June 2023 

1. Governing Texts

The Data Protection Act 2018 ('DPA 2018') gives further effect to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Data Protection Commission ('DPC') is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority that is responsible for monitoring the application of the GDPR and has functions and powers related to other important regulatory frameworks including the (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks and Services) (Privacy And Electronic Communications) Regulations 2011) ('ePrivacy Regulations') and the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) ('Law Enforcement Directive'). The DPC is very active with respect to its complaint handling and enforcement functions.

1.1. Key acts, regulations, directives, bills

The GDPR, as implemented by the DPA 2018 is the principal data protection legislation in Ireland. The DPA 2018 serves to repeal the Data Protection Act, 1988, and the Data Protection (Amendment) Act, 2003, except for provisions relating to the processing of personal data for the purposes of national security, defense, and international relations of the State. The collective citation is 'the Data Protection Acts 1988 to 2018'.

The DPA 2018 transposes the Law Enforcement Directive which regulates the processing of personal data by law enforcement. There are also other Irish laws (including sectoral-specific legislation) that impact data protection. However, this Note does not cover these laws, but instead focuses on the Irish derogations, as contained in the DPA 2018, which are permitted under the GDPR.

1.2. Guidelines

The DPC provides information and guidance for individuals and organizations on its website, including the following:

• Guidance on Appropriate Qualifications for a DPO (GDPR) ('the Qualifications Guidance');
• Guide to DPIAs ('the DPIA Guide'); and
• Fundamentals for a Child-Oriented Approach to Data Processing ('Children's Data Processing Guidance')

The annual reports and case studies, published by the DPC, are also helpful to understand the DPC's current and planned activities, and its approach to its regulation of specific areas of compliance.

Furthermore, the European Data Protection Board ('EDPB') has published the following Opinions for Ireland:

• Opinion 11/2018 on the draft list of the competent supervisory authority of Ireland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) (25 September 2018).
• Opinion 11/2020 on the draft decision of the competent supervisory authority of Ireland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
• Opinion 14/2020 on the draft decision of the competent supervisory authority of Ireland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)

1.3. Case law

The DPC provides access to written judgments where it was a party to the proceedings. Noteworthy decisions include:

Facebook Ireland Limited v Data Protection Commissioner (2020 No. 126 COM). Further to the decision of the CJEU in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the DPC initiated its own volition inquiry under Section 110 of the DPA 2018, examining the lawfulness of data transfers by Facebook Ireland Limited using Standard Contractual Clauses ('SCCs') when transferring data to Facebook Inc. in the United States. The DPC issued a Preliminary Draft Decision ('PDD') to Facebook Ireland on August 28, 2020. In response, Facebook Ireland issued judicial review proceedings against the DPC, claiming the DPC was not entitled to commence the inquiry by way of the PDD and that the PDD was in effect a premature judgment of the DPC. Ultimately, it was held that Facebook Ireland had not identified any material unfairness in the DPC's procedure to issue a PDD, and their application for judicial review was dismissed, with Facebook ordered to pay 90% of the DPC's costs as well as those of Mr. Schrems as a Notice Party.

Maximilian Schrems v Data Protection Commission (Notice Party: Facebook Ireland Limited) (January 13, 2021). These proceedings related to the PDD issued by the DPC in respect of Section 110 of the DPA 2018 inquiry into Facebook Ireland's data transfers to its US parent company. Mr. Schrems took this judicial review action on the basis that the DPC should be compelled to address only the issues raised in his complaint to the DPC in respect of Facebook Ireland's transatlantic data transfers. Mr. Schrems also argued that the inquiry operated to breach his right to a fair procedure as it had the effect of excluding him from the procedure. These proceedings were settled between the parties subject to an Order for costs being issued by the Court. In a follow-on judgment delivered by the High Court on September 29, 2022, the Court decided that the DPC should pay 80% of Mr. Schrems' costs of his proceedings. The Court deducted 20% of the costs to reflect the fact that Mr. Schrems did not ultimately pursue his claim for an order quashing the DPC's inquiry or for certain other (ancillary) reliefs referred to in his case.

