Section 5 Rights of data subjects

  1. A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—
    1. to be notified that—
      1. personal information about him, her or it is being collected as provided for in terms of section 18; or
      2. his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
    2. to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
    3. to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
    4. to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
    5. to object to the processing of his, her or its personal information—
      1. at any time for purposes of direct marketing in terms of section 11(3)(b); or
      2. in terms of section 69(3)(c);
    6. not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
    7. not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
    8. to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
    9. to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.

Section 24 Correction of personal information

  1. A data subject may, in the prescribed manner, request a responsible party to—
    1. correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
    2. destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
  2. On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable
    1. correct the information;
    2. destroy or delete the information;
    3. provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
    4. where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
  3. If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
  4. The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.