EC - WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

Opinion 6/2003
on the level of protection of personal data in the Isle of Man
WP 82

Adopted on 21.11.2003

THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH
REGARD TO THE PROCESSING OF PERSONAL DATA,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1], and in particular Article 29 and Article 30(1)(b) thereof,

Having regard to the Rules of Procedure of the Working Party [2], and in particular Articles 12 and 14 thereof,

HAS ADOPTED THE FOLLOWING OPINION:

1. INTRODUCTION: THE DATA PROTECTION LAW IN THE ISLE OF MAN

1.1. The situation of the Isle of Man

The Isle of Man is situated in the centre of the British Isles. The Island, which is a dependency of the English Crown, has its own autonomous government; it does not belong to the United Kingdom, but it is a member of the Commonwealth.

The Isle of Man's relations with the European Union are defined in Protocol 3 to the United Kingdom's Treaty of Accession. Under Protocol 3, the Isle of Man is part of the customs territory of the Union; consequently, industrial and agricultural products move freely between the Island and the Union.

1.2. The current legal framework for data protection

Data protection in the Isle of Man is currently governed by the Data Protection Act 2002, which as of 1 April 2003 repeals and replaces the 1986 law (Data Protection Act 1986). Although the Isle of Man is not a member of the EU and is therefore not required to comply with the requirements of Data Protection Directive 95/46/EC, it has adopted measures to that end in order to be able to ask the European Commission to determine the adequacy of its rules. The provisions of the Act are substantially similar to those of the Data Protection Act 1998 of England and Wales. Its long title is "An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information".

Most of the provisions entered into force on 1 April 2003. The transitional provisions laid down in Schedules 10 and 11 may, however, delay the entry into force of provisions relating to certain types of processing.

Other laws that have or may have implications for data protection are:

- Human Rights Act 2001, passed by Parliament on 16 January 2001 and not yet fully in operation.

- Access to Health Records and Reports Act 1993.

The United Kingdom signed the Council of Europe Convention on 14 May 1981 and ratified it on 26 August 1987, with effect from 1 December 1987. The Convention was extended to the Isle of Man, at the latter's request, on 1 May 1993.

2. ASSESSMENT OF THE ADEQUACY OF THE PROTECTION OF PERSONAL DATA PROVIDED BY THE DATA PROTECTION LAW OF THE ISLE OF MAN

The Working Party points out that its assessment of the adequacy of data protection in the Isle of Man is based on the Data Protection Act 2002.

The provisions of the Act have been compared with the main provisions of the Directive, taking into account the Working Party's opinion on "Transfers of personal data to third countries: applying Articles 25 and 26 of the EU data protection directive" [3]. That opinion lists a number of principles which constitute a core of 'content' principles and 'procedural/enforcement' requirements, compliance with which could be regarded as a minimum condition for protection to be considered adequate. To make the text easier to read, the longer sections of the Act are reproduced in the Annex. The result of the analysis is as follows:

2.1. Content principles

Basic principles

the purpose limitation principle: data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions to this rule are those necessary in a democratic society on one of the grounds listed in Article 13 of the Directive.

The Working Party is satisfied that the Isle of Man law complies with this principle. Schedule 1, Part 1, and in particular the second principle, state that "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes". In addition, the fifth principle of the same Schedule adds: "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". This principle is further developed in the second part of the same Schedule, in particular in sections 13 and 14 (Annex, number 1).

the data quality and proportionality principle: data should be accurate and, where necessary, kept up to date. They should be adequate, relevant and proportionate to the purposes for which they are transferred or further processed.

The Working Party considers that the Isle of Man law satisfies this principle.

Schedule 1, Part 1, and in particular the third principle, state that "personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed". In addition, the fourth principle of the same Schedule provides that "personal data shall be accurate and, where necessary, kept up to date". This principle is further developed in the second part of the same Schedule, in particular in section 15 (Annex, number 2).

the transparency principle: individuals should be informed of the purpose of the processing and the identity of the data controller in the third country, and given any other information necessary to ensure fairness. The only exemptions permitted should be in line with Article 11(2) and Article 13 of the Directive.

The Working Party notes that the Isle of Man law satisfies this principle.

Schedule 1, Part 1, and in particular the first principle, state that "personal data shall be processed fairly and lawfully". The concept of fair processing is elaborated in the second part of the same Schedule, in particular in paragraph 10, which provides that personal data are not to be regarded as processed fairly unless the data subject has been provided with, or has had made available to him, the information referred to in paragraph 10(3), namely:

(a) the identity of the data controller,

(b) the identity of any representative nominated by the data controller for the purposes of this Act,

(c) the purposes for which the data are intended to be processed,

(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

Furthermore, as regards access to personal data, section 5(1)(a) provides that: "Subject to the provisions of this section and to sections 6 and 7, an individual is entitled to be informed by the data controller whether personal data relating to him are being processed by or on behalf of that data controller" (for sections 6 and 7 see Annex, number 3). Section 5(1)(b) adds that: "if that is the case, the individual is entitled to be given by the data controller a description of (i) the personal data relating to him, (ii) the purpose for which those data are being or are to be processed, and (iii) the recipients or categories of recipients of the data". As regards notification by data controllers, the principle is further specified in sections 13 et seq. (Annex, number 4).

the security principle: the data controller should take technical and organisational security measures that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must process data only on instructions from the controller.

