Policing Use
Data Protection Act 2018 (Part V)
Saver for regulations under Act of 1988
62. (1) Regulations specified in subsection (2) which are in force on the coming into
operation of section 34 shall, on that coming into operation, continue in force as if
made under subsection (3) of that section and may be amended or revoked
accordingly.
(2) The Regulations specified for the purposes of subsection (1) are:
(a) Data Protection Act 1988 (Section 2A) Regulations 2013 (S.I. No. 313 of 2013);
(b) Data Protection Act 1988 (Section 2A) Regulations 2016 (S.I. No. 220 of 2016).
(3) Subject to subsections (5) and (6), regulations specified in subsection (4) which are in
force on the coming into operation of section 7 in so far as it relates to the repeal of
section 4(8) of the Act of 1988, shall, on that coming into operation, continue in
force—
(a) in the case of regulations specified in subsection (4)(a), until new regulations are
made under section 54(5)(a), and
(b) in the case of regulations specified in subsection (4)(b), until new regulations are
made under section 54(5)(b).
(4) The Regulations specified for the purposes of subsection (3) are—
(a) the Health Regulations, and
(b) the Social Work Regulations.
(5) The Health Regulations continued in force under subsection (3) continue to apply
subject to the following modifications—
(a) in Regulation 3—
(i) the deletion of the definition of “the Act”,
(ii) the deletion of the definition of “health professional”, and
(iii) the insertion of the following definitions:
“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016[9] on the
protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation);
‘health practitioner’ has the same meaning as it has in the Health
Identifiers Act 2014;”,
(b) in Regulation 4(1)—
(i) the substitution of “a request under Article 15 of the Data Protection
Regulation” for “a request under section 4(1)(a) of the Act”, and
(ii) the substitution of “the physical or mental health of the data subject but this
restriction on providing information applies only to the extent to which, and
for so long as, that likelihood pertains.” for “the physical or mental health of
the data subject.”,
(c) in Regulation 5—
(i) the substitution of “health practitioner” for “health professional” in each
place it occurs,
(ii) in paragraph (1)(a), the substitution of “a request under the said Article 15 of
the Data Protection Regulation” for “a request under the said section 4(1)(a)”, and
(iii) in paragraph (2)(a), the substitution of “within the meaning of section 2 of
the Medical Practitioners Act 2007 or a medical practitioner practising
medicine pursuant to section 50 of that Act” for “within the meaning of the
Medical Practitioners Act, 1978 (No. 4 of 1978), or registered dentist, within
the meaning of the Dentists Act 1985 (No. 9 of 1985),”,
(d) the deletion of Regulation 6, and
(e) a request referred to in Regulation 4(1) which has been received but not
responded to prior to the coming into operation of section 7 in so far as it relates
to the repeal of section 4(8) of the Act of 1988 shall be treated as a request under
Article 15 of the Data Protection Regulation.
(6) The Social Work Regulations continued in force under subsection (3) continue to
apply subject to the following modifications—
(a) in Regulation 3—
(i) the deletion of the definition of “the Act”,
(ii) the insertion of the following definition:
“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016[10] on the
protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation);”,
[9] OJ No. L 119, 4.5.2016, p.1
[10] OJ No. L 119, 4.5.2016, p.1
and
(iii) the substitution of the following definition for the definition of “social work
data”:
“ ‘social work data’ means personal data kept for, or obtained in the
course of, carrying out social work by a public authority, public body,
voluntary organisation or other body but excludes any health data
within the meaning of the Data Protection (Access Modification)
(Health) Regulations 1989 (S.I. No. 82 of 1989) and ‘social work’
shall be construed accordingly.”,
(b) in Regulation 4—
(i) in paragraph (1)—
(I) the substitution of “a request under Article 15 of the Data Protection
Regulation” for “a request under section 4(1)(a) of the Act”, and
(II) the substitution of “the physical or mental health or emotional condition
of the data subject but this restriction on providing information applies
only to the extent to which, and for as long as, that likelihood pertains.”
for “the physical or mental health or emotional condition of the data
subject”,
and
(ii) in paragraph (3), the substitution of “under Article 15 of the Data Protection
Regulation” for “under section 4(1)(a) of the Act”,
(c) the deletion of Regulation 5, and
(d) a request referred to in Regulation 4(1) which has been received but not
responded to prior to the coming into operation of section 7 in so far as it relates
to the repeal of section 4(8) of the Act of 1988 shall be treated as a request under
Article 15 of the Data Protection Regulation.
(7) The Regulations of 2011 shall, subject to suitable and specific measures being taken
to safeguard the fundamental rights and freedoms of data subjects, apply to—
(a) each special category of personal data that, immediately before the coming into
operation of this section—
(i) constituted sensitive personal data to which those Regulations applied, or
(ii) would have constituted sensitive personal data to which those Regulations
applied had the data existed immediately before such commencement,
and
(b) Article 10 data that, immediately before such coming into operation—
(i) constituted sensitive personal data to which those Regulations applied, or
(ii) would have constituted sensitive personal data to which those Regulations
applied had the data existed immediately before such coming into operation.
(8) The Regulations of 2015 shall, in addition to applying to sensitive personal data to
which the Act of 1988 applies and subject to suitable and specific measures being
taken to safeguard the fundamental rights and freedoms of data subjects, apply to—
(a) each special category of personal data that, immediately before the coming into
operation of this section—
(i) constituted sensitive personal data to which those Regulations applied, or
(ii) would have constituted sensitive personal data to which those Regulations
applied had the data existed immediately before such commencement,
and
(b) Article 10 data that, immediately before such coming into operation—
(i) constituted sensitive personal data to which those Regulations applied, or
(ii) would have constituted sensitive personal data to which those Regulations
applied had the data existed immediately before such coming into operation.
(9) The Regulations of 2016 shall, in addition to applying to sensitive personal data to
which the Act of 1988 applies and subject to suitable and specific measures to
safeguard the fundamental rights and freedoms of data subjects, apply to—
(a) each special category of personal data that, immediately before the coming into
operation of this section—
(i) constituted sensitive personal data to which those Regulations applied, or
(ii) would have constituted sensitive personal data to which those Regulations
applied had the data existed immediately before such commencement,
and
(b) Article 10 data that, immediately before such coming into operation—
(i) constituted sensitive personal data to which those Regulations applied, or
(ii) would have constituted sensitive personal data to which those Regulations
applied had the data existed immediately before such coming into operation.
(10) In this section—
“Article 10 data” has the meaning assigned to it in section 49;
“Health Regulations” means the Data Protection (Access Modification) (Health)
Regulations 1989 (S.I. No. 82 of 1989);
“Regulations of 2011” means the Data Protection Act 1988 (Section 2B) Regulations
2011 (S.I. No. 486 of 2011);
“Regulations of 2015” means the Data Protection Act 1988 (Section 2B) Regulations
2015 (S.I. No. 240 of 2015);
“Regulations of 2016” means the Data Protection Act 1988 (Section 2B) (No. 2)
Regulations 2016 (S.I. No. 427 of 2016);
“sensitive personal data” has the meaning assigned to it by the Act of 1988;
“Social Work Regulations” means the Data Protection (Access Modification) (Social
Work) Regulations 1989 (S.I. No. 83 of 1989).
