Legal Update – 8 March 2024
Personal Data Protection Commission Operationalized
- Established to enforce personal data protection laws
- Mandate of the Commission articulated
- Complaint procedure before the Commission provided
- Decisions of the Commission appealable to High Court
Recently, the Personal Data Protection Commission (the Commission) was operationalized. It should be remembered that, on 1 November 2022, the Personal Data Protection Act, 2022 (the Act) was passed by Parliament for purposes of recognizing the right to privacy and personal data security. The Act establishes the Commission so as to protect the privacy of individuals and ensure that the collection and processing of personal data is guided by the principles set out in the Act.
The Commission is vested with powers, among others, to monitor compliance by data controllers and data processors; register data controllers and data processors; receive, investigate and deal with complaints about alleged violations of the protection of personal data and privacy of persons; inquire into and take measures against any matter that appears to the Commission to affect the protection of personal data and infringes privacy of individuals; and undertake research and monitoring technological developments in data processing.
Regarding complaint procedure before the Commission, the law obliges any person who considers that there is a violation of personal data protection principles or is dissatisfied with the decision of the data controller or data processor regarding personal data to submit a complaint to the Commission through Form No. 1 as prescribed in the Schedule to the Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023 (the Regulations).
Upon receipt of the complaint, the Commission is empowered to investigate and attempt to resolve the complaint in an amicable manner within 30 days from the date of filing the complaint. However, if the parties cannot reach an amicable settlement within the above specified time, the mediator shall refer the complaint to the Commission for hearing. The Commission will then appoint a Complaints Hearing Committee (the Committee) that shall be composed of three persons among people with expertise and experience in the field of law, personal data protection and ICT within the Commission.
Having heard the complaint, the Committee shall prepare and submit recommendations for the Commission to consider and issue a written award in the relevant complaint. Upon issuance of the award, the Commission, if satisfied that a person has failed to comply with the law, may issue an enforcement notice (the notice) to that person. The said notice may require that person to rectify the deficiencies within 7 days together with directions of the Commission such as, to rectify or change personal data; prevent or suspend collection or processing of data; erase or remove the personal data from the system; and destroy personal data.
In terms of the enforcement, the award of the Commission is enforceable as an order of the High Court. The High Court after receiving the application for registration of the award, will proceed to register the same as if it has been issued under the Arbitration Act.
Lastly, any party who is not satisfied with the award of the Commission may within 21 days apply for review of the award to the Commission and the Commission shall, within 14 days from the date of receiving the review, review its award and may reverse, alter or revoke any direction given in the award. An aggrieved party may, within 21 days from the date of delivery of the award, appeal to the High Court.
To read the Personal Data Protection Act, 2022 click here
To read the Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023 click here