The Working Party considers that the Isle of Man law satisfies this principle.

Schedule 1, Part 1, seventh principle, provides:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This principle is further specified in the second part of the same Schedule, in particular in sections 17, 18, 19 and 20 (Annex, number 5).

the rights of access, rectification and opposition: the data subject should have the right to obtain a copy of all data relating to him that are processed, and the right to have data rectified where they are shown to be inaccurate. In certain situations he should also be able to object to the processing of data relating to him. The only exemptions to these rights should be in line with Article 13 of the Directive.

As regards the rights of individuals, the Working Party notes that this principle too is satisfied by the Isle of Man law. Schedule 1, Part 1, and in particular the sixth principle, state that "personal data shall be processed in accordance with the rights of data subjects under this Act". This principle is further specified in the second part of the same Schedule, in particular in section 16 (Annex, number 6).

As regards the right of access, the Working Party notes that it is satisfied by this Act, in particular by section 5(1)(c) (Annex, number 7).

As regards the right of rectification, the Working Party considers that it is satisfied by the Isle of Man law. In particular, section 12 of the Act deals with the rights of rectification, blocking, erasure and destruction (Annex, number 8).

The right to object is dealt with in section 8, which establishes the right to prevent processing likely to cause damage or distress (Annex, number 9).

Exemptions from the right of access are laid down in Part 4 of the Act (cases in which disclosure of the data could prejudice national security, the prevention of crime, the detection and prosecution of offences, the assessment or collection of taxes and duties, health education and social work, or regulatory activity) (Annex, number 10) and in secondary legislation [4], and provide for precisely defined restrictions in a number of specific cases.

The Working Party considers these exemptions to be in line with Article 13 of the Directive.

restrictions on onward transfers: onward transfers of personal data by the recipient of the original transfer should be permitted only where the second recipient (i.e. the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exemptions permitted should be in line with Article 26(1) of the Directive.

The Working Party considers that the Isle of Man law satisfies this principle. In particular, Schedule 1, Part 1, eighth principle, reads: "Personal data shall not be transferred to a country or territory outside the Island unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data". This principle is further explained in Schedule 1, Part 2, sections 21, 22 and 23 (Annex, number 11).

Exemptions from this principle are set out in Schedule 4 (Annex, number 12). The Working Party notes with satisfaction that the exemptions are fully in line with Article 26 of the Directive.

Additional principles to be applied to specific types of processing are:

sensitive data: where the processing involves 'sensitive' categories of data (those listed in Article 8 of the Directive), additional safeguards should be in place, such as a requirement that the data subject give his explicit consent to the processing.

The Working Party considers that the Isle of Man law satisfies this principle. In particular, section 1 of the Act defines "sensitive data" (Annex, number 13); Schedule 1, Part 1, first principle, point (b), adds that sensitive data shall not be processed unless one of the conditions in Schedule 3 is met. This principle is further elaborated in the same Schedule, in particular in section 9 et seq. (Annex, number 14). Schedule 3 sets out the conditions for the processing of sensitive data (Annex, number 15).

direct marketing: where data are transferred for the purposes of direct marketing, the data subject should be able to opt out at any time from having the data relating to him used for such purposes.

The Working Party notes that this principle is satisfied by section 9, which governs the right to prevent processing for the purposes of direct marketing (Annex, number 16).

automated individual decisions: where the purpose of the transfer is the taking of an automated decision within the meaning of Article 15 of the Directive, the individual has the right to know the logic involved in that decision, and measures are therefore needed to safeguard his legitimate interest.

The Working Party considers that the Isle of Man law satisfies this principle, in particular through section 5(1)(d) (Annex, number 17) and section 10, which concerns rights in relation to automated decisions (Annex, number 18).

2.2. Procedural/enforcement mechanisms

The Working Party's opinion on "Transfers of personal data to third countries: applying Articles 25 and 26 of the EU data protection directive" [5] indicates that, in order to assess properly the protection afforded by third countries, it is necessary to identify the underlying objectives of a procedural system for data protection and, on that basis, to examine the various procedural mechanisms, judicial and non-judicial, used in third countries.

In this regard, the objectives of a data protection system are essentially threefold:

- to deliver a good level of compliance with the rules;

- to provide support and help to individual data subjects in the exercise of their rights;

- to provide appropriate redress to the injured party where the rules are not complied with.

To deliver a good level of compliance with the rules - A good system is generally characterised by a high degree of awareness among data controllers of their obligations, and the same awareness among data subjects of their rights and of the means of exercising them. The existence of effective and dissuasive sanctions is of particular importance in ensuring compliance with the rules, as of course are systems of direct verification by authorities, auditors or independent data protection officials.

The Working Party considers that the Isle of Man law has introduced a number of elements designed to achieve this objective. In particular:

(a) Data Protection Supervisor

The office, formerly called the Isle of Man Data Protection Registrar, was established by the 1986 Act and continues to operate for the purposes of the present Act under a changed name (Data Protection Supervisor); "Registrar" becomes "Supervisor" in the text of the Act.