PROCESSING OF PERSONAL DATA FOR LAW ENFORCEMENT PURPOSES
CHAPTER 1
Preliminary and general (Part 5)
Interpretation (Part 5)
63. (1) In this Part—
“biometric data” means personal data resulting from specific technical processing
relating to the physical, physiological or behavioural characteristics of an individual
that allow or confirm the unique identification of the individual, including facial
images or dactyloscopic data;
“competent authority”, subject to subsection (2), means—
(a) a public authority competent for the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties in the
State, including the safeguarding against, and the prevention of, threats to public
security, or
(b) any other body or entity authorised by law to exercise public authority and public
powers for the purposes of the prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties in the State, including
the safeguarding against, and the prevention of, threats to public security;
“controller”, subject to subsection (2), means—
(a) a competent authority that, whether alone or jointly with others, determines the
purposes and means of the processing of personal data, or
(b) where the purposes and means of the processing of personal data are determined
by the law of the European Union or otherwise by the law of the State, a
controller nominated—
(i) by that law, or
(ii) in accordance with criteria specified in that law;
“data concerning health” means personal data relating to the physical or mental health
of an individual, including the provision of health care services to the individual, that
reveal information about the status of his or her health;
“data protection impact assessment” has the meaning assigned to it by section 78(1);
“data protection officer” has the meaning assigned to it by section 82(1);
“data subject” means an individual to whom personal data relate;
“genetic data” means personal data—
(a) relating to the inherited or acquired genetic characteristics of an individual that
give unique information about the physiology or health of the individual, and
(b) that result from an analysis of a biological sample from the individual in
question;
“international organisation” means—
(a) an organisation, and subordinate bodies of an organisation, governed by public
international law, or
(b) any other body that is established by, or on the basis of, an agreement between
two or more States;
“joint controller” has the meaning assigned to it by section 73(1);
“online identifier” includes an internet protocol address, a cookie identifier or other
identifier such as a radio frequency identification tag;
“personal data” means information relating to—
(a) an identified living individual, or
(b) a living individual who can be identified from the data, directly or indirectly, in
particular by reference to—
(i) an identifier such as a name, an identification number, location data or an
online identifier, or
(ii) one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of the individual;
“personal data breach” means a breach of security leading to the accidental or
unlawful destruction, loss, alteration or unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed;
“processing”, of or in relation to personal data, means an operation or a set of
operations that is performed on personal data or on sets of personal data, whether or
not by automated means, including—
(a) the collection, recording, organisation, structuring or storing of the data,
(b) the adaptation or alteration of the data,
(c) the retrieval, consultation or use of the data,
(d) the disclosure of the data by their transmission, dissemination or otherwise
making the data available,
(e) the alignment or combination of the data, or
(f) the restriction, erasure or destruction of the data;
“processor” means an individual who, or a legal person, public authority, agency or
other body that, processes personal data on behalf of a controller, but does not include
an employee of a controller who processes such data in the course of his or her
employment;
“profiling” means any form of automated processing of personal data consisting of the
use of the data to evaluate certain personal aspects relating to an individual, including
to analyse or predict aspects concerning the individual’s performance at work,
economic situation, health, personal preferences, interests, reliability, behaviour,
location or movements;
“pseudonymisation” means the processing of personal data in such a way that the data
can no longer be attributed to a specific data subject without the use of additional
information, provided that—
(a) such additional information is kept separately from the data, and
(b) is subject to technical and organisational measures to ensure that the data are not
attributed to an identified or identifiable individual;
“rectification”, of or in relation to personal data, includes, where the data concerned
are incomplete, the completion of the data, whether by means of a supplementary
statement or otherwise;
“recipient”, of or in relation to personal data, means an individual to whom, or a legal
person, public authority, agency or other body to which, the data are disclosed, and
includes a third party;
“relevant filing system” means a set of personal data, whether centralised,
decentralised or dispersed on a functional or geographical basis, where the set is
structured according to specific criteria in such a way that the data are readily
accessible according to those criteria;
“restrict”—
(a) in relation to the exercise of the right of a data subject—
(i) under section 81(1) to be notified of a personal data breach,
(ii) under section 87(10) to be notified of the restriction of the processing of
personal data under subsection (9) of that section, or
(iii) under section 87(12) to be notified of a decision not to rectify or erase data
pursuant to a request under subsection (1) or (3) of that section, as the case
may be,
means—
(I) to delay the notification concerned,
(II) to limit the information contained in the notification concerned, or
(III) not to make the notification concerned,
and
(b) in relation to the exercise of the right of a data subject—
(i) under section 85(1) in so far as it relates to the provision to the data subject of
information specified in subsection (2)(f) of that section, or
(ii) under section 86(1)(a) or (b),
means—
(I) to delay the provision of the information concerned,
(II) to limit the information concerned provided to the data subject, or
(III) not to provide the information concerned;
“restriction of processing” means the marking, by or on behalf of a controller, of
personal data for which the controller is responsible for the purpose of limiting their
processing in the future;
“special categories of personal data” means—
(a) personal data revealing—
(i) the racial or ethnic origin of the data subject,
(ii) the political opinions or the religious or philosophical beliefs of the data
subject, or
(iii) whether the data subject is a member of a trade union,
(b) genetic data,
(c) biometric data for the purposes of uniquely identifying an individual,
(d) data concerning health, or
(e) personal data concerning an individual’s sex life or sexual orientation.
(2) Where a reference is made in this Part—
(a) to a controller in a Member State other than the State, for the purposes of that
reference—
(i) in the definition of “competent authority” in subsection (1), the references to
“in the State” shall be construed as meaning “in the Member State
concerned”, and
(ii) in the definition of “controller” in subsection (1), the reference to “the law of
the State” shall be construed as meaning “the law of the Member State
concerned”,
or
(b) to a controller in a third country, for the purposes of that reference—
(i) in the definition of “competent authority” in subsection (1), the references to
“in the State” shall be construed as meaning “in the state concerned”, and
(ii) in the definition of “controller” in subsection (1), the reference to “the law of
the European Union or the law of the State” shall be construed as meaning
“the law of the state concerned”.
(3) A word or expression that is used in this Part and is also used in the Directive has,
unless the context otherwise requires, the same meaning in this Part as it has in the
Directive.
Application of Part 5
64. (1) This Part applies, subject to subsection (2), to the processing of personal data by or on
behalf of a controller where the processing is carried out—
(a) for the purposes of—
(i) the prevention, investigation, detection or prosecution of criminal offences,
including the safeguarding against, and the prevention of, threats to public
security, or
(ii) the execution of criminal penalties,
and
(b) by means that—
(i) are wholly or partly automated, or
(ii) where the personal data form part of, or are intended to form part of, a
relevant filing system, are not automated.
(2) This Part shall not apply to the processing of personal data—
(a) that occurs in the course of an activity falling outside the scope of the law of the
European Union, or
(b) by an institution, body, office or agency of the European Union.
CHAPTER 2
General principles of data protection
Processing of personal data
65. (1) A controller shall, as respects personal data for which it is responsible, comply with
the following provisions:
(a) the data shall be processed lawfully and fairly;
(b) the data shall be collected for one or more specified, explicit and legitimate
purposes and shall not be processed in a manner that is incompatible with such
purposes;
(c) the data shall be adequate, relevant and not excessive in relation to the purposes
for which they are processed;
(d) the data shall be accurate, and, where necessary, kept up to date, and every
reasonable step shall be taken to ensure that data that are inaccurate, having
regard to the purposes for which they are processed, are erased or rectified
without delay;
(e) the data shall be kept in a form that permits the identification of a data subject for
no longer than is necessary for the purposes for which the data are processed;
(f) the data shall be processed in a manner that ensures appropriate security of the
data, including, by the implementation of appropriate technical or organisational
measures, protection against—
(i) unauthorised or unlawful processing, and
(ii) accidental loss, destruction or damage.
(2) The processing of personal data shall be lawful where, and to the extent that—
(a) the processing is necessary for the performance of a function of a controller for a
purpose specified in section 64(1)(a) and the function has a legal basis in the law
of the European Union or the law of the State, or
(b) the data subject has, subject to subsection (3), given his or her consent to the
processing.
(3) Where the processing of personal data is to be carried out on the basis of the consent
of the data subject referred to in subsection (2)(b), the processing shall be lawful only
where, and to the extent that—
(a) having been informed of the intended purpose of the processing and the identity
of the controller, the data subject gives his or her consent freely and explicitly,
(b) the request for consent is expressed in clear and plain language, and where such
consent is given in the context of a written statement that also concerns other
matters, the request for consent is presented to the data subject in a manner that is
clearly distinguishable from those other matters,
(c) the data subject may withdraw his or her consent at any time, and he or she shall
be informed of this possibility prior to giving consent.
(4) Where a data subject withdraws his or her consent to the processing of personal data
pursuant to subsection (3)(c), the withdrawal of consent shall not affect the lawfulness
of processing based on that consent prior to the consent being withdrawn.
(5) Where a controller collects personal data for a purpose specified in section 64(1)(a),
the controller or another controller may process the data for a purpose so specified
other than the purpose for which the data were collected, in so far as—
(a) the controller is authorised to process such personal data for such a purpose in
accordance with the law of the European Union or the law of the State, and
(b) the processing is necessary and proportionate to the purpose for which the data
are being processed.
(6) A controller may process personal data, whether the data were collected by the
controller or another controller, for the purposes of—
(a) the archiving of the data in the public interest,
(b) scientific or historical research, or
(c) statistical use,
provided that the said archiving, research or use—
(i) is for a purpose specified in section 64(1)(a), and
(ii) is subject to appropriate safeguards for the rights and freedoms of data subjects.
(7) A controller shall ensure, in relation to personal data for which it is responsible, that
an appropriate time limit is established for—
(a) the erasure of the data, or
(b) the carrying out of periodic reviews of the need for the retention of the data.
(8) Where a time limit is established in accordance with subsection (7), the controller
shall ensure, by means of procedural measures, that the time limit is observed.
(9) A processor, or any person acting under the authority of the controller or of the
processor who has access to personal data, shall not process the data unless the
processor or person is—
(a) authorised to do so by the controller, or
(b) required to do so by the law of the European Union or the law of the State,
and then only to the extent so authorised or required, as the case may be.
(10) A controller shall ensure that it is in a position to demonstrate that the processing of
personal data for which it is responsible is in compliance with subsections (1) to (8) of
this section.
Security measures for personal data
66. (1) In determining appropriate technical or organisational measures for the purposes of
section 65(1)(f), a controller shall ensure that the measures provide a level of security
appropriate to the harm that might result from accidental or unlawful destruction, loss,
alteration or unauthorised disclosure of, or access to, the data concerned.
(2) A controller or processor shall take all reasonable steps to ensure that—
(a) persons employed by the controller or the processor, as the case may be, and
(b) other persons at the place of work concerned,
are aware of and comply with the relevant technical or organisational measures
referred to in subsection (1).
Processing of special categories of personal data (Part 5)
67. (1) The processing of a special category of personal data shall be lawful only where—
(a) section 65 is complied with, and
(b) at least one of the following conditions is met:
(i) where the processing is to be carried out on the basis of the consent of the
data subject pursuant to section 65(2)(b), the consent referred to in that
paragraph explicitly refers to the special category of personal data
concerned;
(ii) the processing is necessary—
(I) to prevent injury or other damage to the data subject or another
individual,
(II) to prevent loss in respect of, or damage to, property, or
(III) otherwise to protect the vital interests of the data subject or another
individual;
(iii) the personal data to which the processing relates have been made public as a
result of steps deliberately taken by the data subject;
(iv) the processing is necessary for—
(I) the administration of justice,
(II) the performance of a function conferred on a person by or under an
enactment, or
(III) the performance of a function of the Government or a Minister of the
Government;
(v) the processing—
(I) is required for the purposes of providing or obtaining legal advice or for
the purposes of, or in connection with, legal claims, prospective legal
claims, legal proceedings or prospective legal proceedings, or
(II) is otherwise required for the purposes of establishing, exercising or
defending legal rights;
(vi) the processing is necessary for medical purposes and is carried out by, or
under the responsibility of—
(I) a health practitioner, or
(II) a person who in the circumstances owes a duty of confidentiality to the
data subject that is equivalent to that which would exist if that person
were a health practitioner;
(vii) the processing is necessary for the purposes of exercising or performing any
right or obligation which is conferred or imposed by law on the controller or
the data subject in connection with employment or social welfare law;
(viii) the processing is carried out pursuant to section 65(6);
(ix) the processing is authorised by regulations made under subsection (2).
