21
2019
Data Protection
No.
legitimate interest pursued by the data controller or
data processor;
(b) an assessment of the necessity and proportionality
of the processing operations in relation to the
purposes;
(c) an assessment of the risks to the rights and
freedoms of data subjects;
(d) the measures envisaged to address the risks and the
safeguards, security measures and mechanisms to
ensure the protection of personal data and to
demonstrate compliance with this Act, taking into
account the rights, and legitimate interests of data
subjects and other persons concerned.
(3) The data controller or data processor shall consult
the Data Commissioner prior to the processing if a data
protection impact assessment prepared under this section
indicates that the processing of the data would result in a
high risk to the rights and freedoms of a data subject.
(4) For the purposes of this section, a “data protection
impact assessment” means an assessment of the impact of
the envisaged processing operations on the protection of
personal data.
(5) The data impact assessment reports shall be
submitted sixty days prior to the processing of data.
(6) The Data Commissioner shall set out guidelines
for carrying out an impact assessment under this section.
32. (1) A data controller or data processor shall bear
the burden of proof for establishing a data subject’s consent
to the processing of their personal data for a specified
purpose.
(2) Unless otherwise provided under this Act, a data
subject shall have the right to withdraw consent at any
time.
(3) The withdrawal of consent under sub-section (2)
shall not affect the lawfulness of processing based on prior
consent before its withdrawal.
(4) In determining whether consent was freely given,
account shall be taken of whether, among others, the
performance of a contract, including the provision of a
Conditions of
consent.
!