The functions of the Supervisor are set out in sections 47 to 49 and include promoting compliance with the provisions by means of guidelines and codes of practice intended to facilitate interpretation of the Act.

To ensure compliance with the provisions, the Supervisor has powers of investigation and enforcement, defined in sections 36 to 42, including the powers of entry and inspection referred to in Schedule 8.

The Supervisor's responsibilities include maintaining the register of persons who have given a notification under section 16.

(b) The existence of adequate means of enforcement and adequate sanctions

The Act provides for a number of offences and a range of means of enforcement:

Complaints made by data subjects to the Supervisor concerning notification offences under section 18 or unauthorised disclosures under section 50 may give rise to criminal proceedings; complaints concerning non-compliance with the principles are to be dealt with as a request for assessment under section 38.

The Supervisor may issue an enforcement notice where he considers that a controller has failed to comply with the principles (section 36), or an information notice if he needs more information to complete an assessment (section 39; section 40 for special information notices). Failure to comply with an information notice or an enforcement notice is an offence under section 43.

The prosecution of offences and the penalties are dealt with in section 55 of the Act. As a general rule, in summary proceedings the fine does not exceed £5000, but for serious offences brought before the High Court there is no limit on fines. If the offence is committed by a company, section 56 provides that the directors of the company shall be "guilty of the offence in the same way as the company and liable to be proceeded against and punished accordingly". In addition, section 58 provides that public authorities shall be "subject under this Act to the same obligations and liabilities as individuals".

In the light of these considerations, the Working Party considers that the Isle of Man law contains elements capable of delivering a good level of compliance with the rules.

To provide support and help to individual data subjects in the exercise of their rights - The individual must be able to exercise his rights rapidly, effectively and without prohibitive cost. To that end, there must be an institutional mechanism allowing independent investigation of complaints.

The Working Party notes that the Isle of Man law has introduced a number of elements to this end. For example, citizens may ask the Supervisor to carry out an assessment, as provided for in section 38 of the Act (Annex, number 19).

The assessment procedure is described in detail on the Supervisor's website and is free of charge for individuals.

In the light of these considerations, the Working Party considers that the Isle of Man law contains elements capable of supporting and helping individual data subjects in the exercise of their rights.

To provide appropriate redress to the injured party where the rules are not complied with - This is a key element, which presupposes the existence of a system of independent conciliation or arbitration that allows for the possible payment of compensation or the imposition of sanctions.

The Isle of Man law provides for a compensation regime in section 11 (Annex, number 20). An individual is entitled to claim compensation where certain requirements are not complied with.

Of particular interest is section 11(2)(c), which allows an individual to claim compensation for distress alone where the contravention consists of failure to comply with a request under section 5 (right of access to personal data). In addition, section 5(9)(b) stipulates that the Court may impose a fine not exceeding £5000 on a data controller who has failed to comply with a request under section 5.

In the light of these considerations, the Working Party considers that the Isle of Man law contains elements capable of providing appropriate redress to the injured party where the rules are not complied with.

3. RESULTS OF THE ASSESSMENT

In conclusion, on the basis of the above, the Working Party considers that the Isle of Man ensures an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Done at Brussels, 21.11.2003

For the Working Party

The Chairman
Stefano RODOTÀ

NOTES

[1] OJ L 281, 23.11.1995, p. 31, available at:
http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm
[2] Adopted at the third meeting of the Working Party held on 11.9.1996.
[3] WP 12, adopted by the Working Party on 24 July 1998, available at:
http://europa.eu.int/comm/internal_market/privacy/workingroup/wp2003/wpdocs03_en.htm
[4] In particular: Subject Access Exemptions Order 2003 (Adoption etc), Subject Access Modification (Education) Order 2003, Subject Access Modification (Health) Order 2003, Subject Access Modification (Social Work) Order 2003, Corporate Finance Exemption Order 2003 and Crown Appointments Order 2003.
[5] WP 12, adopted by the Working Party on 24 July 1998, available at:
http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm

Annex: Relevant provisions of the Isle of Man Data Protection Law

(1) "13. The purpose or purposes for which personal data are obtained may in particular be specified –

(a) in a notice given for the purposes of paragraph 10 by the data controller to the data subject, or

(b) in a notification given to the Supervisor under Part 3 of this Act.

14. In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed."

(2) "15. The fourth principle is not to be regarded as being contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where –

(a) having regard to the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data, and

(b) if the data subject has notified the data controller of the data subject's view that the data are inaccurate, the data indicate that fact."

(3) "6. Provisions supplementary to section 5

(1) The Council of Ministers may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 5 is to be treated as extending also to information under other provisions of that subsection.

(2) The obligation imposed by section 5(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless –

(a) the supply of such a copy is not possible or would involve disproportionate effort, or

(b) the data subject agrees otherwise;

and where any of the information referred to in section 5(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.

(3) Where a data controller has previously complied with a request made under section 5 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(4) In determining for the purposes of subsection (3) whether requests under section 5 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

(5) Section 5(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

(6) The information to be supplied pursuant to a request under section 5 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(7) For the purposes of section 5(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.

