Penalties

Offences I

Breach of various parts of the legislation is a criminal offence. This includes

  • failing to comply with an enforcement notice;
  • failing to comply with a prohibition notice;
  • failing to comply with an information notice;
  • processing in breach of the legislation;
  • keeping personal data where there is no entry in the register in respect of the data controller where required;
  • providing false and misleading information in relation to the register;
  • disclosure of data by a data processor without prior authority of the data controller;
  • obtaining access to personal data without prior authority of the data controller, or
  • obstructing or impeding an authorised officer.

Offences II

Offences under the legislation are subject to a fine of up to €3,000 on summary conviction and up to €100,000 on conviction on indictment.  A court may make ancillary orders regarding erasure, destruction of information and/or forfeiture of data.

Where an offence is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, a person being a director, manager, secretary or other officer of the body corporate or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and shall be liable to be proceeded against and punished as if he or she were guilty of the first-mentioned offence.


Unauthorised disclosure by the processor

Personal data processed by a processor shall not be disclosed by the processor or by an employee or agent of the processor, without the prior authority of the controller on behalf of whom the data are processed.

A person who knowingly or recklessly contravenes these requirements is guilty of an offence and shall be liable—

  • on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
  • on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

It is a defence that person shows that the disclosure concerned was required or authorised by or under any enactment, rule of law or order of a court.


Disclosure of personal data obtained without authority

A person who, without the prior authority of the controller or processor by whom the data are kept—

  • obtains personal data or any information constituting personal data, and
  • discloses the data or information to another person,

shall be guilty of an offence. He shall be liable—

  • on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
  • on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for

a term not exceeding 5 years, or both.

A person who sells personal data obtained in contravention of the above provision is guilty of an offence and is liable to the same penalties. A person who offers to sell personal data obtained, or intended to be obtained, in contravention of the above requirement is guilty of an offence and is liable to the same penalties.


Prosecution of summary offences by Commission

Summary proceedings for an offence may be brought and prosecuted by the Commission. Summary proceedings for an offence under the legislation may be brought

  • at any time within 3 years from the date on which the offence was alleged to have been committed, or
  • if, at the expiry of that period, the person against whom the proceedings are to be brought is outside the State, within 6 months of the date on which he or she next enters the State, whichever is the later, provided that no such proceedings shall be commenced later than 5 years from the date on which the offence concerned was alleged to have been committed.

Where a person is convicted of an offence under this Act, the court may, where it is satisfied that there are good reasons for so doing, order the person to pay the costs and expenses, measured by the court, incurred by the Commission in  relation to the investigation, detection and prosecution of the offence, including the expenses of and incidental to an examination of any information provided to the Commission or an authorised officer. An order for costs and expenses is in addition to and not instead of any fine or other penalty the court may impose.


Administrative Fines

Each supervisory authority is to ensure the effective imposition of administrative fines and that the imposition of administrative fines in respect of the below infringements is in each individual case effective, proportionate and dissuasive. Administrative fines, depending on the circumstances of the case, shall be imposed in addition to, or instead of the below mentioned measures.

When deciding whether to impose an administrative fine and deciding its amount, in each individual case due regard is to be had to:

  • the nature, gravity, and duration of the infringement taking into account the nature, scope, and purpose of the processing concerned as well as the number of individuals affected and the level of damages suffered by them;
  • the intentional or negligent character of the infringement;
  • the action taken by the controller or processor to mitigate the damage suffered;
  • the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them;
  • any relevant previous infringements;
  • the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the adverse effects;
  • the categories of personal data affected;
  • the manner in which the infringement became known to the supervisory authority, and in particular whether the controller or processor itself notified the infringement;
  • where the authority’s powers have already been exercised against the controller, the degree of compliance with it;
  • adherence to codes of conduct or approved certification mechanisms;
  • any other aggravating or mitigating factor applicable to the circumstances, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor intentionally or negligently, in the same or linked processing operations, infringes several provisions of the legislation, the total administrative fine shall not exceed the amount specified for the most serious infringement.


