Implementing Entity: Office of the Data Commissioner
Data Commissioner: Immaculate Kassait
Commencement date of this Act is 25 November 2019.
Functions of the Office of the Data Commissioner
(1) The Office shall—
(a) oversee the implementation of and be responsible for the
enforcement of this Act;
(b) establish and maintain a register of data controllers and data
processors;
(c) exercise oversight on data processing operations, either of own
motion or at the request of a data subject, and verify whether the
processing of data is done in accordance with this Act;
(d) promote self-regulation among data controllers and data processors;
(e) conduct an assessment, on its own initiative of a public or private
body, or at the request of a private or public body for the purpose of
ascertaining whether information is processed according to the
provisions of this Act or any other relevant law;
(f) receive and investigate any complaint by any person on
infringements of the rights under this Act;
(g) take such measures as may be necessary to bring the provisions of
this Act to the knowledge of the general public;
(h) carry out inspections of public and private entities with a view to
evaluating the processing of personal data;
(i) promote international cooperation in matters relating to data
protection and ensure country's compliance on data protection
obligations under international conventions and agreements;
(j) undertake research on developments in data processing of personal
data and ensure that there is no significant risk or adverse effect of
any developments on the privacy of individuals; and
(k) perform such other functions as may be prescribed by any other law
or as necessary for the promotion of object of this Act.
Registration of data controllers and data processors
(1) Subject to sub-section (2), no person shall act as a data controller or data
processor unless registered with the Data Commissioner.
(2) The Data Commissioner shall prescribe thresholds required for
mandatory registration of data controllers and data processors, and in
making such determination, the Data Commissioner shall consider—
(a) the nature of industry;
(b) the volumes of data processed;
(c) whether sensitive personal data is being processed; and
(d) any other criteria the Data Commissioner may specify.
19. Application for registration
(1) A data controller or data processor required to register
under section 18 shall apply to the Data Commissioner.
(2) An application under sub-section (1) shall provide the following
particulars—
(a) a description of the personal data to be processed by the data
controller or data processor;
(b) a description of the purpose for which the personal data is to be
processed;
(c) the category of data subjects, to which the personal data
relates;
(d) contact details of the data controller or data processor;
(e) a general description of the risks, safeguards, security measures
and mechanisms to ensure the protection of personal data;