Regularise business before March 31 - Data controllers cautioned
The Data Protection Commission (DPC) has urged institutions performing functions as data controllers to regularise business with the commission before the six-month amnesty granted them by the Ministry of Communications expires on March 31, 2021.
In October 2020, DPC launched a registration software, mandating all institutions processing personal data to duly register with the commission and pay the required fees as a legal obligation.
Advertisement
The new registration software could thereafter determine the total arrears owed by defaulting institutions from May 2012.
COVID-19 impact
However, considering the potential adverse impact of COVID-19 on businesses, the arrears owed by data controllers were waived by an amnesty, effective October 1, 2020, to allow such defaulting institutions a grace period to register with the commission or face prosecution as stipulated in Sections 56 and 95 of the Data Protection Act, Act 2012 (Act 843).
A statement signed by the Executive Director of the DPC, Ms Patricia Adusei-Poku, said the affected institutions included limited liability companies, consultancy firms, airlines, hotels, shopping centres, hospitals and clinics, banks and microfinance companies, the media, churches and non-governmental organisation (NGOs), law firms, as well as state corporate agencies, among others.
Sections 97 (1) and (2) as well as Section 27 (1) of the Data Protection Act specify varied procedures and modalities for institutions processing personal data or perform such functions as data controllers to register with the Data Protection Commission.
Content of Act
Section 97 (1) stipulates that: “A data controller incorporated or established after the commencement of this Act shall be required to register as a data controller within 20 days of the commencement of business;” whereas Section 97 (2) provides that “A data controller in existence at the commencement of this Act shall be required to register as a data controller within three months after the commencement of this Act”.
Similarly, Section 27 (1) demands that “A data controller who intends to process personal data shall register with the Data Protection Commission”.
The statement urged institutions seeking clarification to make the necessary contacts to get the relevant information.