Statutory Rights
Data Protection Act
Preliminary
Interpretation and application of Act.
1.— (1) In this Act, unless the context otherwise requires—
F1 [ ‘ the Act of 2003 ’ means the Data Protection (Amendment) Act 2003 ]
“ appropriate authority” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;
F1 [ ‘ automated data ’ means information that —
( a ) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
( b ) is recorded with the intention that it should be processed by means of such equipment; ]
“ back-up data” means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged;
F1 [ ‘ blocking ’ , in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked; ]
“ civil servant” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;
“ the Commissioner” has the meaning assigned to it by section 9 of this Act;
“ company” has the meaning assigned to it by the Companies Act, 1963
“ the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981, the text of which is set out in the First Schedule to this Act;
“ the Court” means the Circuit Court
F2 [ ‘ data ’ means automated data and manual data; ]
“ data controller” means a person who, either alone or with others, controls the contents and use of personal data;
“ data equipment” means equipment for processing data;
“ data material” means any document or other material used in connection with, or produced by, data equipment;
“ data processor” means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;
“ data subject” means an individual who is the subject of personal data;
F1 [ ‘ the Directive ’ means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1) ; ]
F2 [ ‘ direct marketing ’ includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office; ]
“ disclosure”, in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;
F1 [ ‘ the EEA Agreement ’ means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993; ]
F1 [ ‘ enactment ’ means a statute or a statutory instrument (within the meaning of the Interpretation Act 1937 ); ]
“ enforcement notice” means a notice under section 10 of this Act;
F1 [ ‘ the European Economic Area ’ has the meaning assigned to it by the EEA Agreement; ]
“ financial institution” means—
( a) a person who holds or has held a licence under section 9 of the Central Bank Act, 1971, or
( b) a person referred to in section 7 (4) of that Act;
“ information notice” means a notice under section 12 of this Act;
F3 [ “ local authority ” means a local authority for the purposes of the Local Government Act 2001 (as amended by the Local Government Reform Act 2014); ]
F1 [ ‘ manual data ’ means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; ]
“ the Minister” means the Minister for Justice;
F2 [ ‘ personal data ’ means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller; ]
“ prescribed”, in the case of fees, means prescribed by regulations made by the Minister with the consent of the Minister for Finance and, in any other case, means prescribed by regulations made by the Commissioner with the consent of the Minister;
F2 [ ‘ processing ’ of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including —
( a ) obtaining, recording or keeping the information or data,
( b ) collecting, organising, storing, altering or adapting the information or data,
( c ) retrieving, consulting or using the information or data,
( d ) disclosing the information or data by transmitting, disseminating or otherwise making it available, or
( e ) aligning, combining, blocking, erasing or destroying the information or data; ]
“ prohibition notice” means a notice under section 11 of this Act;
“ the register” means the register established and maintained under section 16 of this Act;
F4 [ ‘ relevant filing system ’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible; ]
F1 [ ‘ sensitive personal data ’ means personal data as to —
( a ) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
( b ) whether the data subject is a member of a trade union,
( c ) the physical or mental health or condition or sexual life of the data subject,
( d ) the commission or alleged commission of any offence by the data subject, or
( e ) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings; ]
and any cognate words shall be construed accordingly.
(2) For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.
(3) ( a) An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force—
(i) the civil servant so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and
(ii) this Act shall not apply to the authority,
as respects the data concerned.
( b) Without prejudice to paragraph (a) of this subsection, the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a data controller or a data processor and, while the designation is in force—
(i) the officer so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and
(ii) this Act shall not apply to the Minister for Defence,
as respects the data concerned.
( c) For the purposes of this Act, as respects any personal data—
(i) where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,
(ii) where a designation under paragraph (b) of this subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and
(iii) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the said Commissioner.
F1 [ (3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.
(3B) ( a ) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if —
(i) the data controller is established in the State and the data are processed in the context of that establishment, or
(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.
( b ) For the purposes of paragraph ( a ) of this subsection, each of the following shall be treated as established in the State:
(i) an individual who is normally resident in the State,
(ii) a body incorporated under the law of the State,
(iii) a partnership or other unincorporated association formed under the law of the State, and
(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) of this paragraph, but maintains in the State —
(I) an office, branch or agency through which he or she carries on any activity, or
(II) a regular practice,
and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.
( c ) A data controller to whom paragraph ( a )(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.
(3C) Section 2 and sections 2A and 2B (which sections were inserted by the Act of 2003) of this Act shall not apply to —
( a ) data kept solely for the purpose of historical research, or
( b ) other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986 ),
and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects. ]
(4) This Act does not apply to—
( a) personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,
( b) personal data consisting of information that the person keeping the data is required by law to make available to the public, or
( c) personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.
F1 [ (5) ( a ) A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997 .
( b ) The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other. ]
Annotations:
Amendments:
F1
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 2, S.I. No. 207 of 2003.
F2
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 2, S.I. No. 207 of 2003.
F3
Substituted (1.06.2014) by Local Government Act 2014 (1/2014), s. 5(8) and sch. 2 part 6, S.I. No. 214 of 2014.
F4
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 2, S.I. No. 207 of 2003.
Modifications (not altering text):
C22
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(a), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely—
(a) in section 1(1), the insertion of the following definitions:
‘Act of 2008’ means the Criminal Justice (Mutual Assistance) Act 2008;
‘Act of 2014’ means the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014;
‘Agreement with Iceland and Norway’, ‘Council Decision’, ‘dactyloscopic data’, ‘designated state’, ‘European Union or international instrument’, ‘Member State’ and ‘relevant European Union or international instrument’ have the meanings they have in section 109 of the Act of 2014;
‘Article 7 request’ means a request made or received under Chapter 3 of Part 5 of the Act of 2008 pursuant to Article 7 of the Council Decision or that Article insofar as it is applied by Article 1 of the Agreement with Iceland and Norway;
‘Central Authority’ has the meaning it has in section 2(1) of the Act of 2008;
‘data protection authority’, in relation to a designated state, means the authority in that designated state that is designated by that designated state to be the independent data protection authority of that designated state for the purposes of a European Union or international instrument;
‘DNA’ means deoxyribonucleic acid;
‘national contact point’, in relation to a relevant European Union or international instrument, has the meaning it has in section 109 of the Act of 2014;
‘processing’ has the meaning it has in this Act and shall include the sending or receipt, as the case may be, of a notification under section 113 (2), 114 (3), 115 (2), 116 (3), 119 (2) or 120 (2) of the Act of 2014.
