12. Rights in relation to automated decision-taking

12.—

1. This section applies to a decision, other than an exempt decision, taken by or on behalf of a data controller and which significantly affects a data subject.

2. An individual is entitled at any time, by notice in writing to the data controller, to require the data controller to ensure that no decision to which this section applies is based solely on the processing, by automatic means, of personal data in respect of the data subject for the purpose of evaluating matters relating to the data subject (for example, the individual’s performance at work, creditworthiness, reliability, or conduct).

3. In any case where a data controller who has not received a notice under subsection (2) in respect of an individual takes a decision to which this section applies—

(a) the data controller shall, as soon as is reasonably practicable, inform the individual that the decision was made on the basis described in subsection (2); and

(b) the individual is entitled to, within thirty days after receiving the information under paragraph (a), by notice in writing require the data controller to reconsider the decision or make a new decision otherwise than on that basis.

4. A data controller who receives a notice under subsection (3)(b) shall, within thirty days after receiving the notice, give the individual in question a written statement specifying the steps that the data controller intends to take to comply with the notice.

5. If the Commissioner is satisfied on the application of a data subject that a data controller has failed to comply with a notice under subsection (2) or (3)(b), the Commissioner may order the data controller to reconsider the decision, or to take a new decision, that is not based solely on such processing as is described in subsection (2).

6. An order under subsection (5) shall not affect the rights of any person other than the data subject and the data controller.

7. In this section “exempt decision” means any decision—

(a) in respect of which the conditions set out in subsection (8) are met; or

(b) made in such other circumstances as may be prescribed.

8. The conditions are that—

(a) the decision—

(i) is authorised or required by or under any enactment; or

(ii) is made in the course of steps taken—

(A) for the purpose of considering whether to enter into a contract with the data subject or with a view to entering into such a contract; or

(B) in the course of performing a contract entered into with the data subject; and

(b) either—

(i) the effect of the decision is to grant a request of the data subject; or

(ii) steps have been taken to safeguard the legitimate interest of the data subject (for example, by allowing the data subject to make representations).