Part 5 » Regulation of Data Controllers, Data Processors and Data Auditors

19. Prohibition from controlling or processing personal data without registration

  1. A person shall not control or process personal data without registering as a data controller or a data processor under this Act.
  2. A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a term not exceeding five years or both.

20. Application for registration as data processor or data controller

  1. A person who intends to process personal data shall apply to the Data Protection Commissioner for registration as a data controller or data processor in a prescribed manner and form on payment of a prescribed fee.
  2. The Data Protection Commissioner may, within fourteen days of receipt of an application under subsection (1), grant or reject the application.
  3. The Data Protection Commissioner shall, where it rejects an application under subsection (2), inform the applicant in writing and give reasons for the decision.

21. Registration of data controller and data processor

  1. The Data Protection Commissioner shall, within fourteen days of the approval of an application under section 20, issue the applicant with a certificate of registration, if the applicant meets the prescribed requirements.
  2. A registered data controller or data processor shall display the certificate of registration issued under this Act in a conspicuous place at the registered data controller’s or data processor’s principal place of business and a certified copy of the certificate of registration at every subsidiary premises where the registered data controller or data processor carries on business.

22. Renewal of certificate of registration

  1. A registered data controller or data processor may, three months before the expiration of the validity of the certificate, apply to the Authority for renewal of a certificate of registration in a prescribed manner and form on payment of a prescribed fee.
  2. The Data Protection Commissioner shall, within thirty days of receiving an application for the renewal of a certificate of registration, approve or reject the application and give reasons where it rejects the application for renewal of the certificate.
  3. A holder of a certificate of registration who submits an application for the renewal of a certificate of registration in accordance with subsection (1), shall continue to operate the business or activity until a decision is made by the Data Protection Commissioner on the application.

23. Change in details of data controller or data processor

A registered data controller or data processor under this Act shall notify the Data Protection Commissioner of any change in the particulars relating to the registration within seven days of the change.

24. Suspension or cancellation of registration

  1. Subject to other provisions of this Act, the Data Protection Commissioner may suspend or cancel the registration of a data controller or data processor if the registered data controller or data processor —

    1. obtained the registration on the basis of fraud, misrepresentation or concealment of a material fact;
    2. has ceased to carry on business in the data processing or controlling industry for a prescribed period;
    3. fails to comply with any term or condition of the certificate of registration; or
    4. operates the registered business activity in contravention of this Act or any other relevant written law.
  2. The Data Protection Commissioner shall, not less than thirty days before suspending or cancelling registration of a data controller or data processor in accordance with subsection (1), notify the registered data controller or data processor of the intention to suspend or cancel the registration giving reasons for its decision and requesting the registered data controller or data processor to show cause, within a period as the Data Protection Commissioner shall specify in the notice, why the registration of the data controller or data processor shall not be suspended or cancelled.

  3. Where the Data Protection Commissioner is not satisfied with the reasons advanced by the data controller or data processor under subsection (2), the Data Protection Commissioner shall proceed to suspend or cancel the registration, stating the reasons for the suspension or cancellation.
  4. Where a certificate of registration is cancelled or suspended, the Data Protection Commissioner shall prescribe conditions with which the data collected from the data subjects will be processed.

  5. A data controller or data processor who contravenes subsection (4) commits an offence and is liable, on conviction, to a fine not exceeding one million penalty units or to imprisonment for a term of five years.

25. Re-registration

Where a certificate of registration is cancelled or suspended under section 24, the holder of the certificate of registration may apply to the Data Protection Commissioner for re-registration in a prescribed form and manner on payment of a prescribed fee.

26. Surrender of certificate of registration

  1. Where a registered data controller or data processor decides not to continue providing the services, the data controller or data processor shall notify the Data Protection Commissioner in writing.
  2. The Data Protection Commissioner shall prescribe terms and conditions on which the certificate of registration shall be surrendered.
  3. Where a certificate of registration is surrendered under subsection (1), the certificate of registration shall lapse, and the data controller or data processor shall cease to be entitled to any benefits obtainable under the certificate of registration.
  4. A data controller or data processor who fails to adhere to the terms and conditions of surrender in subsection (2) commits an offence and is liable, on conviction, to a fine not exceeding one million penalty units or to imprisonment for a term of ten years.

27. Exemption from registration

The Data Protection Commissioner may, by declaration, exempt a person for a limited or unlimited period of time, from the requirement to hold a certificate of registration to process personal data.

28. Power to forbear

  1. The Data Protection Commissioner may forbear from applying to a data controller any provision of this Part, where the Data Protection Commissioner considers that forbearance is consistent with the objects of this Act.
  2. The Data Protection Commissioner shall, where it decides to forbear from applying any provision, immediately, publish a notice of forbearance in the Gazette, setting out the details of and the reasons for, the decision.