45. Data protection impact assessment
45.—(1) Unless otherwise specified in a notice under subsection (4), a data controller shall, in respect of each calendar year—
(a) within ninety days after the end of the relevant calendar year; and
(b) in such form as may be prescribed by the Commissioner by notice published in the Gazette,
submit to the Commissioner a data protection impact assessment in respect of all personal data in the custody or control of the data controller.
(2) The Commissioner shall evaluate each data protection impact assessment received under subsection (1) and shall, as the Commissioner considers appropriate, issue such directions to the data controller concerned—
(a) to make such amendments to the data controller’s systems of operation or other activities; or
(b) to implement such other recommendations,
as may be necessary to secure compliance with this Act.
(3) The data protection impact assessment form prescribed under subsection (1) shall require at least the following information—
(a) a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in subsection (5); and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
(4) The Commissioner may publish a notice in the Gazette, and in such other manner as the Commissioner considers appropriate to bring the notice to the attention of data controllers, specifying the classes or kinds of personal data, or data controllers, to which subsection (1) shall apply or shall not apply.
(5) In determining any class or kind for the purposes of subsection (4), the Commissioner shall have regard to the likely level of risk to the rights and freedoms of data subjects involved in processing the data concerned, taking into account the nature, scope, context and purposes of the processing.