…
C23
The definition of “financial institution”, defined above, is extended (31.03.2014) by European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014), reg. 152.
Continuation of contravention of Regulations
152. Notwithstanding Regulation 7(1), the references, however expressed, to the holder of a licence under section 9 of the Act of 1971, in—
(a) sections 19 to 26, section 28, sections 31 to 42 or section 58 of the Act of 1971,
(b) section 27, sections 49 to 51, sections 90, 108, 117, 134 or 140 of the Central Bank Act 1989 (No. 16 of 1989), or
(c) any other enactment which was in force on 1 January 1993,
shall be construed so as to include any person who, but for the application of Regulation 7(1), was or would have been required to hold a licence under section 9 of the Act of 1971.
C24
Functions transferred and references to “Department of Finance” and “Minister for Finance” construed (29.07.2011) by Finance (Transfer of Departmental Administration and Ministerial Functions) Order 2011 (S.I. No. 418 of 2011), arts. 2, 3, 5 and sch. 1 part 2, in effect as per art. 1(2), subject to transitional provisions in arts. 6-9.
2. (1) The administration and business in connection with the performance of any functions transferred by this Order are transferred to the Department of Public Expenditure and Reform.
(2) References to the Department of Finance contained in any Act or instrument made thereunder and relating to the administration and business transferred by paragraph (1) shall, on and after the commencement of this Order, be construed as references to the Department of Public Expenditure and Reform.
3. The functions conferred on the Minister for Finance by or under the provisions of —
(a) the enactments specified in Schedule 1, and
(b) the statutory instruments specified in Schedule 2,
are transferred to the Minister for Public Expenditure and Reform.
…
5. References to the Minister for Finance contained in any Act or instrument under an Act and relating to any functions transferred by this Order shall, from the commencement of this Order, be construed as references to the Minister for Public Expenditure and Reform.
…
Schedule 1
Enactments
…
Part 2
1922 to 2011 Enactments
Number and Year
Short Title
Provision
(1)
(2)
(3)
…
…
…
No. 25 of 1988
Data Protection Act 1988
Sections 1 and 33(1); Second Schedule, paragraph 9
…
…
…
C25
Application of section extended (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
(8) Section 1(1) of the Act applies as if the following definition were inserted: “‘Regulations of 2003’ means the European Communities (Directive 2000/31/EC) Regulations 2003;”
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
…
Editorial Notes:
E6
As provided (13.07.2015) by Health Identifiers Act 2014 (15/2014), s. 27(1), (2), S.I. No. 294 of 2015, a living individual’s individual health identifier held by certain persons is considered personal data for the purposes of the Data Protection Acts 1988 and 2003. This shall not be construed to prevent a living individual’s individual health identifier held by a person other than the certain persons from being personal data in accordance with the provisions of those Acts.
E7
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35, subject to transitional provisions in reg. 34.
E8
Previous affecting provision: definitions for “Directive”, “EEA Agreement”, “Enactment” and “European Economic Area” inserted (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 2(a); substituted as per F-note above.
E9
Previous affecting provision: subs. (5) inserted (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 2(b); substituted as per F-note above.
(1) O.J. No. L 281/38 of 23.11.95, p.31.
Protection of Privacy of Individuals with regard to Personal Data
Collection, processing, keeping, use and disclosure of personal data.
2.— F5 [ (1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
( a ) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,
( b ) the data shall be accurate and complete and, where necessary, kept up to date,
( c ) the data —
(i) shall have been obtained only for one or more specified, explicit and legitimate purposes,
(ii) shall not be further processed in a manner incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
(iv) shall not be kept for longer than is necessary for that purpose or those purposes,
( d ) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. ]
(2) A data processor shall, as respects personal data processed by him, comply with paragraph (d) of subsection (1) of this section.
(3) Paragraph (a) of the said subsection (1) does not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in section 5 (1) (a) of this Act, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in the said section 5 (1) (a) .
(4) Paragraph (b) of the said subsection (1) does not apply to backup data.
(5) F6 [ ( a ) Subparagraphs (ii) and (iv) of paragraph ( c ) of the said subsection (1) do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects, and, ]
( b) the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained,
if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject.
(6) F7 [ … ]
F8 [ (7) Where —
( a ) personal data are kept for the purpose of direct marketing, and
( b ) the data subject concerned requests the data controller in writing —
(i) not to process the data for that purpose, or
(ii) to cease processing the data for that purpose,
then —
(I) if the request is under paragraph ( b )(i) of this subsection, the data controller —
(A) shall, where the data are kept only for the purpose aforesaid, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, erase the data, and
(B) shall not, where the data are kept for that purpose and other purposes, process the data for that purpose after the expiration of the period aforesaid,
(II) if the request is under paragraph ( b )(ii) of this subsection, as soon as may be and in any event not more than 40 days after the request has been given or sent to the data controller, he or she —
(A) shall, where the data are kept only for the purpose aforesaid, erase the data, and
(B) shall, where the data are kept for that purpose and other purposes, cease processing the data for that purpose,
and
(III) the data controller shall notify the data subject in writing accordingly and, where appropriate, inform him or her of those other purposes.
(8) Where a data controller anticipates that personal data, including personal data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the data controller shall inform the persons to whom the data relates that they may object, by means of a request in writing to the data controller and free of charge, to such processing. ]
Annotations:
Amendments:
F5
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(a), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
F6
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(b), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
F7
Deleted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(c), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
F8
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(d), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
Modifications (not altering text):
C26
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(b), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— …
(b) in section 2, the insertion of the following subsections after subsection (1):
“(1A) A data controller (including a national contact point) shall in order to comply with subsection (1) (b) as respects personal data kept by him or her also comply with section 125 of the Act of 2014 in respect of those data.