The DPC's own volition inquiry under Section 110 of the DPA 2018 and the complaint-based procedures are being pursued by the parties in tandem.

The DPC circulated the draft decision of its own volition inquiry to the Concerned Supervisory Authorities in July 2022, for the purposes of the co-decision-making process outlined in Article 60 GDPR. In response, a number of Supervisory Authorities raised objections or made comments on the decision. The DPC issued a composite response to the objections in September 2022.  A number of the Concerned Supervisory Authorities maintained their objections. The DPC subsequently triggered the Article 65 dispute resolution process. In April 2023, the EDPB issued its biding decision, and the DPC's final decision was released on 22 May 2023.

2. Scope of Application

2.1. Personal scope

Living natural persons. However, pursuant to Section 27 of the Health Identifiers Act 2014 (as amended), Article 32 of the GDPR applies to a deceased individual's relevant information as it applies to a living individual's relevant information.

2.2. Territorial scope

There are no variations from the GDPR.

2.3. Material scope

There are no variations from the GDPR.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The DPA 2018 established the DPC as Ireland's supervisory authority, for the purpose of Chapter VI of the GDPR. The DPC replaces the previous regulatory body, the Office of the Data Protection Commissioner. All functions previously vested in the Office of the Data Protection Commissioner were transferred to the DPC on the enactment of the DPA 2018.

3.2. Main powers, duties and responsibilities

The core functions of the DPC under the GDPR and the DPA 2018 include:

• regulating controllers' and processors' compliance with data protection legislation;
• receipt of and handling complaints from individuals in relation to potential breaches of their data protection rights;
• conducting inquiries and investigations regarding potential breaches of data protection legislation;
• imposing fines;
• promoting awareness among organizations and the public of the risks, rules, safeguards, and rights in relation to the processing of personal data; and
• cooperating with other EU supervisory authorities on issues such as complaints and alleged infringements involving cross-border processing.

In addition to being the Irish supervisory authority in charge of monitoring the application of the GDPR, the DPC acts as a supervisory authority with respect to the processing of personal data under several additional legal frameworks. These include acting as Ireland's supervisory authority under the Law Enforcement Directive and having certain supervisory and enforcement functions in relation to the processing of personal data in the context of electronic communications under the ePrivacy Regulations.

The DPA 2018 sets out the DPC's enforcement and investigation powers (Part 6, Chapters 2, 4, and 5), together with provisions dealing with administrative fines and criminal offenses (Part 6, Chapters 6 and 7).

Complaints

Chapter 2 of Part 6 of the DPA 2018 deals with the DPC's handling of complaints. Where the DPC considers there to be a reasonable likelihood that a complaint can be resolved amicably by the parties, it may take the steps it considers appropriate to arrange or facilitate an amicable resolution. The DPC has expressed its preference for complaints to be resolved amicably, where possible. If an amicable resolution cannot be achieved in a reasonable time it will take one or more of the following actions:

• reject the complaint;
• dismiss the complaint;
• provide advice to the data subject in respect of their complaint;
• serve an enforcement notice on the relevant controller or processor requiring it to:
  • comply with the data subject's request;
  • communicate a personal data breach to the data subject; and/or
  • rectify or erase personal data or restrict processing; and
• commence an inquiry into the complaint; or
• take such other action as the DPC considers appropriate.

Inquiries

Pursuant to Section 110 of the DPA 2018, the DPC may conduct a complaints-based statutory inquiry, or a statutory inquiry of its own volition, in order to establish whether an infringement of the GDPR or the DPA 2018 has occurred or is taking place. In conducting an inquiry, the DPC can exercise any of its powers under Chapter 4 of Part 6 of the DPA 2018 (other than its power under Section 135) and/or commence an investigation under Chapter 5 of the DPA 2018.

