Supervised entities are classified into predetermined risk categories according to the number of points they collect, on a scale ranging from insignificant to critical risk.
If your answers do not earn enough points, you can easily be classified as a controller posing a high or critical risk to personal data protection.
In addition, each answer requires you to explain how you have complied with the Law and, where applicable, to provide supporting evidence as part of the report compiled from your answers to the questions.
The Commissioner's next step is to draw up an inspection plan for the coming period, based on the report you submitted and the personal data risk category assigned to you.
If the total number of points on the Checklist places you in the high-risk or even critical category, you should know what the next steps are and how to improve your position.
Specifically, if a data controller does not in fact comply with the Law, the Commissioner has the authority to carry out an inspection, determine which obligations the supervised entity failed to fulfil and, consequently, which provisions of the Law were violated. For each individual violation, the fines prescribed by the Law for a legal entity range from 50,000 dinars up to 2 million dinars. Fines of this size can have serious consequences for a company's financial operations as well as for its reputation.
Clearly, the obligations under the Law can no longer be avoided; once you have taken the necessary steps and fulfilled them, there is no reason to await the Commissioner's email with the Checklist with trepidation. To avoid being ranked in the critical category again, it is recommended that you adopt the required internal acts, introduce the protective measures prescribed by the Law, and regulate your relationships with data processors (if any) through detailed agreements, thereby preventing potential adverse consequences.