State Use

Lawful Use (processing) of Personal Data (General Provisions)

The (EU Wide) GDPR   provides that processing (use) of personal data is permitted, provided that the processor complies with one or more of the following conditions;

  • the data subject (the person whose personal information it is) has unambiguously given his consent; to the processing for one or more specific purposes
  • the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject, prior to entering a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary to protect the vital interests of the data subject;
  • the processing is necessary for the performance of a task carried out in public interest or the exercise of official authority vested in the controller (data holder) or in a third party to whom the data are disclosed;
  • the processing is necessary for the purpose of the legitimate interests pursued by a controller or the third party to whom they are disclosed, except where such interests or overridden by the fundamental rights and freedoms of the data subject.

Lawful Use (Legal Obligations and Governmental Functions)

The GDPR criteria for data processing are set out above. EU Member States may maintain or introduce more specific provisions to adapt the application of the GDPR rules in the context of legal obligations, public interest or the exercise of public authority. There are criteria in the GDPR in relation to such rules.

Most of the areas concerned relate to governmental and public interest activities. The State and state bodies can also use the general bases for processing. The processing must comply with broad data protection principles. The Member State’s law must meet an objective of public interest and be proportionate to the legitimate aim pursued. Ireland has given effect to these national level options and requirement in the Data Protection Act 2018.

Many of the exemptions and facilitative provisions in relation to State and state body processing relate to sensitive personal information; so, called special categories of personal data under the GDPR. These provisions are dealt with in the chapter on sensitive personal data.


The scope of National Rules permitting Processing

The national rules may contain specific provisions to adapt the GDPR rules to the public and other function concerned including

  • the general conditions governing the processing by the controller;
  • the types of data which are subject to the processing;
  • the data subjects concerned;
  • the entities to, and the purposes for which, the personal data may be disclosed;
  • the purpose limitation;
  • storage periods; and
  • processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations.

Functions under the Constitution or by Law

The processing of personal data is lawful to the extent that it is necessary and proportionate for the performance of a function conferred by law or legislation, by the Constitution, or the administration by or on behalf of a controller of any non-statutory scheme, programme or funds, where the legal basis is thereby conferred.

Data processing that is necessary for the performance of a statutory function is permissible.  Similarly, processing for the performance of a function of a department of State and other function of a public nature is permissible.

The processing of personal data which is necessary for the performance of a task carried out in the public interest by a controller or which is necessary for the exercise of official authority vested in a controller may be specified in regulations.

The regulations may specify the personal data that may be processed, the circumstances in which the personal data may be processed. They may specify the persons to whom the data may be disclosed, and such other conditions (if any) as the Minister or any other Minister of the Government, as the case may be, considers appropriate to impose on such processing.


Administration of Justice

The processing of data required for the administration of justice is exempt from the requirement for consent.  This includes processing by the other party to litigation and his representatives, in the course of litigation from pleadings to the conduct of the case.

To a significant extent, a person waives his privacy when he initiates litigation. For example, a person puts his health at issue in a claim for personal injuries. Therefore, the defendant’s insurer may be able to undertake surveillance in order to collect evidence and materials which contradicts his claim.


Records

There are provisions which facilitate archiving in the public interest, and for scientific, historical research or statistical purposes. Subject to suitable and specific measures being taken to safeguard the fundamental

rights and freedoms of data subjects, personal data may be processed for

  • archiving purposes in the public interest,
  • scientific or historical research purposes, or
  • statistical purposes.

Processing of personal data for these purposes must respect the principle of data minimisation. Where the purpose can be fulfilled by processing which does not permit or no longer permits, the identification of data subjects, the processing of information for such purposes must be fulfilled in that manner.


Political Process

The right of a data subject to object at any time to the processing of his personal data does not apply to processing carried out in the course of electoral activities in the State by a political party, or a candidate for election to, or a holder of, elective political office in the State and by the Referendum Commission in the performance of its functions.

The reference to direct marketing in the GDPR does not apply to marketing in the course of electoral activities in the State

  • by a political party or its members, or a candidate for election to, or a holder of, elective political office in the State, and
  • by the Referendum Commission in the performance of its functions.

Accordingly, such activities are not subject to the full rigour of the rules as they apply generally to direct marketing rules.

Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people’s political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.


Common Travel Area

The processing of personal data and the disclosure of that data for the purposes of preserving of the Common Travel Area, or any part of that Area, is lawful where the controller is an Irish air carrier, an air carrier or a sea carrier.