Powers of investigation, audit, and enforcement under Chapter 4 of the DPA 2018

The powers that may be exercised pursuant to Chapter 4 of the DPA 2018 include the appointment of authorized officers, who can exercise a broad range of investigatory powers provided under the DPA 2018 enabling them to gather relevant information and materials (e.g. powers of entry, search, and inspection; powers to remove and retain documents and records and to require information and assistance to be provided in respect of an investigation). Authorized officers may be accompanied by members of the Irish police and may apply for a search warrant to the Irish courts where access to premises is refused.

The DPC or authorized officers may issue information notices requiring a controller or processor to furnish specified information and may issue enforcement notices requiring a controller/processor to take certain steps specified in the notice (Sections 132 and 133 of the DPA 2018). It is an offense to fail to comply with these notices. There is a right to appeal any notice to the High Court within 28 days of receipt of the same.

Section 134 of the DPA 2018 permits the DPC, where it identifies an urgent need to protect data subjects' rights and freedoms under a relevant act or statutory instrument, to make an application to the High Court (which may be ex-parte under Section 134(4) of the DPA) for an order to suspend, restrict, or prohibit the processing of personal data, or the transfer of the same to a third country or to an international organization.

Section 135 of the DPA 2018 gives the DPC the power to require a controller or processor to provide a report on a matter specified by the DPC. Before exercising this power, the DPC must consider whether any other of its powers may be more appropriate in the circumstances, the level of knowledge, expertise, and resources available to the controller or processor, and the likely benefit to the controller or processor of providing the report. These reports must be prepared by an expert 'reviewer', which is either nominated by the controller or processor and approved by the DPC or nominated by the DPC in certain circumstances. The controller or processor must enter into a contract with the reviewer, containing minimum terms prescribed by law, which the DPC may request to see in draft form before its execution such that it can require amendments to the same. The controller or processor must bear the costs of the report and assist the reviewer where reasonably required. It is an offense for any person to obstruct or impede the reviewer's duties under this section or to give false or misleading information to the reviewer.

Powers of investigation under Chapter 5 of the DPA 2018

Further to the DPC's power to commence complaint-based and own-volition inquiries (Section 110), the DPC may exercise its power to conduct an investigation under Chapter 5 of Part 6 of the DPA 2018.

The DPC may direct one or more authorized officers to carry out and report to the DPC on the investigation. Authorized officers can exercise various powers to compel the production of records or documents and require persons to appear before them to produce documents or records and answer questions that may be required under oath. Failure to comply can lead to a court order compelling compliance. However, legal privilege may apply. Authorized officers can, for the purposes of an investigation, conduct an oral hearing. Section 138(12) of the DPA 2018 sets out various offenses, including obstructing an authorized officer, or withholding, destroying, or refusing to provide any information for the purposes of an investigation.

On conclusion of an investigation, the authorized officer will send its draft investigation report to the relevant controller or processor, who will have 28 days to provide written submissions in response. Following this, the investigation report is submitted to the DPC. This report will specify whether or not the authorized officer considers an infringement of data protection laws has occurred or is occurring and provide the grounds for this determination. However, the authorized officer's report cannot contain any recommendation, or express any opinion, as to the corrective power under Chapters 2 or 3 of the DPA 2018 (as applicable). It is for the DPC to make its own determination in this regard. If having considered this investigation report the DPC requires further information in order to make its determination, it may conduct an oral hearing, invite further submissions from the controller or processor, or direct the authorized officer to conduct a further investigation into the matter.

The DPC must give the controller or processor notice of its decision, the reasons for it, and where applicable the corrective power it decides to exercise, which may be an administrative fine and/or another corrective power available under Article 58(2) of the GDPR.

4. Key Definitions

Data controller: There are no national variations from the GDPR.

Data processor: There are no national variations from the GDPR.

Personal data: There are no national variations from the GDPR.

Sensitive data: There are no national variations from the GDPR.

Health data: There are no national variations from the GDPR.

Biometric data: There are no national variations from the GDPR.

Pseudonymization: There are no national variations from the GDPR.

5. Legal Bases

The DPC has published a guidance note on the legal bases for processing personal data for further assistance.

5.1. Consent

There are no national variations from the GDPR.

