21. Duty of data controller to comply with standards

21.—(1) It shall be the duty of a data controller to comply with the data protection standards in relation to all personal data with respect to which that data controller is the data controller.

(2) A data controller who processes personal data in contravention of any of the data protection standards or any of the provisions of this Part, or fails to make a report or notification required under subsection (3) or (5), commits an offence and shall be liable upon—

(a) summary conviction in a Parish Court to a fine not exceeding two million dollars or to imprisonment for a term not exceeding two years; or

(b) conviction on indictment in a Circuit Court, to a fine, or to imprisonment for a term not exceeding seven years.

(3) The data controller shall report to the Commissioner, in such form and manner as shall be prescribed—

(a) any contravention of the data protection standards; and

(b) any security breach in respect of the data controller’s operations which affects or may affect personal data, within seventy-two hours after becoming aware of the contravention or security breach (as the case may be).

(4) A report under subsection (3) shall set out—

(a) the facts surrounding the contravention or security breach;

(b) a description of the nature of the contravention or security breach, including the categories, number of data subjects concerned, and the type and number of personal data concerned;

(c) the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach;

(d) the consequences of the breach; and

(e) the name, address and other relevant contact information of its data protection officer.

(5) Where a contravention or security breach mentioned in subsection (3) occurs, the data controller shall upon becoming aware of, or having reason to become aware of, the contravention or breach, notify each data subject, whose personal data is affected by the breach, of—

(a) the nature of the contravention or security breach;

(b) the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and

(c) the name, address and other relevant contact information of its data protection officer, in such form and manner, and within such time, as shall be prescribed.

(6) Upon receiving a report under subsection (4), the Commissioner may—

(a) serve an enforcement notice under section 44 on the data controller concerned;

(b) direct the data controller to give to any data subject concerned such information as the Commissioner thinks fit concerning the contravention or security breach (as the case may be) and the measures taken, or proposed to be taken, to address it.

(7) It shall be a defence for a person charged with an offence under this section to show that the person exercised all due diligence to prevent the commission of the offence, and the standard of proof shall be on the balance of probabilities.