Press Release on Registration of Data Controllers and Data Processors

The Data Protection Commission (DPC) has noted with grave concern the conduct of apathy and failure by many who process personal information to register with the Commission as data controllers in accordance with Section 27 (1) of the Data Protection Act, 2012 (Act 843) which states that “A data controller who intends to process personal data shall register with the Commission.”

The Commission commenced registration of data controllers on May 1, 2015. During the period of the registration exercise, notices were published in the Daily Graphic newspaper (references of some publication editions include Page 30 of Wednesday July 15, 2015, Page 34 of Wednesday July 22, 2016 and Page 41 of Wednesday August 5, 2015) informing potential data controllers of their obligation to register with the Commission. In the said publications it was stated that “an institution or individual existing prior to commencement of Act 843 has three (3) months to comply with the requirement to register”. The three (3) months period however expired on the 31st July, 2015 and was subsequently extended by another three (3) months on the request of existing Data Controllers.

Regrettably, many organizations who exercise functions as data controllers have failed to comply with this directive. Consequently, these organizations and individuals are not only breaching the law by failing to register with the DPC, the sole regulator of data protection but also in many cases fail to adhere to the provisions of the Act.
Click HERE for the full documentation of the press release.