7. Application of section 5: credit reference agencies

(1) Where the data controller is a credit reference agency, section 5 has effect subject to the provisions of this section.

(2) An individual making a request under section 5 may limit his request to personal data relevant to his financial standing, and shall be taken to have so limited his request unless the request shows a contrary intention.

(3) Where the data controller receives a request under section 5 in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information under that section includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the Council of Ministers by regulations, of such of the individual's rights under this Act as are specified in the form."

(4) "13. Preliminary

(1) In this Part "the registrable particulars", in relation to a data controller, means

(a) his name and address,

(b) if he has nominated a representative for the purposes of this Act, the name and address of the representative,

(c) a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate,

(d) a description of the purpose or purposes for which the data are being or are to be processed,

(e) a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data, and

(f) the names, or a description of, any countries or territories outside the Island to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data.

(2) In this Part – "fees regulations" means regulations made by the Treasury under section 15(5) or 16(4) or (7); "notification regulations" means regulations made by the Council of Ministers under the other provisions of this Part; "prescribed", except where used in relation to fees regulations, means prescribed by notification regulations.

(3) For the purposes of this Part, so far as it relates to the addresses of data controllers

(a) the address of a registered company is that of its registered office, and

(b) the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the Island.

14. Prohibition on processing without registration

(1) Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Supervisor under section 16 (or is treated by notification regulations made by virtue of section 16(3) as being so included).

(2) Except where the processing is assessable processing for the purposes of section 19, subsection (1) does not apply in relation to personal data consisting of information which falls within neither paragraph (a) nor paragraph (b) of the definition of "data" in section 1(1).

(3) If it appears to the Council of Ministers that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.

(4) Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.

15. Notification by data controllers

(1) Any data controller who wishes to be included in the register maintained under section 16 shall give a notification to the Supervisor under this section.

(2) A notification under this section must specify in accordance with notification regulations –

(a) the registrable particulars, and

(b) a general description of measures to be taken for the purpose of complying with the seventh data protection principle (measures against misuse and loss of data).

(3) Notification regulations made by virtue of subsection (2) may provide for the determination by the Supervisor, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 13(1)(c), (d), (e) and (f) and subsection (2)(b).

(4) Notification regulations may make provision as to the giving of notification –

(a) by partnerships, or

(b) in other cases where 2 or more persons are the data controllers in respect of any personal data.

(5) The notification must be accompanied by such fee as may be prescribed by fees regulations.

(6) Notification regulations may provide for any fee paid under subsection (5) or section 16(4) to be refunded in prescribed circumstances.

16. Register of notifications

(1) The Supervisor shall –

(a) maintain a register of persons who have given notification under section 15, and

(b) make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.

(2) Each entry in the register shall consist of –

(a) the registrable particulars notified under section 15 or, as the case requires, those particulars as amended in pursuance of section 17(4), and

(b) such other information as the Supervisor may be authorised or required by notification regulations to include in the register.

(3) Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 14 as having been made in the register.

(4) No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.

(5) In subsection (4) "the relevant time" means 12 months or such other period as may be prescribed by notification regulations.

(6) The Supervisor –

(a) shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b) may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.

(7) The Supervisor shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.

17. Duty to notify changes

(1) For the purpose specified in subsection (2), notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 16 a duty to notify to the Supervisor, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as mentioned in section 15(2)(b) as may be prescribed.

(2) The purpose referred to in subsection (1) is that of ensuring, so far as practicable, that at any time –

(a) the entries in the register maintained under section 16 contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data, and

(b) the Supervisor is provided with a general description of measures currently being taken as mentioned in section 15(2)(b).

(3) Section 15(3) has effect in relation to notification regulations made by virtue of subsection (1) as it has effect in relation to notification regulations made by virtue of section 15(2).

(4) On receiving any notification under notification regulations made by virtue of subsection (1), the Supervisor shall make such amendments of the relevant entry in the register maintained under section 16 as are necessary to take account of the notification.

18. Offences

(1) If section 14(1) is contravened, the data controller is guilty of an offence.

(2) Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 17(1) is guilty of an offence.

(3) It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty."

(5) "The seventh principle (measures against misuse and loss of data)

17. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to –

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

18. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

19. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle –

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

20. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless –

(a) the processing is carried out under a contract –

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."

(6) "The sixth principle (rights of data subjects)

16. A person is to be regarded as contravening the sixth principle if, but only if –

(a) he contravenes section 5 by failing to supply information in accordance with that section,

(b) he contravenes section 8 by failing to comply with a notice given under section 8(1) to the extent that the notice is justified or by failing to give a notice under section 8(3),

(c) he contravenes section 9 by failing to comply with a notice given under section 9(1), or

(d) he contravenes section 10 by failing to comply with a notice given under section 10(1) or (2)(b) or by failing to give a notification under section 10(2)(a) or a notice under section 10(3)."

(7) "5. (1) Subject to the following provisions of this section and to sections 6 and 7, an individual is entitled –

(c) to have communicated to him in an intelligible form –

(i) the information constituting any personal data of which that individual is the data subject, and

(ii) any information available to the data controller as to the source of those data"

(8) "12. Rectification, blocking, erasure and destruction

(1) If the High Court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

(2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then –

(a) if the requirements mentioned in paragraph 15 of Schedule 1 have been complied with, the High Court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and

(b) if all or any of those requirements have not been complied with, the High Court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).

