Responsibility of the data controller

53.(1) The data controller shall implement the appropriate technical and organisational measures to ensure that processing is performed in accordance with this Act taking into consideration the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity to the rights and freedoms of individuals.

(2) Where proportionate in relation to processing activities, the measures referred to in subsection (1) shall include the implementation of appropriate data protection policies by the data controller.