white_paper_on_data_protection_in_india_171127_final_v2
Australia
The Privacy Act requires credit rating bodies to ensure that regular audits are carried out by an independent person to ensure that certain agreements with credit providers are being complied with. 749
South Africa
Under Section 89 of the POPI Act, the Information Regulator is required to assess “whether an instance of processing of personal information complies with the provisions of [the] Act” in the prescribed manner. It may do so on its own initiative or on request by or on behalf of the responsible party, data subject or any other person. The provision clarifies the mandatory nature of such assessment, stating that it must be carried out by the Information Regulator “if it appears to be appropriate” though it may not make the assessment if, on a request, it is unable to identify the requester or the action that must be assessed. 750 Information notices are sent to the relevant organisation towards initiating an assessment. 751 A provision is also made regarding the assessment report resulting from the assessment process. 752 The report is to be given to the responsible party and the Information Regulator may also make any aspect of the assessment public if it is in public interest to do so.
(iv) Data Protection Officer
The designation of a specific individual or officer by a data controller to facilitate compliance through monitoring and advising as well as to act as a point of contact with a data protection authority is a crucial element of data protection laws. These individuals are often called data protection officers (DPOs). 753 It is relevant to note that in the present Indian legal framework, a body corporate is required to designate a grievance officer for grievance redressal purposes with certain details of the same posted on the body corporate's website. 754
International Practices
European Union
749 Sections 20N(3)(b) and 20Q(2)(b), Privacy Act.
750 Section 89(2), POPI Act. The criteria that the Information Regulator is to keep in mind when determining when it is 'appropriate' to make the assessment are also laid down. See Section 89(3), POPI Act.
751 Section 90, POPI Act.
752 Section 91, POPI Act.
753 For example, as part of EU GDPR's accountability-based compliance framework, DPOs will be at the heart of the regulatory scheme, facilitating compliance with the provisions of the EU GDPR as key players: See Article 29 Data Protection Working Party, 'Guidelines on Data Protection Officers ('DPOs')', European Commission (13 December 2016), 4-5, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=43823, (last accessed 20 November 2017).
754 Rule 5(9), SPDI Rules.