(2) Regulations may be made permitting the processing of special categories of personal
data for the purposes of subsection (1)(b)(ix) where the processing is necessary for
reasons of substantial public interest, and without prejudice to the generality of the
foregoing, such regulations shall identify the public interest concerned.
(3) Regulations under subsection (2) may be made by—
(a) the Minister, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(4) The Minister or any other Minister of the Government, as the case may be, making
regulations under subsection (2) shall have regard to the need for the protection of
individuals with regard to the processing of their personal data and without prejudice
to the generality of that need, have regard to—
(a) the nature, scope and purposes of the processing,
(b) the nature of the substantial public interest concerned,
(c) any benefits likely to arise for the data subjects concerned,
(d) any risks arising for the rights and freedoms of such subjects, and
(e) the likelihood of any such risks arising and the severity of such risks.
(5) Where a special category of personal data is processed in accordance with this
section, the controller shall ensure that the processing is carried out with appropriate
safeguards for the rights and freedoms of the data subject.
(6) In this section—
“health practitioner” has the same meaning as it has in the Health Identifiers Act
2014;
“medical purposes” includes the purposes of preventative medicine, medical
diagnosis, medical research, the provision of medical care and treatment and the
management of healthcare services.
Data quality
68. (1) A controller shall, where relevant and in so far as is possible, make a distinction
between the personal data of different categories of data subject.
(2) A controller shall, in so far as is possible, ensure that personal data based on facts are
distinguished from personal data based on personal assessments.
(3) A controller shall—
(a) take all reasonable steps to ensure that personal data that are inaccurate,
incomplete or no longer up to date are not transmitted or otherwise made
available,
(b) verify, in so far as is possible, the quality of personal data before they are
transmitted or otherwise made available, and
(c) provide, in so far as is possible, in a transmission of personal data, the
information necessary for the recipient to assess the accuracy, completeness and
reliability of the data and the extent to which the data are up to date.
(4) Where a controller becomes aware that incorrect personal data have been transmitted
or personal data have been unlawfully transmitted—
(a) the controller shall ensure that the recipient of the personal data is notified
without delay of that fact, and
(b) the recipient shall ensure that the personal data are rectified or erased or the
processing of the data is restricted in accordance with section 87.
CHAPTER 3
Obligations of controllers and processors
General obligations of controller with regard to technical and organisational measures
69. (1) A controller shall implement appropriate technical and organisational measures for
the purposes of—
(a) ensuring that the processing of personal data for which it is responsible is
performed in compliance with this Part, and
(b) demonstrating such compliance.
(2) A controller shall ensure that measures implemented in accordance with subsection
(1) are reviewed at regular intervals and, where required, updated.
(3) The measures referred to in subsection (1) shall include the implementation of an
appropriate data protection policy by the controller, where such implementation is
proportionate in relation to the processing activities carried out by the controller.
Data protection by design and by default
70. (1) A controller shall, without prejudice to the generality of section 69(1), for the
purposes of meeting the requirements of this Part and protecting the rights of data
subjects—
(a) when determining the means of processing personal data, and
(b) when carrying out the said processing,
implement appropriate technical and organisational measures that are designed—
(i) to implement the principles of the protection of personal data contained in this
Part in an effective manner, and
(ii) to integrate the necessary safeguards into the said processing.
(2) Without prejudice to the generality of section 69(1) and subsection (1), a controller
shall, subject to subsection (3), when processing personal data implement appropriate
technical and organisational measures to ensure that only personal data that are
necessary for each specific purpose of the processing are processed.
(3) The requirement in subsection (2) applies in relation to—
(a) the amount of personal data collected for the processing concerned,
(b) the extent of the processing of the personal data concerned,
(c) the period for which the personal data concerned are stored, and
(d) the accessibility of the personal data concerned.
(4) Technical and organisational measures implemented in accordance with subsection (2)
shall ensure that personal data are not made generally available unless, and only to the
extent, authorised by the controller.
Security of automated processing
71. A controller or processor, prior to carrying out automated processing, shall—
(a) evaluate the risks to the rights and freedoms of individuals arising from the
processing concerned, and
(b) implement measures designed to—
(i) deny access to the processing equipment used for the processing to any
person other than the persons authorised in that regard by the controller or
processor, as the case may be,
(ii) prevent the reading, copying, modification or removal of the data media
concerned, other than in so far as is authorised by the controller or processor,
as the case may be,
(iii) prevent the input of personal data other than in so far as is authorised by the
controller or processor, as the case may be,
(iv) prevent the inspection, modification or deletion of the data other than in so
far as is authorised by the controller or processor, as the case may be,
(v) prevent the use of the automated processing system by persons using data
communication equipment who are not authorised to do so by the controller
or processor, as the case may be,
(vi) ensure that where a person is authorised to use the automated processing
system concerned, he or she has access to personal data on the system only in
so far as he or she is so authorised by the controller or processor, as the case
may be,
(vii) ensure that it is possible to verify or establish the persons to whom personal
data have been or may be transmitted or made available using data
communication equipment,
(viii) ensure that it is possible to verify or establish which personal data have been
input into an automated processing system, and in relation to such data, to
verify and establish the person who input the data and when the data were
input,
(ix) prevent the reading, copying, modification or deletion of personal data
during transfers of personal data or during transportation of data media, other
than in so far as is authorised by the controller or processor, as the case may
be,
(x) ensure that an installed automated system may be restored in the event of an
interruption in the service of the system,
(xi) ensure that the automated processing system properly performs its function
and the appearance of a fault in the automated processing system is reported
to the controller or processor, as the case may be, and
(xii) ensure that personal data that are stored on the automated processing system
cannot be corrupted by means of a malfunctioning of the system.
Technical and organisational measures
72. For the purposes of determining the appropriate technical and organisational measures in
relation to personal data that are required to be taken by a controller or processor in order
to ensure compliance with this Part, and in particular sections 65(1)(f), 69(1), 70 and 74,
the controller or processor, as the case may be, shall, where relevant, have regard to the
following matters:
(a) the nature of the personal data concerned;
(b) the accessibility of the data;
(c) the nature, scope, context and purpose of the processing concerned;
(d) any risks to the rights and freedoms of individuals arising from the processing
concerned;
(e) the likelihood of any such risks arising and the severity of such risks;
(f) the state of the art and the cost of implementation;
(g) guidelines, recommendations and descriptions of best practice issued by the
Commission or the European Data Protection Board.
Joint controllers
73. (1) Where 2 or more controllers jointly determine the purposes and means of the
processing of personal data (in this Part referred to as “joint controllers”), they shall
determine their respective responsibilities for compliance with this Part in a
transparent manner by means of an agreement in writing between them, save in so far
as the said responsibilities are determined by the law of the European Union or the
law of the State.
(2) An agreement in writing referred to in subsection (1)—
(a) shall include a determination of—
(i) the respective responsibilities of the joint controllers concerned as regards
the exercise by data subjects of their rights under this Part, and
(ii) the respective duties of the joint controllers concerned as regards the
provision to a data subject of the information specified in section 85(2),
and
(b) may designate a single point of contact in respect of the processing concerned for
the data subject to whom it relates, where such designation is not otherwise
determined by the law of the State.
Processors
74. (1) A controller shall engage a processor to carry out processing on its behalf only
where—
(a) the processing is carried out, subject to subsection (3), in pursuance of a contract
in writing between the controller and the processor that provides for the matters
specified in subsection (2), and
(b) the processor provides sufficient guarantees to implement appropriate technical
and organisational measures to ensure that—
(i) the processing shall comply with the provisions of this Part, and
(ii) the rights and freedoms of the data subjects are protected.
(2) A contract entered into between a controller and processor in accordance with
subsection (1)(a) shall—
(a) specify the subject matter, duration, nature and purpose of the processing to be
carried out thereunder,
(b) specify the type of personal data to be processed thereunder and the categories of
data subjects to whom the personal data relate,
(c) specify the obligations and rights of the controller in relation to the processing,
and
(d) provide that the processor shall—
(i) act only on instructions from the controller in relation to the processing,
except in so far as the law of the European Union or the law of the State
requires the processor to act otherwise,
(ii) procure the services of another processor in relation to the processing only
where authorised to do so in advance and in writing by the controller, which
authorisation may be specific or general in nature,
(iii) ensure that any person authorised to process the personal data has undertaken
to maintain the confidentiality of the personal data or is under an appropriate
statutory obligation to do so,
(iv) assist the controller in ensuring compliance with this Part in so far as it
relates to the exercise by a data subject of his or her rights,
(v) erase or return to the controller, at the election of the controller, all personal
data upon completion of the processing services carried out by the processor
on behalf of the controller and erase any copy of the data, unless the
processor is required by the law of the European Union or the law of the
State to retain the data, and
(vi) make available to the controller all information necessary to demonstrate
compliance by the processor with this section.
(3) Subsection (1)(a) shall not apply in relation to processing where the form of the
processing and the role of the controller and the processor concerned are otherwise
specified in the law of the European Union or the law of the State.
