
Data Protection in Albania
Data protection laws in Albania
On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.
The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.
The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.
Scope
The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).
Territorial Scope
The Data Protection Law shall apply to the processing of personal data:
- in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
- of data subjects who are located in the Republic of Albania, by a controller who is not established in the Republic of Albania, where the processing operations relate to:
  - the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
  - the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;
- by a controller or processor who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).
Definitions in Albania
Definition of Personal Data
The Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).
A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).
Definition of Sensitive Personal Data
The Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation (Article 5(28)).
“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, from the analysis of a biological sample taken from that person (Article 5(25)).
“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).
“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which reveal information about his or her state of health (Article 5(26)).
National data protection authority in Albania
The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.
In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.
The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.
The Commissioner is seated at:
Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania
Registration in Albania
A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.
If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).
This requirement applies when processing involves:
- the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
- the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.
This requirement shall not apply:
- to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
- to public authorities.
Data protection officers in Albania
Obligation to designate a Data Protection Officer (“DPO”) (Article 33)
The controller and the processor must designate a DPO if:
- The processing is carried out by a public authority or body, excluding courts, in the course of judicial activities;
- The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.
A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.
In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.
Duties and position of the DPO (Article 34)
The DPO has the following duties:
- Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
- Participates in data protection impact assessments;
- Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
- Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
- Cooperates with and serves as a point of contact for the Commissioner;
- Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.
The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.
The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.
The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.
The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.
Collection and processing in Albania
The Data Protection Law provides the following definitions:
A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).
A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).
Principles for the lawful processing of personal data (Article 6)
Personal data shall be:
- processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary kept up to date (the “accuracy principle”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).
Lawfulness of processing of personal data (Article 7)
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Lawfulness of processing of sensitive data (Article 9)
Processing of sensitive data is prohibited.
The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
- processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his or her health condition or when his or her right to act has been removed or restricted;
- processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for archiving purposes in the public interest, or for historical, research, scientific or statistical purposes, subject to legal provisions.
Lawfulness of processing of data related to criminal offences and convictions (Article 10)
Processing of personal data relating to criminal convictions and offences or security measures related thereto is carried out only under the control of competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.
Processing of data for specific purposes:
Processing of personal data and freedom of expression (Article 43)
To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:
- The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
- The data is only used for the specified purpose;
- The publication serves the public interest;
- Applying the Data Protection Law would hinder the purpose;
- The processing does not harm the fundamental rights of data subjects.
If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.
Additionally, when publishing, the controller must ensure that minors, crime victims, or individuals claiming harm are not identifiable without their consent or court approval, except when the victim is a public figure and the publication relates to their role.
These exceptions do not apply to the processing of data about minors or where other specific legal provisions apply.
Processing of personal data and access to information in the public sector (Article 44)
The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information is not restricted by personal data protection rules in respect of public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.
Processing of personal data for archiving, research, and statistical purposes (Article 45)
The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.
Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.
This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:
- Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
- Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
- Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.
Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.
Processing of personal data and direct marketing (Article 46)
See Electronic marketing.
Transfer in Albania
General principles (Article 39)
Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.
Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.
Transfer of data based on an adequacy decision (Article 40)
Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.
Pursuant to Decision of the Commissioner No. 8, dated 31 October 2016, the following states have an adequate level of data protection:
- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States where personal data may be transferred, pursuant to a decision of the European Commission.
Transfer of data in the absence of an adequacy decision (Article 41)
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.
If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:
- the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
- the transfer is necessary for important reasons of public interest;
- the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
- the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.
Where a transfer cannot be based on any of the above grounds, it may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, has provided suitable safeguards for the protection of the personal data. The controller shall inform the Commissioner and the data subject of the transfer and of the compelling legitimate interests pursued.
Security in Albania
General responsibility of the controller (Article 22)
The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.
Data protection by design and by default (Article 23)
Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.
Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
Measures to ensure the security of processing (Article 28)
The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:
- Pseudonymization and encryption of personal data;
- The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
- The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
- A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.
The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.
Breach notification in Albania
Controller’s notification to the Commissioner (Article 29)
In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.
The notification to the Commissioner must include, at a minimum:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
- The name and contact details of the DPO or another relevant contact point;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.
If all of the required information is not available at once, it may be provided in stages, as soon as possible.
The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.
Controller’s notification to the data subjects (Article 29)
The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:
- The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
- The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
- The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.
Processor’s notification to the controller (Article 29)
The processor shall notify the controller immediately after becoming aware of any personal data breach.
Enforcement in Albania
The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:
- Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
- Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
- Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
- Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
- Imposing administrative sanctions and penalties, and overseeing their enforcement.
Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.
The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that govern administrative court proceedings.
Electronic marketing in Albania
Electronic and direct marketing under the Data Protection Law
The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities, since they typically involve personal data, such as an email address that includes the recipient’s name.
Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).
The most common legal grounds for the processing of data for direct marketing are:
The legitimate interests of the controller
Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.
The consent of the data subject
When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).
Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.
The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).
The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).
The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.
Electronic and direct marketing under the Electronic Communications Law
According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).
Online privacy in Albania
Online privacy under the Data Protection Law
The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.
Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:
Right to rectification and erasure (Article 15(2)(dh))
The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.
The right to be forgotten (Article 16)
When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.
In order to provide some clarification on the notion of cookies and their use, the Commissioner has defined cookies in an online dictionary as data stored on the computer which contain specific information. This rudimentary definition is complemented by a short explanation stating that cookies allow any server to know which pages have been visited recently simply by reading them.
The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:
- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer’s IP or modem No.);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from data processing for direct marketing if they have not given their consent.
Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:
- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.
Online privacy under the Electronic Communications Law
The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.
Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.
The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.
Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).
A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.
If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).
This requirement applies when processing involves:
- the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
- the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.
This requirement shall not apply:
- to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
- to public authorities.
The National Authority has set up a digital portal on its website enabling those concerned by the processing of personal data to create an account and fill in electronic forms for the following:
- Prior declaration of processing operations;
- Requests for authorisation; and
- Requests for opinions.
Applicants may also monitor the status of their requests.
The processing of personal data is subject to the following:
- A prior declaration must be filed with the National Authority by the data controller of a private or public entity whenever the latter is likely to receive, store and process personal data. This declaration must be renewed before any new data is processed; or
- A prior authorization of the National Authority when the processing concerns any of the following:
  - transfer of personal data abroad;
  - communication of data to a third party;
- The interconnection of data belonging to one or more legal entities managing a public service for different purposes relating to the general interest must be authorised by the National Authority.
- Article 3 of Law No. 18-07 defines “data interconnection” as (free translation): “(…) any mechanism of connection involving the linking of processed data for a specific purpose with other processed data, whether for identical or different purposes, by the same data controller or by one or more other data controllers.”
As provided by Law, entities shall provide prior notice to, or obtain prior authorization from, APD (depending on the type of personal data and purpose of processing) to process personal data. Please note that in the case of authorization, compliance with specific legal conditions is mandatory. APD has authority to exempt certain processing from notification requirements.
Generally, notification and authorization requests should include the following:
- The name and address of the controller and of its representative (if applicable)
- The purposes of the processing
- A description of the data subject categories and the personal data related to those categories
- The recipients, or the categories of recipients, to whom the personal data may be communicated, and the respective conditions
- Details of any third party entities responsible for the processing
- The possible combinations of personal data
- The duration of personal data retention
- The process and conditions for data subjects to exercise their rights
- Any predicted transfers of personal data to third countries
- A general description (to allow APD to assess whether security measures adopted are suitable to protect personal data in its processing)
All archives, registries, databases and data banks, whether public or private, having the purpose of supplying information, must be registered with the Registry organized by the national data protection authority. This registration requires the following information to be provided to the registry:
- The name and domicile of the person responsible for the archive, registry, database or data bank
- The characteristics and purpose of the archive, registry, database or data bank
- The nature of the personal data included or to be included in the archive, registry, database or data bank
- The way in which data are collected and updated
- The destination of the data and the identity of the individuals or legal entities to whom such data may be transferred
- The way in which the recorded information is interrelated
- The means to assure the security of the data, indicating the category of persons with access to the processing of data
- The term during which the data will be preserved
- The way and conditions pursuant to which interested persons may have access to the data referring to such persons, and the procedures to be followed to rectify and update the registered data
Registration is voluntary unless otherwise specified by the authorized body. Processing of personal data may be carried out by state administration or local self-government bodies, state or municipal institutions or organizations, legal or natural persons, which organize and / or carry out the processing of personal data.
The processor, prior to the processing of personal data, shall have the right to notify the authorized body for the protection of personal data of the intention to process data.
At the request of the authorized body, the processor shall be obliged to send a notification to the authorized body.
The processor, prior to the processing of biometric or special category personal data, shall be obliged to notify the authorized body for the protection of personal data of the intention to process data.
The notification shall include the following information:
- name (surname, name, patronymic) of the processor or his or her authorised person (if any), registered office or place of registration (actual residence);
- purpose and legal grounds for processing personal data;
- scope of personal data;
- scope of data subjects;
- list of operations performed upon personal data, general description of the ways of processing personal data by the processor;
- description of measures which the processor is obliged to undertake for ensuring security of processing personal data;
- date of starting the processing of personal data;
- time limits and conditions for completing the processing of personal data.
The authorized body for the protection of personal data shall enter the information mentioned in the notification, as well as the information on the date of sending the given notification into the register of processors within thirty days following the receipt of the given notification.
Where the information submitted by the processor in the notification is incomplete or inaccurate, the authorized body for the protection of personal data shall have the right to require the processor to clarify the submitted information prior to its entry into the register of processors.
National Ordinance Person Registration
No registration required.
GDPR
Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.
There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act, organizations are not required to notify the Information Commissioner of any processing of personal information.
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Information systems of personal data must be registered with the DPA. There are also certain exemptions from such registration requirement.
There is no obligation under DPA to register with the Office of the Data Protection Commissioner as a data controller (or data processor).
The Authority must create a register of data protection officers. To be accredited as a data protection officer, an individual must be registered in that register.
No requirements.
A data controller must be registered in the Register of Data Controllers.
A data processor must be registered in the Register of Data Processors.
Since 1 January 2024, operators are obliged to add information about information resources (systems) containing personal data to the Register of Personal Data Operators and ensure that the relevant information is kept up to date. Information shall be added regarding information resources (systems) that involve:
- cross-border transfer of special personal data to a foreign state with an “inappropriate” level of protection of data subjects’ rights (except in certain cases provided for by the Data Protection Law);
- processing of biometric and (or) genetic personal data;
- personal data processing of more than 100 thousand individuals; and
- personal data processing of more than 10 thousand individuals under the age of sixteen.
Order of the Operational and Analytical Centre under the President of the Republic of Belarus (OAC) No. 94 of 1 June 2022 establishes the list of data that shall be added into the Register of Personal Data Operators.
State information systems shall be registered under a separate procedure, regardless of whether any personal data are processed in them. According to Belarusian legislation, state information systems are information systems created and / or acquired at the expense of state or local budgets, state off-budget funds, or by state legal entities. Registration is performed by an organisation specially authorised by the Ministry, SERUE “Institute of Application Software Systems”. One of the conditions for state registration of an information system is registration of all information resources included in that information system. The registration described above may be performed voluntarily for privately owned information systems.
According to the Edict of the President of the Republic of Belarus of 16 April 2013 No. 196 On Certain Measures for Improvement of the Information (Information Protection Edict), organisations owning information systems intended for processing of personal data are obliged to notify the OAC of the conditions of technical information protection of such systems.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Belgium regulation
The registration of processing activities through a notification has been abolished. However, in the public sector, the Data Protection Act obliges the controller of processing activities in the context of police services to publish a protocol detailing the transfer to a public authority or private body based on public interest and compliance with legal obligations.
There is no country-wide system of registration in the Republic of Benin. However, the law imposes an obligation of notification and requires the controller to keep a register of processing activities carried out under its responsibility.
Pursuant to Article 405 of the Digital Code, automated or non-automated processing carried out by public or private bodies and involving personal data must, prior to its implementation, be the subject of a prior declaration to the Authority or be entered in a register kept by the person designated for that purpose by the controller.
All processing of personal data is subject to a reporting obligation to the Authority, except for the exemptions provided for in Book V of the Digital Code (see Articles 408, 410, 411, and 417 of the Digital Code).
In terms of Article 435 of the Digital Code, each controller and, where applicable, the controller's representative shall keep a register of the processing activities carried out under their responsibility.
This register shall include all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization;
- the time limits for the deletion of the different categories of data;
- a general description of technical and organizational security measures.
Each processor and, where applicable, the processor's representative shall also maintain a record of all categories of processing activities performed on behalf of the controller, including:
- the name and contact details of the sub-processor(s) and of each controller on whose behalf the processor is acting and, where applicable, the names and contact details of the controller's or processor's representative and of the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization and, in the case of transfers, the documents attesting to the existence of appropriate safeguards;
- a general description of the technical and organizational security measures.
The above-mentioned records must be in written form, including electronic form.
The controller or processor and, if applicable, their representative shall make the register available to the Authority upon request.
The obligation to keep a register does not apply to small and medium-sized enterprises except in the following cases:
- if the processing they carry out is likely to involve a risk to the rights and freedoms of the data subjects;
- if it is not occasional or if it concerns in particular the special categories of data referred to in Article 394 paragraph 1 of the Digital Code, or personal data relating to criminal convictions and offences.
