!
20
Data Protection
No.
2019
steps at the request of the data subject before
entering into a contract;
(ii)
for compliance with any legal obligation to
which the controller is subject;
(iii)
in order to protect the vital interests of the
data subject or another natural person;
(iv)
for the performance of a task carried out in
the public interest or in the exercise of
official authority vested in the controller;
(v)
the performance of any task carried out by a
public authority;
(vi)
for the exercise, by any person in the public
interest, of any other functions of a public
nature;
(vii) for the legitimate interests pursued by the
data controller or data processor by a third
party to whom the data is disclosed, except
if the processing is unwarranted in any
particular case having regard to the harm
and prejudice to the rights and freedoms or
legitimate interests of the data subject; or
(viii) for the purpose of historical, statistical,
journalistic, literature and art or scientific
research.
(2) Further processing of personal data shall be in
accordance with the purpose of collection.
(3) A data controller who contravenes the provisions
of sub-section (1) commits an offence.
31. (1) Where a processing operation is likely to result
in high risk to the rights and freedoms of a data subject, by
virtue of its nature, scope, context and purposes, a data
controller or data processor shall, prior to the processing,
carry out a data protection impact assessment.
(2) A data protection impact assessment shall include
the following—
(a) a systematic description of the envisaged
processing operations and the purposes of the
processing, including, where applicable, the
Data protection
impact
assessment.