(4) Where a controller gives an authorisation, whether specific or general in nature, to a
processor to procure the services of another processor (in this section referred to as
“the secondary processor”) in relation to the processing, the processor shall inform
the controller in advance of any such procurement or of a change in the terms of such
procurement.
(5) Where a processor engages a secondary processor to carry out processing on behalf of
a controller, subsections (1) and (2) shall apply to the processor and the secondary
processor, and the references in those subsections to “controller” shall be construed as
including the processor in respect of its relationship with the secondary processor,
with any necessary modifications.
(6) Where a person, who by virtue of the operation of this Part is a processor of personal
data, when purporting to act as such a processor, determines the purpose and means of
the processing of the data, the obligations that are placed on a controller under this
Part shall apply thereafter to the person as though the person were a controller of the
data.
Record of data processing activities
75. (1) A controller shall create and maintain a record in writing containing the following
information in relation to each category of processing activity for which it is
responsible:
(a) the identity and contact details of the controller and, where applicable, the
controller’s data protection officer or any joint controller;
(b) a description of—
(i) the purpose of the processing,
(ii) the categories of personal data concerned,
(iii) the categories of data subjects to which the personal data relate,
(iv) the categories of recipients to which the personal data have been or will be
disclosed, including recipients in a third country or an international
organisation, if any,
(v) the categories of transfer of personal data to a third country or an
international organisation, if any,
(vi) the legal basis for the processing operation for which the personal data are
intended, including the transfer of the data, where applicable, and
(vii) where possible, the proposed time limit within which each category of
personal data shall be erased;
(c) whether the processing involves the use of profiling;
(d) where possible, a general description of the technical and organisational security
measures implemented in respect of the processing activity in accordance with
section 66(1).
(2) A processor shall create and maintain a record in writing of each category of
processing activity carried out by the processor on behalf of a controller containing
the following information:
(a) the identity and contact details of—
(i) the processor,
(ii) each controller on behalf of which the processor is carrying out the
processing, and
(b) a description of each category of processing carried out on behalf of each
controller;
(c) details of any transfer of personal data to a third country or an international
organisation, if applicable, including the identification of the third country or
international organisation to which the data are transferred;
(d) where possible, a general description of the technical and organisational security
measures implemented in respect of the processing activity in accordance with
section 66(1).
(3) A controller or processor shall, where requested to do so, make a record created and
maintained pursuant to subsection (1) or (2), as the case may be, available to the
Commission for inspection and examination.
Data logging for automated processing system
76. (1) Subject to subsection (5), where a controller or processor carries out processing of
personal data by automated means, the controller or processor, as the case may be,
shall create and maintain a log (in this section referred to as a “data log”) of the
following processing operations carried out in automated processing systems in
respect of that processing:
(a) the collection of personal data for the purposes of such processing and the
alteration of any such data;
(b) the consultation of the personal data by any person;
(c) the disclosure of the personal data, including the transfer of the data, to any other
person;
(d) the combination of the personal data with other data;
(e) the erasure of the personal data, or some of the data.
(2) Where a data log contains information specified in paragraph (b) or (c) of subsection
(1), the controller or processor, as the case may be, shall ensure that the data log
contains sufficient information to establish the following:
(a) the date and time of the consultation or disclosure, as the case may be;
(b) the reason for the consultation or disclosure, as the case may be;
(c) in so far as is possible, the identification of the person who consulted or
disclosed, as the case may be, the personal data;
(d) the identity of any recipient to whom the personal data were disclosed.
(3) A data log shall not be used by any person for any purpose other than—
(a) verifying the lawfulness of the processing,
(b) monitoring—
(i) by the controller of processing carried out by the controller, or
(ii) by the processor of processing carried out by the processor,
as the case may be,
(c) ensuring the integrity and security of the personal data concerned, or
(d) for the purposes of criminal proceedings.
(4) A controller or processor shall, where requested to do so, make a data log created and
maintained by the controller or processor, as the case may be, available to the
Commission for inspection and examination.
(5) This section shall not apply, in respect of an automated processing system established
on or before 6 May 2016—
(a) prior to 6 May 2023, where compliance by a controller or processor, as the case
may be, with this section prior to that date would involve disproportionate effort,
or
(b) prior to 6 May 2026, where compliance by a controller or a processor, as the case
may be, with this section prior to that date would cause serious difficulties for the
operation of the automated processing system to which the data log relates.
(6) A controller or processor who intends to rely upon subsection (5)(b) in respect of an
automated processing system operated by the controller or processor, as the case may
be, shall notify the Minister in writing of the said intention on or before 31 December
2022.
(7) A notification referred to in subsection (6) shall include a description of the serious
difficulties referred to in subsection (5)(b) in respect of the automated processing
system concerned.
Cooperation with Commission
77. A controller or a processor shall, on request by the Commission, cooperate with and
assist the Commission in the performance of its functions under this Part.
Data protection impact assessment and prior consultation with Commission
78. (1) Where having regard to its nature, scope, context and purposes, a type of processing,
and in particular a type of processing using new technology, is likely to result in a
high risk to the rights and freedoms of individuals, the controller that is proposing to
carry out the processing shall conduct an assessment of the likely impact of the
proposed processing operations on the protection of personal data (in this Part
referred to as a “data protection impact assessment”) prior to carrying out the
processing.
(2) A data protection impact assessment carried out in accordance with subsection (1)
shall include:
(a) a general description of the proposed processing operations to which it relates,
(b) an assessment of the potential risks to the rights and freedoms of data subjects as
a result of the proposed processing, and
(c) a description of any safeguards, security measures or mechanisms proposed to be
implemented by the controller to mitigate any risk referred to in paragraph (b)
and to ensure the protection of the personal data in compliance with this Part.
(3) Where—
(a) it appears to a controller, having conducted a data protection impact assessment,
that the processing concerned would, despite the implementation of safeguards,
security measures or mechanisms referred to in subsection (2)(c), result in a high
risk to the rights and freedoms of individuals, or
(b) the controller proposes to carry out processing of a type prescribed by the
Commission under subsection (9),
the controller shall, prior to commencing the processing, consult the Commission by
request in that regard in writing.
(4) A controller shall, when making a request under subsection (3), provide the
Commission with—
(a) the data protection impact assessment conducted in relation to the processing
concerned, and
(b) any other information required by the Commission to enable it to assess—
(i) the potential risks to the rights and freedoms of individuals arising from the
proposed processing, and
(ii) the compliance of the proposed processing with this Part.
(5) The Commission shall, where it is of the view that the proposed processing would not
comply with this Part, in particular where it is of the view that the controller has
insufficiently identified or mitigated the potential risks to the rights and freedoms of
individuals arising from the proposed processing, issue written advice in relation to
the processing to the controller and, where applicable, any proposed processor.
(6) Subject to subsection (8), where the Commission issues written advice pursuant to
subsection (5), it shall do so within a period of 6 weeks from the date on which it
receives the request under subsection (3).
(7) For the purposes of responding to a request under subsection (3), the Commission
may use any of its powers referred to in Chapter 4 of Part 6.
(8) Where, taking into account the complexity of the proposed processing, the
Commission is of the opinion that it requires additional time to consider a request
made under subsection (3), it may, once only and within one month from the date of
the receipt of the request, extend the time period referred to in subsection (6) by such
further period not exceeding one month as it may specify by notice in writing to the
controller concerned.
(9) The Commission may, following consultation with the Minister, make regulations
prescribing a type of processing for the purposes of subsection (3)(b) as a type of
processing in relation to which a controller shall consult the Commission prior to
commencing the processing.
(10) The Commission shall, when prescribing a type of processing under subsection (9),
have regard to—
(a) the nature, scope and purposes of the type of processing,
(b) the type of processing involved, in particular where the use of new technology is
likely to result in a high risk to the rights and freedoms of individuals,
(c) the likelihood of any such risks arising and the severity of such risks, and
(d) any submissions received pursuant to subsection (11)(c) in relation to the
proposed regulations.
(11) The Commission shall, prior to making regulations under subsection (9), publish a
notice on the website of the Commission and in at least one daily newspaper
circulating generally in the State—
(a) indicating that it proposes to make regulations under this section,
(b) indicating that a draft of the regulations is available for inspection on that website
for a period specified in the notice, being not less than 28 days from the date of
the publication of the notice in the newspaper, and
(c) stating that submissions in relation to the draft regulations may be made in
writing to the Commission before a date specified in the notice, which shall be
not less than 28 days after the end of the period referred to in paragraph (b).
(12) Where there is a proposal for a legislative measure for which a Minister of the
Government is responsible that relates to the processing of personal data, the relevant
Minister shall consult with the Commission during the process of the preparation of
the legislative measure.
Notification of personal data breach by processor
79. Where a processor becomes aware of a personal data breach, the processor shall notify
the controller on whose behalf the data are being processed of the breach—
(a) in writing, and
(b) without undue delay.
Notification of personal data breach to Commission, etc.
80. (1) Subject to subsection (3), where a personal data breach occurs, the controller shall,
without undue delay and where feasible within 72 hours of becoming aware of the
breach, notify the Commission of the breach.
(2) Where a controller does not notify the Commission under subsection (1) of a personal
data breach within 72 hours of becoming aware of the breach, the controller shall
include in the notification the reason for not so notifying.
(3) Subsection (1) shall not apply where, taking into account the nature of the personal
data and the scope, context and purposes of the processing, the personal data breach is
unlikely to result in a risk to the rights and freedoms of data subjects.