There is no system of registration and none provided for in PIPA.
There is no requirement to register databases or personal information processing activities with regulators.
Personal Data Protection Act BES
No registration required.
GDPR
Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.
Each data controller (defined as a person or legal entity which processes personal data) must provide the DPA with specific information on the database containing personal data ("Database") established and maintained by the controller. The DPA maintains a publicly available register of data controllers and Databases.
The Database's registration includes two phases:
- First, the controller must register as a data controller (this registration as a controller is to be performed only once).
- Second, the controller must report the establishment of the Database to the DPA, which has to be done within 14 days.
Registration of the Database is made by submitting the application in the prescribed form to the DPA. The DPA form includes information regarding:
- Data controller
  - Name
  - Address of its registered seat
- The Database itself
  - Processing purpose
  - Legal ground for its establishment
  - Identification of exact processing activities
  - Types of processed data
  - Categories of data subjects, and
  - Transfer of data abroad
If there is a subsequent change in the registered data, for example changing initial processing activities, the change needs to be reported to the DPA within 14 days from the date the change occurred.
Unlike the DP Law, the Draft Data Protection Law provides for an obligation of data controllers and data processors to keep records of their data processing activities in the same way as the GDPR; however, it does not oblige data controllers to register their data processing activities / databases with the Agency.
The Commission is responsible for creating and maintaining a public register of all data controllers. There is, however, currently no prescribed method of registration.
A data controller is a person who alone or jointly with others determines the purposes and means of which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person's behalf. Additionally, a data controller may engage a data processor, being a person who processes data on behalf of the data controller.
In terms of the DPA, data controllers are required to notify the Commissioner of the Commission (“the Commissioner”) before carrying out any wholly or partially automated processing operation or set of such operations which are intended to serve a single purpose or serve several related purposes.
The notification should include the following details:
- The name and address of the data controller or data processor;
- The purpose of the processing;
- A description of the category or categories of a data subject and of the personal data or categories of personal data relating to the data subject;
- The recipients to whom personal data can be disclosed;
- Proposed transfers of personal data to a third country; and
- A general description to allow the Commission to preliminarily assess the appropriateness of the security measures.
The requirement for notification does not apply to operations which have the sole purpose of keeping a register that is intended to provide information to the public by virtue of any law, and for which the register is open for public inspection. In addition, the notification will not be required where a data controller has appointed a data protection representative.
Data controllers are further required to immediately notify the Commissioner of any breach to the technical or organizational security safeguards for processing of personal data.
The Commissioner has the authority to grant an exemption for notification when satisfied that:
- The personal data being processed has no apparent risk of infringement to the rights of the data subject;
- The purposes of the processing, the category of processing, the category of a data subject, the category of a recipient, and the data retention period are specified; and
- The data controller has appointed a data protection representative, and the Commissioner has been notified of such appointment.
There is currently no requirement to register with the National Data Protection Authority under Brazilian law.
There is currently no requirement for a data controller or a data processor to notify the Information Commissioner of their role or complete any registration.
At present no legal requirement.
It is anticipated that the PDPO will not have any registration requirements.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Bulgaria regulation
The requirement for registration of data controllers before the Commission for Personal Data Protection was repealed with the implementation of the GDPR.
Pursuant to the Personal Data Protection Act, the Commission for Personal Data Protection maintains the following public registers:
- register of data controller and data processors who have appointed data protection officers containing the name of the data controller / data processor, the name of the appointed data protection officer and its contact details;
- register of the accredited certifying bodies under art. 14 containing information on the name and the contact details of the certifying body and on the period of validity of its accreditation;
- register of codes of conduct which includes the name of the code, the name of the editor and the relevant certification body, information about the sector concerned and its content.
The Commission shall also maintain (a) an internal register of established breaches of the GDPR and the Personal Data Protection Act and the measures taken in accordance with art. 58, para 2 of the GDPR, (b) a register of notifications of personal data breaches, and (c) a register of the personal data destroyed on a monthly basis by providers of public electronic communication networks and / or services in accordance with art. 251g of the Electronic Communications Act. These registers, however, are not public.
In accordance with the Rules of Procedure of the Commission for Personal Data Protection and its Administration, the above-mentioned registers are held in electronic format and should be updated regularly.
There is no country-wide system of registration in Burkina Faso. However, the law imposes an obligation of notification and annual reporting to the National Data Protection Authority. These annual reports provide information on the personal data processing activities of those responsible for them throughout the year concerned.
There is no requirement to register databases.
Since Cambodia does not have any dedicated laws on data protection, there are no specific registration requirements for data controllers, data processors, or data processing activities.
Article 19 of the 2024 Law provides that the processing of personal data is subject to prior authorisation issued by the Personal Data Protection Authority. Article 27 of the draft decree provides for 3 types of authorisations: prior notice, prior declaration and prior authorisation.
Further, article 39 (1) provides that the controller or processor shall keep a physical or digital register of the processing operations carried out under his/her responsibility.
The register shall contain the following information:
- the name and contact details of the controller and, where applicable the name of the processor
- the purposes of processing data
- a description of the categories of data subjects and personal data
- the categories of recipients to whom the personal data have been or will be disclosed
- documents attesting to the existence of appropriate safeguards or the number of the authorization issued by the Personal Data Protection Authority
There is no general registration requirement under Canadian Privacy Statutes.
Some registration requirements exist under Quebec privacy laws:
- Personal information agents, defined as “any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports”, must be registered with the CAI
- The use of certain biometric systems and the creation of databases of biometric information must be disclosed to and registered with the CAI
Pursuant to the Data Protection Law, before starting the processing of personal data (and considering the specific categories of personal data), prior authorization or registration with the data protection authority is required.
Specific prior written registration (ie authorization) granted by the data protection authority is necessary in the following cases:
- the processing of sensitive data (except in certain specific cases eg if the processing relates to data which is manifestly made public by the data subject, provided his consent for such processing can be clearly inferred from his/her statements) and only in cases where the data subject has given his/her consent to the use of such data
- the processing of data in relation to creditworthiness or solvency
- the interconnection of personal data
- the use of personal data for purposes other than those for which it was initially collected.
There is currently no requirement for a data controller or data processor to notify the Ombudsman of their role or complete any registration.
There is no country-wide system of registration in Chad. However, the processing of personal data may be subject to prior notification to, or authorisation / prior approval from, the CDP.
Regime of authorisation
The authorisation of the ANSICE is required for the processing of any personal data relating to:
- genetic, biometric data, and research in the health field;
- offenses, convictions, or security measures;
- interconnection of files;
- national identification number or any other identifier of the same nature; or
- public interest in particular for historical, statistical, or scientific purposes.
The regime of declaration
Apart from the data provided for by the authorisation regime, any processing of personal data must be declared in a written form and addressed to ANSICE.
Notice / opinion regime ("Avis")
The automated processing of personal information carried out on behalf of the State, a public institution or a local authority or a legal person under private law managing a public service are decided by regulatory act taken after a reasoned opinion from the ANSICE. Such processing relates to:
- State security, defense or public safety;
- the prevention, investigation, recording or prosecution of criminal offences or the execution of criminal sentences or security measures;
- the population census;
- personal data that reveal, directly or indirectly, the racial, ethnic or regional origins, parentage, political, philosophical or religious opinions or trade union membership of persons, or that relate to the health or sexual life of persons when they are not covered by provisions related to interconnection of data;
- the processing of salaries, pensions, taxes, and other settlements.
(Articles 51, 52 and 53 of the Act)
Public databases must be registered in the Civil Registry and Identification Service (Servicio de Registro Civil e Identificación). There is no obligation to register private databases.
Generally, there is no legal requirement in the PRC for data users to register with the data protection authority.
That said, there are specific registration requirements imposed on the sharing and transferring of specific categories of data (e.g. human genetic resources), and proposed filing requirements for security impact assessments (see Cross Border Transfers).
Law 1581 created the National Register of Data Bases (NRDB). Databases that store personal data and whose automated or manual processing is carried out by a natural or legal person, whether public or private in nature, in the Colombian territory or abroad, shall be registered in the NRDB. Database registration is also required if Colombian law applies to the data controller or data processor under an International Law or Treaty. Registration is mandatory for data controllers that are either of the following:
- Companies or nonprofit entities that have total assets valued above 100,000 Tax Value Units (TVU), meaning COP 3.800.400.000 million (USD 950.100)[1]
- Legal persons of public nature
Decree 866 states that each data controller shall register each of its databases independently, and must distinguish between manual and automated databases. In addition, in order to register each database, the data controller or data processor shall provide the following information:
- Identification information of the data controller, such as: business name, tax identification number, location and contact information
- Identification details of the data processor, such as: business name, tax identification number, location and contact information
- Contact channels to grant data subjects rights
- Name and purpose of the database
- Form of processing (manual / automated)
- Security standards
- Privacy policy
All databases were required to be registered by January 31, 2019. Any new database shall be registered within the 2 months following its creation.
Any substantial change to any of the above-mentioned items shall be updated in the National Registry of Data Bases. For this purpose, substantial changes are any changes made with regard to the purposes of the databases, the data processors, the channels for processing any claim or request from the data subject, the class or type of personal data, the security measures implemented, the data privacy policy and / or the international transfer or transmission of personal data.
Such updates shall be made:
i. within the first 10 days of the month in which the substantial change was made; and
ii. yearly (between January 2 and March 31 of each year).
Moreover, through the National Register of Data Bases, data controllers shall inform of the following:
- Any claim submitted by a data subject to the data controller and/or data processor, within each semester of the year. This information shall be registered within the first 15 business days of February and August of each year with the information of the previous semester.
- Any breaches of registered databases. Such report shall be submitted within the 15 business days following the day on which the data controller had knowledge of the data breach.
Footnotes
Footnote 1: Based on the Tax Value Unit for 2022 (COP $38.004, approximately USD 9.5). The Tax Value Unit is updated yearly by the Colombian tax authority.
These are the prior formalities that data controllers must complete before implementing certain types of data processing. These formalities may take the form of declarations or requests for authorisation, depending on the nature of the processing.
In principle, any processing of personal data is subject to prior declaration to the protection authority (article 5 of the 2013-450 Data Protection Act). The declaration must include detailed information about the processing, such as the identity of the person responsible, the purposes of the processing, the types of data processed, and the security measures put in place (article 9 of the aforementioned law).
However, certain types of processing are exempt from prior declaration under article 10 of the aforementioned law. These include:
- Processing carried out by a natural person in the exclusive context of his or her personal or domestic activities, provided that the data is not intended for systematic communication to third parties
- Processing for the sole purpose of keeping a register for exclusively private use
- Processing carried out by an association or non-profit-making body of a religious, philosophical, political or trade union nature, subject to certain conditions
- Processing of data concerning a natural person whose publication is required by law
- Processing operations for which the data controller has appointed a data protection correspondent, except in the event of data being transferred to a third country
Prior authorisation under Article 7 of the aforementioned 2013 Act is required for certain processing operations considered riskier for privacy. This concerns:
- Processing of genetic data and research in the field of health
- Processing of data relating to offences, convictions or security measures
- Processing of a national identification number or any other similar identifier, in particular telephone numbers
- Processing of biometric data
- Processing in the public interest, in particular for historical, statistical or scientific purposes
- The transfer of personal data to a third country
- The interconnection of files
- Processing carried out on behalf of the State: The processing of personal data carried out on behalf of the State, a public establishment or a local authority, or a legal person under private law managing a public service shall be decided by legislative or regulatory act adopted after a reasoned opinion from the national data protection authority (article 13)
Registration process
- The declaration or request for authorisation may be sent to the protection authority electronically, by post or by any other means against delivery of an acknowledgement of receipt (in accordance with Article 10 of the aforementioned Act).
- ARTCI must give its decision within one month of receipt of the declaration or request for authorisation. This period may be extended by a further month. Failure to respond within the time limit is equivalent to a rejection (Article 5 of Decree No. 2015-79 of 04 February 2015, laying down the procedures for filing declarations, submitting applications, and granting and withdrawing authorisations for the processing of personal data).
- For the most common categories of processing, the ARTCI may establish standards to simplify or exempt from the declaration obligation.
- Once the declaration has been made, the data protection authority issues a receipt, which may be issued electronically. The applicant may then begin processing but remains responsible for compliance with the law.
Under Law 8968, companies that manage databases containing personal information and that distribute, disclose or commercialize such personal information in any manner must register with the Agency.
Entities that manage databases containing personal information for internal purposes do not need to be registered with PRODHAB.
Databases managed by financial institutions subject to control and regulation from the Superintendent of Financial Entities of Costa Rica do not need to be registered with the Agency.
In-house databases are outside the scope of enforcement of the Laws.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Croatia regulation
The Act does not impose any special registration requirements, save for those imposed by the GDPR.
No requirements.
National Ordinance Personal Data Protection
No registration required.
GDPR
Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
There is no registration applicable with the exception of what is referred to in the immediately succeeding paragraph for data protection officers.
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
The Digital Code provides for a declaration regime and an authorisation regime with the APD (Autorité de Protection des Données).
The declaration regime is applicable to all actors processing data and such declaration is to be performed by the person or entity responsible for the processing of personal data.
The authorisation regime is applicable for the processing of certain (more sensitive) data, such as the processing of national identification numbers, genetic data, data regarding criminal records, etc. or whenever personal data will be transferred to a third country.
