Basis for Use
Data Protection Act 2018
PART 3
DATA PROTECTION REGULATION
CHAPTER 1
General
Fees
28. The Commission may, with the consent of the Minister, prescribe the fees to be paid to
it—
(a) for the performance of its functions under Article 57(1)(r) and (s), and
(b) in relation to requests that are manifestly unfounded or excessive in accordance
with Article 57(4).
Consent of child in relation to information society services
29. (1) The age of a child specified for the purposes of Article 8 is 13 years of age.
(2) The reference in Article 8 to “information society services” does not include a
reference to preventative or counselling services.
Designation of data protection officer
30. (1) The Minister may, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, make regulations requiring
controllers, processors, associations or other bodies representing categories of
controllers or processors to designate a data protection officer in accordance with
Article 37(4).
(2) Regulations under subsection (1) may apply to—
(a) one or more than one class of controller,
(b) one or more than one class of processor, or
(c) one or more than one class of association or other body representing categories of
controllers or processors.
(3) In making regulations under subsection (1) the Minister shall have regard to the need
for the protection of individuals with regard to the processing of their personal data
and, without prejudice to the generality of the foregoing, shall have regard in
particular to—
(a) the nature, scope, context and purposes of the processing,
(b) risks arising for the rights and freedoms of individuals,
(c) the likelihood and the severity of such risk for the individuals concerned, and
(d) the costs of implementation of any requirement if it were imposed under that
subsection.
Accreditation of certification bodies by Irish National Accreditation Board
31. The Irish National Accreditation Board is the accreditation body for the purposes of
Article 43(1).
Suitable and specific measures for processing
32. (1) Where a requirement that suitable and specific measures be taken to safeguard the
fundamental rights and freedoms of data subjects in processing personal data of those
subjects is imposed by this Act or regulations made under this Act, those measures
may include—
(a) explicit consent of the data subject for the processing of his or her personal data
for one or more specified purposes,
(b) limitations on access to the personal data undergoing processing within a
workplace in order to prevent unauthorised consultation, alteration, disclosure or
erasure of personal data,
(c) strict time limits for the erasure of personal data and mechanisms to ensure that
such limits are observed,
(d) specific targeted training for those involved in processing operations, and
(e) having regard to the state of the art, the context, nature, scope and purposes of
data processing and the likelihood of risk to, and the severity of any risk to, the
rights and freedoms of data subjects—
(i) logging mechanisms to permit verification of whether and by whom the
personal data have been consulted, altered, disclosed or erased,
(ii) in cases in which it is not mandatory under the Data Protection Regulation,
designation of a data protection officer,
(iii) where the processing involves data relating to the health of a data subject, a
requirement that the processing is undertaken by a person referred to in
section 46(2),
(iv) pseudonymisation of the personal data,
(v) encryption of the personal data, and
(vi) other technical and organisational measures designed to ensure that the
processing is carried out in accordance with the Data Protection Regulation
and processes for testing and evaluating the effectiveness of such measures.
(2) Suitable and specific measures referred to in subsection (1) may be identified in
regulations made by—
(a) the Minister following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(3) Without prejudice to the generality of subsection (2), suitable and specific measures
identified in regulations made under that subsection may include—
(a) any measure referred to in subsection (1),
(b) governance structures,
(c) processes or procedures for risk assessment purposes, and
(d) processes or procedures for the management and conduct of research projects.
(4) Regulations under subsection (2)—
(a) may identify different measures for different categories of personal data, different
categories of controllers, different types of processing or categories of
processing, and
(b) may specify that the measures identified are mandatory in respect of the
processing to which they are stated to apply.
(5) In making regulations under subsection (2), the Minister or any other Minister of the
Government, as the case may be, shall have regard to the public interest and the need
for protection of individuals with regard to the processing of their personal data and,
without prejudice to the generality of the foregoing shall have regard to—
(a) the nature, scope, context and purposes of the processing,
(b) risks arising for the rights and freedoms of individuals, and
(c) the likelihood and the severity of the risks for the individuals concerned.
(6) Suitable and specific measures referred to in subsection (1) shall be identified in
regulations made under section 45(2) and subsections (2) to (5) shall apply to
regulations made under that section in like manner as they apply to regulations made
under this section.
Limitation on transfers of personal data outside the European Union
33. (1) The Minister may, in the absence of an adequacy decision under Article 45, following
consultation with such other Minister of the Government as he or she considers
appropriate and the Commission, make regulations restricting the transfer of
categories of personal data to a third country or an international organisation for
important reasons of public policy.
(2) Regulations under subsection (1) shall specify the important reasons of public policy
for restricting the transfer concerned and may be expressed to apply by reference to
one or more of the following—
(a) a category or categories of personal data,
(b) a third country or classes of third country, or
(c) an international organisation.
(3) In making regulations under subsection (1), the Minister shall have regard to the
public interest and the need for protection of individuals with regard to the processing
of their personal data and, without prejudice to the generality of the foregoing, shall in
particular have regard to—
(a) the nature, scope, context and purposes of the processing,
(b) the desirability of facilitating international transfers of data,
(c) risks arising for the rights and freedoms of individuals, and
(d) the likelihood and the severity of such risks for individuals concerned.