(4) A notification under subsection (1) shall include—
(a) a description of the personal data breach, including, where possible the categories
and number, or approximate number, of—
(i) data subjects concerned, and
(ii) personal data records concerned,
(b) a description of the likely consequences of the personal data breach,
(c) a description of the measures taken or proposed to be taken by the controller to
address the personal data breach, including any measures taken or proposed to be
taken to mitigate its possible adverse effects, and
(d) the name and contact details of the controller’s data protection officer (if any) or
other point of contact.
(5) Where, at the time of the making of a notification under subsection (1), it is not
possible for a controller to include in the notification all the information specified in
subsection (4) in relation to the personal data breach concerned, the controller shall—
(a) nevertheless make the notification including such information as is possible to
include at that time, and
(b) supply the Commission with such information specified in subsection (4) as is
outstanding without undue delay.
(6) A controller shall create and maintain a detailed record in writing of a data protection
breach, including a description of—
(a) the breach,
(b) the effects of the breach, and
(c) the measures taken to address the breach, including any measures taken to
mitigate its possible adverse effects.
(7) A controller shall, where so requested by the Commission, provide a copy of a record
created and maintained under subsection (6) to the Commission.
(8) Where a personal data breach involves personal data that have been transmitted—
(a) by a controller in the State to a controller in another Member State, or
(b) by a controller in another Member State to a controller in the State,
the controller in the State shall provide the controller in the other Member State with
the information specified in subsection (4) without undue delay.
Communication of personal data breach to data subject
81. (1) Subject to subsections (2), (4) and (7), where a personal data breach occurs that is
likely to result in a high risk to the rights and freedoms of a data subject, the
controller shall, without undue delay, notify the data subject to whom the breach
relates.
(2) Subsection (1) shall not apply where—
(a) the controller has implemented appropriate technological and organisational
protection measures that were applied to the personal data affected by the
personal data breach, in particular where the said measures, including encryption,
render the personal data unintelligible to any person who is not authorised to
access it, or
(b) the controller has taken measures in response to the personal data breach that
ensure that the high risk to the rights and freedoms of a data subject from the
breach is no longer likely to materialise.
(3) A notification under subsection (1) shall—
(a) describe, in clear and plain language, the nature of the personal data breach
concerned, and
(b) contain at least the information specified in paragraphs (b) to (d) of section
80(4).
(4) Where a notification under subsection (1) would involve a disproportionate effort, the
controller shall notify the data subjects concerned of the personal data breach by way
of public communication or other similar measure that ensures the data subjects are
informed of the personal data breach in an equally effective manner.
(5) A notification under subsection (4) shall—
(a) describe, in clear and plain language, the nature of the personal data breach
concerned, and
(b) contain such other information as is appropriate in all the circumstances.
(6) Where—
(a) a controller notifies the Commission under section 80 of a personal data breach,
and
(b) the controller has not notified the data subject to whom the personal data relate
under subsection (1) or (4), as the case may be, of the personal data breach,
the Commission may, having considered the likelihood of the data breach resulting in
a high risk to the rights and freedoms of a data subject—
(i) require the controller to notify the data subject under subsection (1) or (4), as the
case may be, or
(ii) determine that subsection (2) applies in relation to the personal data breach.
(7) A controller may, in relation to the exercise of the right of a data subject to be notified
under subsection (1) of a personal data breach, restrict the exercise of the said right
where to do so constitutes a necessary and proportionate measure in a democratic
society, with due regard for the fundamental rights and legitimate interests of the data
subject, for a purpose specified in section 89(2).
(8) Where a controller restricts the exercise of the right of a data subject under subsection
(7), subsections (5), (6) and (7) of section 89 shall apply in respect of the said
restriction, with all necessary modifications.
Data protection officer
82. (1) A controller, other than an independent judicial authority acting in its judicial
capacity, shall, subject to subsections (2) and (3), appoint a person to carry out the
functions specified in subsection (5) in respect of the controller (in this Part referred
to as a “data protection officer”).
(2) Two or more controllers may, subject to subsection (3), having regard to their
organisational structure and size, appoint a single data protection officer to carry out
the functions specified in subsection (5) in respect of each of the controllers.
(3) A controller, when appointing a data protection officer, shall do so on the basis of—
(a) the person’s expert knowledge of the law and the practice relating to the
protection of personal data, and
(b) his or her ability to carry out the functions specified in subsection (5).
(4) Where a controller appoints a data protection officer, the controller shall—
(a) publish or cause to be published the contact details of the data protection officer,
(b) inform the Commission of the appointment of the data protection officer and
provide the Commission with his or her contact details,
(c) ensure that the data protection officer is involved in an appropriate and timely
manner in all matters relating to the protection of personal data, and
(d) support the data protection officer in performing his or her functions under
subsection (5), including by—
(i) providing him or her with the resources that he or she requires to perform
those functions,
(ii) ensuring that he or she has access to processing operations carried out by the
controller, and
(iii) assisting him or her to maintain his or her expert knowledge in the law and
practice relating to the protection of personal data.
(5) The functions of a data protection officer shall include the following:
(a) informing and advising the controller, and the employees of the controller who
carry out processing, of their obligations under this Part and under any other law
of the European Union or law of the State that relates to the protection of
personal data;
(b) monitoring the compliance of the controller with—
(i) this Part,
(ii) any other law of the European Union or law of the State that relates to the
protection of personal data, and
(iii) the policies of the controller in relation to the protection of personal data,
including the assignment of responsibilities in the controller in relation to the
protection of personal data, the raising of awareness and the training of staff
involved in processing operations in that regard, and any audit activity
related to the protection of personal data;
(c) providing advice, where requested to do so, in relation to the carrying out of a
data protection impact assessment in accordance with section 78 and monitoring
any steps taken on foot of that assessment;
(d) cooperating with the Commission and acting as a contact point for the
Commission for issues related to processing carried out by the controller,
including consultation by the controller with the Commission under section 78.
CHAPTER 4
Rights, and restriction of rights, of data subject (Part 5)
Application of Chapter
83. This Chapter shall not apply to the processing of personal data by Forensic Science
Ireland of the Department of Justice and Equality, insofar as it relates to the processing of
personal data in the context of—
(a) the forensic criminal investigation functions performed by Forensic Science
Ireland, including the analysis of specimens,
(b) an investigation being undertaken by An Garda Síochána or the Garda Síochána
Ombudsman Commission, or
(c) the approval, supply, testing and maintenance of apparatus and of equipment.
Rights in relation to automated decision making (Part 5)
84. (1) Subject to subsection (2), a decision that produces an adverse legal effect for a data
subject or significantly affects a data subject shall not be based solely on automated
processing, including profiling, of personal data that relate to him or her.
(2) Subsection (1) shall not apply where—
(a) the taking of a decision based solely on automated processing is authorised by the
law of the European Union or the law of the State and the law so authorising
contains appropriate safeguards for the rights and freedoms of the data subject,
including the right of the data subject to make representations to the controller in
relation to the decision, and
(b) the controller has taken adequate steps to safeguard the legitimate interests of the
data subject.
(3) Profiling that results in discrimination against an individual on the basis of a special
category of personal data shall be prohibited.
Right to information
85. (1) Subject to subsection (4) and section 89, a controller shall ensure that the data subject
is provided with, or, as appropriate, has made available to him or her, the information
specified in subsection (2) in relation to personal data relating to him or her within a
reasonable period after the date on which the controller obtains the personal data
concerned, having regard to the circumstances in which the data are or are to be
processed.
(2) The information to which subsection (1) applies is:
(a) the identity and the contact details of the controller;
(b) the contact details of the data protection officer of the controller, where
applicable;
(c) the purpose for which the personal data are intended to be processed or are being
processed;
(d) information detailing the right of the data subject to request from the controller
access to, and the rectification or erasure of, the personal data;
(e) information detailing the right of the data subject to lodge a complaint with the
Commission and the contact details of the Commission;
(f) in individual cases where further information is necessary to enable the data
subject to exercise his or her rights under this Part, having regard to the
circumstances in which the personal data are or are to be processed, including the
manner in which the data are or have been collected, any such information
including:
(i) the legal basis for the processing of the data concerned;
(ii) the period for which the data concerned will be retained, or where it is not
possible to determine the said period at the time of the giving of the
information, the criteria used to determine the said period;
(iii) where applicable, each category of recipients of the data.
(3) The information referred to in paragraphs (a) to (e) of subsection (2) may be made
available to the data subject by means of publication on the website of the controller.
(4) Without prejudice to section 89, subsection (1) shall not apply to information
specified in subsection (2)—
(a) where the information is already in the possession of the data subject, or
(b) where, in particular in the case of processing for the purposes of archiving in the
public interest, scientific or historical research, or for statistical use, the provision
of the information proves impossible or would involve a disproportionate effort.
Right of access
86. (1) Subject to subsections (7), (9) and (12) and sections 88(4)(ii) and 89, an individual
who believes that personal data relating to him or her have been or are being
processed by or on behalf of a controller, if he or she so requests the controller by
notice in writing shall—
(a) be informed by the controller whether personal data relating to him or her have
been or are being processed by or on behalf of the controller, and
(b) where such data have been or are being so processed, be provided by the
controller with the following information:
(i) a description of—
(I) the purpose of, and the legal basis for, the processing,
(II) the categories of personal data concerned,
(III) the recipients or categories of recipients to whom the personal data
concerned have been disclosed, and
(IV) the period for which the personal data concerned will be retained, or
where it is not possible to determine the said period at the time of the
giving of the information, the criteria used to determine the said period;
(ii) information detailing the right of the data subject to request from the
controller the rectification or erasure of the personal data concerned;
(iii) information detailing the right of the data subject to lodge a complaint with
the Commission and the contact details of the Commission;
(iv) a communication of the personal data concerned;
(v) any available information as to the origin of the personal data concerned,
unless the communication of that information is contrary to the public
interest.