Considering that the APD has not yet been established, the declaration and authorisation regimes are not yet in practice complied with.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Denmark regulation
In Denmark, the following types of processing require the DPA’s preapproval:
- private data controllers’ processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (‘Special Categories of Personal Data’), solely in the public’s interest
- disclosure of personal data as mentioned in Articles 9(1) and 10 of the GDPR, originally processed for the sole purpose of carrying out scientific or statistic studies, if i) such data is to be processed outside the geographical scope of the GDPR, ii) the data constitutes biological material or iii) if the data is to be published in a recognised scientific journal or similar
- processing personal data in a register on behalf of a private data controller:
- solely for the purpose of warning other businesses from engaging in business with or employing a natural person
- with the intention of commercial exploitation of data on the natural person’s creditworthiness and financial solidity, or
- for the creation of a register on judicial information
Except for credit bureaus, the Dominican Republic does not maintain a registration of personal data controllers or databases, nor of companies that carry out the processing of personal data.
Article 51 of the Organic Law for the Protection of Personal Data creates the National Registry for the Protection of Personal Data, a registry that will be under the responsibility and custody of the Superintendence of Data Protection as the competent national protection authority. The person responsible for the processing of personal data shall report and keep updated the information before the Personal Data Protection Authority, on the following:
- Identification of the database treatment.
- Name, legal domicile, and contact details of the person responsible for, and the person in charge of, the processing of personal data.
- Characteristics and purpose of the personal data treatment.
- Nature of the personal data treatment.
- Identification, name, legal domicile, and contact details of the recipients of the personal data, including processors and third parties.
- Description of the utilized method of interrelation of the recorded information.
- Description of the means used to implement the principles, rights and obligations contained in the present Law and specialized regulations for the data protection.
- Requirements and/or technical and physical, organizational, and legal administrative tools implemented to guarantee the security and protection of personal data.
- Data retention time.
Article 87 of the Regulation to the Organic Law for the Protection of Personal Data creates the Registry of Defaulting Controllers and Processors, under the responsibility and custody of the Superintendence of Data Protection, exclusively for purposes of statistics, prevention and training.
Pursuant to the Law, the controller or the processor must obtain a license or a permit from the Centre for practicing the activity of collecting, storing, transferring, or processing electronic personal data, sensitive data or to undertake any electronic marketing activities.
Applications for licenses, permits, and certifications shall be submitted on the forms produced by the Centre together with all of the supporting documents and information requested to be submitted, along with proof of the applicant's financial ability and its ability to implement the stipulated requirements and technical standards. Decisions on the applications shall be made within a period not exceeding ninety (90) days from the date of completing all documentation and information. The lapse of the above-mentioned period without any decision shall be deemed rejection of the application.
Pursuant to Article (26) of the Law, the licensing fee shall not exceed EGP 2,000,000 (two million Egyptian pounds), while permits or certifications shall not exceed EGP 500,000 (five hundred thousand Egyptian pounds).
Registration is not regulated.
The General Data Protection Registry (art. 33) is the organ responsible for registration under its Technical Secretariat which takes charge of the registration of public and private personal data files and of carrying out all actions entailing the modification, creation or suppression of personal data through authorised books.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Estonia regulation
Given that the GDPR does not provide for the registration of processing personal data, registries and systems will no longer exist. The PDPA specifies that pre-recorded data will remain as archived information about past activities for the term of up to five years after entry into force of the PDPA and upon expiry of the prior term (i.e. on 15 January 2024), pre-recorded data shall be erased.[1]
Footnotes
Footnote 1: See Subsection 74(1) of the PDPA, read together with Section 76 of the PDPA. The PDPA is available in English here.
There is no requirement to register databases or personal data processing activities.
None.
None.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Finland regulation
The Finnish Data Protection Act does not contain any provisions related to registration. The former Finnish Personal Data Act did contain some requirements for registration, but these have been repealed.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
France regulation
Prior formalities with the CNIL are no longer required and are replaced by the obligation to hold a record of processing activities, which includes the same categories of information as those requested in the filing forms prior to the GDPR.
However, formalities are maintained for the processing of data in the health sector which is subject either to a declaration of conformity to specific requirements defined by the CNIL or an authorization by the CNIL. In this respect, the CNIL has issued eight (8) methodologies of reference ("Methodologies de Reference" or "MR") for various types of research in the health sector. A formal commitment to comply with these methodologies exempts the data controller – generally the sponsor of the research – from having to apply for a formal authorization with the CNIL.
Certain specific processing of personal data must be authorised by decree of the State Council (Conseil d’Etat) or by ministerial order, adopted after a reasoned and published opinion of the CNIL. These processing operations are as follows:
- Processing of the social security number (with a few exceptions);
- Processing carried out by or on behalf of the State, acting in the exercise of its public authority prerogatives, of genetic or biometric data necessary to the authentication or identity control of individuals;
- Processing carried out on behalf of the State (i) which concerns State security, defense or national security, or (ii) whose purpose is the prevention, investigation, detection or prosecution of criminal offences, or the enforcement of criminal convictions or security measures.
There is no country-wide system of registration in Gabon. However, the processing of personal data may be subject to prior notification to, or authorisation from, the APDPVP.
The requirement of prior authorisation is applicable in the following circumstances:
- automatic or non-automatic processing of data regarding criminal convictions and infractions, except for processing carried out by Justice officials in the context of their obligations to ensure the security of possibly affected persons;
- automatic processing of genetic data (except when carried out by healthcare professionals for the purpose of preventive medicine, medical diagnosis or the provision of medical care and treatment);
- automatic processing which, considering the nature of the data or of the underlying purpose of processing, may result in excluding an individual from rights, benefits, contributions, or contract(s), without a legal or regulatory basis;
- automatic processing aimed at interconnection by one or more entities in the context of public service aimed at different public interests, or interconnection between different entities, for different purposes;
- processing which concerns a person's registration number in a national identification database;
- automatic processing of data containing comments, observations, and analysis of social difficulties experienced by individuals; and
- automatic processing of biometric data required for controlling the identity of individuals.
Article 85 of the aforementioned law states that the APDPVP shall take a decision within two months from receiving the request for authorisation. This time limit may be renewed once by a decision of the President of the APDPVP. Where the APDPVP has not taken a decision within these time limits, the application for authorisation shall be deemed to be rejected.
Specific data processing activities are subject to ministerial approval. Data processing carried out on behalf of the State and aimed at State security, defence or public safety, or carried out for the purpose of preventing, investigating, detecting, prosecuting or executing criminal infractions, is approved by the competent Government ministry(ies), subject to a prior opinion of the APDPVP. Other matters, such as publicly relevant processing aimed at a public census, are approved by legislative measures.
Other data processing operations are subject to a mere prior notification to the APDPVP, except if a complete exemption from notification or authorisation applies. Specifically, the following activities are exempt from formalities in accordance with article 89 of the aforementioned law:
- processing operations aimed solely at forming a register which is legally intended exclusively for public information and is open to public consultation by any person with legitimate interest;
- processing operations by any organisation, not-for-profit organisation, or any religious, political, philosophical, or trade union organisation or association. This exemption only applies if:
  - the processing operations correspond to the formal and official purpose of said organisation / association;
  - the processing relates only to its members and, where applicable, to people who have regular contact with the organisation / association in the context of its activity; and
  - the data is not disclosed to third parties, unless the data subject has given his / her consent;
- processing operations for which the data controller has appointed a data protection officer ('DPO'), unless personal data is being transferred across borders.
In addition, in accordance with Article 80 of the aforementioned Protection Act, the APDPVP may identify specific data processing operations which, due to their simplicity and low-risk level, may be subject only to a simplified notification process. This simplified process includes:
- the purposes of the processing operations;
- personal data or categories of personal data processed;
- the category or categories of persons concerned;
- the addressees or categories of addressees to whom personal data are communicated; and
- the data retention periods.
The Data Protection Law does not establish an indiscriminate system for registration or notification of data processing activities. However, controllers and / or processors may need to consult the Personal Data Protection Service in specific cases after conducting a data protection impact assessment (Article 31), submit their records of processing activities to the Personal Data Protection Service on its request (Article 28), or notify the Personal Data Protection Service of incidents which have the potential to cause significant damage and / or pose a significant threat to fundamental human rights and freedoms (Article 29). Also, controllers and processors are required to notify the Personal Data Protection Service about their data protection officer (if one is appointed) under Article 33.
In light of the above, it is evident that the Law prioritizes internal accountability over external mechanisms like registration. For instance, under Article 28 (as stated above) controllers and processors are required to keep comprehensive records of their data processing activities. These records, detailing key aspects of the processing within the organization, must be provided to the Personal Data Protection Service upon request. This approach places a substantial operational responsibility on organizations. To be more precise:
For the internal records of data processing activities (Article 28), the controller (and its special representative, in case one is appointed) is obligated to ensure, in writing or electronically, the internal registration of the following data processing information on:
- the identity / name and contact details of the controller, special representative, personal data protection officer, joint controller, and the processor;
- the objectives of data processing;
- the data subjects and the data categories;
- the categories of data recipients (including the categories of data recipients from another state or international organization);
- the transfer of data to another state or international organization, as well as appropriate guarantees of data protection, including a permit from the Personal Data Protection Service (if any);
- the periods of data storage, and where such periods cannot be specified, the criteria for determining the periods of storage;
- a general description of the organizational and technical measures taken for ensuring data security;
- information on incidents (if any).
Furthermore, a processor is obliged to ensure, in writing or electronically, the internal registration of the following data processing information on:
- the name and contact details of the processor, personal data protection officer, controller, joint controller, and special representative;
- the types of data processing carried out for or on behalf of the controller;
- the transfer of data to another state or international organization, as well as appropriate guarantees of data protection, including a permit from the Personal Data Protection Service, if the processor participates in the process of transferring data to another state or international organization;
- a general description of the organizational and technical measures taken for ensuring data security;
- information on incidents (if any).
A controller, joint controller, processor and special representative are obligated to provide the Personal Data Protection Service with the information referred to above immediately upon request, and not later than 3 working days after the request.
When it comes to incidents (Article 29), the controller is obliged to register an incident, its resulting outcome and the measures taken, and to notify the Personal Data Protection Service about the incident, in writing or electronically, not later than 72 hours after the identification of the incident, unless it is unlikely that the incident would cause significant damage and / or pose a significant threat to fundamental human rights and freedoms. Furthermore, a processor is obliged to notify the controller immediately about an incident (for more, see the Breach Notification section below).
As for consultation with the Personal Data Protection Service in the course of an impact assessment (Article 31): if, as a result of a data protection impact assessment, a high risk of violation of fundamental human rights and freedoms is identified, the controller is obliged to take all necessary measures to mitigate the risk substantially and, where necessary, to consult the Personal Data Protection Service. Where the threat of violation of fundamental human rights and freedoms cannot be mitigated by taking additional organizational and technical measures, the data processing shall not be carried out.
In the course of the consultation with the Personal Data Protection Service on the basis of the above, the controller must submit:
- information on the authority of the controller, joint controller and a processor;
- information on the purposes and means of the planned data processing;
- information on security measures for protecting the rights and freedoms of a data subject;
- the contact details of a personal data protection officer (if any);
- data protection impact assessment;
- other (additional) information in the event of a request by the Personal Data Protection Service.
As evident from all the articles mentioned above, the authority is consulted only in specific exceptional cases where there is a potential risk to the rights and freedoms of data subjects. Otherwise, data privacy activities and related protective measures are largely managed and implemented internally.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Germany regulation
There is no general requirement in Germany for controllers or processors to register their processing activities with the competent supervisory authority for data protection law; however, a register of data protection officers (DPOs) is maintained by each authority.
A data controller who intends to process personal data is required to register with the Data Protection Commission. A data controller who is not incorporated in Ghana must register as an external company.
Upon registration, a data controller is issued a Certificate of Registration which is valid for two (2) years and must be renewed thereafter. The Data Protection Commission also maintains an online public search register of registered data controllers, which shows the status of the entity with the Commission as well as the expiry date of its current registration.
Currently there are no registration requirements for controllers or processors under the Gibraltar GDPR.
There remains however the obligation to register Data Protection Officers with the GRA although no fee is required.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Greece regulation
There are no registration requirements under Greek Law. Notification and authorization requirements under the former data protection regime pertaining to the processing of special category data or installation of CCTV systems have been abolished and replaced by the obligation to hold a record of processing activities and to conduct DPIAs.
Registration of Personal Data is not regulated, yet if personal data of an individual is gathered by any public office or obliged subject, even private parties (under the premise that they receive public funds or grants from the State of Guatemala), Article 30 of the Law on Access to Public Information grants the right to Habeas Data.
Section 39 of the DPL 2017 prohibits all controllers and processors established in the Bailiwick from processing personal data unless they have registered with the ODPA. Failure to comply with section 39 of the DPL 2017 is a criminal offence.
The Authority may prescribe the form and manner of registration. These particulars are described in the Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 (as amended) (the "Registration Regulations"), which set out the framework for a new registration and levy collection regime applicable from 1 January 2021. The new regime abolishes the previous set of exemptions from registration (which expired on 31 December 2020) and replaces them with a much narrower sub-set of exemptions.