Please see the section on children's data for information on consent in regard to children. 

5.2. Contract with the data subject

There are no national variations from the GDPR.

5.3. Legal obligations

There are no national variations from the GDPR.

5.4. Interests of the data subject

There are no national variations from the GDPR.

5.5. Public interest

There are no national variations from the GDPR.

5.6. Legitimate interests of the data controller

There are no national variations from the GDPR.

5.7. Legal bases in other instances

Not applicable. 

6. Principles

There are no national variations from the GDPR. However, the DPC has published guidance on the principles of data protection to assist data controllers with compliance with the principles of data protection and to ensure data controllers comply with the requirements of the GDPR and data protection law generally.

There are a number of provisions in the DPA 2018 which are subject to a requirement that 'suitable and specific measures' be taken to safeguard the fundamental rights and freedoms of data subjects in respect of the processing of their personal data. Section 36 of the DPA 2018 sets out a non-exhaustive list of what these 'suitable and specific measures' might look like, and the list includes: explicit consent; strict access credentials; targeted data protection training; strict erasure protocols; and voluntary designation of a data protection officer ('DPO'). Section 36 of the DPA 2018 also provides the Minister for Justice with power to make future regulations identifying additional 'suitable and specific measures', or to specify that a particular measure is mandatory in respect of certain processing.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no requirement for Irish controllers or processors to notify their processing activities to the DPC, or to pay a registration fee to the DPC.

7.2. Data transfers

There are no national variations from the GDPR.

S.I. No. 297/2021 - European Union (Enforcement of data subjects' rights on the transfer of personal data outside the European Union) Regulations 2021 amended the DPA 2018 by providing for an express right on the part of individuals to enforce third-party beneficiary rights conferred on data subjects under BCRs and under standard data protection clauses adopted by the DPC or by a supervisory authority and approved by the European Commission ('Commission'). The amendment to the DPA 2018 also provides for the enforcement of SCCs previously brought forward by the Commission under Data Protection Directive 95/46/EC, as well as the enforcement of contractual clauses authorized by a supervisory authority pursuant to Article 46(3)(a) of the GDPR.

The DPC has published guidance on transfers of personal data to third countries or international organizations.

7.3. Data processing records

There are no national variations from the GDPR.

The DPC has published Records of Processing (Article 30) Guidance intended to assist controllers with compliance with Article 30 of the GDPR.

7.4. Data protection impact assessment

The DPA 2018 does not prescribe national activities subject to prior consultation/authorization.

The DPA 2018 does not vary or further specify the requirements for the conducting of a DPIA.

Pursuant to Article 35(4) of the GDPR, the DPC adopted the DPIA Blacklist ('Blacklist'), which is a non-exhaustive list of the types of processing operations that require a DPIA. This list can also be found in the DPC's Guide to DPIAs.

The Blacklist provides the following types of processing operations requiring a DPIA:

• use of personal data on a large scale for a purpose(s) other than that for which it was initially collected pursuant to Article 6(4) of the GDPR;
• profiling vulnerable persons including children to target marketing or online services at such persons;
• use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects;
• systematically monitoring, tracking, or observing individuals' location or behavior;
• profiling individuals on a large scale;
• processing biometric data to uniquely identify an individual or individuals or enable or allow the identification or authentication of an individual or individuals in combination with any of the other criteria set out in the WP29 DPIA Guidelines;
• processing genetic data in combination with any of the other criteria set out in the WP29 DPIA Guidelines;
• indirectly sourcing personal data where the GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort;
• combining, linking, or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioral analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for different purposes or by different controllers; and
• large-scale processing of personal data where the DPA 2018 requires 'suitable and specific measures' to be taken in order to safeguard the fundamental rights and freedoms of individuals.

The DPC's list is stated to be intended to encompass both national and cross-border data processing and has been approved by the EDPB in the context of processing operations involving the provision of goods and services to individuals or the monitoring of their behavior in several Member States or which may substantially affect the free movement of data within EU.