(2) A controller shall respond to a request made under subsection (1) and provide the
information specified in paragraph (b) thereof to the data subject as soon as may be
and, subject to subsections (4) and (5), in any event not later than one month after the
date on which the request is made.
(3) When making a request under subsection (1), the individual making the request shall
provide the controller with such information as the controller may reasonably require
to satisfy itself of the identity of the individual and to locate any relevant personal
data or information.
(4) Where a controller has reasonable doubts as to the identity of an individual making a
request under subsection (1) or reasonably requires additional information to locate
any relevant personal data, it may request such additional information from the data
subject as may be necessary to confirm his or her identity or to enable it to locate such
personal data or information, as the case may be, and the period of time from the
making of such a request for additional information until the request is complied with
shall not be reckonable for the purposes of subsection (2).
(5) Where, taking into account the complexity of a request made under subsection (1) and
the number of such requests received by the controller, the controller is of the opinion
that it requires additional time to consider the request, it may, once only and within
one month from the date of the receipt of the request, extend the time period referred
to in subsection (2) by such further period not exceeding 2 months as it may specify
by notice in writing to the individual making the request.
(6) A notice in writing referred to in subsection (5) shall include the reason for which the
controller is of the opinion that it requires additional time to consider the request
made under subsection (1).
(7) Where information that a controller would otherwise be required to provide to a data
subject pursuant to subsection (1) includes personal data relating to another individual
that would reveal, or would be capable of revealing, the identity of the individual, the
controller—
(a) shall not, subject to subsection (8), provide the data subject with the information
that constitutes such personal data relating to the other individual, and
(b) shall provide the data subject with a summary of the personal data concerned
that—
(i) in so far as is possible, permits the data subject to exercise his or her rights
under this Part, and
(ii) does not reveal, or is not capable of revealing, the identity of the other
individual.
(8) Subsection (7) shall not apply where the individual to whom the personal data that
would reveal, or would be capable of revealing, his or her identity, relate consents to
the provision of the information concerned to the data subject making a request
pursuant to subsection (1).
(9) Subsection (1) shall not apply—
(a) in respect of personal data relating to the data subject that consists of an
expression of opinion about the data subject by another person given in
confidence or on the understanding that it would be treated as confidential, or
(b) to information specified in paragraph (b)(i)(III) of that subsection in so far as a
recipient referred to therein is a public authority which may receive data in the
context of a particular inquiry in accordance with the law of the State.
(10) Information provided pursuant to a request under subsection (1) may take account of
any amendment of the personal data concerned made since the receipt of the request
by the controller (being an amendment that would have been made irrespective of the
receipt of the request) but not of any other amendment.
(11) The obligations imposed by subparagraphs (iv) and (v) of subsection (1)(b) shall be
complied with by supplying the data subject with a copy of the information concerned
in permanent form unless—
(a) the supply of such a copy is not possible or would involve disproportionate effort,
or
(b) the data subject agrees otherwise.
(12) Where a controller has previously complied with a request under subsection (1), the
controller is not obliged to comply with a subsequent identical or similar request
under that subsection by the same individual unless, in the opinion of the controller, a
reasonable interval has elapsed between compliance with the previous request and the
making of the current request.
(13) In determining for the purposes of subsection (12) whether the reasonable interval
specified in that subsection has elapsed, regard shall be had to the nature of the
personal data, the purpose for which the personal data are processed and the
frequency with which the personal data are altered.
(14) Where a controller, pursuant to subsection (12) refuses to act upon a request under
subsection (1), it shall, as soon as practicable, so notify the data subject in writing.
Right to rectification or erasure and restriction of processing
87. (1) Where a data subject is of the opinion that a controller is processing personal data
relating to him or her that are inaccurate, the data subject may make a request in
writing to the controller for the controller to rectify the data concerned.
(2) A controller that receives a request under subsection (1) shall, subject to subsections
(6), (7) and (9), and sections 88(4)(ii) and 89, where it is satisfied that the personal
data to which the request relates are inaccurate, rectify the data as soon as may be and
in any event no later than one month after the date on which the request is made.
(3) Where a data subject is of the opinion that a controller is processing personal data
relating to him or her—
(a) in a manner that contravenes subsections (1) to (6) of section 65 or section 67(1),
or
(b) that are required to be erased by the controller in accordance with a legal
obligation to which the controller is subject,
the data subject may make a request in writing to the controller to erase the data
concerned.
(4) A controller that receives a request under subsection (3) shall, subject to subsections
(6), (7) and (9), sections 88(4)(ii) and 89 and where it is satisfied that paragraph (a)
or (b) of subsection (3) applies to the personal data to which the request relates, erase
the data as soon as may be and in any event no later than one month after the date on
which the request is made.
(5) When making a request under subsection (1) or (3), the data subject shall provide
such information as the controller may reasonably require to—
(a) satisfy itself as to the identity of the data subject,
(b) locate any relevant personal data, and
(c) satisfy itself as to whether the personal data concerned are inaccurate or as to the
basis on which the data should be erased, as the case may be.
(6) Where a controller—
(a) has reasonable doubts as to the identity of an individual making a request under
subsection (1) or (3), or
(b) reasonably requires additional information—
(i) to locate any relevant personal data, or
(ii) to satisfy itself as to whether the personal data concerned are inaccurate or as
to the basis on which the data should be erased, as the case may be,
it may request such additional information from the data subject as may be necessary
to confirm his or her identity or to so locate or satisfy itself, as the case may be, and
the period of time from the making of such a request for additional information until
the request is complied with shall not be reckonable for the purposes of subsection (2)
or (4), as the case may be.
(7) Where, taking into account the complexity of a request made under subsection (1) or
(3) and the number of such requests received by the controller, the controller is of the
opinion that it requires additional time to consider the request, it may, once only and
within one month from the date of the receipt of the request, extend the time period
referred to in subsection (2) or (4), as the case may be, by such further period not
exceeding 2 months as it may specify by notice in writing to the data subject making
the request.
(8) A notice in writing referred to in subsection (7) shall include the reason for which the
controller is of the opinion that it requires additional time to consider the request
made under subsection (1) or (3), as the case may be.
(9) Where a data subject makes a request under subsection (1) or (3), and—
(a) the accuracy of the data is contested by the data subject and it is not possible to
ascertain whether the data are so inaccurate, or
(b) the personal data are required for the purposes of evidence in proceedings before
a court or tribunal or in another form of official inquiry,
the controller shall restrict the processing of the data and shall not rectify or erase the
data, as the case may be.
(10) Where a controller—
(a) complies with a request under subsection (1) or (3), or
(b) restricts the processing of personal data under subsection (9),
the controller shall, as soon as practicable, notify in writing—
(i) the data subject concerned, and
(ii) subject to subsection (11)—
(I) each controller from which the personal data concerned were received,
and
(II) each person to whom the data were disclosed,
of the rectification, erasure or restriction concerned, as the case may be.
(11) Subsection (10) shall not apply in relation to the notification of a controller or a
person specified in subparagraph (I) or (II) of paragraph (ii) of that subsection where
such notification proves impossible or involves a disproportionate effort.
(12) Where a controller receives a request under subsection (1) or (3), and—
(a) the controller is not satisfied that, as the case may be,—
(i) in relation to a request under subsection (1), the personal data to which the
request relates should be rectified pursuant to subsection (2), or
(ii) in relation to a request under subsection (3), the personal data to which the
request relates should be erased pursuant to subsection (4),
and
(b) subsection (9) does not apply to the data,
the controller shall, subject to section 89, as soon as practicable, so notify the data
subject in writing.
(13) A notification under subsection (12) shall include—
(a) the reasons for the controller’s decision under that subsection, and
(b) information relating to the data subject’s right under section 90 to request the
Commission to verify the lawfulness of the processing concerned.
(14) Where a person to whom personal data were disclosed is notified under subsection
(10)(ii)(II) of—
(a) the rectification or erasure of the data pursuant to a request under subsection (1)
or (3), as the case may be, or
(b) the restriction of the processing of the data under subsection (9),
the person shall rectify or erase, or restrict the processing of, as the case may be, any
of the data concerned that the person has under his or her control in the same manner,
and to the same extent, as the controller making the notification has rectified or
erased, or restricted the processing of, as the case may be, the data concerned.
(15) Where a controller has restricted the processing of personal data pursuant to
subsection (9) and proposes to lift the said restriction, the controller shall inform the
data subject prior to the lifting of the restriction.
(16) Where a controller that restricted the processing of personal data pursuant to
subsection (9) lifts the said restriction—
(a) the controller shall notify any person who was notified under subsection (10)(ii)
(II) of the said restriction of the lifting of the restriction as soon as practicable,
and
(b) the person so notified shall lift any restriction of the processing of the data
concerned implemented under subsection (14) in the same manner, and to the
same extent, as the controller making the notification has lifted the restriction on
the processing of the data concerned.
(17) This section shall not apply to personal data that are contained in witness statements.
(18) For the purposes of this section, personal data are inaccurate if—
(a) they are incorrect or misleading as to any matter of fact, or
(b) they are incomplete in a material manner.
Communication with data subject
88. (1) Where a controller—
(a) provides or makes available information to a data subject under section 85, or
(b) provides or makes available information to, or communicates with, a data subject
pursuant to a request under section 86 or 87,
the controller shall take all reasonable steps to ensure the information is provided or
made available, or the communication is made, as the case may be, in a concise,
intelligible and easily accessible form using clear and plain language.
