APPLICATION FOR A PERMIT

For the purposes of Article 12 of the Regulations, a Data Controller seeking a permit from the Data Protection Office to Process Sensitive Personal Data must apply in writing to the Data Protection Office setting out:

(A) the identity and contact details of the Data Controller;
(B) the name, address, telephone number and e-mail address of the Person within the Data Controller responsible for making the application for the permit;
(C) a description of the Processing of Sensitive Personal Data for which the permit is being sought, including a description of the nature of the Sensitive Personal Data involved;
(D) the purpose of the proposed Processing of the Sensitive Personal Data;
(E) the classes of Data Subjects being affected;
(F) the identity of any Person to whom the Data Controller intends disclosing the Sensitive Personal Data;
(G) to which jurisdictions, if known, such Sensitive Personal Data may be transferred outside of the QFC; and
(H) a description of the safeguards put into place by the Data Controller, to ensure the security of the Sensitive Personal Data.

The Data Controller must provide the Data Protection Office with such further information as it requires to determine whether to grant a permit.

Rejection of an application for a permit

The Data Protection Office may refuse to grant a permit to Process Sensitive Personal Data.

Upon refusing to grant a permit, the Data Protection Office will inform the Data Controller in writing of such refusal and provide the reasons for such refusal.

Granting a permit to Process Sensitive Personal Data

The Data Protection Office may grant a permit to Process Sensitive Personal Data without conditions or with such conditions as it considers necessary.

Upon deciding to grant a permit, the Data Protection Office will inform the Data Controller of the decision and any conditions applicable to the permit.