(1B) For the purposes of subparagraphs (i) and (ii) of subsection (1) (c), the processing of personal data supplied or received pursuant to—
(a) Chapter 2 of Part 12 of the Act of 2014, or
(b) Chapter 3 of that Part of that Act,
is deemed to be a purpose compatible with the purpose for which those data were obtained.”,
…
C27
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
Editorial Notes:
E10
Subs. (1)(d) applied to a deceased individual’s relevant information as it does to a living individual’s relevant information (13.07.2015) by Health Identifiers Act 2014 (15/2014), s. 27(3), S.I. No. 294 of 2015.
F9 [
Processing of personal data.
2A. — (1) Personal data shall not be processed by a data controller unless section 2 of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the following conditions is met:
( a ) the data subject has given his or her consent to the processing or, if the data subject, by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the data subject and the giving of such consent is not prohibited by law,
( b ) the processing is necessary —
(i) for the performance of a contract to which the data subject is a party,
(ii) in order to take steps at the request of the data subject prior to entering into a contract,
(iii) for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract, or
(iv) to prevent —
(I) injury or other damage to the health of the data subject, or
(II) serious loss of or damage to property of the data subject,
or otherwise to protect his or her vital interests where the seeking of the consent of the data subject or another person referred to in paragraph ( a ) of this subsection is likely to result in those interests being damaged,
( c ) the processing is necessary —
(i) for the administration of justice,
(ii) for the performance of a function conferred on a person by or under an enactment,
(iii) for the performance of a function of the Government or a Minister of the Government, or
(iv) for the performance of any other function of a public nature performed in the public interest by a person,
( d ) the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
(2) The Minister may, after consultation with the Commissioner, by regulations specify particular circumstances in which subsection (1)( d ) of this section is, or is not, to be taken as satisfied. ]
Annotations:
Amendments:
F9
Inserted (1.07.2003) by Data Protection Amendment Act 2003 (6/2003), s. 4, S.I. No. 207 of 2003. Commenced (24.10.2007) in respect of manual data held in relevant filing systems on the passing of 6/2003 by s. 23(4), subject to transitional provision in subs. (5).
Editorial Notes:
E11
Power pursuant to subss. (1)(d) and (2) exercised (30.03.2016) by Data Protection Act 1988 (Section 2A) Regulations 2016 (S.I. No. 220 of 2016).
E12
Power pursuant to subs. (1)(d) and (2) exercised (22.06.2013) by Data Protection Act 1988 (Section 2A) Regulations 2013 (S.I. No. 313 of 2013).
E13
Previous affecting provision: section inserted (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 3; substituted as per F-note above.
F10 [
Processing of sensitive personal data.
2B. — (1) Sensitive personal data shall not be processed by a data controller unless:
( a ) sections 2 and 2A (as amended and inserted, respectively, by the Act of 2003) are complied with, and
( b ) in addition, at least one of the following conditions is met:
(i) the consent referred to in paragraph ( a ) of subsection (1) of section 2A (as inserted by the Act of 2003 ) of this Act is explicitly given,
(ii) the processing is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment,
(iii) the processing is necessary to prevent injury or other damage to the health of the data subject or another person or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where —
(I) consent to the processing cannot be given by or on behalf of the data subject in accordance with section 2A(1)( a ) (inserted by the Act of 2003) of this Act, or
(II) the data controller cannot reasonably be expected to obtain such consent,
or the processing is necessary to prevent injury to, or damage to the health of, another person, or serious loss in respect of, or damage to, the property of another person, in a case where such consent has been unreasonably withheld,
(iv) the processing —
(I) is carried out in the course of its legitimate activities by any body corporate, or any unincorporated body of persons, that —
(A) is not established, and whose activities are not carried on, for profit, and
(B) exists for political, philosophical, religious or trade union purposes,
(II) is carried out with appropriate safeguards for the fundamental rights and freedoms of data subjects,
(III) relates only to individuals who either are members of the body or have regular contact with it in connection with its purposes, and
(IV) does not involve disclosure of the data to a third party without the consent of the data subject,
(v) the information contained in the data has been made public as a result of steps deliberately taken by the data subject,
(vi) the processing is necessary —
(I) for the administration of justice,
(II) for the performance of a function conferred on a person by or under an enactment, or
(III) for the performance of a function of the Government or a Minister of the Government,
(vii) the processing —
(I) is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings, or
(II) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
(viii) the processing is necessary for medical purposes and is undertaken by —
(I) a health professional, or
(II) a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health professional,
(ix) the processing is necessary in order to obtain information for use, subject to and in accordance with the Statistics Act 1993 , only for statistical, compilation and analysis purposes,
(x) the processing is carried out by political parties, or candidates for election to, or holders of, elective political office, in the course of electoral activities for the purpose of compiling data on people ’ s political opinions and complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects,
(xi) the processing is authorised by regulations that are made by the Minister and are made for reasons of substantial public interest,
(xii) the processing is necessary-for the purpose of the assessment, collection or payment of any tax, duty, levy or other moneys owed or payable to the State and the data has been provided by the data subject solely for that purpose,
(xiii) the processing is necessary for the purposes of determining entitlement to or control of, or any other purpose connected with the administration of any benefit, pension, assistance, allowance, supplement or payment under the Social Welfare (Consolidation) Act 1993 , or any nonstatutory scheme administered by the Minister for Social, Community and Family Affairs.
(2) The Minister may by regulations made after consultation with the Commissioner —
( a ) exclude the application of subsection (1)( b )(ii) of this section in such cases as may be specified, or
( b ) provide that, in such cases as may be specified, the condition in the said subsection (1)( b )(ii) is not to be regarded as satisfied unless such further conditions as may be specified are also satisfied.
(3) The Minister may by regulations make such provision as he considers appropriate for the protection of data subjects in relation to the processing of personal data as to —
( a ) the commission or alleged commission of any offence by data subjects,
( b ) any proceedings for an offence committed or alleged to have been committed by data subjects, the disposal of such proceedings or the sentence of any court in such proceedings,
( c ) any act or omission or alleged act or omission of data subjects giving rise to administrative sanctions,
( d ) any civil proceedings in a court or other tribunal to which data subjects are parties or any judgment, order or decision of such a tribunal in any such proceedings,
and processing of personal data shall be in compliance with any regulations under this subsection.