The Registration Regulations also introduce the concept of a 'Levy Collection Agent', which is, in essence, a regulated entity licensed by the Guernsey Financial Services Commission (GFSC) who has been appointed to collect an entity's registration fees on its behalf.
Importantly, whilst a Levy Collection Agent has certain responsibilities under the Registration Regulations (which include submitting an annual return, preparing and issuing certificates of exemption to all relevant entities which it administers and retaining records on such entities for a period of 6 years), the ODPA has clarified in its guidance that "all the legal responsibility as well as liability for data protection compliance still rests with [the controller/processor]…[and in this regard Levy Collection Agents] are simply … a payment gateway to assist with the administrative requirements for the regulated community."
Exemptions
Certain limited exemptions to the requirement to register are available to some controllers and processors under the Registration Regulations. These include, for example, where the controller and/or processor has appointed a Levy Collection Agent on its behalf. Not all entities will be eligible to appoint a Levy Collection Agent – this route is only available to organisations who employ fewer than 50 FTE employees, are not required by law to appoint a DPO, do not already act as a Levy Collection Agent and are not nonprofits.
If a controller or processor seeks to rely on any one exemption, they must document their rationale for their decision.
Registration particulars
Since the introduction of the DPL 2017, the ODPA has streamlined the registration regime, both from an outward-facing and internal perspective. For example, in accordance with the GDPR's approach, the register is no longer available to be searched online, thereby removing the requirement for the ODPA to maintain a public register containing significant volumes of processing details. The ODPA has also removed the requirement for controllers and processors to include details about the types of processing undertaken and no longer requires entities to provide a description of the categories of data subject or details of the countries to which such data is transferred.
Instead, at the time of writing, a controller or processor established in the Bailiwick who is required to register with the ODPA must give the ODPA an online annual return setting out the following information (as stipulated in the Registration Regulations):
- the contact details (including name and principal business address) of the entity to be registered;
- confirmation of whether the entity is a controller, processor or both in relation to the processing activities;
- the representative appointed (if the entity is based outside the Bailiwick);
- confirmation of whether the entity is a charity / not-for-profit;
- the DPO (as applicable);
- confirmation of whether the entity employs 50 or more full-time equivalent employees;
- confirmation of whether the entity has agreed to act as Levy Collection Agent.
The return must also be accompanied by a levy, which will be calculated depending on the status of the organisation (i.e. if it is a charity / not for profit) and the number of full-time equivalent employees employed by the entity.
Levy Collection Agents are required to submit a slightly different set of information to the ODPA, as follows:
- the contact details (including name, principal business address and GFSC number) of Levy Collection Agent;
- confirmation of whether the entity is a controller, processor or both in relation to the processing activities;
- the DPO (as applicable);
- confirmation of whether the entity employs 50 or more full-time equivalent employees; and
- a declaration of the number of organisations the Levy Collection Agent is acting for.
The return must also be accompanied by a levy (being the aggregate of its own fees plus those of the entities that it administers).
There are two levels of fees (which are as follows with effect from 1 January 2025):
- For organisations with 1-49 full-time equivalent (FTE) employees - £60 per annum; or
- For organisations with 50 or more FTE employees - £2,400 per annum.
The Registration Regulations stipulate separate levies are applicable when dealing with certain government bodies.
The States of Guernsey pay a flat rate fee of £250,000. Registered charities and not for profit organisations pay nothing.
The Law on Cybersecurity and Personal Data Protection in the Republic of Guinea provides that the processing of personal data is subject to a prior declaration to, or request for authorisation from, the competent authority designated by regulation.
The declaration or request for authorisation may be sent to the authority in charge of personal data protection by post, in person at the premises of the said authority or by any other means against the delivery of an acknowledgment of receipt in due form.
The authority in charge of personal data protection has a period of two months to decide on any declaration or request submitted or addressed to it. This period may be extended by two additional months provided that the personal data protection authority can justify its decision or the extension.
The declaration or request for authorisation must include the commitment that the protection meets the requirements of the law on Cybersecurity and Protection of Personal Data and any other regulations or laws in the Republic of Guinea relating to personal data protection.
Upon the declaration, the competent authority issues a receipt, where appropriate by electronic means.
The applicant may then implement the processing operation upon receipt of the receipt. However, the applicant is not relieved of any responsibility.
Processing operations carried out by the same organisation and having identical or related purposes may be subject to a single declaration. The information required under the declaration shall be provided for each of the processing operations only insofar as it is specific to said declaration.
The Law on Cybersecurity and Personal Data Protection also provides that the modalities for filing declarations or requests for authorisation for the processing of personal data shall be determined by presidential decree. This decree has not yet been implemented.
N/A.
Only Obligated Entities must inform the Institute for the Access to Public Information of their databases. Obligated Entities are:
- Government institutions
- NGOs
- Entities that receive public funds, and
- Trade unions with tax exemptions
The Institute for the Access to Public Information will maintain a list of the databases of the above-mentioned entities.
Currently, there is no requirement for organizations that control the collection and use of personal data (known as "data users") to register with the data protection authority.
However, under the Ordinance the PCPD has the power to specify certain classes of data users to whom registration and reporting obligations apply. Under the Data User Return Scheme (DURS), data users belonging to the specified classes are required to submit data returns containing prescribed information to the PCPD, which will compile them into a central register accessible by the public. However, at the time of writing, no register has been created to date. The PCPD has proposed to implement the DURS in phases, with the initial phase covering data users from the following sectors and industries:
- the public sector;
- banking, insurance and telecommunications industries; and
- organizations with a large database of members (e.g. customer loyalty schemes).
A public consultation for the DURS by the PCPD was concluded in September 2011. The PCPD had originally planned to implement the DURS in the second half of 2013. However, in January 2014, the PCPD indicated that it planned to put the DURS on hold until the reforms of the European Union (EU) data protection system have been finalized (as the Hong Kong model is broadly based on the same) but no exact time frame for the implementation has been announced. In light of the European Union General Data Protection Regulation 2016/679 (GDPR), which generally eliminated the data processing registration requirements under EU data protection law, it is unclear whether the PCPD will now implement the Hong Kong DURS scheme.
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Iceland regulation
According to Article 31 of the DPA, controllers need to consult with and obtain prior authorization from the supervisory authority in relation to processing by a controller for the performance of a task carried out in the public interest. The GDPR generally represents a departure from the previous approach under which processing of personal data could be based on licences, but this Article of the DPA is an exception. The Data Protection Authority’s Rules No. 811/2019 on processing subject to authorization provide a list of processing activities which are subject to the Authority’s written authorization, such as the transfer of sensitive personal data held by authorities to third parties for research purposes.
Article 30 of the DPA implements the requirement to consult the supervisory authority in certain cases following a data protection impact assessment. Furthermore, Advertisement No. 828/2019 lists the processing activities that require a data protection impact assessment.
There is no registration requirement for Data Fiduciaries under the DPDP Act. However, Consent Managers are required to register themselves with the Board.
Consent Managers
The DPDP Act provides for Consent Managers registered with the Board and defines them as a single point of contact to enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform. A Data Principal may give, manage, review or withdraw their consent through a Consent Manager. Consent Managers are accountable to the Data Principal and act on behalf of the Data Principal in such manner and subject to such obligations as may be prescribed. However, it is yet to be prescribed whether all Data Fiduciaries are expected to integrate with Consent Managers for seeking the consent of Data Principals, and how a Consent Manager is required to perform its functions. Additionally, the Board may impose penalties on Consent Managers in respect of a breach of their obligations in relation to a Data Principal’s personal data, or a breach of any condition of the Consent Manager’s registration.
The Draft Rules contain conditions of registration that a Consent Manager must fulfil before it seeks registration with the Board as a Consent Manager, and prescribe certain obligations for Consent Managers to fulfil on an ongoing basis.
The PDP Law does not contain a specific obligation to register and / or notify supervisory authorities of the processing of personal data.
However, it is to be noted that there is a general registration obligation with the KOMDIGI for any foreign and / or Indonesian party, who provides, manages, and / or trades goods and / or services through electronic systems and / or over the internet as an electronic system operator, provided that:
- it provides services in the territory of Indonesia;
- it conducts business in Indonesia; and / or
- its electronic system is used and / or offered in the territory of Indonesia.
Such a party (commonly also referred to as an "electronic system operator" or "PSE") would be required to complete a registration with the KOMDIGI before its electronic system is used in Indonesia, which is evidenced by the grant of an electronic system operator registration certificate (Surat Tanda Terdaftar Penyelenggara Sistem Elektronik, commonly abbreviated as "TDPSE").
Such a registration requirement is intended to ensure the reliability, security and compatibility of the electronic system in processing any personal data stored in it. Certain details of the PSE’s profile are intended to be and / or will be published on a website operated by the relevant authority (KOMDIGI) upon successful registration.
There is no registration requirement.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Ireland regulation
There is no general requirement in Ireland for controllers or processors to register their processing activities with the DPC, however, a register of Data Protection Officers (DPOs) is maintained.
Subject to certain exceptions, database registration is required to the extent that currently one of the following conditions is met1:
- the database contains information in respect of more than 10,000 data subjects;
- the database contains sensitive information;
- the database includes information on persons, and the information was not provided by them, on their behalf or with their consent;
- the database belongs to a public entity; or
- the database is used for direct marketing services.
Amendment 13 limited the abovementioned registration requirements to apply to the extent one of the following conditions are met:
- Databases containing Personal Data about more than 10,000 data subjects and its main purpose is the collection of Personal Data for the purpose of transferring to third parties, either for business purposes or in exchange for compensation (including direct marketing services); or
- The controller of the database is a Public Body (as defined in Section 23 of the PPL), unless the database contains Personal Data only with respect to the employees of the Public Body.
Amendment 13 also added a notification requirement to the IPA in the event that a database that does not require registration contains Especially Sensitive Data in respect of more than 100,0000 data subjects.
A database is defined under the PPL as a collection of data, stored by magnetic or optic means and intended for computer processing, consequently excluding non-computerized collections.
In 2005, the Ministry of Justice set up a committee generally known as the 'Schoffman Committee' which recommended relaxing registration of 'ordinary' databases and focusing on specific categories of information (e.g. medical data, criminal records or information about a person's political or religious beliefs). However, to date, the Schoffman Committee recommendations have not crystallized into binding legislation.
On November 11, 2018, the IPA published Opinion: Is the Collection of Names and Emails Considered a “Database”? in which the IPA ruled that a list of emails is deemed Personal Data.
Footnotes
1. On July 23, 2020, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Definitions and Limiting Registration Obligations) 5782-2021. The draft bill proposes to revise defined terms under the PPL to align with the definitions in the GDPR, such as the definitions of: personal data, sensitive data, processing, owner of a database, holder of a database and others. In addition, the draft bill attempts to limit database registration requirements to apply to certain categories of databases containing information of 100,000 data subjects or more. The draft bill has yet to be placed on the table of the Israel Knesset for its first reading. Furthermore, the draft bill expands the administrative enforcement powers of the IPA. On May 18, 2021, the Israeli Ministry of Justice published two draft bills proposing to amend the PPL (Appointment of an Official Representative) 5782-2021 and the PPL (Minor's Privacy) 5782-2021. On July 26, 2021, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Limitation Period) 5721-2021 to extend the limitation period by which a civil claim may be filed under the PPL from a period of two years to a period of seven years, in accordance with the Statute of Limitations Law 5718-1958. All the foregoing draft bills have been placed on the table of the Israel Knesset for their preliminary discussion. On January 31, 2022, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Strengthening the Right to Privacy and its Protection) 5782-2021. The draft bill proposes additional rights of data subjects to control their personal information. In addition, the draft bill includes further strengthening of the enforcement powers of the IPA, in particular with regard to enforcement on an international level. The draft has been set on the Knesset's table for its first reading.
On January 31, 2022, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Deletion from Databases), 5782-2022. The draft bill proposes to add requirements to the notification obligations to data subjects prior to collecting personal information (Section 11 of the PPL), such as an obligation to indicate when a renewed authorization to hold the personal information will be requested, and deletion of the personal information either upon the data subject contacting the owner of the database, or automatically if five years have passed since a notification was received and no renewed authorization to hold the personal information was received. The draft bill has been approved in its first reading by the Israel Knesset and is awaiting the Knesset to appoint a handling committee. On February 16, 2023, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Prohibition on Publishing a Recording of an Individual) 5783-2023, which proposes to prohibit publishing a recording of an individual in public which contains Sensitive Data. The draft bill has been placed on the table of the Israel Knesset for its preliminary discussion.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Italy regulation
Under the GDPR and the Privacy Code there is no obligation to notify regulators of any data processing activity.
Japan does not have a central registration system.
Registration and fees are governed by the Data Protection (Registration and Charges) (Jersey) Regulations 2018 (as amended) (the "Regulations"), under which annual processing fees are charged, the value of which is based on:
- the number of full-time employees;
- the level of past-year revenue;
- whether the relevant entity is a regulated financial services provider (or otherwise subject to the Money Laundering (Jersey) Order 2008);
- if the entity processes special category data; and
- if the entity is administered by a trust company business or fund services business, and if so, the name of the administrator.
The maximum fee payable on the basis of the above is £1,600. However, the majority of data controllers and processors pay £70.
Entities that are administered by a regulated trust company business or fund services business are required to pay a fixed annual charge of £50. No fees are payable where the entity does not process data (as they would not be considered data controllers or processors).