The DPC has not issued a DPIA Whitelist. However, the Blacklist states that a DPIA is not required where:

• processing operations are not likely to result in a high risk to the rights and freedoms of individuals;
• processing was previously found not to be at risk by a DPIA;
• processing had already been authorized by the DPC;
• processing pursuant to Article 6(1)(c) or (e) of the GDPR already has an existing clear and specific legal basis in EU or Member State law and where a DPIA has already been carried out as part of the establishment of that legal basis as per Article 35(10) of the GDPR;
• performed as part of an impact assessment arising from a public interest basis and where a DPIA was an element of that impact assessment (Art 35(10) of the GDPR); and/or
• where a supervisory authority chooses to enumerate the processing operation in accordance with Article 35(5) of the GDPR.

Moreover, the DPIA Guide outlines the steps involved in carrying out a DPIA, as well as the key stages for a DPIA (pages 14 to 23 of the DPIA Guide).

In addition, the DPC published the Children's Data Processing Guidance which introduces child-specific data protection interpretative principles and recommended measures that will enhance the level of protection afforded to children against the data processing risks posed to them by their use of, or access to, services in both an online and offline world.

7.5. Data protection officer appointment

Appointment of a DPO

The DPA 2018 does not vary the requirements for the appointment of a DPO. Section 34 of the DPA 2018 allows the Minister for Justice to enact further laws, in accordance with Article 37(4) of the GDPR, that would impose a mandatory obligation to designate a DPO for one or more classes of controller, processor, associations, or representative bodies. However, no such further laws have yet been enacted.

For the purpose of Article 37(7) of the GDPR, the appointment of a DPO must be notified to the DPC via an online form, which can be accessed here.

Article 37(5) of the GDPR provides that a DPO 'shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39'. The DPC has issued Guidance on Appropriate Qualifications for a Data Protection Officer ('the Qualification Guidance') on the considerations controllers should take into account when assessing the level of knowledge and qualification which they need to ensure their DPO possesses.

In particular, the DPC's Qualifications Guidance highlights that when assessing the qualifications and level of training required for their DPO, organizations should be aware that there are various training options that may be pursued, including day sessions, online courses, and internationally recognized professional training programs.

The DPC's Qualifications Guidance contains a non-exhaustive list of factors it recommends should be taken into account when selecting the appropriate DPO training program:

• the content and means of the training and assessment;
• whether training leading to certification is required;
• the standing of the accrediting body; and
• whether the training and certification is recognized internationally.

Role/tasks of the DPO

The DPA 2018 has not amended, or added to, the role and tasks of the DPO.

The DPC's website provides a section dedicated to DPOs, which includes various resources and guidance to assist DPOs in understanding the scope and requirements of their role.

7.6. Data breach notification

The DPA 2018 has not varied or provided exemptions in respect of obligations concerning the notification of personal data breaches to the DPC. However, Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 34 of the GDPR (Communication of a personal data breach to the data subject), and Section 162 of the DPA provides circumstances in respect of legal privilege where the rights and obligations provided under Article 34 of the GDPR will not apply.

For the purpose of Article 33(1) of the GDPR, breach notifications must be made to the DPC via an online breach notification form, available here.

The DPC has published a guidance note on personal data breach notifications under the GDPR that is intended to give data controllers some practical advice on how to handle data breaches and navigate the mandatory data breach notification regime. The DPC, in addition, published a guidance note on GDPR breach notifications, which is intended to help controllers better understand their obligations regarding notification and communication requirements covering both notifications to the DPC and to data subjects, where applicable.

Sectoral obligations



In Ireland, there are separate reporting requirements applicable to telecoms/ISP providers under the ePrivacy Regulations.

7.7. Data retention

There are no variations from the GDPR.

7.8. Children's data

Section 29 of the DPA 2018 provides that any references to a 'child' in the GDPR should be taken to refer to a person under the age of 18 years. However, Section 31(1) of the DPA 2018 provides that the digital age of consent for Ireland is 16 years. Therefore, 16 years is the minimum age at which a child may provide their consent to the processing of their personal data in respect of information society services. For the purpose of the application of Article 8 of the GDPR in Ireland the reference in that Article to 'information society services' does not include preventative or counseling services.

