Other points to note

  Apart from providing the above information, the data controller should pay attention to the following:

  1. Where documents are used for collecting personal data, such as job application forms, new staff registration forms, customer data registration forms, etc., the documents used should contain the above-mentioned information.
  2. Where personal data are collected via the Internet, data subjects must be reminded of the risks of sending their data via the Internet, as doing so may expose their data to unauthorised access or abuse.

Advisory of the Office

  This Office advises that data controllers should prepare their Personal Data Collection Statements. Doing so will help them better discharge their obligations and ensure the interests of the parties concerned. For samples of Personal Data Collection Statements, please visit the Office’s website.

(Note: For specific provisions of the law, please refer to Article 10 of the Personal Data Protection Act.)


The right of access and right to rectify

  The Personal Data Protection Act provides that data subjects are entitled to the right of access and right to rectify.

The right of access

  Data subjects have the right to seek the following information from the data controller within a reasonable timeframe, without excessive expense:

  1. Whether their personal data have been processed;
  2. The purposes for which their data are processed;
  3. What specific personal data are processed;
  4. Who or which institution will receive the data;
  5. Where the data controller obtains the data;
  6. Why the data are processed with computers.

The right to rectify

  Data subjects may demand that their data pending processing be corrected, deleted or blocked, including any incomplete or inaccurate data therein.

Other points to note

  The Personal Data Protection Act requires competent authorities or persons to review certain types of data:

  | Types of data | Who should exercise the right to review |
  | --- | --- |
  | Data relating to security, crime prevention or crime detection | Competent authorities for the circumstance |
  | Data processed specifically for journalistic purposes or the purposes of artistic or literary expression | The Office for Personal Data Protection |
  | Health data (including genetic data) | Medical professionals appointed by the data subjects |

(Note: For specific provisions of the law, please refer to Article 11 of the Personal Data Protection Act.)


The right to object

  The Personal Data Protection Act provides that data subjects have the right to object.

In general

  Data subjects have the right to object to the processing of their personal data at any time; once they have objected, the processing entity may not continue processing their data, provided the following conditions are satisfied:

  1. Where the laws do not provide to the contrary;
  2. Where the reasons for objection are
    1. related to the data subjects’ particular situation;
    2. legitimate;
    3. significant;
  3. Where the reasons for objection are justified.

Direct marketing and other types of commercial research

  1. Where personal data are processed for direct marketing or other forms of commercial research, the data subjects have the right to object to the data processing, without incurring any charge;
  2. Where personal data are disclosed to a third party for direct marketing or in the interest of the third party, the data subjects have the right to
    1. demand notification by the data controller before it discloses the data to the third party;
    2. explicitly object to the controller’s processing their personal data, without incurring any charge.

(Note: For specific provisions of the law, please refer to Article 12 of the Personal Data Protection Act.)


The right to indemnification

  The Personal Data Protection Act provides that data subjects have the right to indemnification. In other words, they have the right to demand compensation from the institutions that illegally process their personal data and thus cause damages to them.

Conditions of indemnification:

  1. The institution concerned has in fact committed illegal personal data processing or breached regulations of personal data protection;
  2. The data subjects have sustained damages because of the illegal data processing.

Burden of proof:

  Where the suspect institution intends to shed its liabilities partially or completely, it must prove that its data processing was not the cause of the damages.

Approaches:

  Data subjects may raise their claims directly with the institution, or by bringing a lawsuit in court.

(Note: For specific provisions of the law, please refer to Article 14 of the Personal Data Protection Act.)