(2) The information or communication, as the case may be, referred to in subsection (1),
shall—
(a) be provided to the data subject by appropriate means, including by electronic
means, and
(b) in the case of a communication with a data subject pursuant to a request under
section 86 or 87, in so far as is possible, be provided in the same form as that in
which the request is made.
(3) A controller shall not impose a charge on a data subject for information provided to
him or her under section 85 or, subject to subsection (4)(i), pursuant to a request
under section 86 or 87.
(4) Where a data subject makes a request to a controller under section 86 or 87 that is—
(a) manifestly unfounded, or
(b) excessive in nature, having regard to the number of requests made by the data
subject to the controller under those sections,
the controller may—
(i) charge a reasonable fee to the data subject in respect of the request, having regard
to the administrative cost to the controller of complying with the request, or
(ii) refuse to act upon the request.
(5) Where a controller, pursuant to subsection (4)(ii), refuses to act upon a request under
section 86 or 87 it shall, as soon as practicable, so notify the data subject in writing.
(6) A notification under subsection (5) shall include—
(a) the reasons for which the controller is refusing to act upon the request under
section 86 or 87, as the case may be, pursuant to subsection (4)(ii), and
(b) information relating to the right of the data subject under Chapter 3 of Part 6 to
lodge a complaint with the Commission and the contact details of the
Commission.
(7) Where, pursuant to subsection (4)(ii), a controller refuses to act upon a request made
to the controller by a data subject under section 86 or 87, it shall be for the controller
to demonstrate that the request was manifestly unfounded or excessive in nature.
(8) In this section, a reference to a “data subject” shall be construed as including an
individual who makes a request under section 86(1), irrespective of whether the
controller is processing personal data relating to the individual.
Restrictions on exercise of data subject rights (Part 5)
89. (1) Subject to subsection (2), a controller, with respect to personal data for which it is
responsible, may restrict, wholly or partly, the exercise of a right of a data subject
specified in subsection (4).
(2) Subsection (1) shall apply where the controller is satisfied that restricting the exercise
of a right under that subsection constitutes a necessary and proportionate measure in a
democratic society with due regard for the fundamental rights and legitimate interests
of the data subject for the purposes of—
(a) avoiding obstructing official or legal inquiries, investigations or procedures,
(b) avoiding prejudicing the prevention, detection, investigation or prosecution of
criminal offences or the execution of criminal penalties,
(c) protecting public security,
(d) protecting national security, or
(e) protecting the rights and freedoms of other persons.
(3) Without prejudice to the generality of subsection (2), the purposes specified in
paragraphs (a) to (e) of subsection (2) include the following:
(a) the prevention, detection or investigation of offences, the apprehension or
prosecution of offenders or the effectiveness of lawful methods, systems, plans or
procedures employed for the purposes of the matters aforesaid;
(b) the enforcement of, compliance with or administration of any enactment related
to a purpose specified in section 64(1)(a);
(c) ensuring the safety of the public and the safety or security of individuals and
property;
(d) ensuring the fairness of criminal proceedings in a court or other tribunal;
(e) ensuring the security of—
(i) a penal institution,
(ii) a children detention school within the meaning of section 3 of the Children
Act 2001,
(iii) a remand centre designated under section 88 of the Children Act 2001,
(iv) the Central Mental Hospital, or
(v) any system of communications, whether internal or external, of the Garda
Síochána, the Defence Forces, the Revenue Commissioners or a penal
institution;
(f) protecting the life, safety or well-being of any person;
(g) preventing the facilitation of the commission of an offence;
(h) avoiding the prejudice or impairment of national security, defence or the
international relations of the State;
(i) avoiding the obstruction or impairment of official or legal inquiries,
investigations or procedures or the operation of legal privilege.
(4) The rights of a data subject to which subsection (1) applies are:
(a) the right of the data subject under section 85(1) in so far as relates to information
specified in subsection (2)(f) of that section;
(b) the rights of the data subject under paragraphs (a) and (b) of section 86(1);
(c) the right of the data subject to be notified—
(i) under section 87(10) of the restriction of the processing of personal data
under subsection (9) of that section, or
(ii) under section 87(12) of a decision not to rectify or erase data pursuant to a
request under subsection (1) or (3) of that section, as the case may be.
(5) Subject to subsection (6), where a controller restricts, pursuant to subsection (1), the
exercise of the right of a data subject specified in paragraph (b) or (c) of subsection
(4), the controller shall notify the data subject in writing of—
(a) the restriction of the exercise of the said right and the reasons for such restriction,
and
(b) the right of the data subject—
(i) under section 90 to request the Commission to verify the lawfulness of the
processing concerned, or
(ii) under section 123 to seek a judicial remedy in relation to the said restriction.
(6) Subsection (5) shall not apply where to notify the data subject in accordance with that
subsection of the matters specified therein would be contrary to a purpose specified in
subsection (2).
(7) Where a controller restricts, pursuant to subsection (1), the exercise of the right of a
data subject specified in paragraph (b) or (c) of subsection (4), the controller shall—
(a) create and maintain a record in writing of the factual or legal basis for the
decision to so restrict the right concerned, and
(b) make such a record available to the Commission, if so requested by the
Commission.
(8) Regulations may be made specifying a category of processing to be a category of
processing in respect of which the exercise of the rights specified in subsection (4)
may, in accordance with subsection (2), be restricted under subsection (1).
(9) Regulations under subsection (8) may be made by—
(a) the Minister, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government, following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(10) The Minister of the Government making regulations under subsection (8) shall have
regard to—
(a) the nature, scope and purposes of the category of processing concerned,
(b) whether, having regard to the matters referred to in paragraph (a), the restriction
concerned is one to which subsection (2) would apply, and
(c) any risks arising for the rights and freedoms of data subjects.
(11) Regulations made under this section shall—
(a) respect the essence of the right to data protection and protect the interests of the
data subject, and
(b) restrict the exercise of data subject rights only in so far as is necessary and
proportionate to the aim sought to be achieved.
(12) For the purposes of this section, “penal institution” means—
(a) a place to which the Prisons Acts 1826 to 2015 apply, or
(b) a military prison or detention barrack within the meaning, in each case, of the
Defence Act 1954.
Indirect exercise of rights and verification by Commission
90. (1) Where an individual—
(a) is aware, having been notified under section 89(5), that the exercise of his or her
rights have been restricted by a controller pursuant to section 89, or
(b) believes that the exercise of his or her rights have been so restricted and that he
or she has not been notified of the said restriction by virtue of the operation of
subsection (6) of that section,
the individual may make a request in writing to the Commission to verify whether the
controller is processing personal data relating to him or her and if so, whether the
processing is in compliance with this Part.
(2) Where the Commission receives a request under subsection (1), it may take such steps
as appear to it to be appropriate, including the exercise of its powers under section
127.
(3) The Commission, having taken the steps referred to in subsection (2), shall inform the
individual making the request under subsection (1)—
(a) that all necessary verifications or reviews have been carried out by the
Commission, and
(b) of his or her right to seek a judicial remedy under section 123.
CHAPTER 5
Transfers of personal data to third countries or international organisations
Transfer to third country or international organisation
91. (1) The transfer of personal data to a third country or an international organisation shall
not take place, subject to section 95, unless—
(a) the transfer is necessary for a purpose specified in section 64(1)(a),
(b) the personal data are to be transferred to a controller in a third country or an
international organisation that is an authority competent for the purposes
specified in section 64(1)(a),
(c) where the personal data were transmitted or made available to the controller
making the transfer from a controller in another Member State, subject to
subsection (2), the controller in the other Member State or another relevant
controller in that state has given its prior authorisation to the transfer,
(d) section 92, 93 or 94 applies, and
(e) the transfer is subject to a condition that a subsequent transfer to another third
country or international organisation from the third country or international
organisation to which the data are being transferred by the controller shall only
occur where the controller authorises the subsequent transfer, having taken into
due account all relevant factors, including—
(i) the seriousness of any criminal offence to which the data relate,
(ii) the purpose for which the data were originally transferred, and
(iii) the level of protection for personal data in the third country or the
international organisation to which the data are to be transferred onwards.
(2) Subsection (1)(c) shall not apply where—
(a) the transfer of the personal data concerned is necessary for the prevention of an
immediate and serious threat to—
(i) public security in a Member State or a third country, or
(ii) the essential interests of a Member State,
and
(b) an authorisation under the said subsection (1)(c) cannot be obtained in good time.
(3) Where subsection (2) applies and personal data are transferred to a third country or an
international organisation without an authorisation from the controller in the other
Member State that transmitted or made available the personal data, the controller
making the transfer, or on whose behalf the transfer is being made, shall inform the
controller in the other Member State of the transfer without delay.
(4) Without prejudice to the generality of section 65, a processor shall not transfer
personal data to a third country or an international organisation, or to a recipient in a
third country, under this Chapter unless explicitly instructed in writing to do so by the
controller.
Adequacy decision
92. (1) Personal data may be transferred in accordance with section 91(1), subject to
subsection (2), to a third country or an international organisation where a decision has
been taken by the European Commission under Article 36 of the Directive that the
third country or the international organisation, as the case may be, ensures an
adequate level of protection of personal data.
(2) Where the European Commission has taken a decision under Article 36 of the
Directive that applies to a specified territory within a third country or a specified
sector in a third country, personal data may be transferred under subsection (1) to a
controller in the specified territory or sector only, as the case may be.