(3) Where the High Court –

(a) makes an order under subsection (1), or

(b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,

it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(4) If the High Court is satisfied on the application of a data subject –

(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 11, and

(b) that there is a substantial risk of further contravention in respect of those data in such circumstances,

the court may order the rectification, blocking, erasure or destruction of any of those data.

(5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified."

(9) "8. Right to prevent processing likely to cause damage or distress

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons –

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b) that damage or distress is or would be unwarranted.

(2) Subsection (1) does not apply –

(a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b) in such other cases as may be prescribed by the Council of Ministers by order.

(3) The data controller must within 21 days of receiving a notice under subsection (1) ("the data subject notice") give the individual who gave it a written notice –

(a) stating that he has complied or intends to comply with the data subject notice, or

(b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

(4) If the High Court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(5) The failure by a data subject to exercise the right conferred by subsection (1) or section 9(1) does not affect any other right conferred on him by this Part."

(10) "PART 4 - EXEMPTIONS

23. Preliminary

(1) References in any of the data protection principles or any provision of Parts 2 and 3 to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2) In this Part "the subject information provisions" means –

(a) the first data protection principle (fair and lawful processing) to the extent to which it requires compliance with paragraph 10 of Schedule 1, and

(b) section 5.

(3) In this Part "the non-disclosure provisions" means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4) The provisions referred to in subsection (3) are –

(a) the first data protection principle (fair and lawful processing), except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second data protection principle (purpose for which data are obtained and processed),

(c) the third data protection principle (adequacy and relevance of data),

(d) the fourth data protection principle (accuracy of data),

(e) the fifth data protection principle (time for keeping data), and

(f) sections 8 and 12(1) to (3).

(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any statutory provision or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

24. National security

(1) Personal data are exempt from any of the provisions of –

(a) the data protection principles,

(b) Parts 2, 3 and 5, and

(c) section 50,

if the exemption from that provision is required for the purpose of safeguarding national security.

(2) Subject to subsection (4), a certificate signed by the Chief Minister certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.

(3) A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.

(4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.

(5) If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the High Court on a petition of doleance, the Chief Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.

(6) Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, then, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.

(7) Any other party to proceedings referred to in subsection (6) may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question, and the Tribunal may determine that the certificate does not so apply.

(8) A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(9) No power conferred by any provision of Part 5 may be exercised in relation to personal data which by virtue of this section are exempt from that provision.

(10) Schedule 6 shall have effect in relation to appeals under subsection (4) or (7) and the proceedings of the Tribunal in respect of any such appeal.

25. Crime and taxation

(1) Personal data processed for any of the following purposes –

(a) the prevention or detection of crime,

(b) the apprehension or prosecution of offenders, or

(c) the assessment or collection of any tax or duty or of any imposition of a similar nature,

are exempt from the first data protection principle (fair and lawful processing) (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 5 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.

(2) Personal data which –

(a) are processed for the purpose of discharging statutory functions, and

(b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),

are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.

(3) Personal data are exempt from the non-disclosure provisions in any case in which –

(a) the disclosure is for any of the purposes mentioned in subsection (1), and

(b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.

(4) Personal data in respect of which the data controller is a relevant authority and which –

(a) consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes –

(i) the assessment or collection of any tax or duty or any imposition of a similar nature, or

(ii) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and

(b) are processed for either of those purposes,

are exempt from section 5 to the extent to which the exemption is required in the interests of the operation of the system.

(5) In subsection (4) "relevant authority" means a Department, Statutory Board, local authority or joint board.

26. Health, education and social work

(1) The Council of Ministers may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject.

(2) The Council of Ministers may by order exempt from the subject information provisions, or modify those provisions in relation to personal data –

(a) in respect of which the data controller is the proprietor of, or a teacher at, a school or college, and which consist of information relating to persons who are or have been pupils at the school or college; or

(b) in respect of which the data controller is the Department of Education, and which consist of information relating to persons who are or have been pupils at a school or college maintained by that Department.

(3) The Council of Ministers may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information –

(a) processed by the Department of Health and Social Security or by voluntary organisations or other bodies designated by or under the order, and

(b) appearing to it to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals;

but the Council of Ministers shall not under this subsection confer any exemption or make any modification except so far as it considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.

27. Regulatory activity

(1) Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.

(2) Subsection (1) applies to any relevant function which is designed for –

(a) protecting members of the public against –

(i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate,

(ii) financial loss due to the conduct of discharged or undischarged bankrupts, or

(iii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity,

(b) protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration, protecting the property of charities from loss or misapplication, or the recovery of the property of charities,

(c) securing the health, safety and welfare of persons at work, or protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work.

(3) In subsection (2) "relevant function" means –

(a) any function conferred on any person by or under any statutory provision, or

(b) any other function which is of a public nature and is exercised in the public interest.

(4) Personal data processed for the purpose of discharging any function of the Isle of Man Office of Fair Trading under the Fair Trading Act 1996 are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.

