Article 16 - Registry of Data Controllers

(1) The Presidency shall maintain a publicly accessible Registry of Controllers under the supervision of the Board.

(2) Natural or legal persons who process personal data shall be obliged to enrol in the Registry of Data Controllers before proceeding with data processing. However, by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, the legal requirement for data processing, or transferring the data to third parties, the Board may provide exception to the obligation of enrolment in the Registry of Data Controllers.

(3) Application for enrolling in the Registry of Data Controllers shall be made with a notification including:

  • a) identity and address of the controller and of his representative, if any,
  • b) purposes for which the personal data will be processed,
  • c) explanations about group(s) of personal data subjects as well as about the data categories belonging to these people,
  • ç) recipients or groups of recipients to whom the personal data may be transferred,
  • d) personal data which is envisaged to be transferred abroad,
  • e) measures taken for the security of personal data.
  • f) maximum period of time required for the purpose of the processing of personal data.

(4) Any changes in the information provided under the third paragraph shall be immediately notified to the Presidency

(5) Other procedures and principles governing the Registry of Data Controllers shall be laid down through a by-law.