Registration

All who process personal information must register with the Commission unless otherwise directed. The Commission registers Data Controllers and Processors online.  As part of the measures to ensure openness and transparency aspects of the registered data controllers and processors information will be made available on the Commission’s online public search register.

 

WHAT IS REGISTRATION?
Registration is the process by which data controller(s) and processor (s) informs the Commission on some the following:

    • Who they are;
    • the type(s) of personal data it holds; 
    • The nature of  processing of personal information they engage in; How they ensure the protection of the personal information they collect or process; and
    • Who their contact person is for data protection issues.

 

WHY REGISTER

·       Act 843 makes it mandatory for all who process personal data to register with the Commission.

·       Section 56  states  further that “a person who fails to register as a data controller but processes personal data commits an offence and is liable on summary conviction to a fine of not more than two hundred and fifty penalty units or a term of imprisonment of not more than two years or to both”.

 

WHO SHOULD REGISTER

A Data Controller or Data Processor. If in doubt on whether you are required to register please contact the Commission..

 

EXAMPLES OF WHO SHOULD REGISTER

If personal information is processed for the following purposes you are required to register.

    • Accountancy and auditing
    • Administration of justice
    • Advertising, marketing and public relations for others
    • Canvassing political support among the electorate
    • Constituency casework
    • Consultancy and advisory services
    • Credit Bureaus
    • Crime prevention and prosecution of offenders (including some CCTV systems)
    • Debt administration and factoring
    • Education
    • Health administration and provision of patient care
    • Insurance administration
    • Journalism and media
    • Legal services
    • Mortgage/insurance broking
    • Pastoral care
    • Pensions administration
    • Personal information processed by or obtained from a credit reference agency
    • Private investigation
    • Property management (including the selling of property)
    • Provision of childcare
    • Provision of financial services and advice
    • Research
    • Trading and sharing in personal information
    • Telecommunications network or service providers
    • Insurance undertakings 
    • Businesses that are wholly or mainly in direct marketing
    • Businesses that wholly or mainly in collect debts
    • Internet access providers
    • Government Bodies / Public Authorities
    • Businesses that process genetic data.

 

APPLICATION FOR REGISTRATION

An application for registration as a data controller shall be made in writing to the Commission and the applicant shall furnish the following particulars:

    • the business name and address of the applicant;
    • the name and address of the company’s representative where the company is an external company;
    • a description of the personal data to be processed and the category of persons whose personal data are to be collected;
    • an indication as to whether the applicant holds or is likely to hold special personal data;
    • a description of the purpose for which the personal data is being or is to be processed;
    • a description of a recipient to whom the applicant intends to disclose the personal data;
    • the name or description of the country to which the applicant may transfer the data;
    • the class of persons or where practicable the names of persons whose personal data is held by the applicant;
    • a general description of measures to be taken to secure the data; and
    • Any other information that the Commission may require.

An applicant who knowingly supplies false information in support of an application for registration as a data controller commits an offence and is liable on summary conviction to a fine of not more than one hundred and fifty penalty units or a term of imprisonment of not more than one year or to both.

Where a data controller intends to keep personal data for two or more purposes the Commission shall make separate entries for each purpose in the Register.

For guidelines on how to complete the registration form, read the document below.