Part 11 » General Provisions

72. Right to compensation

A data subject who has suffered damage as a result of an infringement of that data subject’s right under this Act, may receive compensation from the data controller or data processor as determined by a court of competent jurisdiction for the damage suffered.

73. Offences

  1. Subject to the other provisions of this Act, a person commits an offence if that person unlawfully discloses sensitive personal data to another person.
  2. A person convicted of an offence under subsection (1) is liable, on conviction, to a fine not exceeding two hundred thousand penalty units, or to imprisonment to a term not exceeding two years, or to both.

74. Power of Data Protection Commissioner to compound certain offences

Where the Data Protection Commissioner is satisfied, after an investigation, or where a person admits that the person has committed an offence under this Act, the Data Protection Commissioner may, compound the offence by collecting from that person a sum of money that the Data Protection Commissioner considers appropriate, but not exceeding fifty percent of the maximum amount of the fine to which that person would have been liable on conviction.

75. Forfeiture

  1. Where there has been a conviction for any of the offences under this Act, the court may pronounce the forfeiture of the medium containing the personal data to which the offence relates or make any other order as it deems fit.
  2. A court may order forfeiture or deletion where the medium containing the personal data does not belong to the person convicted.
  3. A court may, on conviction for an offence under this Act, impose a prohibition to manage any processing of personal data, directly or through an intermediary, for a period that the court determines.

76. Offence by principal officer shareholder or partner of body corporate or unincorporate body

Where an offence under this Act is committed by a body corporate or unincorporate body, with the knowledge, consent or connivance of the director, manager, shareholder or partner, of that body corporate or unincorporate body, that director, manager, shareholder or partner of the body corporate or unincorporate body commits an offence and is liable, on conviction, to the penalty specified for that offence.

77. General penalty

A person who commits an offence under this Act for which a specified penalty is not provided, is liable, on conviction, to a fine not exceeding three hundred thousand penalty units or to imprisonment for a term not exceeding three years, or to both.

78. Code of conduct

  1. The Data Protection Commissioner may prepare a code of conduct for data controllers, data processors and data auditors.
  2. A code of conduct under subsection (1) shall be binding on data controllers and data processors and shall include —

    1. the provision of information to data subjects regarding confidentiality;
    2. the advertising or representation of services;
    3. fair, accessible format and transparent processing of personal data for all data subjects; and
    4. any other matter relating to the processing of personal data under this Act.
  3. The Data Protection Commissioner shall publish the code of conduct in a Gazette or website of general circulation in the Republic for public information.
  4. A code of conduct published under subsection (3), shall be effective from the date of its publication.
  5. A person who contravenes the code of conduct under subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding two hundred thousand penalty units or to imprisonment for a term not exceeding two years, or to both.

79. Guidelines

  1. The Data Protection Commissioner may issue guidelines that are necessary for the better carrying out of the provisions of this Act.
  2. The Data Protection Commissioner shall publish all the guidelines issued under this Act in a daily newspaper of general circulation, and the guidelines shall not take effect until they are so published.
  3. The guidelines issued under subsection (1) shall be binding on all persons regulated under this Act.
  4. A person who contravenes the guidelines under subsection (1), commits an offence and is liable on conviction, to a fine not exceeding two hundred thousand penalty units or to imprisonment for a term not exceeding two years or to both.

80. Register

  1. The Data Protection Commissioner shall keep and maintain a Register in which the Data Protection Commissioner shall keep information that it may determine.
  2. The Register under subsection (1), shall be kept at a place that the Data Protection Commissioner may determine, and shall be open to inspection by the public during normal working hours on payment of a prescribed fee.

81. Auditing of data controller

  1. The Data Protection Commissioner or an independent data auditor licensed by the Data Protection Commissioner under this Act shall, unless otherwise provided under this Act, audit the policies of a data controller and the conduct of processing of personal data annually.
  2. Where a data controller has been authorised to store data on a server or data centre located outside the Republic, the cost of auditing the server or data controller shall be borne by the data controller.

82. Regulations

  1. The Minister may, by statutory instrument make regulations for the better carrying out of the provisions of this Act.
  2. Without limiting the generality of subsection (1), the regulations may make provision for —

    1. limitation of obligations and rights where that limitation is necessary to preserve

      1. state security;
      2. defence;
      3. public safety including the economic wellbeing or interest of the State when the processing operation relates to State security matters; and
      4. the prevention, investigation, and proof of criminal offence;
    2. the notification of security breaches;
    3. licensing of data auditors;
    4. processing of genetic, biometric and health data;
    5. processing of unique patient identifier;
    6. personal data of children;
    7. data retention; and
    8. registration of data controllers and data processors.