Skip to main content
Version status: In force | Document consolidation status: Updated to reflect all known changes
Version date: 25 May 2018 - onwards
Version 2 of 2

136. Data Protection Audit

(1) Where Part 5 applies to a controller or processor, the Commission may carry out or cause to be carried out such examination in the form of an audit as it considers appropriate in order to determine whether the practices and procedures of the controller or processor are in compliance with that Part and regulations made under it.

(2) The Commission may, for the purposes of an audit under subsection (1) or a data protection audit, require the controller or processor concerned to produce any documents, records, statements or other information within that person's possession or control, or within that person's procurement, that are relevant to or required for the conduct of the audit.

(3) Before commencing an audit under subsection (1), or a data protection audit, the Commission shall give the controller or processor concerned notice of its proposal to conduct such an audit, which notice shall -

(a) specify the matters to which the proposed audit will relate, and

(b) specify the date, which shall be not earlier than 7 days from the date on which the notice is given on which the audit will be commenced.

(4) In this section, "data protection audit" means a data protection audit conducted for the purpose of Article 58(1)(b) of the Data Protection Regulation.