All controllers and processors are required to renew their registration annually. It should be noted that external accountability to the Information Commissioner via registration or notification has in many ways been superseded in the DPAJL and DPJL by rigorous demands for internal accountability.
In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 14(3) DPJL), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request.
No registration required.
Under Kazakh law, there is no express registration requirement in relation to personal data and its protection, except the requirement for the personal data database owner and / or operator, as well as a third party related to the owner and / or operator, to register and keep a record of the following:
- The term or period during which the consent to the collection, processing of personal data is valid;
- Information on whether there is a possibility of transfer of personal data to third parties by the personal data operator or not;
- Information on whether there is a cross-border transfer of personal data as part of the personal data processing;
- Information on dissemination of personal data in publicly accessible resources.
Section 18 of the Act
Data processors and data controllers are required to be registered with the ODPC. The ODPC, however, has discretion to prescribe the thresholds for mandatory registration based on:
- the nature of industry;
- the volumes of data processed; and
- whether sensitive personal data is being processed.
The Registration Regulations provide for the registration of data controllers and data processors with the ODPC. The threshold for mandatory registration is also set out under these regulations. The ODPC also launched a portal where applications for registration are submitted in the prescribed form and upon payment of a prescribed fee. Where the ODPC is satisfied that the applicant has fulfilled the requirements for registration, a certificate of registration is issued within 14 days and entry of the applicant’s details is made in the register of data controllers and data processors.
The certificate of registration issued is valid for 24 months from the date of issuance.
A data controller or data processor with an annual turnover or revenue below Kenya Shillings Five Million (approx. USD 40,000) and fewer than 10 employees is exempt from mandatory registration.
Data controllers and data processors who process data for the following purposes regardless of their annual turnover or revenue or number of employees have to be registered under the Registration Regulations:
- Canvassing political support among the electorate;
- Crime prevention and prosecution of offenders (including operating security CCTV systems);
- Gambling;
- Operating an educational institution;
- Health administration and provision of patient care;
- Hospitality industry firms, excluding tour guides;
- Property management including the selling of land;
- Provision of financial services;
- Telecommunications network or service providers;
- Businesses that are wholly or mainly in direct marketing;
- Transport services firms (including online passenger hailing applications); and
- Businesses that process genetic data.
Considering that the LPPD transposes the GDPR, it provides, like the latter, meticulous and protective measures with which controllers and processors must comply, and as such does not impose restrictive registration or notification requirements to be undertaken with the IPA. Accordingly, in general, the LPPD does not contain mandatory provisions requiring registration of processing activities.
However, certain notification requirements apply in cases where a data protection impact assessment suggests a high risk without adequate protection measures (Article 36.1). Further, controllers or processors must report their appointed data protection officer to the IPA, where such appointment is required by law (Article 37.7). In the private sector, controllers or processors using biometric data for their activities must inform the IPA beforehand. This includes providing a detailed description of safety measures for processing biometric data (Article 83).
Additionally, controllers and processors, including entities which process personal data based on the LPPD, are required to obtain certification to perform work related to personal data (Article 43(1)). In practice, the certification procedure is not applicable in Kosovo, and its implementation is subject to the adoption of a sub-legal act (Article 43(2)).
Not required.
The Law on Personal Data obliges Holders (Owners) of Personal Data Arrays to register with the competent state authority; however, to the best of our knowledge, no Holder (Owner) of a Personal Data Array has been registered to date, in particular because no such regulator exists.
According to the Law on Personal Data within the registration procedure the following must be provided:
- Name and details of the Holder (Owner) of Personal Data Arrays (i.e. the data controller);
- Purposes and procedures of collection and processing of personal data;
- Retention and terms of storage;
- List of collected personal data;
- Categories or groups of personal data bearers;
- The source of collection of personal data;
- Procedure of notification of data subjects on collecting and possible transfer of personal data;
- List of measures regarding the regime of confidentiality and safety of personal data;
- Authorized person responsible for working with personal data;
- Receiving party or category of receiving parties of personal data;
- Proposed transfer of personal data outside of the Kyrgyz Republic.
With regard to the registration obligation, the procedure for registering holders (owners) of personal data arrays has been approved.
Registration in the Register consists of three stages. During the first two stages, the holder fills in electronic forms to obtain a registration number in the Registry. During the third stage, the holder goes through the procedure for agreeing and registering lists of personal data for their collection, processing and storage as part of the implementation of their functions and purposes.
Registration of holders in the Register is carried out after authorization in the Register through the Unified Identification System through a cloud-based electronic signature of a legal entity. After filing the application, the holder receives a unique registration number in the Registry. Based on the results of registration in the Register, the holder receives the right to collect, process and store personal data in accordance with the legislation of the Kyrgyz Republic in the field of personal data.1
Footnotes
1. The procedure for registering holders (owners) of personal data arrays, personal data arrays and lists of personal data in the Register of holders (owners) of personal data arrays, as well as its maintenance and publication, approved by Decree of the Cabinet of Ministers of the Kyrgyz Republic dated November 18, 2022, No. 638.
There is no registration required for Data Protection Officers in Laos, or for any legal entities or individuals with a national data protection authority, as the case may be in other jurisdictions.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Latvia regulation
Given that the GDPR does not provide for the registration of processing personal data, registries and systems will no longer exist. Pre-recorded data will remain as archived information about past activities.
Any person or entity wishing to process personal data must file a declaration with the Ministry of Economy and Trade and obtain a permit issued against receipt of such declaration, unless:
- when the data subject has agreed in advance to the processing of their personal data;
- when processed by public authorities, within their prerogatives;
- when processed by Non-Profit Organizations in relation to the members and clients thereof, within the scope of the normal and legal exercise of their functions;
- when processed for the purpose of keeping dedicated records required under the provisions of applicable laws and regulations, for the purpose of informing the public and which data can be accessed by any person having a legitimate interest;
- when processed by educational institutions in relation to their students and pupils, for educational or administrative purposes;
- when processed by institutions, commercial companies, trade unions, associations and liberal professionals in relation to their employees and members, within limits and for the needs of exercising their activities in a legal manner;
- when processed by commercial entities, associations, organizations, trade unions and liberal professionals in relation to their clients and customers, within limits and for the needs of exercising their activities in a legal manner.
The DP Act (section 25(5)) requires that a data controller process personal information only upon notification to the Commission.
In terms of “Spatial Data”, the Liberia Institute of Statistics and Geo-Information Services (LISGIS) is the public agency responsible for the collection of statistical and geographic information that is used to produce maps.
However, entities whose business requires the collection of data are required to register and receive the requisite permit / license from the government entity controlling / overseeing the sector in which they would be conducting business. Every permit / license issued by the requisite government authority is renewable.
There are no registration requirements relating to personal data.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Lithuania regulation
Given that the GDPR does not provide for the registration of data processing activities, registries and related systems no longer exist.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Luxembourg regulation
No specific provisions in the applicable law.
The OPDP must be notified of any processing of personal data by a data controller, within 8 days from the commencement of the processing activity, unless an exemption applies.
For certain data categories (e.g. certain sensitive personal data, data regarding illicit activities or criminal and administrative offenses or credit and solvency data) and certain specific personal data processing, data controllers must obtain prior authorization from the OPDP.
The OPDP provides official forms that must be submitted regarding personal data processing, in either Portuguese or Chinese, along with the following information (if applicable):
- Identification and contact details of the data controller and its representatives;
- The personal data processing purpose;
- Identification and contact details of any third party carrying out the personal data processing;
- The commencement date of the personal data processing;
- The categories of personal data processed (disclosing whether sensitive personal data, data concerning the suspicion of illicit activities, criminal and / or administrative offenses or data regarding credit and solvency are to be collected);
- The legal basis for processing personal data;
- The means and forms available to the data subject for updating his or her personal data;
- Any transfer of personal data outside Macau, along with the grounds for, and measures to be adopted with, the transfer;
- Personal data storage time limits;
- Interconnection of personal data with third parties; and
- Security measures adopted to protect the personal data.
Except for certain data processing that is subject to exemption, authorisation, ministerial order or decree, the processing of personal data requires a prior declaration to the CMIL.
The prior declaration to the CMIL shall specify, where relevant, inter alia:
- the identity and the address of the data controller (responsable du traitement) (i.e. the natural or legal person who either alone or jointly with other persons determines the purpose and the means of the personal data processing and implements such processing itself or appoints a data processor for that purpose);
- the purpose(s) of the processing;
- the interconnections between databases;
- the types of personal data processed, their origins and the categories of persons affected by the processing;
- the duration for which the data will be kept;
- the department or persons in charge of implementing the data processing;
- the existence of data transfers to other countries;
- the measures taken in order to ensure the security of the processing;
- the use of a data processor (sous-traitant).
The CMIL has to issue its decision on any authorisation application within 2 months of receipt of the application. An additional period of 2 months can be added to this period by decision of the President of the CMIL. The absence of a decision by the CMIL within these periods is deemed a refusal of the application.
Currently, the PDPA requires the following classes of data users to register under the PDPA:
Communications
- A licensee under the Communications and Multimedia Act 1998
- A licensee under the Postal Services Act 2012
Banking and financial institutions
- A licensed bank and licensed investment bank under the Financial Services Act 2013
- A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
- A development financial institution under the Development Financial Institution Act 2002
Insurance
- A licensed insurer under the Financial Services Act 2013
- A licensed takaful operator under the Islamic Financial Services Act 2013
- A licensed international takaful operator under the Islamic Financial Services Act 2013
Health
- A licensee under the Private Healthcare Facilities and Services Act 1998
- A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998
- A body corporate registered under the Registration of Pharmacists Act 1951
Tourism and hospitalities
- A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992
- A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992
Transportation
- Certain named transportations services providers
Education
- A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
- A private school or private educational institution registered under the Education Act 1996
Direct selling
- A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993
Services
- A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961 carrying on business as follows:
  - legal
  - audit
  - accountancy
  - engineering
  - architecture
- A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961
- A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981
Real estate
- A licensed housing developer under the Housing Development (Control and Licensing) Act 1966
- A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah
- A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak
Utilities
- Certain named utilities services providers
Pawnbroker
- A licensee under the Pawnbrokers Act 1972
Moneylender
- A licensee under the Moneylenders Act 1951
Certificates of registration are valid for at least one year, after which data users must renew their registration; a data user whose registration has not been renewed may not continue to process personal data.
Data users are also required to display their certificate of registration at a conspicuous place at their principal place of business, and a copy of the certificate at each branch, where applicable.
The Commissioner may designate a body or a data controller as a data user forum for a class of data users. Data user forums can prepare codes of practice to govern compliance with the PDPA, which can be registered with the Commissioner. Once registered, all data users / data controllers must comply with the provisions of the code, and non-compliance violates the PDPA. As of January 02, 2025, the Commissioner has published several codes of practice, including for the banking and financial sector, the aviation sector, the utilities sector, communications sector, the healthcare sector, and the insurance and takaful industry in Malaysia. There is also a general code of practice which applies to classes of data users / data controllers required to be registered as data users / data controllers under the PDPA who are currently not subject to any codes of practice registered by the Commissioner.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Malta regulation
Under Article 7 of the Maltese DPA, data controllers must consult and gain prior authorization from the Commissioner to process in the public interest: genetic data, biometric data or data concerning health for statistical or research purposes or special categories of data relating to the management of social care services and systems.
Every person who intends to act as a data controller or a data processor (as defined below) must register with the Commissioner in a form approved by the Commissioner and is required to pay a prescribed registration fee. The Commissioner is authorized to approve applications and issue registration certificates, which are valid for three years.
Data processors and controllers must renew their registration within three months prior to the date that their registration expires. Failure to register or renew registration constitutes an offence under the Act, punishable by a fine not exceeding 200,000 Mauritian rupees or imprisonment for a term not to exceed five years.
A data controller is a person or public body who alone, or jointly with others, determines the purposes and means of personal data processing, and who has decision making power with respect to processing. A data processor is a person or public body who processes personal data on behalf of a controller.
Application for registration
Every registration application must include all of the following:
- Name and address;
- Whether a representative has been nominated for the purposes of the Act, and the name and address of the representative;
- A description of the personal data to be processed by the controller or processor, and of the category of data subjects, to which the personal data relate;
- A statement as to whether the data controller or processor holds, or is likely to hold, special categories of personal data;
- A description of the purpose for which the personal data are to be processed;
- A description of any recipient to whom the controller intends or may wish to disclose the personal data;
- The name, or a description, of any country to which the proposed controller intends or may wish, directly or indirectly, to transfer the data;
- A general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the personal data.
A controller or processor who knowingly supplies false or misleading material information in their registration application commits an offense and could be held liable to a fine not to exceed 100,000 Mauritian rupees or imprisonment for a term not to exceed five years.
Mexican law does not require registration with a data protection authority or other regulator in relation to the use of personal data.
As of January 10, 2022, the requirement of mandatory registration or notification of personal data databases has been abolished.
Instead, according to the new legal provisions, before starting data processing operations the data controller shall perform a data protection impact assessment, thereby analysing the envisaged actions to be performed and their potential impact on the data subject.
The data protection impact assessment should contain at least the following information:
- The description of envisaged processing operations, the purpose of processing and legitimate interest of the data controller (if any);
- The description of the necessity and proportionality of processing operations in relation to the purpose of processing;
- A risk assessment for the rights and freedoms of data subjects, covering in particular the source and nature of those risks, the specific degree of likelihood that the increased risk materializes, and the severity of that risk;
- The description of risk prevention measures, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the provisions of the data protection law.