(4) In this section —
‘ health professional ’ includes a registered medical practitioner, within the meaning of the Medical Practitioners Act 1978, a registered dentist, within the meaning of the Dentists Act 1985 or a member of any other class of health worker or social worker standing specified by regulations made by the Minister after consultation with the Minister for Health and Children and any other Minister of the Government who, having regard to his or her functions, ought, in the opinion of the Minister, to be consulted;
‘ medical purposes ’ includes the purposes of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services. ]
Annotations:
Amendments:
F10
Inserted (1.07.2003) by Data Protection Amendment Act 2003 (6/2003), s. 4, S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
Modifications (not altering text):
C28
Term “registered medical practitioner” construed (3.7.2008) by Medical Practitioners Act 2007 (25/2007), s. 108(1), S.I. No. 231 of 200.
Construction of references to registered medical practitioner and Medical Council, etc.
108.— (1) Every reference to a registered medical practitioner contained in any enactment or any statutory instrument shall be construed as a reference to a registered medical practitioner within the meaning of section 2.
…
Editorial Notes:
E14
Power pursuant to subs. (1)(b)(xi) exercised (30.07.2016) by Data Protection Act 1988 (Section 2 B) (No. 2) Regulations 2016 (S.I. No. 427 of 2016).
E15
Power pursuant to subs. (1)(b)(xi) exercised (30.07.2016) by Data Protection Act 1988 (Section 2 B) Regulations 2016 (S.I. No. 426 of 2016).
E16
Power pursuant to subs. (1)(b)(xi) exercised (10.06.2015) by Data Protection Act 1988 (Section 2B) Regulations 2015 (S.I. No. 240 of 2015).
E17
Power pursuant to subs. (1)(b)(xi) exercised (15.06.2012) by Data Protection Act 1988 (Section 2B) Regulations 2012 (S.I. No. 209 of 2012).
E18
Power pursuant to subs. (1)(b)(xi) exercised (27.09.2011) by Data Protection Act 1988 (Section 2B) Regulations 2011 (S.I. No. 486 of 2011).
F11 [
Security measures for personal data.
2C. — (1) In determining appropriate security measures for the purposes of section 2(1)( d ) of this Act, in particular (but without prejudice to the generality of that provision), where the processing involves the transmission of data over a network, a data controller —
( a ) may have regard to the state of technological development and the cost of implementing the measures, and
( b ) shall ensure that the measures provide a level of security appropriate to —
(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and
(ii) the nature of the data concerned.
(2) A data controller or data processor shall take all reasonable steps to ensure that —
( a ) persons employed by him or her, and
( b ) other persons at the place of work concerned,
are aware of and comply with the relevant security measures aforesaid.
(3) Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall —
( a ) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor carries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent to those imposed on the data controller by section 2(1)( d ) of this Act,
( b ) ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and
( c ) take reasonable steps to ensure compliance with those measures. ]
Annotations:
Amendments:
F11
Inserted (1.07.2003) by Data Protection Amendment Act 2003 (6/2003), s. 4, S.I. No. 207 of 2003.
Modifications (not altering text):
C29
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(c), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— …
(c) in section 2C, the substitution of the following subsection for subsection (1):
“(1) In determining appropriate security measures for the purposes of section 2(1)(d) (but without prejudice to the generality of that provision), a data controller—
(a) shall, in relation to the processing of personal data supplied or received pursuant to—
(i) Chapter 2 of Part 12 of the Act of 2014, or
(ii) Chapter 3 of that Part of that Act,
comply with the technical specifications of the automated search and comparison procedure required by the relevant European Union or international instrument, and
(b) shall ensure that the measures provide a level of security appropriate to—
(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, or accidental alteration of, the data concerned, and
(ii) the nature of the data concerned.”,
…
Editorial Notes:
E19
Section applied to a deceased individual’s relevant information as it does to a living individual’s relevant information (13.07.2015) by Health Identifiers Act 2014 (15/2014), s. 27(3), S.I. No. 294 of 2015.
F12 [
Fair processing of personal data.
2D. — (1) Personal data shall not be treated, for the purposes of section 2(1)( a ) of this Act, as processed fairly unless —
( a ) in the case of data obtained from the data subject, the data controller ensures, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (2) of this section,
( b ) in any other case, the data controller ensures, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (3) of this section —
(i) not later than the time when the data controller first processes the data, or
(ii) if disclosure of the data to a third party is envisaged, not later than the time of such disclosure.
(2) The information referred to in subsection (1)( a ) of this section is:
( a ) the identity of the data controller,
( b ) if he or she has nominated a representative for the purposes of this Act, the identity of the representative,
( c ) the purpose or purposes for which the data are intended to be processed, and
( d ) any other information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data to be fair to the data subject such as information as to the recipients or categories of recipients of the data, as to whether replies to questions asked for the purpose of the collection of the data are obligatory, as to the possible consequences of failure to give such replies and as to the existence of the right of access to and the right to rectify the data concerning him or her.
(3) The information referred to in subsection (1)( b ) of this section is:
( a ) the information specified in subsection (2) of this section,
( b ) the categories of data concerned, and
( c ) the name of the original data controller.
(4) The said subsection (1)( b ) does not apply —
( a ) where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of the information specified therein proves impossible or would involve a disproportionate effort, or
( b ) in any case where the processing of the information contained or to be contained in the data by the data controller is necessary for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract,
if such conditions as may be specified in regulations made by the Minister after consultation with the Commissioner are complied with. ]
Annotations:
Amendments:
F12
Inserted (1.07.2003) by Data Protection Amendment Act 2003 (6/2003), s. 4, S.I. No. 207 of 2003.
Right to establish existence of personal data.
3.— An individual who believes that a person keeps personal data shall, if he so requests the person in writing—
( a) be informed by the person whether he keeps any such data, and
( b) if he does, be given by the person a description of the data and the purposes for which they are kept,
as soon as may be and in any event not more than 21 days after the request has been given or sent to him.
Right of access.