Transfer subject to appropriate safeguards
93. (1) Personal data may be transferred in accordance with section 91(1) to a third country, a
territory or sector thereof, or an international organisation, in respect of which a
decision has not been taken by the European Commission under Article 36 of the
Directive that the third country, territory or sector thereof, or the international
organisation, as the case may be, ensures an adequate level of protection of personal
data, where—
(a) there is a legally binding instrument that applies to the transfer and that ensures
appropriate safeguards with regard to the processing of personal data, or
(b) the controller transferring the personal data, or on whose behalf the personal data
are being transferred, has—
(i) assessed all the circumstances relating to the transfer, and
(ii) is satisfied that appropriate safeguards exist with regard to the protection of
the personal data.
(2) Where personal data are transferred to a third country, a territory or sector thereof, or
an international organisation pursuant to subsection (1)(b), the controller transferring
the personal data, or on whose behalf the personal data are being transferred, shall—
(a) inform the Commission about each category of such transfers, and
(b) create and maintain a record in writing of each such transfer containing at least
the following:
(i) details of the personal data transferred;
(ii) the date and time of the transfer;
(iii) information about the controller in the third country or the international
organisation to which the data were transferred;
(iv) the reasons for the transfer.
(3) A controller shall make available a record created and maintained pursuant to
subsection (2)(b) to the Commission for inspection upon a request in that regard by
the Commission.
Derogations for specific situations
94. (1) Where section 92 or 93 does not apply in relation to a transfer of personal data to a
third country or an international organisation, personal data may be transferred in
accordance with section 91(1) to the third country or the international organisation,
where the transfer is necessary—
(a) to protect the vital interests of the data subject or another individual,
(b) to safeguard the legitimate interests of a data subject,
(c) for the prevention of an immediate and serious threat to public security in a
Member State or a third country,
(d) subject to subsection (2), in an individual case, for a purpose specified in section
64(1)(a), or
(e) subject to subsection (2), in an individual case, for the establishment, exercise or
defence of legal claims relating to a purpose specified in section 64(1)(a).
(2) Paragraphs (d) and (e) of subsection (1) shall not apply where the controller
transferring the personal data, or on whose behalf the personal data are being
transferred, is of the opinion that the rights and freedoms of the data subject override
the public interest in the transfer concerned.
(3) Where personal data are transferred to a third country or an international organisation
pursuant to subsection (1), the controller transferring the personal data, or on whose
behalf the personal data are being transferred, shall create and maintain a record in
writing of each such transfer containing at least the following:
(a) details of the personal data transferred;
(b) the date and the time of the transfer;
(c) information about the controller in the third country or the international
organisation to which the data were transferred;
(d) the reasons for the transfer.
(4) A controller shall make available a record created and maintained pursuant to
subsection (3) to the Commission for inspection upon a request in that regard by the
Commission.
Transfer to recipient in third country
95. (1) Notwithstanding section 91(1)(b) and the provisions of any relevant international
agreement, a controller may, in an individual case, transfer personal data directly to a
recipient located in a third country who is not a controller or organisation referred to
in section 91(1)(b) where the relevant provisions of this Part are complied with and
each of the following conditions are fulfilled—
(a) the transfer is necessary for the performance of a function of the controller
making the transfer under the law of the European Union or the law of the State
for a purpose specified in section 64(1)(a);
(b) the transfer is in the public interest;
(c) the controller is satisfied that the fundamental rights and freedoms of the data
subject do not override the public interest necessitating the transfer in the
particular instance;
(d) the controller is satisfied that the transfer of the data to an authority in the third
country that is competent for the purposes specified in section 64(1)(a) would be
ineffective or inappropriate, having regard to the purpose for which the data are
being transferred, in particular where the transfer could not be made to such an
authority in time to achieve the purpose of the transfer.
(2) A controller, when transferring personal data to a recipient pursuant to subsection (1)
shall—
(a) specify to the recipient the purpose for which the recipient may process the data,
and
(b) inform the recipient that the data are to be processed by the recipient for the
specified purpose only and then only to the extent that such processing is
necessary for that purpose.
(3) Where a controller transfers personal data to a recipient pursuant to subsection (1),
the controller shall—
(a) notify the relevant authority in the third country that is competent for the purpose
for which the data are transferred of the transfer without undue delay, unless to
do so would be ineffective or inappropriate, having regard to the purpose for
which the data are being transferred,
(b) notify the Commission of the transfer, and
(c) create and maintain a record in writing of the transfer containing at least the
following information:
(i) details of the personal data transferred;
(ii) the date and the time of the transfer;
(iii) the identity of the recipient;
(iv) the reason for which the data were transferred.
(4) A controller shall make available a record created and maintained pursuant to
subsection (3)(c) to the Commission for inspection upon a request in that regard by
the Commission.
(5) In this section—
“controller” means a controller that is a competent authority specified in paragraph
(a) of the definition of “competent authority” in section 63;
“relevant international agreement” means an international agreement—
(a) to which the State and the third country in which the recipient is located are
parties, and
(b) that relates to judicial cooperation in criminal matters or to police cooperation.
CHAPTER 6
Independent supervisory authority
Functions of Commission under Part 5
96. (1) Subject to subsection (2), the functions of the Commission under this Part shall be
to—
(a) monitor and enforce application of this Part and regulations made under it,
(b) promote public awareness and understanding of the risks, rules, safeguards and
rights in relation to processing,
(c) advise, on request by the body concerned, the Houses of the Oireachtas,
Government and public authorities on legislative and administrative measures
relating to the protection of individuals’ rights and freedoms with regard to
processing,
(d) promote the awareness of controllers and processors of their obligations under
this Part and the Directive,
(e) provide, on request by them, information to data subjects on the exercise of their
rights under this Part and the Directive and, where appropriate, cooperate with
the supervisory authorities of other Member States for that purpose,
(f) handle, in accordance with Part 6, complaints lodged by or on behalf of a data
subject under Chapter 3 of that Part,
(g) examine the lawfulness of processing pursuant to section 90 and inform the data
subject within a reasonable period of the outcome of the examination or of the
reasons why the examination has not been carried out,
(h) cooperate with, and provide mutual assistance to, other supervisory authorities in
accordance with section 98 and Chapter VII of the Directive with a view to
ensuring consistent application and enforcement of the Directive,
(i) conduct, of its own volition or on the basis of information received from another
supervisory authority or other public authority, investigations, in accordance with
Part 6, on the application of this Part,
(j) monitor relevant developments insofar as they have an impact on the protection
of personal data, in particular the development of information and
communication technologies,
(k) provide advice to a controller or processor, as the case may be, pursuant to
section 78, and
(l) contribute to the activities of the European Data Protection Board.
(2) The Commission shall not be competent for the supervision of data processing
operations of an independent judicial authority acting in its judicial capacity.
(3) Subject to subsections (4) and (5), the Commission shall not charge a data subject or
data protection officer a fee in respect of the performance by it of its functions under
this section.
(4) Where a request referred to in Article 46(4) of the Directive is manifestly unfounded
or excessive, the Commission may—
(a) charge the person who made the request a reasonable fee, based on its
administrative costs, or
(b) refuse to act on the request.
(5) It shall be for the Commission to demonstrate that a request referred to in subsection
(4) is manifestly unfounded or excessive.
(6) In this section, “excessive” includes, in particular, repetitive.
(7) For the purposes of this section, a request is repetitive where it is substantially the
same as a request previously made by or on behalf of the same person and dealt with
under this Part.
Power of the Commission to advise and issue opinions
97. The Commission shall have the power to issue opinions on matters related to the
protection of personal data to—
(a) on its own initiative or on request by the body concerned, the Houses of the
Oireachtas, Government, public authorities and bodies, and
(b) on its own initiative, to the public.
Mutual assistance
98. (1) The Commission shall, for the purposes referred to in section 96(1)(h)—
(a) in accordance with this Chapter, provide other supervisory authorities with
mutual assistance, and
(b) put in place measures for effective cooperation with those authorities.
(2) The Commission, on receipt by it of a request of another supervisory authority
(“requesting supervisory authority”) shall—
(a) without undue delay and no later than one month after receiving the request, take
all appropriate measures required to reply to the request, and
(b) inform the requesting supervisory authority of the results of, or progress made in
response to, the request.
(3) The measures referred to in subsection (1)(a) include the exercise by the Commission
of its powers under Chapters 3, 4 and 5 of Part 6.
(4) (a) The Commission shall not refuse to comply with a request unless—
(i) it is not responsible under the Directive for the subject matter of the request
or for the measures it is requested to carry out, or
(ii) compliance with the request would infringe law of the State or European
Union.
(b) The Commission shall provide the requesting supervisory authority concerned
with the reasons for its refusal under paragraph (a) to comply with a request.
(5) The Commission, where providing information to a requesting supervisory authority
in response to a request, shall, insofar as practicable, and in accordance with any
implementing acts to which Article 50(8) of the Directive apply, do so—
(a) by electronic means, and
(b) using a standardised format, if any.
(6) Without prejudice to subsection (7), the Commission shall not charge a fee for any
action taken in response to a request for mutual assistance.
(7) The Commission may enter into an agreement with other supervisory authorities on
rules to indemnify each other for specific expenditure arising from the provision of
mutual assistance in exceptional circumstances.
(8) In this section and section 99—
“mutual assistance” includes—
(a) responding to requests for information, and
(b) undertaking supervisory measures, such as the carrying out of inspections or
investigations under Part 6 or consultations;
“request” means a request for mutual assistance referred to in Article 50 of the
Directive.
Requests by Commission for mutual assistance
99. (1) A request by the Commission to another supervisory authority shall contain all the
information necessary for the purpose of the request, which shall include the purpose
of and reasons for the request.
(2) The Commission shall use information received by it from another supervisory
authority in response to a request only for the purpose for which it was requested.