Business News of Wednesday, 24 March 2021

Source: goldstreetbusiness.com

Data Controllers Amnesty Period Expires

Patricia Adusei-Poku, Executive Director, Data Protection Commission Patricia Adusei-Poku, Executive Director, Data Protection Commission

The Data Protection Commission (DPC) has noted that the six months amnesty granted all institutions performing functions as data controllers by the Ministry of Communications to legally register with the commission expires on March 31, 2021.

In October 2020, DPC launched registration software mandating all institutions processing personal data to duly register with the commission and pay the required fees as a legal obligation.

A release issued by Patricia Adusei-Poku, Executive Director, said the new registration software could thereafter determine the total arrears owed by defaulting institutions from May 2012.

However, it said considering the potential adverse impact of Covid-19 on businesses, the arrears owed by data controllers were waived by an amnesty, effective October 1, 2020, to allow such defaulting institutions, a grace period to register with the commission or face prosecution as stipulated in Sections 56 and 95 of Data Protection Act, Act 2012 (Act 843).

Affected institutions included limited liability companies, consultancy firms, airlines, hotels, shopping centres, hospitals and clinics, banks and microfinance companies, the media, churches and NGOs, law firms as well as state corporate agencies among others.

It said sections 97 (1) and (2) as well as Section 27 (1) of the Data Protection Act specified varied procedures and modalities for institutions processing personal data or performing such functions as data controllers to register with the Data Protection Commission.

Provisions of Section 97 (1) stipulates, “A data controller incorporated or established after the commencement of this Act shall be required to register as a data controller within 20 days of the commencement of business;” whereas Section 97 (2) provides that “A data controller in existence at the commencement of this Act shall be required to register as a data controller within three months after the commencement of this Act.” Similarly, Section 27 (1) mandates, “A data controller who intends to process personal data shall register with the Data Protection Commission.”