4.— (1) F13 [ ( a ) Subject to the provisions of this Act, an individual shall, if he or she so requests a data controller by notice in writing —
(i) be informed by the data controller whether the data processed by or on behalf of the data controller include personal data relating to the individual,
(ii) if it does, be supplied by the data controller with a description of —
(I) the categories of data being processed by or on behalf of the data controller,
(II) the personal data constituting the data of which that individual is the data subject,
(III) the purpose or purposes of the processing, and
(IV) the recipients or categories of recipients to whom the data are or may be disclosed,
(iii) have communicated to him or her in intelligible form —
(I) the information constituting any personal data of which that individual is the data subject, and
(II) any information known or available to the data controller as to the source of those data unless the communication of that information is contrary to the public interest,
and
(iv) where the processing by automatic means of the data of which the individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him or her, be informed free of charge by the data controller of the logic involved in the processing,
as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.
( b ) A request under paragraph ( a ) of this subsection that does not relate to all of its subparagraphs shall, in the absence of any indication to the contrary, be treated as relating to all of them. ]
( c) (i) A fee may be payable to the data controller concerned in respect of such a request as aforesaid and the amount thereof shall not exceed such amount as may be prescribed or an amount that in the opinion of the Commissioner is reasonable, having regard to the estimated cost to the data controller of compliance with the request, whichever is the lesser.
(ii) A fee paid by an individual to a data controller under subparagraph (i) of this paragraph shall be returned to him if his request is not complied with or the data controller rectifies or supplements, or erases part of, the data concerned (and thereby materially modifies the data) or erases all of the data on the application of the individual or in accordance with an enforcement notice or an order of a court.
(2) Where pursuant to provision made in that behalf under this Act there are separate entries in the register in respect of data kept by a data controller for different purposes, subsection (1) of this section shall apply as if it provided for the making of a separate request and the payment of a separate fee in respect of the data to which each entry relates.
(3) An individual making a request under this section shall supply the data controller concerned with such information as he may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information.
(4) Nothing in subsection (1) of this section obliges a data controller to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure:
Provided that, where the circumstances are such that it would be reasonable for the data controller to conclude that, if any particulars identifying that other individual were omitted, the data could then be disclosed as aforesaid without his being thereby identified to the data subject, the data controller shall be obliged to disclose the data to the data subject with the omission of those particulars.
F14 [ (4A) ( a ) Where personal data relating to a data subject consist of an expression of opinion about the data subject by another person, the data may be disclosed to the data subject without obtaining the consent of that person to the disclosure.
( b ) Paragraph ( a ) of this subsection does not apply —
(i) to personal data held by or on behalf of the person in charge of an institution referred to in section 5(1)( c ) of this Act and consisting of an expression of opinion by another person about the data subject if the data subject is being or was detained in such an institution, or
(ii) if the expression of opinion referred to in that paragraph was given in confidence or on the understanding that it would be treated as confidential. ]
(5) Information supplied pursuant to a request under subsection (1) of this section may take account of any amendment of the personal data concerned made since the receipt of the request by the data controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.
(6) ( a) A request by an individual under subsection (1) of this section in relation to the results of an examination at which he was a candidate shall be deemed, for the purposes of this section, to be made on—
(i) the date of the first publication of the results of the examination, or
(ii) the date of the request,
whichever is the later; and paragraph (a) of the said subsection (1) shall be construed and have effect in relation to such a request as if for “40 days” there were substituted “ 60 days”.
( b) In this subsection “ examination” means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his performance in any test, work or other activity.
(7) A notification of a refusal of a request made by an individual under and in compliance with the preceding provisions of this section shall be in writing and shall include a statement of the reasons for the refusal and an indication that the individual may complain to the Commissioner about the refusal.
(8) ( a) If and whenever the Minister considers it desirable in the interests of data subjects F15 [ or in the public interest ] to do so and by regulations so declares, the application of this section to personal data—
(i) relating to physical or mental health, or
(ii) kept for, or obtained in the course of, carrying out social work by a Minister of the Government, a local authority, a health board or a specified voluntary organisation or other body,
may be modified by the regulations in such manner, in such circumstances, subject to such safeguards and to such extent as may be specified therein.
( b) Regulations under paragraph (a) of this subsection shall be made only after consultation with the Minister for Health and any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted and may make different provision in relation to data of different descriptions.
F16 [ (9) The obligations imposed by subsection (1)( a )(iii) (inserted by the Act of 2003) of this section shall be complied with by supplying the data subject with a copy of the information concerned in permanent form unless —
( a ) the supply of such a copy is not possible or would involve disproportionate effort, or
( b ) the data subject agrees otherwise.
(10) Where a data controller has previously complied with a request under subsection (1) of this section, the data controller is not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in the opinion of the data controller, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
(11) In determining for the purposes of subsection (10) of this section whether the reasonable interval specified in that subsection has elapsed, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.
(12) Subsection (1)( a )(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).
F16 [ (13) ( a ) A person shall not, in connection with —
(i) the recruitment of another person as an employee,
(ii) the continued employment of another person, or
(iii) a contract for the provision of services to him or her by another person,
require that other person —
(I) to make a request under subsection (1) of this section, or
(II) to supply him or her with data relating to that other person obtained as a result of such a request.
( b ) A person who contravenes paragraph ( a ) of this subsection shall be guilty of an offence. ] ]
Annotations:
Amendments:
F13
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(a), S.I. No. 207 of 2003.
F14
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(b), S.I. No. 207 of 2003.
F15
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(c), S.I. No. 207 of 2003.
F16
Inserted (18.07.2014) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(d); subs. (13) S.I. No. 338 of 2014.
Modifications (not altering text):
C30
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(d), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— …
(d) in section 4, the addition of the following subsection:
“(14) Notwithstanding section 5, this section applies to the processing of personal data supplied or received pursuant to—
(a) Chapter 2 of Part 12 of the Act of 2014,
(b) Chapter 3 of that Part of that Act,
(c) an Article 7 request.”,
…
C31
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C32
Application of section restricted (1.03.2013) by Personal Insolvency Act 2012 (44/2012), s. 186, S.I. No. 63 of 2013.
Restriction of Data Protection Act 1988.