28. Journalism, literature and art

(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if –

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

(2) Subsection (1) relates to the provisions of –

(a) the data protection principles except the seventh data protection principle (measures against misuse and loss of data),

(b) section 5,

(c) section 8,

(d) section 10, and

(e) section 12(1) to (3).

(3) In considering for the purposes of subsection (1)(b) whether the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice which –

(a) is relevant to the publication in question, and

(b) is designated by the Council of Ministers by order for the purposes of this subsection.

(4) Where at any time ("the relevant time") in any proceedings against a data controller under section 5(9), 8(4), 10(8) or 12 or by virtue of section 11 the data controller claims, or it appears to the High Court, that any personal data to which the proceedings relate are being processed –

(a) only for the special purposes, and

(b) with a view to the publication by any person of any journalistic, literary or artistic material which, at the time 24 hours immediately before the relevant time, had not previously been published by the data controller,

the court shall stay the proceedings until either of the conditions in subsection (5) is met.

(5) Those conditions are –

(a) that a determination of the Supervisor under section 41 with respect to the data in question takes effect, or

(b) in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.

(6) For the purposes of this Act "publish", in relation to journalistic, literary or artistic material, means make available to the public or any section of the public.

29. Research, history and statistics

(1) In this section –

"research purposes" includes statistical or historical purposes;

"the relevant conditions", in relation to any processing of personal data, means the conditions –

(a) that the data are not processed to support measures or decisions with respect to particular individuals, and

(b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

(2) For the purposes of the second data protection principle (purpose for which data are obtained and processed), the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained.

(3) Personal data which are processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle (time for keeping data), be kept indefinitely.

(4) Personal data which are processed only for research purposes are exempt from section 5 if –

(a) they are processed in compliance with the relevant conditions, and

(b) the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.

(5) For the purposes of subsections (2) to (4) personal data are not to be treated as processed otherwise than for research purposes merely because the data are disclosed –

(a) to any person, for research purposes only,

(b) to the data subject or a person acting on his behalf,

(c) at the request, or with the consent, of the data subject or a person acting on his behalf, or

(d) in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).

30. Information available to the public by or under statutory provision

Personal data are exempt from –

(a) the subject information provisions,

(b) the fourth data protection principle (accuracy of data) and section 12(1) to (3), and

(c) the non-disclosure provisions,

if the data consist of information which the data controller is obliged by or under any statutory provision to make available to the public, whether by publishing it, by making it available for inspection, or otherwise and whether gratuitously or on payment of a fee.

31. Disclosures required by law or made in connection with legal proceedings etc.

(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any statutory provision, by any rule of law or by the order of a court.

(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary –

(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

(b) for the purpose of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

32. Tynwald privilege

Personal data are exempt from –

(a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second, third, fourth and fifth data protection principles,

(c) section 5, and

(d) sections 8 and 12(1) to (3),

if the exemption is required for the purpose of avoiding an infringement of the privileges of Tynwald, the Council or the Keys.

33. Domestic purposes

Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts 2 and 3.

34. Miscellaneous exemptions

Schedule 7 (which confers further miscellaneous exemptions) has effect.

35. Powers to make further exemptions by order

(1) The Council of Ministers may by order exempt from the subject information provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any statutory provision if and to the extent that it considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the prohibition or restriction ought to prevail over those provisions.

(2) The Council of Ministers may by order exempt from the non-disclosure provisions any disclosures of personal data made in circumstances specified in the order, if it considers the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual."

(11) "The eighth principle (transfer of data abroad)

21. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to –

(a) the nature of the personal data,

(b) the country or territory of origin of the information contained in the data,

(c) the country or territory of final destination of that information,

(d) the purposes for which and period during which the data are intended to be processed,

(e) the law in force in the country or territory in question,

(f) the international obligations of that country or territory,

(g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

(h) any security measures taken in respect of the data in that country or territory.

22. The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the Council of Ministers may by order provide.

23. (1) Where in any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory within the European Economic Area, it shall be conclusively presumed that that requirement is met in relation to that transfer.

(2) Where:

(a) in any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area, and

(b) a Community finding has been made in relation to transfers of the kind in question,

that question is to be determined in accordance with that finding.

(3) In sub-paragraph (2) "Community finding" means a finding of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive."

(12) "SCHEDULE 4 - CASES WHERE THE EIGHTH PRINCIPLE DOES NOT APPLY

1. The data subject has given his consent to the transfer.

2. The transfer is necessary –

(a) for the performance of a contract between the data subject and the data controller, or

(b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.

3. The transfer is necessary –

(a) for the conclusion of a contract between the data controller and a person other than the data subject which –

(i) is entered into at the request of the data subject, or

(ii) is in the interests of the data subject, or

(b) for the performance of such a contract.

4. (1) The transfer is necessary for reasons of substantial public interest.

(2) The Council of Ministers may by order specify –

(a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and

(b) circumstances in which a transfer which is not required by or under a statutory provision is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.

5. The transfer –

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

6. The transfer is necessary in order to protect the vital interests of the data subject.

7. The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.

8. The transfer is made on terms which are of a kind approved by the Supervisor as ensuring adequate safeguards for the rights and freedoms of data subjects.