Processing for a task carried out in the public interest or in the exercise of official authority
34. (1) The processing of personal data shall be lawful to the extent that such processing is
necessary for—
(a) the performance of a function of a controller conferred by or under an enactment
or by the Constitution, or
(b) the administration by or on behalf of a controller of any non-statutory scheme,
programme or funds where the legal basis for such administration is a function of
a controller conferred by or under an enactment or by the Constitution.
(2) Subject to subsection (3), the processing of personal data and disclosure of that data
to a person for the purposes of preserving of the Common Travel Area, or any part of
that Area, shall be lawful where the controller is an Irish air carrier, an air carrier or a
sea carrier.
(3) The Minister shall, following consultation with such other Minister of the
Government as he or she considers appropriate and the Commission, make regulations
for the purposes of subsection (2) specifying—
(a) the part of the Common Travel Area to which the regulations apply,
(b) the personal data that may be processed,
(c) the circumstances in which the personal data may be disclosed, including
specifying the person to whom the data may be disclosed, and
(d) such other conditions (if any) as the Minister considers appropriate to impose on
such processing.
(4) Processing of personal data which is necessary for the performance of a task carried
out in the public interest by a controller or which is necessary in the exercise of
official authority vested in a controller may be specified in regulations made by—
(a) the Minister following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(5) Regulations made under subsection (4) shall specify—
(a) the personal data that may be processed,
(b) the circumstances in which the personal data may be processed, including
specifying the persons to whom the data may be disclosed, and
(c) such other conditions (if any) as the Minister or any other Minister of the
Government, as the case may be, considers appropriate to impose on such
processing.
(6) In this section—
“air carrier” means an undertaking established in the State that provides air services;
“air service” has the meaning it has in Regulation (EC) No 1008/2008 of the
European Parliament and of the Council of 24 September 2008 on common rules for
the operation of air services in the Community (Recast);
“Common Travel Area” means the State, the United Kingdom of Great Britain and
Northern Ireland, the Channel Islands and the Isle of Man;
“Irish air carrier” means an undertaking with a valid operating licence, within the
meaning of Regulation (EC) No 1008/2008 of the European Parliament and of the
Council of 24 September 2008, granted by the Commission for Aviation Regulation;
“passenger” means a person carried by an air carrier on an aircraft, or as the case may
be, a sea carrier in a passenger ship, other than a member of the crew of the aircraft or
passenger ship concerned;
“passenger ship” means a sea-going ship that carries more than 12 passengers;
“sea carrier” means an undertaking established in the State that, for remuneration,
carries passengers by sea in a passenger ship.
Processing for purpose other than purpose for which data collected
35. Without prejudice to the processing of personal data for a purpose other than the purpose
for which the data has been collected which is lawful under the Data Protection
Regulation, the processing of personal data and special categories of personal data for a
purpose other than the purpose for which the data has been collected shall be lawful to
the extent that such processing is necessary for the purposes—
(a) of preventing a threat to national security, defence or public security,
(b) of preventing, investigating or prosecuting criminal offences, or
(c) set out in paragraph (a) or (b) of section 41.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
36. (1) Subject to suitable and specific measures being taken to safeguard the fundamental
rights and freedoms of data subjects, personal data may be processed, in accordance
with Article 89, for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes.
(2) Processing of personal data for the purposes referred to in subsection (1) shall respect
the principle of data minimisation.
(3) Where the purposes referred to in paragraph (a), (b) or (c) of subsection (1) can be
fulfilled by processing which does not permit, or no longer permits, identification of
data subjects, the processing of information for such purposes shall be fulfilled in that
manner.
Data processing and freedom of expression and information
37. (1) The processing of personal data for the purpose of exercising the right to freedom of
expression and information, including processing for journalistic purposes or for the
purposes of academic, artistic or literary expression, shall be exempt from compliance
with a provision of the Data Protection Regulation specified in subsection (2) where,
having regard to the importance of the right of freedom of expression and information
in a democratic society, compliance with the provision would be incompatible with
such purposes.
(2) The provisions of the Data Protection Regulation specified for the purposes of
subsection (1) are Chapter II (Principles), other than Article 5(1)(f), Chapter III (rights
of the data subject), Chapter IV (controller and processor), Chapter V (transfer of
personal data to third countries and international organisations), Chapter VI
(independent supervisory authorities) and Chapter VII (cooperation and consistency).
(3) The Commission may, on its own initiative, refer any question of law which involves
consideration of whether processing of personal data is exempt in accordance with
subsection (1) to the High Court for its determination.
(4) An appeal shall, by leave of the High Court, lie from a determination of that Court on
a question of law under subsection (3) to the Court of Appeal.
(5) In order to take account of the importance of the right to freedom of expression and
information in a democratic society that right shall be interpreted in a broad manner.
Data processing and public access to official documents
38. (1) For the purposes of Article 86, personal data contained in a record may be disclosed
where a request for access to the record is granted under and in accordance with the
Act of 2014 pursuant to an FOI request.
(2) In this section—
“Act of 2014” means the Freedom of Information Act 2014;
“FOI request” has the same meaning as it has in the Act of 2014;
“record” has the same meaning as it has in the Act of 2014.