186.— Section 4 (as amended by section 5 of the Data Protection (Amendment) Act 2003) of the Data Protection Act 1988 shall not apply to data processed by—
(a) the Insolvency Service,
(b) an inspector appointed under section 176, or
(c) the Complaints Committee,
in the performance of functions assigned to those persons under this Act in so far as those functions relate to carrying out an investigation under this Part.
C33
Application of section restricted (6.07.2012) by Property Services (Regulation) Act 2011 (40/2011), s. 93, S.I. No. 198 of 2012.
Restriction of Data Protection Act 1988.
93.— Section 4 (as amended by section 5 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 shall not apply to data processed by the Authority in the performance of its functions under this Act in so far as those functions relate to carrying out an investigation.
C34
Application of section restricted (18.07.2004) by Commissions of Investigation Act 2004 (23/2004), s. 39, commenced on enactment.
Restriction of Data Protection Act 1988.
39.— Section 4 of the Data Protection Act 1988 does not apply to personal data provided to a commission for as long as the data is in the custody of—
( a) the commission,
( b) the specified Minister after being deposited with him or her under section 43(2) ,
( c) a tribunal of inquiry after being made available to it under section 45 , or
( d) a body after being transferred to it on the dissolution of a tribunal of inquiry to which the data was made available under section 45 .
C35
Application of section restricted (16.12.2002) by Residential Institutions Redress Act 2002 (13/2002), s. 30, S.I. No. 520 of 2005.
Restriction of Data Protection Act, 1988.
30.— Section 4 of the Data Protection Act, 1988 does not apply to personal data provided to the Board while the data is in the custody of the Board or the Review Committee.
C36
Application of section restricted (23.05.2000, establishment day) by Commission to Inquire into Child Abuse Act 2000 (7/2000), s. 33, S.I. No. 149 of 2000.
Restriction of Data Protection Act. 1988.
33.— Section 4 of the Data Protection Act, 1988, does not apply to personal data provided to the Commission or a Committee while the data is in the custody of the Commission or a Committee, or in the case of such data provided to the Confidential Committee, of a body to which it is transferred by the Commission upon the dissolution of the Commission.
C37
Application of section restricted (19.04.1989) by Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989), reg. 4.
4. (1) Information constituting social work data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to a request under section 4 (1) ( a) of the Act if it would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject.
(2) Nothing in paragraph (1) of this Regulation excuses a data controller from supplying so much of the information sought by the request as can be supplied without causing the harm referred to in that paragraph.
(3) If the social work data include information supplied to a data controller by an individual (other than an employee or agent of the data controller) while carrying out social work, the data controller shall not supply that information to the data subject under section 4 (1) ( a) of the Act without first consulting that individual.
C38
Application of section restricted (19.04.1989) by Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989), regs. 4-6.
4. (1) Information constituting health data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to a request under section 4 (1) (a) of the Act if it would be likely to cause serious harm to the physical or mental health of the data subject.
(2) Nothing in paragraph (1) of this Regulation excuses a data controller from supplying so much of the information sought by the request as can be supplied without causing the harm referred to in that paragraph.
5. (1) A data controller who is not a health professional shall not—
(a) supply information constituting health data in response to a request under the said section 4 (1) ( a), …
(b) withhold any such information on the grounds specified in Regulation 4 (1) of these Regulations,
unless he has first consulted the person who appears to him to be the appropriate health professional.
6. Section 4 (4) of the Act shall not apply in relation to personal data relating to an individual other than the data controller or data subject concerned if that individual is a health professional who has been involved in the care of the data subject and the data relate to him in his capacity as such.
C39
Application of section restricted (19.04.1989) by Data Protection Act 1988 (Restriction of Section 4) Regulations 1989 (S.I. No. 81 of 1989), reg. 3 and sch. Adoption Act 1952 repealed (1.11.2010) by Adoption Act 2010 (21/2010), s. 7(1) and sch. part 1, S.I. No. 511 of 2010.
3. The prohibition and restrictions on the disclosure, and the authorisations of the withholding, of information contained in the provision of the enactments specified in the Schedule to these Regulations shall prevail in the interests of the data subjects concerned and any other individuals concerned.
SCHEDULE
Section 22 (5) of the Adoption Act, 1952 (No. 25 of 1952).
Section 9 of the Ombudsman Act, 1980 (No. 26 of 1980).
Editorial Notes:
E20
Power pursuant to section exercised (19.04.1989) by Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989).
E20
Power pursuant to section exercised (19.04.1989) by Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989).
E22
Power pursuant to section exercised (16.12.1988) by Data Protection (Fees) Regulations 1988 (S.I. No. 347 of 1988); regs. 5 and 6 revoked (4.04.1990) by Data Protection (Fees) Regulations 1990 (S.I. No. 80 of 1990), reg. 5.
Restriction of right of access.
5.— (1) Section 4 of this Act does not apply to personal data—
( a) kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid,
( b) to which, by virtue of paragraph (a) of this subsection, the said section 4 does not apply and which are kept for the purpose of discharging a function conferred by or under any enactment and consisting of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in paragraph (a) of this subsection,
( c) in any case in which the application of that section would be likely to prejudice the security of, or the maintenance of good order and discipline in—
(i) a prison,
F17 [ (ii) a place of detention provided under section 2 of the Prisons Act 1970 , or
(iii) a military prison or detention barrack within the meaning of the Defence Act 1954 , ]
(iv) F18 [ … ]
( d) kept for the purpose of performing such functions conferred by or under any enactment as may be specified by regulations made by the Minister, being functions that, in the opinion of the Minister, are designed to protect members of the public against financial loss occasioned by—
(i) dishonesty, incompetence or malpractice on the part of persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or similar organisations, or
(ii) the conduct of persons who have at any time been adjudicated bankrupt,
in any case in which the application of that section to the data would be likely to prejudice the proper performance of any of those functions,
( e) in respect of which the application of that section would be contrary to the interests of protecting the international relations of the State,
( f) consisting of an estimate of, or kept for the purpose of estimating, the amount of the liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim,
( g) in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers,
F19 [ ( gg ) kept by the Commissioner or the Information Commissioner for the purposes of his or her functions, ]
( h) kept only for the purpose of preparing statistics or carrying out research if the data are not used or disclosed (other than to a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of this Act) for any other purpose and the resulting statistics or the results of the research are not made available in a form that identifies any of the data subjects, or
( i) that are back-up data.
