
Part 6 » Data Auditors

29. Data auditors

The Data Protection Commissioner shall licence data auditors in the prescribed manner and form on payment of the prescribed fee.

30. Application for licence

  1. A person who intends to provide data auditing services under this Act shall apply to the Data Protection Commissioner for a licence in the prescribed manner and form on payment of the prescribed fee.
  2. The Data Protection Commissioner shall, within sixty days of receipt of an application, grant or reject the application.
  3. Where the Data Protection Commissioner fails to make a decision within the period referred to under subsection (2), except as otherwise provided under this Act, the application shall be deemed to have been granted.
  4. The Data Protection Commissioner shall, where it rejects an application for a licence, inform the applicant in writing stating the reasons for the rejection.
  5. The Data Protection Commissioner may request for further particulars in respect of an application.
  6. Where the Data Protection Commissioner requests for particulars referred to in subsection (5), the period referred to in subsection (2) stops running.

31. Issue of licences

A licence under this Act shall only be issued to an applicant that possesses the relevant technical capabilities determined by the Data Protection Commissioner.

32. Conditions of licence

A licence issued under this Act shall —

  1. contain the terms and conditions of the licence; and
  2. be valid for the period as may be prescribed.

33. Variation of licence

  1. A licensee may, at any time during the validity of the licence, apply to the Data Protection Commissioner for variation of the terms and conditions of the licence or any matter relating to the licence.
  2. The Data Protection Commissioner shall consider the application referred to in subsection (1) and may grant or reject the application, and shall give reasons to the applicant where it rejects the application.
  3. The Data Protection Commissioner may vary the licence or the terms and conditions of a licence where —

    1. the variation is necessary in the public interest; or
    2. the variation is necessary to address the concerns of the members of the public;
  4. The Data Protection Commissioner shall, before making any variation of the terms and conditions of a licence under this section, give notice to the licensee —

    1. stating that it proposes to make variations in the manner specified in the notice; and
    2. specifying the time, not being more than fourteen days from the date of service of the notice on the licensee, within which written representation in respect of the proposed variation may be made to the Data Protection Commissioner by the licensee.
  5. Compensation shall not be payable by the Data Protection Commissioner to a licensee for any variation to a licence.

34. Surrender of licence

  1. Where a licensee decides not to continue providing the services relating to the licence, the licensee shall notify the Data Protection Commissioner in writing and shall agree with the Data Protection Commissioner on the terms and conditions of the surrender of the licence, with particular reference to anything done or any benefit obtained under the licence.
  2. Where a licence is surrendered under subsection (1), the licence shall lapse, and the licensee shall cease to be entitled to any benefits obtainable under the licence.

  3. Where a licence is surrendered under subsection (1), the licensee shall not be entitled to a refund of any fees paid with respect to the licence.

35. Transfer of licence

  1. A licensee shall not cede, pledge, encumber or otherwise dispose of a licence.
  2. A licensee may transfer or assign a licence with the prior approval of the Data Protection Commissioner.
  3. An application for approval to transfer or assign a licence shall be made to the Data Protection Commissioner.
  4. The Data Protection Commissioner may, within thirty days of receipt of the application —

    1. approve the application on such terms and conditions as it may determine; or
    2. reject the application in accordance with the provisions of this Act.

36. Suspension and cancellation

  1. Subject to the other provisions of this Act, the Data Protection Commissioner may suspend or cancel a licence if the holder:

    1. obtained the licence by fraud or submission of false information or statements;
    2. contravenes this Act, any other written law relating to the licence or any terms and conditions of the licence;
    3. fails to comply with a decision or guidelines issued by the Data Protection Commissioner;
    4. enters into receivership or liquidation or takes any action for voluntary winding up or dissolution;
    5. enters into any scheme of arrangement, other than for the purpose of reconstruction or amalgamation, on terms and within such period as may previously have been approved in writing by the Data Protection Commissioner;
    6. is the subject of any order that is made by a court or tribunal for its compulsory winding up or dissolution;
    7. has ceased to fulfil the eligibility requirements under this Act; or
    8. the suspension or cancellation is in the public interest.
  2. The Data Protection Commissioner shall before suspending or cancelling the licence in accordance with this section, give written notice to the holder thereof of its intention to suspend or cancel the licence and shall —

    1. give the reasons for the intended suspension or cancellation; and
    2. require the holder to show cause, within a period of not more than thirty days, why the licence should not be suspended or cancelled.
  3. The Data Protection Commissioner shall not suspend or cancel a licence under this section if the licensee takes remedial measures to the satisfaction of the Data Protection Commissioner within the period referred to in subsection (2).

  4. The Data Protection Commissioner shall, in making its final determination on the suspension or cancellation of the licence, consider submissions made by the licensee under subsection (2).
  5. The Data Protection Commissioner may suspend or cancel a licence if the holder after being notified under subsection (2) fails to show cause or does not take remedial measures, to the satisfaction of the Data Protection Commissioner within the time specified in that subsection.
  6. The Data Protection Commissioner shall, where it suspends or cancels a licence under this section, publish the suspension or revocation in the Register.

37. Renewal of licence

  1. A licensee may, not less than three months before the expiry of a licence, apply for a renewal of the licence in the prescribed manner and form on payment of a prescribed fee.
  2. The Data Protection Commissioner shall, where a licensee makes an application under subsection (1), renew the licence if the licensee —

    1. fulfils the eligibility requirements as prescribed under this Act;
    2. at the time of the renewal, the licensee is compliant with the terms and conditions of the licence, the Guidelines issued by the Data Protection Commissioner or any other relevant law.
  3. Where the Data Protection Commissioner rejects an application for renewal of a licence, the Data Protection Commissioner shall inform the licensee and give reasons for the rejection.

38. Functions of data auditor

The functions of a data auditor are to —

  1. promote adherence to principles of data protection by controllers and processors of data;
  2. ensure that data controllers and data processors implement adequate policies and procedures to regulate the processing of personal data;
  3. enhance public and stakeholder awareness of data protection principles and rights; and
  4. check that data controllers implement adequate safeguards to prevent data leaks and data breaches from data controllers and data processors.