Privacy Notes – Right to Request for Information
Welcome to another edition of Privacy Notes!
In line with the celebration of the International Privacy Day, we promised we will be focused on discussing your rights as a Data Subject as provided under the Nigeria Data Protection Regulation (‘The NDPR’ or ‘The Regulation’) 2019.
In our previous edition, we discussed the “Right to be Forgotten”. You can read it here https://blog.ndpracademy.ng/privacy-note-january-31st/
This week, we will be discussing the “Right to Request for Information” (aka a Data Subject Access Request). This right entails that you, the Data Subject, can request from a Data Controller, the personal data you caused to be provided as well as the procedure and steps involved in the processing of your personal data. This request is not supposed to be of any cost to you, the Data Subject.
The Data Controller or Administrator is mandated to take appropriate measures to provide this information to you in a clear, concise, transparent, intelligible and easily accessible form, using clear and plain language. The Data Controller especially has to ensure that he does this particularly in cases involving information relating to children. The information requested by you, the Data Subject, is to be provided by the Data Controller in writing or by other means, including electronic means where appropriate. However, the Data Subject may request for this information to be given orally. In this case though, the Data Subject must prove his identity to the Data Controller by other means.
The NDPR goes further to specify that where a Data Subject requests for information regarding the processing of his personal data and the Data Controller does not take action, the Data Controller is required to inform the Data Subject without delay and within at most 1 (One) month of receipt of the request for such information the reasons for not taking action on the request as well as on the possibility of the Data Subject to lodge a complaint with a supervisory authority.
As mentioned above, this request is usually at no cost to the Data Subject. However, instances arise where the Data Controller is allowed to either charge the Data Subject a certain fee for providing the requested information or refuse to act on the request. A Data Controller may, when the request from a Data Subject is manifestly unfounded or excessive especially when it is repetitive in character:
- Charge a reasonable fee taking into account the administrative costs of providing the information or taking action as requested; or
- Write a letter to the Data Subject stating refusal to act on the request and put NITDA in copy on such occasion through a channel made for that purpose.
The Data Controller shall demonstrate that such request is manifestly unfounded or excessive. The NDPR further provides that where the Data Controller has reasonable doubts regarding the identity of the Data Subject, he may request for additional information to confirm his identity. The Regulation provides that the information to be provided to Data Subject may be provided in combination with standardized icons in order to give a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner. Furthermore, it states that where the icons are presented electronically, they shall be machine-readable.
From this right, it is easy to note that the NDPR places focus not just on the right of the data subject to be informed on the processes through which his personal data will pass but also on the fact that this information must be clear and intelligible enough for the Data Subject to read, easily grasp and understand.
Thank you for reading to this point.
Till next week,
Uwemedimo Atakpo Jnr.