(2) Regulations under subsections (1) (d) and (3) (b) of this section shall be made only after consultation with any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted.
(3) ( a) Subject to paragraph (b) of this subsection, section 4 of this Act, as modified by any other provisions thereof, shall apply notwithstanding any provision of or made under any enactment or rule of law that is in force immediately before the passing of this Act and prohibits or restricts the disclosure, or authorises the withholding, of information.
( b) If and whenever the Minister is of opinion that a prohibition, restriction or authorisation referred to in paragraph (a) of this subsection in relation to any information ought to prevail in the interests of the data subjects concerned or any other individuals and by regulations so declares, then, while the regulations are in force, the said paragraph (a) shall not apply as respects the provision or rule of law concerned and accordingly section 4 of this Act, as modified as aforesaid, shall not apply in relation to that information.
Annotations:
Amendments:
F17
Substituted (7.04.2017) by Prisons Act 2015 (57/2015), s. 14(a), S.I. No. 134 of 2017.
F18
Deleted (7.04.2017) by Prisons Act 2015 (57/2015), s. 14(b), S.I. No. 134 of 2017.
F19
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 6, S.I. No. 207 of 2003.
Editorial Notes:
E23
Power pursuant to subss. (1)(d) and (2) exercised (21.10.2009) by Data Protection Act 1988 (Section 5(1)(d)) (Specification) Regulations 2009 (S.I. No. 421 of 2009).
E24
Power pursuant to subss. (1)(d) and (2) exercised (7.04.1993) by Data Protection Act 1988 (Section 5(1)(d)) (Specification) Regulations 1993 (S.I. No. 95 of 1993).
E25
Power pursuant to subss. (2) and (3)(b) exercised (19.04.1989) by Data Protection Act 1988 (Restriction of Section 4) Regulations 1989 (S.I. No. 81 of 1989).
E26
Previous affecting provision: power pursuant to subss. (1)(d) and (2) exercised (19.04.1989) by Data Protection Act 1988 (Section 5(1)(d)) (Specification) Regulations 1989 (S.I. No. 84 of 1989); revoked (7.04.1993) by Data Protection Act 1988 (Section 5(1)(d) (Specification) Regulations 1993 (S.I. No. 95 of 1993), reg. 4.
Right of rectification or erasure.
6.— (1) An individual shall, if he so requests in writing a data controller who keeps personal data relating to him, be entitled to have rectified or, where appropriate, F20 [ blocked or ] erased any such data in relation to which there has been a contravention by the data controller of section 2 (1) of this Act; and the data controller shall comply with the request as soon as may be and in any event not more than 40 days after it has been given or sent to him:
Provided that the data controller shall, as respects data that are inaccurate or not kept up to date, be deemed—
( a) to have complied with the request if he supplements the data with a statement (to the terms of which the individual has assented) relating to the matters dealt with by the data, and
( b) if he supplements the data as aforesaid, not to be in contravention of paragraph (b) of the said section 2 (1) .
F21 [ (2) Where a data controller complies, or is deemed to have complied, with a request under subsection (1) of this section, he or she shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, notify —
( a ) the individual making the request, and
( b ) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period of 12 months immediately before the giving or sending of the request unless such notification proves impossible or involves a disproportionate effort, ]
Annotations:
Amendments:
F20
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 7(a), S.I. No. 207 of 2003.
F21
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 7(b), S.I. No. 207 of 2003; subs. (2)(b) commenced (18.07.2014) by S.I. No. 338 of 2014.
Modifications (not altering text):
C40
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
F22 [
Right of data subject to object to processing likely to cause damage or distress.
6A. — (1) Subject to subsection (3) and unless otherwise provided by any enactment, an individual is entitled at any time, by notice in writing served on a data controller, to request him or her to cease within a reasonable time, or not to begin, processing or processing for a specified purpose or in a specified manner any personal data in respect of which he or she is the data subject if the processing falls within subsection (2) of this section on the ground that, for specified reasons —
( a ) the processing of those data or their processing for that purpose or in that manner is causing or likely to cause substantial damage or distress to him or her or to another person, and
( b ) the damage or distress is or would be unwarranted.
(2) This subsection applies to processing that is necessary —
( a ) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data are or are to be disclosed, or
( b ) for the purposes of the legitimate interests pursued by the data controller to whom the data are or are to be disclosed, unless those interests are overridden by the interests of the data subject in relation to fundamental rights and freedoms and, in particular, his or her right to privacy with respect to the processing of personal data.
(3) Subsection (1) does not apply —
( a ) in a case where the data subject has given his or her explicit consent to the processing,
( b ) if the processing is necessary —
(i) for the performance of a contract to which the data subject is a party,
(ii) in order to take steps at the request of the data subject prior to his or her entering into a contract,
(iii) for compliance with any legal obligation to which the data controller or data subject is subject other than one imposed by contract, or
(iv) to protect the vital interests of the data subject,
( c ) to processing carried out by political parties or candidates for election to, or holders of elective political office, in the course of electoral activities, or
( d ) in such other cases, if any, as may be specified in regulations made by the Minister after consultation with the Commissioner.
(4) Where a notice under subsection (1) of this section is served on a data controller, he or she shall, as soon as practicable and in any event not later than 20 days after the receipt of the notice, serve a notice on the individual concerned —
( a ) stating that he or she has complied or intends to comply with the request concerned, or
( b ) stating that he or she is of opinion that the request is unjustified to any extent and the reasons for the opinion and the extent (if any) to which he or she has complied or intends to comply with it.
(5) If the Commissioner is satisfied, on the application to him or her in that behalf of an individual who has served a notice under subsection (1) of this section that appears to the Commissioner to be justified, or to be justified to any extent, that the data controller concerned has failed to comply with the notice or to comply with it to that extent and that not less than 40 days have elapsed since the receipt of the notice by him or her, the Commissioner may, by an enforcement notice served on the data controller, order him or her to take such steps for complying with the request, or for complying with it to that extent, as the Commissioner thinks fit and specifies in the enforcement notice, and that notice shall specify the reasons for the Commissioner being satisfied as aforesaid. ]
Annotations:
Amendments:
F22
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 8, S.I. No. 207 of 2003.