The Minister may make regulations specifying the personal data that may be processed, the circumstances in which the personal data may be disclosed, including the person to whom the data may be disclosed, and such other conditions (if any) as the Minister considers appropriate to impose on such processing.


Recognised Religious communities

The processing of personal data by official authorities for the purpose of achieving the aims laid down by constitutional law or by international public law, of officially recognised religious associations, is presumed by the GDPR to be carried out on grounds of public interest.


Measures to Protect Fundamental Rights I

Where there is a requirement that suitable and specific measures be taken to safeguard the

fundamental rights and freedoms of data subjects in processing personal data, those measures may include—

  • explicit consent of the data subject for the processing of his or her personal data for one or more specified purposes,
  • limitations on access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data,
  • strict time limits for the erasure of personal data and mechanisms to ensure that such limits are observed,
  • specific targeted training for those involved in processing operations,

Measures to Protect Fundamental Rights II

They may include having regard to the state of the art, the context, nature, scope and purposes of data processing and the likelihood of risk to, and the severity of any risk to, the rights and freedoms of data subjects—

  • logging mechanisms to permit verification of whether and by whom the personal data have been consulted, altered, disclosed or erased,
  • in cases in which it is not mandatory under the Data Protection Regulation, designation of a data protection officer,
  • where the processing involves data relating to the health of a data subject, a requirement that the processing is undertaken by a qualified health professional
  • pseudonymisation of the personal data, and
  • encryption of the personal data.

Regulations; Protection of Freedoms

Regulations may be made for either or both of the following purposes

  • to identify additional suitable and specific measures that may be taken to safeguard the fundamental rights and freedoms of data subjects
  • to specify that a measure or measures referred to above or an additional measure or measures or both, is or are mandatory in respect of the processing to which they are stated to apply.

Additional suitable and specific measures identified in regulations may relate to—

  • governance structures,
  • processes or procedures for risk assessment purposes,
  • processes or procedures for the management and conduct of research projects, and
  • other technical and organisational measures designed to ensure that the processing is carried out in accordance with the Data Protection Regulation and processes for testing and evaluating the effectiveness of such measures.

Processing for other Purposes

The processing of personal data for purposes other than those for which the personal data were initially collected is allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required.

If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, EU or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful.

Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes are usually compatible lawful processing operations.  The legal basis provided by EU or Member State law for the processing of personal data may also provide a legal basis for further processing.


Further Processing Criteria I

In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia:

  • any link between those purposes and the purposes of the intended further processing;
  • the context in which the personal data have been collected, in particular, the reasonable expectations of data subjects based on their relationship with the controller as to their further use;
  • the nature of the personal data;
  • the consequences of the intended further processing for data subjects; and
  • the existence of appropriate safeguards in both the original and intended further processing operations.

Further Processing Criteria II

Where the data subject has given consent or the processing is based on EU or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes.

In any case, the application of the principles set out in the GDPR in and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured.

Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller.

However, such transmission in the legitimate interest of the controller or further processing of personal data is if the processing is not compatible with a legal, professional or other binding obligation of secrecy.


References and Sources

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Data Protection Act 2018

Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988

Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988

Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988

Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988

Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989

Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989

Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989

Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993

Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993

Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007

Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009

Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011

Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012

Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013

Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014

Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015

Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016

Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016

Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016

Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003

Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007

Data Protection (Amendment) Act 2003 (Commencement) Order 2014

EU Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Irish Books

EU Data Protection Law Kelleher & Murray           2018

Information & Technology Communications Law Kennedy & Murphy         2017

Social Networking           Lambert               2014

Law Society PPG Hyland Technology & Intellectual Property Law                 2008

Information Technology Law in Ireland   2 Kelleher & Murray       2007

Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016

Privacy & Data Protection Law in Ireland                Kelleher               2015

Data Protection: A Practical Guide to Irish & EU Law         Carey    2010

Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003

EU and UK Texts

Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018

Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed

Rosemary Jay 2018

Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed

Patrick Birkinshaw, Mike Varney 2018

Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018

A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018

Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018

Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018

Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018

The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018

The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018

The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018

A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018

EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018

New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017

Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017

Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017

The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017

Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by:  Wolf J. Schunemann, Max-Otto Baumann 2017

Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017

Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016

Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016

Data Protection: The New Rules Ian Long 2016

A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016

The Foundations of EU Data Protection Law Orla Lynskey 2015

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015

Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014

Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014

Cloud Computing Law Christopher Millard 2013

Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013

Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013

A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013

Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012

Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012

Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011

Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011

Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011

Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010

Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008