(1) The Commission shall not grant an application for registration under this Act where

(a) the particulars provided for inclusion in an entry in the Register are insufficient;

(b) the appropriate safeguards for the protection of the privacy of the data subject have not been provided by the data controller; and

(c) in the opinion of the Commission, the person making the application for registration does not merit the grant of the registration.

(2) Where the Commission refuses an application for registration as a data controller, the Commission shall inform the applicant in writing within fourteen days

(a) of its decision and the reasons for the refusal, and

(b) the applicant may apply for judicial review to the High Court against the refusal.

(3) A refusal of an application for registration is not a bar to reapplication.