Internal controls

Section 3-1. Systematic measures for processing personal data

The data controller shall establish internal controls in accordance with section 14 of the Personal Data Act. The systematic measures shall be adapted to the nature, activities and size of the enterprise to the extent that is necessary in order to comply with requirements laid down in or pursuant to the Personal Data Act, with special emphasis on provisions laid down pursuant to section 13 of the Personal Data Act.

Internal controls entail that the data controller shall, inter alia, ensure that he has knowledge of current rules governing the processing of personal data, that he has adequate and up-to-date documentation for the implementation of the above-mentioned routines, and that this documentation is available to the persons it may concern.

The data controller shall also have routines for fulfilling his duties and the rights of data subjects pursuant to current rules of privacy, including routines for

a) obtaining and verifying the consent of data subjects, cf. sections 8, 9 and 11 of the Personal Data Act,

b) evaluating the purpose of personal data processing in accordance with section 11a of the Personal Data Act,

c) evaluating the quality of personal data in relation to the defined purpose of processing the data, cf. sections 11d and 11e, 27 and 28 of the Personal Data Act, and following up any discrepancies,

d) replying to requests for access and information, cf. sections 16 to 24 of the Personal Data Act,

e) complying with the data subject's demands for a bar on certain forms of personal data processing, cf. sections 25 and 26 of the Personal Data Act,

f) complying with the provisions of the Personal Data Act regarding the obligation to give notification and to obtain a licence, cf. sections 31 to 33 of the Personal Data Act.

Data processors who process personal data on assignment for data controllers shall process the data in accordance with routines established by data controllers.

Section 3-2. Dispensation

The Data Protection Authority may grant a dispensation from all or parts of this chapter when special circumstances exist.