The NCPDP has additionally approved and published a list of types of personal data processing operations, which are subject to the mandatory data protection impact assessment requirement. The list may be consulted at the following link.
Furthermore, the data controller shall consult with the NCPDP before starting any operations on processing of personal data if the data protection impact assessment indicates that the processing would generate an increased risk, and the data controller considers that such risk cannot be mitigated through reasonable means, considering the available technologies and implementation costs.
Data controllers, who process personal data must notify the CCIN and request approval so that their processing of personal data may be registered. Any changes to the processing of personal data will require the registration to be amended. Concerning data controllers who are legal persons governed by public law, public authorities and bodies governed by private law with a mission of general interest, the decision shall be taken by the competent authorities or bodies following a reasoned opinion from the CCIN. A recent Ministerial Order of 18 March 2021 has brought some changes to this procedure.
Any natural or legal entities governed by private law who intend to implement automated data processing including personal information must first complete the required procedure with the CCIN.
There are four possible procedures to follow:
- Ordinary declaration (all natural or legal persons governed by private law usually fall under the ordinary declaration procedure);
- Simplified declaration (all processing compliant with a referenced Ministerial Order, and only when it is clearly established that the processing operations do not adversely affect the rights and freedoms of the data subjects);
- Authorization request (only for automated processing of personal data relating to suspected unlawful activities, offences or security measures, or including biometric data required to check persons’ identities, or for the purpose of surveillance);
- Legal advisory request (only for processing relating to research in the field of health, excluding biomedical research, and for processing implemented by natural or legal persons governed by public law, public authorities, organizations governed by private law entrusted with a mission of general interest, or a concessionaire of public utility).
The data controller must decide which procedure is best suited to the processing it wants to implement. To do so, it needs to analyze the purpose of the processing and, depending on this purpose, complete one of the aforementioned procedures (ordinary declaration, simplified declaration, authorization request, or legal advisory request).
The notification to the CCIN should include at least the following information:
- What data is being collected;
- Why the data will be processed;
- The categories of data subject;
- Whether the data will be transferred either within or outside Monaco.
There is no registration requirement for Data Controllers or data processing activities except that Data Controllers have the obligation to keep records of:
- its activities of collection, processing and use of Personal Data; and
- its response to damage occurring to Personal Data.
Data Controllers are required to submit records of their response to damage occurring to Personal Data to the National Human Rights Commission annually, or at any time as requested by the National Human Rights Commission.
Each data controller must do the following:
- Register as a data controller (this registration as a controller is to be performed only once);
- Separately register each database of personal data ('Database') which it intends to establish, before the database is established.
Both registrations must be submitted online through specific forms, whereas the database's registration form is accessible via the DPA's website. The type and scope of the information that must be included in these forms is explicitly prescribed by the DP Law (e.g. the data controller's name and address of its registered seat, name of the Database, legal basis for the processing and purpose of the processing, types of processed data, categories of data subjects, (if applicable) information on any data transfers out of Montenegro). Any significant change to the registered data processing activities, subsequent to the registration should be notified to and registered with the DPA as well.
Exceptionally (i.e. if the intended data processing represents a special risk for the rights and freedoms of individuals), a data controller may, depending on the circumstances of each particular case, be obliged to obtain the DPA’s prior approval for such processing (e.g. if biometric data is to be processed without the data subject's consent).
The processing of personal data is subject to:
- A prior declaration to be filed with the Moroccan Data Protection Commission; or
- A prior authorization of the Moroccan Data Protection Commission when the processing concerns any of the following:
- Sensitive data (e.g. revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, including genetic data);
- Using personal data for purposes other than those for which they were initially collected;
- Genetic data, except for those used by health personnel and that respond to medical purposes;
- Data relating to offenses, convictions or security measures, except for those used by the officers of the court;
- Data which includes the number of the national identity card of the concerned person.
The declaration and the authorization include a commitment that the personal data will be processed in accordance with the DP Law.
The prior declaration and authorization shall include, without limitation, the following information:
- The name and address of the person in charge of the processing and, if applicable, its representative;
- The name, characteristics and purpose(s) of the intended processing;
- A description of the category or categories of data subjects, and the data or categories of personal data relating thereto;
- The recipients or categories of recipients to whom the data are likely to be communicated;
- The intended transfers of data to foreign states;
- The data retention time;
- The authority with which the data subject may exercise, if any, the rights granted to him / her by law, and the measures taken to facilitate the exercise of these rights;
- A description of the confidentiality and security measures in place to protect personal data; and
- Overlaps, interconnections or any other form of data reconciliation, and their transfer or subcontracting, in any form, to third parties, whether free of charge or for consideration.
Decree 59/2023 requires the registration of Intermediate Electronic Services Providers and Operators of Digital Platforms. The Electronic Transactions Law defines an intermediate service provider as any person who, on behalf of another, sends, receives and stores data messages, and also any person who provides network access services or provides services through a network. Any entity that performs such acts will qualify as an intermediate service provider and must be registered and licensed with INTIC.
The registration requirement is applicable to Intermediate Electronic Services Providers and Operators of Digital Platforms that offer services to receivers based or located in Mozambique, regardless of where the providers are based.
Not applicable.
There is no registration requirement.
Not applicable.
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
There is no obligation on agencies to register or notify the Privacy Commissioner that they are processing personal information.
Each organisation that collects personal data will have the obligation to register in the Data File Registry.
However, since the Personal Data Protection Directorate has not yet been incorporated, such a Register in practice does not yet exist. Therefore, organisations are unable to materially comply with such registration.
The registration of processing activities via a “register of processing activities” does not exist in Niger.
The processing of personal data is subject to prior notification to the HAPDP. If a data controller appoints a data protection officer, notification is unnecessary unless personal data is being transferred across national borders. Additionally, Article 64 of Law n°2022-59 of December 16, 2022 relating to the protection of personal data provides that the data controller must prepare an annual report for the HAPDP on the personal data stored during the period fixed by the HAPDP, in relation to the purposes for which each type of processing activity was carried out.
Data controllers and data processors of major importance must register with the Commission within six months after the commencement of the Act or after becoming a data controller or data processor of major importance. A data controller or data processor of major importance is defined under the Act as a data controller or data processor that is resident or operating in Nigeria and processes the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such other class of data controller or data processor processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate. The Commission, through the Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance (the Notice), designated all data controllers and data processors that process the personal data of at least 200 data subjects within a six-month period as being of major importance, requiring them to register with the Commission. The Notice further categorized data controllers and data processors of major importance into three levels depending on the volume of personal data processed in a six-month period, as follows:
| S/N | Level | Number of data subjects whose personal data was processed in a six-month period |
| --- | --- | --- |
| 1 | Ordinary High Level | Over 200 |
| 2 | Extra-High Level | Over 1000 |
| 3 | Ultra-High Level | Over 2000 |
The DPA keeps records of all data controllers and data protection officers and publishes them on its website.
Under the Law on Protection of Personal Data dated 2005, data controllers / processors had an obligation to register their databases containing personal data in the Central Registry of Personal Databases (“Registry”) maintained by the DPA. With the adoption of the DP Law, this Registry changes in a way that it continues to exist, i.e. continues to be maintained by the DPA, but as a registry of databases involving a high risk (“High-Risk Records”), whereas controllers / processors should notify the DPA about their respective high risk databases. It is also envisaged that the provisions of the DP Law governing the High-Risk Records shall cease to apply upon accession of the Republic of North Macedonia to the EU.
The DPA requires entities to report subsequent changes to registration details within 30 days of a change.
The DP Law obliges data controllers / processors and their representatives to maintain records of processing activities with an explicitly prescribed content. However, this obligation is not an obligation generally applicable to all data controllers and data processors. It applies only if data controllers / processors have at least 50 employees or, regardless of their employees’ number, if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of personal data or personal data relating to criminal convictions and offences.
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
There is currently no registration requirement.
However, the PDPB, which is yet to be promulgated, confers upon the Commission the power to devise the appropriate registration requirements.
The Data Protection Law does not include any registration or notification requirement before Panama’s National Authority of Transparency and Access to Information (“ANTAI”) prior to the processing of data. What it does require, as a general principle, is for data controllers (known in Panama as the “Responsible of the data treatment”, Responsable del tratamiento de datos in Spanish) to have the data subject’s consent to the processing of the personal data concerned.
Under the current legislation, no registration is required in order to process or store personal data.
Even though the Electronic Commerce Law does not establish a registration requirement, according to Art. 7 of the Regulatory Decree of the Electronic Commerce Law, the Electronic Commerce Direction has the power to gather information from companies that render services via electronic means (such as electronic data storage companies) regarding:
- their commercial activity;
- their identity; and
- other data established in current regulations.
Such companies have the duty to collaborate with the Electronic Commerce Direction and comply with all information requirements (Art. 8, Regulatory Decree of the Electronic Commerce Law).
The National Registry for the Protection of Personal Data (NRPDP) maintains information about personal databases of public or private ownership and publishes a list of such databases to facilitate individuals’ exercise of their rights of access to information, rectification, cancellation, opposition and others regulated in the PDPL and its Regulation.
In addition, the NRPDP maintains records of:
- Communications of cross-border flow of personal data, and
- The sanctions, precautionary or corrective measures imposed by the NDPA
The holders of personal databases must register in the NRPDP providing the following information:
- The name and location of the personal database
- The purposes and the intended uses of the database
- The identification of the owner of the personal database
- The categories and types of personal data to be processed
- Collection procedures and a description of the system for processing personal data
- The technical description of the security measures
- The recipients of personal data transfers
The cross-border transfer of personal data must be notified to the NDPA, including the information required for the transfer of data and registration of the database.
Data Protection Officer and Data Processing Systems
NPC Circular No. 2022-04 (effective January 2023) provides for mandatory registration of the Data Protection Officer (“DPO”) and the data processing systems (“DPS”) for PICs or PIPs that:
- employ two hundred and fifty (250) or more persons;
- process Sensitive Personal Information of one thousand (1,000) or more individuals; or
- process data that will likely pose a risk to the rights and freedoms of data subjects.
Registration is done via the NPC’s online platform, i.e. the NPC Registration System (NPCRS).
Entities that are not subject to mandatory registration may opt to voluntarily register their DPO and DPS.
A PIC or PIP who is not subject to mandatory registration and does not undertake voluntary registration shall submit a sworn declaration. The Commission, through an order, may require a PIC or PIP to submit supporting documents related to this submission.
A covered PIC or PIP shall register its newly implemented DPS or inaugural DPO in the NPCRS within twenty (20) days from the commencement of such system or the effective date of such appointment.
In the event that a covered PIC or PIP seeks to make minor amendments to its existing registration information, which include updates to an existing DPS, or a change in DPO, the PIC or PIP shall update the NPCRS within ten (10) days from the system update or effective date of the appointment of the new DPO. Major amendments, however, such as amendments to the name of the entity or the business address must be made within thirty (30) days from the effectiveness of the change.
A Certificate of Registration issued upon completion of the registration process shall be valid for one (1) year from its date of issue. The PIC / PIP must renew its registration within thirty (30) days before the expiration of the one-year validity period.
Beginning on 1 October 2024, all PICs and PIPs are required to pay the corresponding fees to register their DPS and / or renew said registration. The enhanced NPCRS will also facilitate the submission of the Sworn Declaration and Undertaking, a mandatory declaration for persons and entities that claim exemption from the NPC’s registration requirement.
PICs and PIPs are mandated to prominently display their NPC registration at the main entrance of their place of business and, if the PIC or PIP has an online presence, on their websites.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Poland regulation
Under the previous PDPA (in force until May 25, 2018), as a general rule, data controllers that process personal data were obligated to notify the Inspector General about the data filing system containing that data. The Inspector General kept a register of data controllers and data filing systems, which was available to the public.
This obligation no longer exists under the new PDPA and the Implementing Act.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Portugal regulation
Under the prior Personal Data Protection Law, data controllers who processed personal data were required to notify such activity to the supervisory authority (CNPD), unless a specific exemption applied. However, such obligations are, as a general rule, no longer applicable.
Under Law no 58/2019 of 8 August, the implementation of video surveillance systems with sound recording is not allowed except in cases where the monitored premises are closed or there is prior authorization from the supervisory authority.
There is currently no requirement in Qatar for data controllers who process personal information to register with the regulator, the NCGAA.
Unless certain exceptions apply, data controllers must obtain a permit from the DPO prior to processing sensitive personal data or transferring personal data outside of the QFC to a recipient who is not subject to laws or regulations that ensure an adequate level of protection for that personal data.
The Law requires, save for some exceptions, that the processing of personal data be notified to the Commission. The Commission provides a confirmation of receipt of the notification, after which the entity that made the notification can start processing personal data. Where the data include sensitive personal data and the processing is not prohibited, prior authorisation must be obtained from the Commission. The Commission renders a decision within two months after receipt of a request to process such sensitive personal data.
EU regulation
There are no EU-wide systems of registration or notification, and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority.
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities, which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Romania regulation
All obligations in respect of notifying ANSPDCP of the processing of personal data were repealed on May 25, 2018 (when the GDPR became applicable).
