Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 15
Right to correction or erasure of Personal Data
- The Data Subject shall have the right to request the correction of his/her inaccurate Personal data, or request to complete the data held by the Controller without undue delay
- Without prejudice to the legislations in force in the State and what is required for the public interest, the Data Subject shall have the right to request erasure of his/ her Personal Data held by the Controller in any of the following cases:
a. His/her Personal Data is no longer necessary for the purposes for which it is collected or processed.
b. Withdrawal of the consent of Data Subject on which the processing is based.
c. The Data Subject’s objection to the processing, or the absence of legitimate reasons for the Controller to continue the processing.
d. The Personal Data is processed in violation of the provisions of this Decree by Law and the applicable legislations, and the erasure process is necessary to comply with the legislations and approved standards in force in this regard. - As an exception to what is stated in Paragraph (2) of this Article, the Data Subject is not entitled to request erasure of his/ her Personal Data held by the Controller in the following cases:
a. If the request is related to the erasure of his/her Personal Data related to public health in private facilities.
b. If the request affects the investigation procedures and claiming and defending rights.
c. If the request contradicts other legislations to which the Controller is subject.
d. Any other cases determined by the Executive Regulation of this Decree by Law.
FAQs
Data correction is required when the personal data held by a Controller is found to be inaccurate, incomplete, or outdated. Upon receiving a valid request from the Data Subject, the Controller must correct or update the data without undue delay. The Controller is also responsible for informing any third parties with whom the data was shared, if such notification is not unreasonably burdensome.
Erasure may be refused if retaining the data is necessary for compliance with a legal obligation, the establishment or defense of legal claims, or for reasons of public interest such as public health or scientific research. Additionally, if the data is anonymized or if erasure would infringe upon another person’s rights or freedoms, the Controller may deny the request while documenting the justification.
Once a valid erasure request is processed, the Controller must securely and permanently delete the data or anonymize it so that it can no longer be linked to the Data Subject. The Controller must also notify third parties who received the data unless this is disproportionate. The Data Subject should be informed that the erasure has been completed and provided with confirmation if requested.