Section 33 of the DPA 2018 provides a specific right of erasure for children in respect of personal data collected pursuant to the provision of information society services. It provides that a controller must, in accordance with Article 17 of the GDPR, at the request of a data subject, without undue delay, erase personal data of the data subject where the data has been collected in relation to the offer to that data subject of information society services referred to in Article 8(1) GDPR. This right of erasure will not apply to the extent that the processing is necessary for the purposes set out in Article 17(3) of the GDPR.

Section 30 of the DPA 2018 makes it an offense, punishable by an administrative fine under Section 141 of the DPA 2018, to process the personal data of a child (i.e. a person under the age of 18 years) for the purposes of direct marketing, profiling, or micro-targeting. This provision has not yet entered into effect, as there are concerns in Ireland that this provision conflicts with the GDPR.

Section 32(1) of the DPA 2018 requires the DPC to encourage the development of codes of conduct intended to contribute to the proper application of the GDPR in respect to children's personal data. Section 32(2) of the DPA 2018 provides that for the purpose of considering whether a draft code of conduct or an extension or amendment to an existing code of conduct referred to in Article 40 of the DPA 2018 provides sufficient appropriate safeguards referred to in that Article, the DPC may, where it concerns the application of the GDPR to children, consult with persons it considers appropriate including children, children representative bodies, the holders of parental responsibility, and the Ombudsman for Children. The DPC conducted a nationwide public consultation on the processing of children's personal data and the rights of children as data subjects. Further to this, the DPC published guidance titled Children Front and Centre: Fundamentals for a Child Oriented Approach to Data Processing ('the Fundamentals') to set out the standards that all organizations should follow when collecting and processing children's data. The Fundamentals have operational effects and form the basis for the DPC's approach to supervision, regulation, and enforcement in the area of processing children's personal data.

7.9. Special categories of personal data

Processing for scientific or historical research purposes

Article 9(2)(j) of the GDPR provides that the prohibition on the processing of special categories of personal data does not apply where the processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Section 42 of the DPA 2018 provides that, subject to 'suitable and specific measures' being taken to safeguard the fundamental rights and freedoms of data subjects, personal data may be processed, in accordance with Article 89 for:

• archiving purposes in the public interest;
• statistical purposes; or
• scientific or historical research purposes.

However, this processing must respect the principle of data minimization. If these purposes can be fulfilled by processing that does not, or no longer, identifies a data subject then the processing should be conducted in that way.

Similarly, Section 54 of the DPA 2018 provides that, subject to Section 42 (above), the processing of special categories of personal data is lawful where such processing is necessary and proportionate for:

• archiving purposes in the public interest;
• statistical purposes; or
• scientific or historical research purposes.

Sections 46, 48, 49, 50, 51, 52, 53, and 54 of the DPA 2018 are each subject to 'suitable and specific measures' being taken to safeguard the fundamental rights and freedoms of data subjects in respect of the processing of their personal data (Section 36 of the DPA 2018).

Section 36 of the DPA 2018 sets out a non-exhaustive list of examples of 'suitable and specific measures', and the list includes: explicit consent; strict access credentials; targeted data protection training; strict erasure protocols; and voluntary designation of a DPO. Section 36 of the DPA 2018 also provides the Minister for Justice with the power to make future regulations identifying additional 'suitable and specific measures', or to specify that a particular measure is mandatory in respect of certain processing.

Processing of special categories of personal data

Article 9 of the GDPR gives Member States some flexibility with respect to the lawful bases to legitimize the processing of special categories of personal data. In this regard, the DPA 2018 permits the processing of special categories of personal data in certain circumstances, an overview of which is provided below:

Section 41 of the DPA 2018

Provides for the processing of special categories of personal data for a purpose other than the purpose for which the data was collected if the processing is necessary and proportionate for the purposes:

• of preventing a threat to national security, defense, or public security;
• of preventing, detecting, investigating, or prosecuting criminal offenses; or
• set out in paragraphs (a) or (b) of Section 47 of the DPA 2018.

