In accordance with Article 37 of the Personal Data Act 2022 referred to above, Any processing of personal data can only take place if the person concerned, the data subject, has expressed his consent in a free, specific, informed, and unambiguous manner. The processing of personal data is considered legitimate if the data subject gives his / her prior express consent.

Article 37 also waives the requirement for prior consent where the controller is duly authorised and the processing is necessary for:

• the performance of a contract to which the data subject is party or in order to take pre-contractual measures at his request;
• complying with a legal obligation to which the controller is subject to;
• protecting the interests or fundamental rights and freedoms of the data subject; and
• the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

The collection and processing of personal data must comply with the principles provided for in articles 39, 40 and 41 of the aforementioned 2022 law on personal data, namely:

• The principles of lawfulness, fairness and transparency: Data must be processed fairly, lawfully, and transparently. The lawfulness of the processing refers to its legal basis (legal obligation, contractual obligation, etc.). Fairness of processing refers to the manner in which the data are collected. This principle refers to the individual's right to information. Data must not have been collected and must not be processed without the knowledge of the data subject. This principle also requires providing data subjects with several pieces of information (on the processing of their data, but also on their rights);
• The principle of proportionality: Data must be adequate, relevant, and not excessive in relation to the purposes for which they are collected and further processed. The data controller must not collect more data than it actually needs. Thus, only data strictly necessary for the achievement of the specified purpose must be collected;
• The principle of accuracy: The data must also be accurate and, where necessary, updated. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they are collected and further processed, are erased or rectified.

The obligations of the Data controller include among other things:

• data is collected and processed fairly and lawfully;
• data is collected for specified, explicit and legitimate purposes and subsequently processed in a manner that is compatible with such purposes;
• data is adequate, relevant and not excessive in relation to the purposes for which it was collected;
• collected data is accurate, complete;
• collected data is retained in a form that allows the identification of the data subjects for a period that is no longer than necessary for the purposes for which it was collected;
• data subjects are informed of the data processing;
• data subjects have given their consents to the data processing;
• data subjects have the right to access the data and request amendments or deletions;
• persons with access to the system can only access the data they are allowed to;
• non-authorised persons cannot read, copy, modify, destroy, or move data;
• all data introduced in the system is authorised;
• non-authorised persons will not use data transmission facilities to enter into the data processing system;
• the identities of third parties having access to personal data will be checked;
• data is backed up with security copies; and
• data is renewed and converted to preserve it.

In accordance with the provisions of the Personal Data Act 2022, the processing of personal data is subject to a prior notification to the HAPDP. The notification must include an undertaking that the processing meets the requirements of the Law.

However, for certain types of personal data processing, the prior authorisation of the HAPDP is required. This is particularly the case for the processing of personal data relating to genetic, medical data, and scientific research

By contrast, the Data subject is entitled to an number of rights of which some are listed below:

Right of information

Pursuant to Article 68 of the Personal Data Act 2022, the data controller must inform the data subject of:

• the identity and, where applicable, that of its duly authorised representative;
• the specific purposes of the processing for which the data is intended;
• the categories of data concerned;
• the recipient(s) to whom the data may be communicated;
• the possibility of refusing to appear on the file;
• the existence of a right of access to data concerning the person and a right to rectify this data; and
• the possibility of any data transfer to a third party.

Right of access

Pursuant to Article 69 of the Personal Data Act 2022 , the data subjects can obtain from the data controller the following:

• information allowing to know and dispute the processing of personal data;
• confirmation of whether his / her personal data forms part of the processing;
• a copy of the data subject's personal data, as well as any available information on the data's origin; and
• information relating to the purposes of the processing, the categories of personal data processed and the recipients or categories of recipients to whom the data are communicated.

Right to rectification

Under the provisions of Article 71 of the Personal Data Act 2022 , any natural person who can prove his or her identity may require the data controller to rectify, complete, update, block, or delete, as the case may be, any personal data concerning him or her that is inaccurate, incomplete, ambiguous, out of date, or whose collection, use, communication, or storage is prohibited.

Right to erasure

Under the provisions of Article 73 of the Personal Data Act 2022 , the data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her and the cessation of the dissemination of such data, in particular with regard to personal data which the data subject made available when he / she was a minor, or for one of the following reasons:

• the data is no longer necessary for the purposes for which they were collected or processed;
• the data subject has withdrawn the consent on which the processing is based or where the authorised retention period has expired and there are no other legal grounds for processing the data;
• the data subject objects to the processing of personal data relating to him or her where there is no legal ground for such processing;
• the data processing does not comply with the provisions of this Law; or
  for any other legitimate reason.

Right to object

In light of Article of the Personal Data Act 2022 , any data subject has the right to:

• oppose the processing of their personal data;
• oppose the processing of their personal data for prospecting purposes; and
• be informed before his / her personal data is communicated to third parties.

Interconnection of personal data shall: 

• not discriminate against or limit the fundamental rights, freedoms, and guarantees of data holders; 
• ensure the use of appropriate safety measures; and 
• take into account the principle of relevance (Article of the Personal Data Act 2022).