Russian law requires all data operators to notify the data regulator in writing of their intention to process personal data, unless one of a few narrow exclusions applies. The Federal Service for Supervision of Communications, Information Technology and Mass Media, or “Roskomnadzor” (the Agency), is the data regulator for Russia.
The notification is made in a letter format and should contain the following information:
- the name and address of the data operator;
- the purpose of the processing;
- the measures of protection of personal data;
- name and contact information of the physical person or legal entity responsible for personal data processing;
- the data processing commencement date;
- information on occurrence or absence of cross border transfer of personal data;
- the term of processing or the conditions for termination of processing the personal data;
- information on personal data security provision;
- information on location of the database containing personal data of Russian citizens; and
- the name of the person or legal entity having access to and (or) carrying out the processing of personal data (based upon a contract) contained in state and municipal information systems.
A Data Controller is defined as a “natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing” (article 3, 19°).
A Data Processor is defined as a “natural person, public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller” (article 3, 24°).
Data controllers (“DC”) and Data Processors (“DP”) are required to register with the NCSA (article 29).
The registration application must indicate the following (article 30):
- identity of the DC or DP and their designated single point of contact;
- identity and address of their representative if they have nominated any;
- description of personal data to be processed and the category of data subjects;
- whether or not the applicant holds or is likely to hold the types of personal data based on the sectors in which it operates;
- purposes of the processing of personal data;
- categories of recipients to whom the DC or DP intends to disclose the personal data;
- country to which the applicant intends to directly or indirectly transfer the personal data; and
- risks in the processing of personal data and measures to prevent such risks and protect personal data.
The NCSA issues a DC or DP registration certificate within 30 days of the application.
A regulation from the NCSA determining the validity period of the registration certificate is yet to be adopted (article 31).
The PDPL has introduced a potential requirement for data controllers to register with SDAIA. It is expected that SDAIA will issue rules regarding such registration and will specify which data controllers must register.
Businesses must notify the CDP in respect of their processing activities, except in the following cases:
- Processing for the sole purpose of keeping a register which, by law, is intended exclusively to provide public information and is open to consultation by any person with a legitimate interest.
- Non-profit processing by religious, philosophical or political associations, or by trade unions.1
According to Article 22 of the DPA, the declaration must include:
- The identity and address of the Data Controller or his representative;
- Purpose(s) of the processing and the description of its general functions;
- Possible interconnections between databases;
- Personal data processed and categories of persons concerned by the processing;
- Time period for which the data will be kept;
- Department or person(s) in charge of data processing;
- Recipient(s) or categories of recipients of the processed data;
- Persons or departments before which the right of access is exercised;
- Measures taken to ensure the security of the processing; and
- Identity and address of the data processor.
The registration process, following the collection and processing of personal data, must comply with the requirements set by law. Thus, in addition to the prior consent of the author of the information, the registration of data is also subject to respect for the right to information and the principles of transparency, clarity and confidentiality, and to compliance with the ethical and professional conduct rules governing certain professions.2
Footnotes
1: Law No. 2008-12 of 25 January 2008 on the Protection of Personal Data, Article 18
2: Law No. 2008-12 of 25 January 2008 on the Protection of Personal Data, Article 22
The obligation for the DPA to maintain the Central Register of Personal Databases, which existed under the previous data protection law, was terminated immediately upon the entry into force of the DP Law. Under the DP Law, controllers and processors are only required to maintain records of processing internally, and only if they have more than 250 employees or if they are involved in certain types of processing or process certain types of personal data (such as, for example, special categories of data or personal data relating to criminal convictions and offences). The latter two conditions apply regardless of the number of employees a processor or controller has.
A person shall not hold personal data unless an entry in respect of that person as a data user, or as a data user who also carries on a computer bureau, is for the time being contained in the register of data users maintained by the Data Protection Commissioner.
The particulars to be entered into the data register are as follows:
- the name and address of the data user
- a description of the personal data to be held by it and of the purpose or purposes for which the data is to be held or used
- a description of every source from which it intends or may wish to obtain the data or the information to be contained in the data
- a description of every person to whom it intends or may wish to disclose the data (otherwise than in cases of exemptions from non-disclosure as set out in the Act)
- the name of every country outside Seychelles to which it intends or may wish directly or indirectly to transfer the data, and
- one or more addresses for the receipt of requests from data subjects for access to the data.
A person applying for registration shall state whether he wishes to be registered as a data user, as a person carrying on a computer bureau or as a data user who also carries on a computer bureau, and shall furnish the Data Protection Commissioner with the particulars required to be included in the entry to be made in pursuance of the application. Where a person intends to hold personal data for two or more purposes he may make separate applications for registration in respect of any of those purposes.
A registered person may at any time apply to the Data Protection Commissioner for the alteration of any entries relating to that person. Where the alteration would consist of the addition of a purpose for which personal data are to be held, the person may make a fresh application for registration in respect of the additional purpose.
The Data Protection Commissioner shall, as soon as practicable and in any case within the period of 6 months after receiving an application for registration or for the alteration of registered particulars, notify the applicant in writing whether his application has been accepted or refused. Where the Commissioner notifies an applicant that his application has been accepted, the notification must state the particulars which are to be entered in the register, or the alteration which is to be made, as well as the date on which the particulars were entered or the alteration was made.
No entry shall be retained in the register after the expiration of the initial period of registration except in pursuance of a renewal application made to the Data Protection Commissioner. The initial period of registration and the period for which an entry is to be retained in pursuance of a renewal application ('the renewal period') shall be a period of 5 years beginning with the date on which the entry in question was made or, as the case may be, the date on which that entry would fall to be removed if the application had not been made.
The person making an application for registration or a renewal application may in his application specify as the initial period of registration or, as the case may be, as the renewal period, a period shorter than five years, being a period consisting of one or more complete years.
There are no registration requirements under the Act.
While not a requirement, the Commission strongly encourages organizations to register their Data Protection Officers ("DPOs") with the Commission via the Commission's website, to assist DPOs in keeping up to date with developments in the law. Organisations may also choose to register their DPOs’ business contact information as part of their Accounting and Corporate Regulatory Authority (“ACRA”) Bizfile details, so that these will show up in search results on the ACRA website.
National Ordinance Personal Data Protection
No registration required.
GDPR
Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Slovak Republic regulation
There is no longer any registration or notification obligation to the Slovak Office, the supervisory authority.
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Data protection officers (referred to in POPIA as "information officers") must be registered with the Information Regulator.
Responsible parties are required to obtain prior authorization from the Information Regulator before processing personal information in certain circumstances prescribed in section 57 of POPIA, for example, where special personal information or personal information of children is transferred to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information and where information on criminal behavior or unlawful or objectionable conduct is processed on behalf of third parties. Prior authorization is also required when processing personal information for the purposes of credit reporting or when processing unique identifiers for a purpose other than the purpose for which it was originally collected and linking it with personal information processed by other third parties. Responsible parties are not otherwise required to register their processing of personal information.
The prior authorization requirements in POPIA came into effect on 1 February 2022. This means that all responsible parties (i.e. data controllers) that conduct processing activities that are subject to prior authorization need to submit an application for prior authorization and will need to cease such processing activities until such time as prior authorization is obtained.
Under the PIPA, there is no general rule requiring the registration of personal data controllers; however, a public institution which manages a personal information file (i.e. a collection of personal information) shall register the following with the PIPC. A “public institution” in this context refers to any government agency or institution.
- name of the personal information file;
- basis and purpose of operation of the personal information file;
- items of personal information which are recorded in the personal information file;
- the method to process personal information;
- period to retain personal information file;
- person who receives personal information generally or repeatedly; and
- other matters prescribed by the Presidential Decree.
The Presidential Decree of the PIPA stipulates that the following shall also be registered with the PIPC:
- the name of the institution which operates the personal information file;
- the number of subjects of the personal information included in the personal information file;
- the department of the institution in charge of personal information processing;
- the department of the institution handling the data subjects’ request for inspection of personal information; and
- the scope of personal information the inspection of which can be restricted or rejected, and the grounds therefor.
Only “public institutions” are required to register with the PIPC.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities. The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
Spain regulation
The NLOPD requires this, even for voluntarily appointed DPOs, within a short period of time (10 days).
EU regulation
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
At present, the PDPA does not require registration. Nevertheless, upon the PDPA becoming operative, rules requiring registration may be introduced as the PDPA empowers the Authority to make regulations specifying the categories and criteria of licenses to be issued under the PDPA.
Although not a registration requirement, the PDPA requires controllers and processors to publish the contact details of their data protection officers and to ensure that they are communicated to the Authority.
EU regulation
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases (Article 36 prior consultation) following a data protection impact assessment (Article 35) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.
Sweden regulation
In Swedish national law, there are no indiscriminate general notification obligations. However, there are sector and processing specific provisions requiring notification and / or requiring a permit from the relevant supervisory authority, inter alia:
- A permit from the Swedish Authority for Privacy Protection is required for camera surveillance of publicly accessible areas carried out by authorities (and under limited circumstances private entities tasked with similar duties as authorities) under the Camera Surveillance Act (2018:1200).
- With a limited number of exceptions, the processing of personal data relating to criminal convictions and offences (Article 10 of the GDPR) by entities other than public authorities requires a permit from the Swedish Authority for Privacy Protection under the Data Protection Act and the Data Protection Ordinance (2018:219). The Swedish Authority for Privacy Protection has proposed a new regulation to allow companies in the financial sector and in the defence industry to process personal data relating to criminal convictions and offences.
- Sector specific requirements exist under inter alia the Credit Information Act (1973:1173). A license from the supervisory authority is generally required to carry out credit information activities. From 1 January 2024, the responsibility for issuing licences and supervising credit information activities will be transferred from the Swedish Authority for Privacy Protection to the Swedish Financial Supervisory Authority (Sw: Finansinspektionen).
The FADP does not require the registration of any data collections or processing activities for private data controllers. Instead, the FADP provides for a general duty for controllers and processors to maintain a record of processing activities (ROPA). The controller's ROPA shall at least contain the following information:
- The controller's identity;
- the purpose of the processing;
- a description of the categories of data subjects and the categories of processed personal data;
- the categories of the recipients;
- if possible, the period of storage of the personal data or the criteria to determine this period;
- if possible, a general description of the measures taken to guarantee data security;
- if the data is disclosed abroad, details of the country concerned and the implemented guarantees.
The processor's ROPA may be limited to information on the identity of the processor and of the controller, the categories of processing activities performed on behalf of the controller as well as, if possible, a general description of the data security measures and, in case of cross-border data transfer, the details of the country concerned and the implemented guarantees.
However, companies with fewer than 250 employees, as well as natural persons, do not have to maintain a ROPA unless:
- They process sensitive personal data on a large scale; or
- they carry out high-risk profiling.
Taiwan does not have a registration system for personal data protection.
Under the PDPL, prior notification of the Regulator is not required when collecting, processing or maintaining a database consisting of personal data.
However, the Data Protection Law requires the certification of all information security facilities (including cryptographic, software, organizational, technical and hardware-based facilities), as well as foreign-made facilities designated for the protection of information.
The list of information protection facilities is set forth by the Main Department for the Protection of State Secrets under the Government of the Republic of Tajikistan (the Regulator). Certification is carried out on the basis of an agreement concluded between the Regulator and the data controller.
The PDPA does not require any registration of Data Controllers, Data Processors or data processing activities. This may change when subordinate laws are enacted.
None.
There is no registration requirement under the DPA.
Any processing of personal data shall be subject to a prior declaration filed at the headquarters of the National Authority for Protection of Personal Data, or by any other means leaving a written record.
- The declaration shall be made by the controller or his legal representative;
- The declaration does not exempt third parties from liability;
- The conditions and procedures for submitting the declaration shall be laid down by decree;
- The Commission may object to the processing of personal data within one month from when the declaration is accepted. (Article 7 of the 2004 Act).
The processing of personal data may be subject to prior authorization by the INDPD if it involves the processing of sensitive personal data, or in the case of transfer of personal data abroad, or if required by law.
The conditions and procedures for declaration and obtaining authorization are regulated by Decree No. 2007-3004 dated 27 November 2007.
Pursuant to the LPPD and the Regulation on the Registry of Data Controllers, data controllers are required to enroll in the Registry of Data Controllers before proceeding with data processing.
The Regulation on the Registry of Data Controllers was published in the Official Gazette dated December 30, 2017, and entered into force on January 1, 2018. It regulates the establishment of a publicly accessible registry, which is to be held by the Personal Data Protection Authority and the procedures and principles concerning enrollment in the registry.
Under this Regulation, all data controllers are required to enroll in the Registry of Data Controllers before proceeding with data processing. However, the Personal Data Protection Board may grant an exception to the obligation of enrollment, taking into account the nature and number of personal data, the purpose of processing personal data, and other objective criteria. Data controllers are not required to enroll in the Registry of Data Controllers in the following circumstances:
- The processing of personal data is required for criminal investigation or for prevention of a criminal offense;
- If the personal data being processed is already publicized by the data subject;
- If, based on the authority given by Law, personal data processing is required for disciplinary investigation or prosecution and execution of the supervision or regulation duties to be conducted by public institutions and organizations and professional organizations with public institution status; or
- If processing of personal data is required to protect the economic and financial interests of the State in relation to budget, tax and financial matters.