Administrative Fine Level

Infringements of the following provisions are subject to administrative fines up to €10 million, or up to 2 % of the worldwide turnover of the undertaking in the preceding financial year, whichever is higher:

  • obligations of the controller in relation to consent to the processing
  • processing not involving identification,
  • requirements to put in place and design compliant systems
  • obligations of certifying bodies,
  • obligations of monitoring bodies.

Infringements of the following provisions are subject to administrative fines up to €20 million, or 4 % of annual turnover, whichever is the higher:

  • the basic principles for processing, including conditions for consent;
  • data subjects’ protection rights;
  • transfer of personal data to third countries or international organisations;
  • certain other breaches.

Non-compliance with certain administrative orders and enforcement orders pursuant to general supervisory powers to rectify breaches is itself subject to an administrative fine of up to €20 million, or 4 % of worldwide turnover.


Administrative Fine Issues

States may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that State.

The exercise by the supervisory authority of its powers to apply administrative fines is subject to appropriate procedural safeguards in accordance with EU or domestic State law, including effective judicial remedy and due process.

The Member States must lay down the rules or other penalties applicable to the infringement of the legislation, in particular, for the infringements which are not subject to administrative fines. They must take the necessary measures to ensure that they are implemented. Penalties shall be effective, proportionate and dissuasive.


Irish Provisions on Administrative Fines

The Data Protection Commission may not impose an administrative fine for any act or omission on the part of a controller or processor where the controller or processor has been the subject of a criminal penalty in respect of the same act or omission. An administrative fine may be imposed on a controller or processor that is a public authority only where it is acting as a business undertaking.

A Commission decision to impose an administrative fine may be appealed to the Circuit Court (if the fine does not exceed €75,000) or the High Court within 28 days. On hearing an appeal, the Court may confirm the decision, replace it with another decision that it considers just and appropriate, or annul the decision.

Where no appeal against an administrative fine is lodged, the Commission must, irrespective of the amount of the fine, make an application in a summary manner to the Circuit Court for confirmation of the decision. The Court shall confirm the decision unless it sees a good reason not to do so.


Publication of convictions, sanctions etc.

The Commission is to publish particulars of convictions and any exercise of its powers to impose administrative fines or to order the suspension of transfers of personal data to a third country or international organisation (including Court injunctions on application by the Commission.

The Commission decides whether to publish particulars of the exercise of its other corrective powers. It may also publish, if it considers it in the public interest to do so, particulars of any report of the Commission of an investigation or audit carried out by it. In doing so, the Commission is required to ensure that the publication is undertaken in such a manner that commercially sensitive information relating to a person is not disclosed.

The Data Protection Commission may apply to the High Court for a determination as to whether the level of data protection in a third country, a territory or one or more specified sectors within a third country or an international organisation is adequate. European Commission decisions in respect of the adequacy of data protection are provided for in the GDPR. The matter may be referred to the EU Court of Justice.


References and Sources

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Data Protection Act 2018

Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988

Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988

Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988

Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988

Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989

Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989

Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989

Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993

Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993

Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007

Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009

Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011

Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012

Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013

Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014

Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015

Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016

Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016

Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016

Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003

Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007

Data Protection (Amendment) Act 2003 (Commencement) Order 2014

EU Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Irish Books

EU Data Protection Law Kelleher & Murray           2018

Information & Technology Communications Law Kennedy & Murphy         2017

Social Networking           Lambert               2014

Law Society PPG Hyland Technology & Intellectual Property Law                 2008

Information Technology Law in Ireland   2 Kelleher & Murray       2007

Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016

Privacy & Data Protection Law in Ireland                Kelleher               2015

Data Protection: A Practical Guide to Irish & EU Law         Carey    2010

Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003

EU and UK Texts

Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018

Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed

Rosemary Jay 2018

Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed

Patrick Birkinshaw, Mike Varney 2018

Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018

A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018

Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018

Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018

Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018

The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018

The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018

The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018

A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018

EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018

New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017

Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017

Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017

The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017

Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by:  Wolf J. Schunemann, Max-Otto Baumann 2017

Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017

Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016

Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016

Data Protection: The New Rules Ian Long 2016

A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016

The Foundations of EU Data Protection Law Orla Lynskey 2015

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015

Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014

Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014

Cloud Computing Law Christopher Millard 2013

Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013

Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013

A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013

Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012

Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012

Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011

Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011

Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011

Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010

Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008