Modifications (not altering text):
C41
Application of section restricted by Communications Regulation (Postal Services) Act 2011 (21/2015), s. 66C(2); as inserted (6.07.2015) by Communications Regulation (Postal Services) (Amendment) Act 2015 (20/2015), s. 2(b), S.I. No. 337 of 2015.
Personal data protection
66C.(1) Nothing in this Part shall be construed as authorising the processing of personal data contrary to the provisions of the Data Protection Acts 1988 to 2003.
(2) Section 6A of the Act of 1988 shall not apply in respect of such processing of personal data as is required for purposes related to the carrying out of a legitimate postcode activity.
F23 [
Rights in relation to automated decision taking.
6B. — (1) Subject to subsection (2) of this section, a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct.
(2) Subsection (1) of this section does not apply —
( a ) in a case in which a decision referred to in that subsection —
(i) is made in the course of steps taken —
(I) for the purpose of considering whether to enter into a contract with the data subject,
(II) with a view to entering into such a contract, or
(III) in the course of performing such a contract,
or
(ii) is authorised or required by any enactment and the data subject has been informed of the proposal to make the decision, and
(iii) either —
(I) the effect of the decision is to grant a request of the data subject, or
(II) adequate steps have been taken to safeguard the legitimate interests of the data subject by, for example (but without prejudice to the generality of the foregoing), the making of arrangements to enable him or her to make representations to the data controller in relation to the proposal,
or
( b ) if the data subject consents to the processing referred to in subsection (1). ]
Annotations:
Amendments:
F23
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 8, S.I. No. 207 of 2003.
Duty of care owed by data controllers and data processors.
7.— For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned:
Provided that, for the purposes only of this section, a data controller shall be deemed to have complied with the provisions of section 2 (1) (b) of this Act if and so long as the personal data concerned accurately record data or other information received or obtained by him from the data subject or a third party and include (and, if the data are disclosed, the disclosure is accompanied by)—
( a) an indication that the information constituting the data was received or obtained as aforesaid,
( b) if appropriate, an indication that the data subject has informed the data controller that he regards the information as inaccurate or not kept up to date, and
( c) any statement with which, pursuant to this Act, the data are supplemented.
Annotations:
Modifications (not altering text):
C42
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(e), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— …
(e) in section 7—
(i) the proviso shall not apply to a data controller in respect of personal data received or obtained by him or her from a body in a designated state pursuant to a European Union or international instrument,
(ii) the designation of the section (as modified by subparagraph (i)) as subsection (1) of that section, and
(iii) the addition of the following subsections:
“(2) A data controller shall not use the inaccuracy of personal data received by him or her from a body in a designated state pursuant to a European Union or international instrument as a ground to avoid or reduce his or her liability to the data subject concerned under subsection (1).
(3) Where—
(a) the Minister or the Commissioner of the Garda Síochána pays damages to a data subject under this section for damage caused to the data subject by reason of inaccurate data received by the national contact point in relation to DNA data or the national contact point in relation to dactyloscopic data, as may be appropriate, from a body in a designated state pursuant to Chapter 2 or 3 of Part 12 of the Act of 2014, or
(b) the Minister, the Commissioner of the Garda Síochána or the Director of Public Prosecutions pays damages to a data subject under this section for damage caused to the data subject by reason of inaccurate data received by the Central Authority, the Garda Síochána or the Director of Public Prosecutions, as may be appropriate, from a body in a Member State or Iceland or Norway pursuant to an Article 7 request,
the Minister, the Commissioner of the Garda Síochána or the Director of Public Prosecutions, as the case may be, may seek a refund of the amount that he or she paid in damages to the data subject concerned from the body in the designated state concerned.
(4) Where—
(a) a body in a designated state applies to the national contact point in relation to DNA data or the national contact point in relation to dactyloscopic data for a refund of damages paid by it, or on its behalf, on foot of a decision or finding of a court or other tribunal or the data protection authority in that designated state for damage caused to a data subject by reason of inaccurate data sent by the national contact point concerned to that body pursuant to Chapter 2 or 3 of Part 12 of the Act of 2014, or
(b) a body in a Member State or Iceland or Norway applies to the Minister or the Director of Public Prosecutions for a refund of damages paid by it, or on its behalf, on foot of a decision or finding of a court or other tribunal or the data protection authority in that Member State or Iceland or Norway, as the case may be, for damage caused to a data subject by reason of inaccurate data sent by the Minister or the Director of Public Prosecutions, as the case may be, to that body pursuant to an Article 7 request,
the Minister or the Commissioner of the Garda Síochána, as may be appropriate, in the circumstances referred to in paragraph (a), or the Minister or the Director of Public Prosecutions, as may be appropriate, in the circumstances referred to in paragraph (b), shall refund to the body in the designated state concerned the amount paid in damages by it, or on its behalf, to the data subject concerned.”,
…
Disclosure of personal data in certain cases.
8.— Any restrictions in this Act on the F24 [ processing ] of personal data do not apply if the F24 [ processing ] is—
( a) in the opinion of a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State,
( b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,
( c) required in the interests of protecting the international relations of the State,
( d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property,
( e) required by or under any enactment or by a rule of law or order of a court,
( f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the F24 [ processing ] is a party or a witness,
( g) F25 [ … ]
( h) made at the request or with the consent of the data subject or a person acting on his behalf.
Annotations:
Amendments:
F24
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 9(a), S.I. No. 207 of 2003.
F25
Deleted(1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 9(b), S.I. No. 207 of 2003.
Modifications (not altering text):
C43
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(f), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— …
(f) section 8(b) —
(i) insofar as it relates to the purpose of detecting or investigating offences, shall not apply to the processing of data pursuant to Chapter 2,
(ii) insofar as it relates to the purpose of preventing, detecting or investigating offences, shall not apply to the processing of personal data pursuant to Chapter 3, or
(iii) insofar as it relates to the purpose of detecting or investigating offences or apprehending or prosecuting offenders, shall not apply to the processing of personal data pursuant to an Article 7 request,
which are or have been supplied by or to a data controller in the State pursuant to a European Union or international instrument, and
…