
Part 8 » Duties of Data Controller and Data Processor

45. Record of processing activities

  1. A data controller shall keep and maintain, in writing, a record of —

    1. processing activities and meta data under its responsibility in the prescribed manner and form; and
    2. all categories of processing activities carried out in the prescribed manner and form.
  2. A data controller shall make the record available to the Data Protection Commissioner on demand.

46. Data protection impact assessment

  1. A data controller shall, where a type of processing uses new technologies, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of an individual, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
  2. A data protection impact assessment under subsection (1) is required where —

    1. personal data is processed using an automated processing system, including profiling, which produces legal effects concerning the natural person or similarly significantly affects that natural person;
    2. processing on a large scale of sensitive personal data, or of personal data relating to criminal convictions and offences; or
    3. a systematic monitoring of a publicly accessible area on a large scale.
  3. Despite subsection (2), the Data Protection Commissioner shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment under subsection (1).
  4. An impact assessment under subsection (1) shall be in a prescribed manner and form.
  5. A data controller shall, where necessary, carry out a review to assess if processing is performed in accordance with the data protection impact assessment where there is a change of the risk represented by processing operations.

47. Security of processing

  1. A data controller or data processor shall provide guarantees regarding the technical and organisational security measures employed to protect the personal data associated with the processing undertaken and ensure strict adherence to such measures.
  2. A data controller or the data processor shall, having regard to the nature, scope and purpose of processing personal data undertaken, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, implement appropriate security safeguards including —

    1. maintaining integrity of personal data using methods including pseudonymisation and encryption;
    2. ensuring ongoing confidentiality, integrity and implementation of measures necessary to protect the integrity of personal data;
    3. measures necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data; and
    4. implementation of appropriate data protection policies.
  3. A data controller and data processor shall undertake a periodic review of security safeguards in accordance with guidelines issued by the Data Protection Commissioner.
  4. Where processing is to be carried out on behalf of a data controller, the data controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in a manner that ensures that the processing will meet the requirements of this Act and protect the rights of the data subject.

48. Appointment of data protection officer

  1. Subject to subsection (2), a data controller and data processor shall appoint a data protection officer.
  2. A data protection officer shall be appointed in accordance with the guidelines issued by the Data Protection Commissioner.

49. Notification of security breach

  1. A data controller shall notify the Data Protection Commissioner within twenty-four hours of any security breach affecting personal data processed.
  2. A data processor shall notify the data controller, as soon as practicable of any security breach affecting personal data processed on behalf of the data controller.
  3. A data controller or data processor shall notify the data subject, as soon as practicable of any security breach affecting personal data processed.

50. Accountability

A data controller and data processor shall —

  1. take necessary measures to comply with the principles and obligations specified in this Act; and
  2. have the necessary internal mechanisms in place for demonstrating such compliance to both data subjects and to the Data Protection Commissioner.

51. Data Retention

  1. Subject to the provisions of this Act, a data controller and data processor shall keep personal information for as long as that personal information is used for the specific purpose for which the personal information was collected and for as long as the personal information is relevant for that purpose and for a period of at least one year thereafter or other period that may be prescribed.
  2. A data controller and a data processor shall keep a record of the process and a record of the purpose for which the personal information was collected and third parties to whom and when the personal information was disclosed.

52. Duties of data processor

  1. A data processor shall not engage another data processor without prior specific or general written authorisation of the data controller.
  2. A data processor shall, where a data controller is granted general authorisation to engage another data processor, inform the data controller of any intended changes concerning the addition or replacement of other data processors, thereby giving the data controller the opportunity to object to those changes.
  3. Processing by a data processor shall be governed by a contract that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller and any other matter, as prescribed.
  4. The Data Protection Commissioner may, for the purposes of this section, issue guidelines specifying further obligations and any other matters regarding data processors.

53. Non-disclosure of personal data

  1. Except as otherwise provided in this Act, a person shall not disclose or otherwise cause any other person to receive the content or nature of any personal data that has been collected.
  2. Subject to subsection (3), a data controller or data processor who seeks to disclose personal data shall, prior to its disclosure, obtain the consent of the data subject.
  3. A data controller or data processor, who seeks to disclose personal data, shall inform the data subject, prior to a disclosure of personal data under this section, of the following details in respect of the data subject’s personal data:

    1. when and to whom it will be disclosed;
    2. the purpose of its disclosure;
    3. the security practices, privacy policies and other policies, if any, that will protect it; and
    4. the procedure for recourse in case of any grievance in relation to it.
  4. A data controller or data processor shall not disclose, without consent of the data subject, personal data unless it is necessary to prevent —

    1. a reasonable threat to national security, defence or public order; or
    2. investigate or prosecute a cognisable offence.
  5. A person who contravenes a provision of this section commits an offence and is liable on conviction to a fine not exceeding two hundred thousand penalty units or to imprisonment for a term not exceeding two years or to both.

54. Joint controllers

  1. Where two or more data controllers jointly determine the purposes and means of processing data, the joint controllers shall enter into an agreement which reflects the respective roles and relationships of the joint controllers as they relate to the data subject.
  2. An agreement entered into under subsection (1) shall be made available to the data subject.
  3. Joint data controllers shall be jointly and severally liable to the data subject.

55. Offence by data controller

  1. A body corporate that contravenes the provisions of this part commits an offence and is liable, on conviction, to two percent of annual turnover of the preceding financial year or to two million penalty units, whichever is higher.
  2. Where an offence under subsection (1) is committed by a natural person, that person shall be liable, on conviction, to a fine not exceeding one million penalty units or to imprisonment for a term not exceeding ten years, or to both.

A person shall not process personal data in legal proceedings, except —

  1. under the supervision of a public body discharging its duty if the processing is necessary for those legal proceedings;
  2. where the processing is necessitated by litigation; or
  3. by a legal practitioner to the extent that the processing is necessary for the protection of the legal practitioner’s clients’ interests.

57. Notification

A data controller or data processor shall notify the Data Protection Commissioner of any third party agreement that allows the third party to trade on the profile of a data subject.