This section is stated to be without prejudice to the processing of personal data for a purpose other than the purpose for which the data has been collected which is lawful under the GDPR.

Section 46 of the DPA 2018

Permits the processing of special categories of personal data where the processing is necessary for exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.

Section 47 of the DPA 2018

Permits the processing of special categories of personal data where the processing:

• is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings, or prospective legal proceedings; or
• is otherwise necessary for the purposes of establishing, exercising, or defending legal rights.

Section 48 of the DPA 2018

Permits the processing of personal data revealing political opinions where the processing is carried out:

• in the course of electoral activities in Ireland for the purpose of compiling data on people's political opinions by a political party or by a candidate/holder of elective political office in Ireland; and
• by the Referendum Commission in the performance of its functions.

Section 49 of the DPA 2018

Permits the processing of special categories of personal data where the processing respects the essence of the right to data protection and is necessary and proportionate for:

• the administration of justice; or
• the performance of a function conferred on a person by or under an enactment or by the Irish Constitution.

Section 50 of the DPA 2018

Permits the processing of health data where the processing is necessary and proportionate for the purposes of:

• a policy of insurance or life assurance;
• a policy of health insurance or health-related insurance;
• an occupational pension, a retirement annuity contract, or any other pension arrangement; or
• the mortgaging of property.

Section 51 of the DPA 2018

Permits the processing of special categories of personal data and/or data on criminal convictions and offenses pursuant to Article 10 of the GDPR, where necessary for reasons of substantial public interest, if the processing is carried out in accordance with regulations made under Section 51(3) of the DPA 2018.

Section 52 of the DPA 2018

Permits the processing of special categories of personal data where necessary for the purposes set out in Article 9(2)(h) of the GDPR. Section 52(3) of the DPA 2018 identifies the statutory meaning of a 'health practitioner' for the purpose of this Section.

Section 53 of the DPA 2018

Permits the processing of special categories of personal data where necessary for public interest reasons in the area of public health including:

• protecting against serious cross-border threats to health; and
• ensuring high standards of quality and safety of healthcare and medicinal products and medical devices.

Processing of personal data relating to criminal convictions and offenses

Article 10 of the GDPR concerns personal data relating to criminal convictions and offenses, and for the purpose of Section 55 of the DPA 2018, includes personal data relating to the alleged commission of an offence and any proceedings in relation to such an offense.

Section 55 of the DPA 2018 provides that, without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and subject to compliance with Article 6(1) of the DPA 2018 and to 'suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, data on criminal convictions and offenses can be processed:

• under the control of an official authority (e.g. the administration of justice); or
• where:
  • the individual has given explicit consent, except where EU law or the law of an EU Member State prohibits such processing;
  • the processing is necessary and proportionate for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising, or defending legal rights;
  • the processing is necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person; or
  • the processing is permitted by regulations made under Section 55(3) of the DPA 2018 or is otherwise authorized by Irish law.

Section 55(3) of the DPA 2018 provides for a government minister to make regulations in the future concerning the processing of data on criminal convictions, where necessary and proportionate to:

• assess the risk of fraud or prevent fraud;
• assess the risk of bribery or corruption, or both, or to prevent bribery or corruption, or both; or
• ensure network and information systems security as well as prevent attacks on and damage to computer and electronic communications systems.

The relevant Minister must consult with the DPC before enacting any regulations pursuant to this Section.

Section 55(8) of the DPA 2018 introduces a criminal offense for knowingly or recklessly contravening Section 55 or regulations made under Section 55(3).

7.10. Controller and processor contracts

There are no national variations from the GDPR however, the DPC has published guidance on controller-processor contracts which outlines in brief the context of the obligation on controllers and processors to enter into a data processing contract under the GDPR when they need to enter into a data processing contract, and the minimum provisions which should be included in such a contract.