9. The transfer has been authorised by the Supervisor as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects."

(13) "sensitive personal data" means personal data consisting of information as to –

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Unions Act 1991),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings;"

(14) "The first principle (fair and lawful processing)

9. (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

(2) Subject to paragraph 10, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who –

(a) is authorised by or under any statutory provision to supply it, or

(b) is required to supply it by or under any statutory provision or by any convention or other instrument imposing an international obligation on the United Kingdom and extending to the Island.

10. (1) Subject to paragraph 11, for the purposes of the first principle personal data are not to be treated as processed fairly unless –

(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and

(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

(2) In sub-paragraph (1)(b) "the relevant time" means –

(a) the time when the data controller first processes the data, or

(b) in a case where at that time disclosure to a third party within a reasonable period is envisaged –

(i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,

(ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or

(iii) in any other case, the end of that period.

(3) The information referred to in sub-paragraph (1) is as follows, namely –

(a) the identity of the data controller,

(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,

(c) the purpose or purposes for which the data are intended to be processed, and

(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

11. (1) Paragraph 10(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such of the further conditions in sub-paragraphs (3) to (7) as are relevant, are met.

(2) The primary conditions referred to in sub-paragraph (1) are –

(a) that the provision of that information would involve a disproportionate effort, or

(b) that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

(3) Where either of the primary conditions in sub-paragraph (2) is met, a further condition is that set out in sub-paragraph (6).

(4) Where the primary condition in sub-paragraph (2)(a) is met, a further condition is that the data controller shall record the reasons for his view that that primary condition is met in respect of the data.

(5) Where the primary condition in sub-paragraph (2)(b) is met by virtue of the fact that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller

(a) is not a function conferred on him by or under any statutory provision or an obligation imposed on him by order of a court, but

(b) is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract, a further condition is that set out in sub-paragraph (6).

(6) The condition referred to in sub-paragraphs (3) to (5) is that, in respect of any particular data subject, either

(a) no notice in writing has been received at any time by the data controller from an individual, requiring that data controller to provide the information set out in paragraph 10(3) before the relevant time (as defined in paragraph 10(2)) or as soon as practicable after that time; or

(b) where such notice in writing has been received but the data controller does not have sufficient information about the individual in order readily to determine whether he is processing personal data about that individual, the data controller shall send to the individual a written notice stating that he cannot provide the information set out in paragraph 10(3) because of his inability to make that determination, and explaining the reasons for that inability.

(7) The requirement in sub-paragraph (6) that notice should be in writing is satisfied where the text of the notice:

(a) is transmitted by electronic means,

(b) is received in legible form, and

(c) is capable of being used for subsequent reference.

(8) The Council of Ministers may by order amend sub-paragraphs (1) to (7).

12. (1) Personal data which contain a general identifier falling within a description prescribed by the Council of Ministers by order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description.

(2) In sub-paragraph (1) "a general identifier" means any identifier (such as, for example, a number or code used for identification purposes) which –

(a) relates to an individual, and

(b) forms part of a set of similar identifiers which is of general application."

(15) "SCHEDULE 3 - CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF SENSITIVE PERSONAL DATA

1. The data subject has given his explicit consent to the processing of the personal data.

2. (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.

(2) The Council of Ministers may by order –

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

3. The processing is necessary –

(a) in order to protect the vital interests of the data subject or another person, in a case where –

(i) consent cannot be given by or on behalf of the data subject, or

(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or

(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

4. The processing –

(a) is carried out in the course of its legitimate activities by any body or association which –

(i) is not established or conducted for profit, and

(ii) exists for political, philosophical, religious or trade-union purposes,

(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,

(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and

(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6. The processing –

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

7. (1) The processing is necessary –

(a) for the administration of justice,

(b) for the exercise of any functions of Tynwald, the Council or the Keys;

(c) for the exercise of any functions conferred on any person by or under any statutory provision, or

(d) for the exercise of any functions of the Crown, a Department or a Statutory Board.

(2) The Council of Ministers may by order –

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

8. (1) The processing is necessary for medical purposes and is undertaken by –

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph "medical purposes" includes the purposes of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9. (1) The processing –

(a) is of sensitive personal data consisting of information as to racial or ethnic origin,

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2) The Council of Ministers may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.

10. (1) The processing

(a) is in the substantial public interest;

(b) is necessary for the purposes of the prevention or detection of any unlawful act; and

(c) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes.

(2) In this paragraph, "act" includes a failure to act.

11. The processing

(a) is in the substantial public interest;

(b) is necessary for the discharge of any function which is designed for protecting members of the public against

(i) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person, or

(ii) mismanagement in the administration of, or failures in services provided by, any body or association; and

(c) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the discharge of that function.

12. (1) The disclosure of personal data

(a) is in the substantial public interest;

(b) is in connection with

(i) the commission by any person of any unlawful act (whether alleged or established),

(ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or

(iii) mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established);

(c) is for the special purposes as defined in section 1(1); and

(d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

(2) In this paragraph, "act" includes a failure to act.

