Acts 2017

496

(3)	In determining the appropriate security measures referred to in subsection (1), in particular, where the processing involves the transmission of data over an information and communication network, a controller shall have regard to –

	(a)	the state of technological development available;

	(b)	the cost of implementing any of the security measures;

	(c)	the special risks that exist in the processing of the data; and

	(d)	the nature of the data being processed.

(4)	Where a controller is using the services of a processor –

	(a)	he or it shall choose a processor providing sufficient guarantees in respect of security and organisational measures for the purpose of complying with subsection (1); and

	(b)	the controller and the processor shall enter into a written contract which shall provide that –

		(i)	the processor shall act only on instructions received from the controller; and

		(ii)	the processor shall be bound by obligations devolving on the controller under subsection (1).
(5)	Where a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing.

(6)	Every controller or processor shall take all reasonable steps to ensure that any person employed by him or it is aware of, and complies with, the relevant security measures.

32.	Prior security check

(1)	 Where the Commissioner is of the opinion that the processing
or transfer of data by a controller or processor may entail a specific risk to
the privacy rights of data subjects, he may inspect and assess the security
measures taken under section 31 prior to the beginning of the processing or
transfer.