Over the past year, the Personal Data Protection Board has enumerated additional exceptions to the enrollment obligation:
- Data controllers who process personal data by non-automatic means as a part of a filing system, lawyers, independent accountants and financial advisors;
- Natural or legal persons having less than 50 employees per annum and annual balance less than TRY 100 million and whose main field of activity is not processing special categories of personal data.
Data controllers who are non-resident in Turkey shall enroll in the registry through a representative they assign in Turkey. Legal persons in Turkey or Turkish citizens may be assigned as representatives for this purpose.
In addition, both legal entities resident in Turkey and the above-mentioned representatives of non-resident data controllers shall, as part of the enrollment procedure, appoint an individual to act as “contact person” for both the Personal Data Protection Authority and for data subjects.
Operations related to the Registry of Data Controllers shall be carried out by data controllers through VERBIS (Data Controllers Registry Information System). The Personal Data Protection Authority, by its decision dated March 11, 2021, numbered 2021/238, extended the deadline for registration through VERBIS until December 31, 2021.
Although the deadline has passed, it is still possible for local and foreign data controllers to register with VERBIS if the obligation arises or if the controller failed to register in time.
On August 15, 2022, the Data Protection Authority started enforcement against foreign controllers that did not register within the deadline. In the context of such enforcement, the Data Protection Authority sent letters to foreign controllers requesting the reasons why registration was not completed, together with information on the number of users and global turnover in order to calculate the administrative fine.
Administrative fines of between TRY 272,380 and TRY 13,620,402 (approx. EUR 7,420 to EUR 370,900) may be imposed on data controllers breaching obligations regarding the Registry of Data Controllers.
Further, the DPA has the right to restrict the data processing activities of a data controller in cases of clearly unlawful operations by a data controller and, in theory, processing personal data without registering with the Registry of Data Controllers may lead to such a restriction.
No registration of a personal data database is required under the Data Protection Law.
Data protection fee
Section 24 DPR requires Controllers to pay a data protection fee to the Commissioner of Data Protection before, or as soon as reasonably practicable after, they start Processing Personal Data under the DPR.
It is also necessary to provide the Commissioner of Data Protection with:
- name and address (which, in the case of a registered company, will be its registered office); and
Data Controllers must also establish and maintain records of any Personal Data Processing operations or set of such operations intended to secure a single purpose or several related purposes.
All licensed entities in the ADGM will already have provided much of the necessary information to the Commissioner of Data Protection during the company incorporation and registration process. The date of incorporation is also the date on which the Controller may commence Processing Personal Data, such as the Personal Data of directors, shareholders and other statutory role holders. Each year, within one month of the anniversary of the date on which a Controller commenced Processing Personal Data under the DPR, it is also necessary to pay the renewal fee.
The amounts payable are set out in the Data Protection Regulations 2021 (Fees) Rules 2021.
As per Section 28 DPR each Controller and Processor to which the DPR applies must maintain a record of Processing activities in writing. This can be in electronic form, but it does not necessarily need to be. The record of Processing activities must be made available to the Commissioner of Data Protection upon request.
Controllers and Processors are required to submit a notification to the Commissioner via the DIFC’s online portal (the “Notification”) (Article 14(7) DPL) and to keep that Notification up to date.
The Notification must contain the following information:
- a general description of the Personal Data Processing being carried out;
- an explanation of the purpose for the Personal Data Processing;
- the Data Subjects or class of Data Subjects whose Personal Data is being Processed;
- a description of the class of Personal Data being Processed; and
- a statement of jurisdictions to which Personal Data will be transferred by the Controller, along with an indication as to whether the particular jurisdiction has been assessed as having an adequate level of protection for the purposes of articles 26 and 27 of the DPL.
The information set out within the Notification will be available on the DIFC’s public register.
Where an organisation is required to appoint a Data Protection Officer (see DPO), the DPO must complete an “Annual Assessment” in the form prescribed by the Commissioner.
Not applicable.
There are no data protection registration requirements in the PDPL.
Under Regulation 13 of the Data Protection and Privacy Regulations, every data collector, processor, or controller in Uganda (or outside Uganda collecting or processing the personal data of Ugandan citizens) is required to register with the Personal Data Protection Office. The Office maintains a Data Protection and Privacy Register relating to data collectors, processors and controllers, including the purpose for which the data is collected or processed.
As of January 1, 2014, the requirement of obligatory registration of personal data databases has been abolished. However, according to the new wording of the Data Protection Law, personal data owners are obliged to notify the Ombudsman about personal data processing which is of particular risk to the rights and freedoms of personal data subjects within 30 working days from the commencement of such processing. Pursuant to the Notification Procedure, the following types of personal data processing require obligatory notification to the Ombudsman:
- Racial, ethnic, national origin;
- Political, religious ideological beliefs;
- Participation in political parties and / or organizations, trade unions, religious organizations or civic organization of ideological direction;
- State of health;
- Sexual life;
- Biometric data;
- Genetic data;
- Criminal or administrative liability;
- Application of measures as part of pre-trial investigation;
- Any investigative procedures relating to an individual;
- Acts of certain types of violence used against an individual;
- Location and / or route of an individual.
The Notification Procedure envisages that the application for notification shall contain, inter alia, the following information:
- Information about the owner of personal data;
- Information about the processor(s) of personal data;
- Information on the composition of personal data being processed;
- The purpose of personal data processing;
- Category(ies) of individuals whose personal data are being processed;
- Information on third parties to whom the personal data are transferred;
- Information on cross-border transfers of personal data;
- Information on the place (address) of processing of personal data;
- General description of technical and organizational measures taken by personal data owner in order to maintain the security of personal data.
Where any of the information listed above that has been submitted to the Ombudsman changes, the owner of the personal data shall notify the Ombudsman of such changes within 10 days of the change.
Additionally, the Notification Procedure requires the owners of personal data to notify the Ombudsman of the termination of personal data processing which is of particular risk to the rights and freedoms of personal data subjects, within ten days of such termination.
The Notification Procedure requires owners and processors of personal data that process personal data which is of particular risk to the rights and freedoms of personal data subjects to notify the Ombudsman of the establishment of a structural unit or the appointment of a person (data protection officer) responsible for organizing the work related to the protection of personal data during processing. Such notification shall be made within 30 days of establishing the structural unit or appointing the responsible person.
Information regarding the said notifications to the Ombudsman shall be published on the official website of the Ombudsman.
The UK operates a fee-paying scheme for controllers under the Data Protection (Charges and Information) Regulations 2018, known as the ‘Data Protection Fee’. All controllers have to pay the data protection fee to the ICO annually, unless they are exempt from doing so.
The UK Government has set the fee tiers based on its perception of the risks posed by controllers processing personal data. The amount payable depends upon staff numbers and annual turnover or whether the controller is a public authority, a charity or a small occupational pension scheme. Not every controller must pay a fee – there are exemptions. The maximum fee, for large organisations, is GBP 2,900.
The maximum penalty for a controller who breaks the law by not paying a fee (or not paying the correct fee) is a fine of GBP 4,350 (150% of the top tier fee).
There is no federal requirement to register databases or personal information processing activities. However, certain states currently impose registration requirements on data brokers:
California
The CCPA (as amended in 2019) requires (subject to some exceptions) that data brokers register with the California Attorney General (however, following amendments to the data broker registration law in late 2023, the data broker registration process and list is being transferred to the Agency). Under the law, a "data broker" is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The terms "sell" and "personal information" are defined as set forth in the CCPA.
Oregon
In 2023, Oregon passed a law requiring data brokers to register on an annual basis with the Department of Consumer and Business Services before collecting personal data in Oregon. Companies must register if they maintain data that is “categorized or organized for sale or licensing to another person.” The law took effect on January 1, 2024.
Texas
In 2023, Texas passed a law requiring data brokers to register with the Secretary of State. The law has a narrower scope than most of the other state data broker registration laws in that it only applies to businesses that (1) in a 12-month period, derive more than 50% of their revenue from the processing or transfer of personal data that the business did not collect directly from individuals, or (2) derive revenue from the processing or transfer of personal data of more than 50,000 individuals whose data the business did not directly collect. The law took effect on September 1, 2023, with first registrations due March 1, 2024.
Vermont
In 2018, Vermont passed a law requiring data brokers to register with the Secretary of State and adhere to minimum data security standards. Under the law, a “data broker” is defined as a company that collects computerized personal information of Vermont residents with whom the company has no direct relationship, and either sells or licenses that information.
In addition, several state laws require entities that engage in certain types of telemarketing activities to register with the state attorney general or other consumer protection agency.
The Uruguayan legal system requires the registration of all databases containing personal data of individuals or legal entities (Articles 24, 28, and 29 of the Act and Articles 15 to 20 of the Decree 414/009).
The Law applies when the processing of personal data is performed by controllers located in Uruguay.
The Act has extraterritorial effects in the following cases:
- if the activities are related to the offer of goods or services to individuals residing in Uruguay, or intended to monitor their behaviour;
- if private international laws or contractual agreements so establish it; and
- if the processing is made by using means located in Uruguay, with the exceptions of the cases in which those means are used for the sole purpose of transit, and there is a person responsible for the processing with residency in Uruguay, appointed by the controller before the URCDP.
The register must be updated every three months (Article 20 of the Decree 414/009).
The Law on Personal Data requires a personal data database to be registered with the State Registry of Personal Databases maintained by the Personalization Agency. The registration takes the form of a simple notification to the Personalization Agency.
The registration is performed by an owner / operator of personal database by way of notification, i.e. by approaching the Personalization Agency in person or via its website (pd.gov.uz).
The registration procedure for personal database is mainly set forth by the Regulation on the State Register of Personal Databases, approved by the Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 71 dated February 8, 2020 ("Regulation No. 71").
Under Regulation No. 71, to register a personal database, an owner / operator of personal data is required to complete and submit an application in the prescribed form to the Personalization Agency. In turn, the Personalization Agency shall review the submitted application within 15 days from the date of its receipt. Based on the results of such review, the Personalization Agency either agrees or refuses to register the database. In the case of a positive decision, the Personalization Agency issues a certificate of registration of the personal database to the owner / operator of personal data.
The registration is not required for databases containing personal data:
- relating to participants / members of a public association or religious organization and processed accordingly by a public association or religious organization, provided that personal data will not be distributed or disclosed to third parties;
- made publicly available by the subject of the personal data;
- consisting only of the last name, first name and patronymic of the subject of the personal data;
- necessary for the purposes of a single access authorization of the subject of personal data to the territory where the owner and / or operator is located, or for other similar purposes;
- included in personal data information systems with the status of state automated information systems;
- processed without the use of automation technology;
- processed in accordance with labour laws.
There is no legal requirement to register before any National Data Protection Authority.
There is no requirement under current Vietnamese laws under which a private-sector data controller must register itself or its personal data processing activities with the local authorities (e.g. MPS, MIC or VNCERT/CC). Sectoral laws will impose registration requirements from time to time, notably:
- Foreign enterprises which provide services on telecom networks and on the Internet and other value-added services in cyberspace in Vietnam (“cyberspace service providers”) may need to have branches or representative offices in Vietnam (subject to specific guidance of the Government under Decree 53);
- Where foreign organizations or individuals involved in cross-border information provision activities use digital information storage facilities in Vietnam or have a total number of regular visits from Vietnam in one month (averaged over a period of six consecutive months) of 100,000 (one hundred thousand) or more, they are obliged to send a written notice, using Form 10 of Decree 147, to the MIC within 60 days from the time of using the data storage space rental service in Vietnam or meeting the aforementioned number of visits, via post or email, informing the MIC of the following information:
- In the case of an organization, registered name, transactional name, and address of the headquarters; in the case of an individual, name of such individual;
- Location of the main server system in Vietnam;
- Principal contact information such as name of an organization / individual, address in Vietnam (if any), contact email address and telephone number.
However, data controllers and data processors who collect / process personal data of Vietnamese citizens and / or collect / process personal data in Vietnam are required to submit a DPIA and / or a TIA to the authority (i.e. the A05), as the case may be.
The DPIA must be prepared in written form and be made available at all times for inspection and evaluation by the A05. In addition, the controller / processor / controller-processor must send an original copy of the DPIA to the A05 according to a standard form (included in the PDPD) within 60 days from the date of the personal data processing. The A05 will then appraise the DPIA and request revision if it finds that the DPIA is incomplete. Any change to the DPIA’s contents must be submitted to the A05.
Please refer to the Transfer section for details relating to the requirement on preparation and submission of the TIA.
A person shall not control or process personal data without registering as a data controller or a data processor under the DPA.
In order for an entity or individual to operate as a data controller or data processor, they must apply to the Data Protection Commissioner for a Certificate of Registration.
Upon being satisfied that the applicant has met all the requirements prescribed by the DPA, the Commissioner shall issue the applicant with the Certificate of Registration.
Once issued, the Certificate shall be valid for a period of one year and shall be renewable by application made not less than three months before it expires.
Similarly, an entity or individual desiring to carry out data audit services, must apply to the Commissioner for a license.
Section 3 of the Regulations states that anyone who processes personal information to decide the means, purpose, or outcome of processing, to decide what or whose data to collect, or to obtain commercial gain from processing data, must apply for a license with the Data Protection Authority.
Data controllers who process personal data for the following purposes are exempt from licensing, but must register with the Authority:
- Law enforcement;
- Journalistic, historical, or archival purposes.
The Authority maintains a register of all licensed and registered data controllers.