13. The processing

(a) is in the substantial public interest;

(b) is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and

(c) is carried out without the explicit consent of the data subject because the processing

(i) is necessary in a case where consent cannot be given by the data subject,

(ii) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject, or

(iii) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counselling, advice, support or other service.

14. (1) The processing

(a) is necessary for the purpose of

(i) carrying on insurance business, or

(ii) making determinations in connection with eligibility for, and benefits payable under, an occupational pension scheme as defined in section 1 of the Pension Schemes Act 1993 (an Act of Parliament), as it has effect in the Island;

(b) is of sensitive personal data consisting of information as to the physical or mental health or condition of a data subject who is the parent, grandparent, great grandparent or sibling of the insured person or the member of the scheme, as the case may be;

(c) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of that data subject and the data controller is not aware of the data subject withholding his consent; and

(d) does not support measures or decisions with respect to that data subject.

(2) In this paragraph

(a) "insurance business" means insurance business, as defined in section 34 of the Insurance Act 1986, falling within such classes as are prescribed by the Council of Ministers by regulations, and

(b) "insured" and "member" includes an individual who is seeking to become an insured person or member of the scheme respectively.

15. The processing

(a) is of sensitive personal data in relation to any particular data subject that are subject to processing which was already under way immediately before the commencement of this Schedule;

(b) is necessary for the purpose of

(i) carrying on insurance business, as defined in section 34 of the Insurance Act 1986, falling within such classes as are prescribed by the Council of Ministers by regulations; or

(ii) establishing or administering an occupational pension scheme as defined in section 1 of the Pension Schemes Act 1993 (an Act of Parliament), as it has effect in the Island; and

(c) either

(i) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject and that data subject has not informed the data controller that he does not so consent, or

(ii) must necessarily be carried out even without the explicit consent of the data subject so as not to prejudice those purposes.

16. (1) Subject to the provisions of sub-paragraph (2), the processing

(a) is of sensitive personal data consisting of information falling within paragraph (c) or (e) of the definition of that expression in section 1(1);

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons

(i) holding different beliefs as described in paragraph (c) of that definition, or

(ii) of different states of physical or mental health or different physical or mental conditions as described in paragraph (e) of that definition, with a view to enabling such equality to be promoted or maintained;

(c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and

(d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

(2) Where any individual has given notice in writing to any data controller who is processing personal data under the provisions of sub-paragraph (1) requiring that data controller to cease processing personal data in respect of which that individual is the data subject at the end of such period as is reasonable in the circumstances, that data controller must have ceased processing those personal data at the end of that period.

17. The processing

(a) is in the substantial public interest;

(b) is necessary for research purposes (within the meaning of section 29);

(c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and

(d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

18. The processing is necessary for the exercise of any functions conferred on a constable by any rule of law.

19. The personal data are processed in circumstances specified in an order made by the Council of Ministers for the purposes of this paragraph."

(16) "9. Right to prevent processing for purposes of direct marketing

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

(2) If the High Court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

(3) In this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals."

(17) "5. (1) Subject to the following provisions of this section and to sections 6 and 7, an individual is entitled –

(d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking."

(18) "10. Rights in relation to automated decision-taking

(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

(2) Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1) –

(a) the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and

(b) the individual is entitled, within 21 days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

(3) The data controller must, within 21 days of receiving a notice under subsection (2)(b) ("the data subject notice") give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.

(4) A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.

(5) In subsection (4) "exempt decision" means any decision –

(a) in respect of which the conditions in subsections (6) and (7) are met, or

(b) which is made in such other circumstances as may be prescribed by the Council of Ministers by order.

(6) The condition in this subsection is that the decision –

(a) is taken in the course of steps taken –

(i) for the purpose of considering whether to enter into a contract with the data subject,

(ii) with a view to entering into such a contract, or

(iii) in the course of performing such a contract, or

(b) is authorised or required by or under any enactment.

(7) The condition in this subsection is that either –

(a) the effect of the decision is to grant a request of the data subject, or

(b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

(8) If the High Court is satisfied on the application of a data subject that a person taking a decision in respect of him ("the responsible person") has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).

(9) An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person."

(19) "38. Request for assessment

(1) A request may be made to the Supervisor by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.

(2) On receiving a request under this section, the Supervisor shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to –

(a) satisfy himself as to the identity of the person making the request, and

(b) enable him to identify the processing in question.

(3) The matters to which the Supervisor may have regard in determining in what manner it is appropriate to make an assessment include –

(a) the extent to which the request appears to him to raise a matter of substance,

(b) any undue delay in making the request, and

(c) whether or not the person making the request is entitled to make an application under section 5 in respect of the personal data in question.

(4) Where the Supervisor has received a request under this section he shall notify the person who made the request –

(a) whether he has made an assessment as a result of the request, and

(b) to the extent that he considers appropriate, having regard in particular to any exemption from section 5 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request."

(20) "11. Compensation for failure to comply with certain requirements

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –

(a) the individual also suffers damage by reason of the contravention, or

(b) the contravention relates to the processing of personal data for the special purposes, or

(c) the contravention consists of a failure to comply with a request under section 5 in the circumstances specified in section 5(9)(b).

(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned."