(1) Where Part 5 applies to a controller or processor, the Commission may carry out or cause to be carried out such examination in the form of an audit as it considers appropriate in order to determine whether the practices and procedures of the controller or processor are in compliance with that Part and regulations made under it.
(2) The Commission may, for the purposes of an audit under subsection (1) or a data protection audit, require the controller or processor concerned to produce any documents, records, statements or other information within that person's possession or control, or within that person's procurement, that are relevant to or required for the conduct of the audit.
(3) Before commencing an audit under subsection (1), or a data protection audit, the Commission shall give the controller or processor concerned notice of its proposal to conduct such an audit, which notice shall -
(a) specify the matters to which the proposed audit will relate, and
(b) specify the date, w
…