8. Data Subject Rights

Section 60 of the DPA 2018 provides that the rights and obligations provided for under Articles 12 to 22 and Article 34 of the GDPR, and Article 5 of the GDPR insofar as any of its provisions correspond to the rights and obligations under Articles 12 to 22 of the GDPR are restricted in certain circumstances.

Section 60(3) of the DPA 2018 provides for such restriction of rights and obligations to the extent that:

• the restrictions are necessary and proportionate:
  • to safeguard cabinet confidentiality, parliamentary privilege, national security, defense, and the international relations of the State;
  • for the prevention, detection, investigation, and prosecution of criminal offenses and the execution of criminal penalties;
  • for the administration of any tax, duty, or other money due or owing to the State or local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration;
  • in contemplation of or for the establishment, exercise, or defense of, a legal claim, prospective legal claim, legal proceedings, or prospective legal proceedings whether before a court, statutory tribunal, statutory body, or an administrative or out-of-court procedure;
  • for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation, or other liabilities, or debts related to the claim; or
  • for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim;
• personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information; or
• personal data concerned are kept:
  • by the DPC for the performance of its functions;
  • by the Information Commissioner for the performance of their functions; or
  • by the Comptroller and Auditor General for the performance of their functions.

Section 60(5) of the DPA 2018 provides that a Minister of the Government may enact regulations restricting these rights and obligations where it considers it necessary for the protection of a data subject or the rights and freedoms of others:

• if the application of those rights and obligations would be likely to cause serious harm to the physical or mental health of the data subject and to the extent to which, and for as long as such application would be likely to cause such serious harm; and
• in relation to personal data kept for, or obtained in the course of, the carrying out of social work by a public authority, public body, voluntary organization, or other body.

Section 60(6) of the DPA 2018 provides that a Minister of the Government may enact regulations restricting these rights and obligations where the restrictions are necessary for the purposes of safeguarding important objectives of general public interest and these regulations will include, where appropriate, specific provisions required by Article 23(2) of the GDPR. The relevant Minister must consult with the DPC before enacting any regulations pursuant to Sections 60(5) or 60(6) of the DPA 2018.

The Minister for Enterprise, Trade, and Employment has passed Regulations that permit the restriction of data subjects' rights under Articles 12 to 22 and Article 34 of the GDPR, and controllers' obligations under Article 5 GDPR, to the extent necessary and proportionate to allow the Irish Auditing and Accounting Supervisory Authority, Corporate Enforcement Authority and Competition and Consumer Protection Commission to carry out certain statutory functions vested in them.  For example, where the exercise of the data protection right may interfere with the prevention, detection, or investigation of breaches of applicable law, or where disclosure may prejudice the achievement of a relevant objective.

Scientific or historical research purposes or statistical purposes

Section 61(1) of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest, the rights provided under Articles 15, 16, 18, 19, 20, and 21 of the GDPR are restricted to the extent that:

• the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes; and
• such restriction is necessary for the fulfillment of those purposes.

Section 61(2) of the DPA 2018 provides that where personal data is processed for scientific or historical research purposes or statistical purposes, the rights provided under Articles 15, 16, 18, and 21 of the GDPR are restricted to the extent that:

• the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes; and
• such restriction is necessary for the fulfillment of those purposes.

Legal privilege

In respect of legal privilege, Section 162 of the DPA 2018 provides that the rights and obligations provided for under Articles 12 to 22 and 34 of the GDPR, and Article 5 insofar as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of the GDPR, do not apply:

• to personal data processed for the purpose of seeking, receiving, or giving legal advice;
• to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and their legal advisers or between those advisers; or
• where the exercise of such rights or performance of such obligations would constitute contempt of court.

Academic, artistic, or literary expression

Article 85 of the GDPR requires Member States to reconcile the right to the protection of personal data pursuant to GDPR with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic, or literary expression. In this regard, Section 43 of the DPA 2018 provides an exemption from compliance with specific provisions of the GDPR (set out in Section 43(2) of the DPA 2018) where compliance with those provisions would be incompatible with the right of freedom of expression and information.

Section 44 of the DPA 2018 makes access to personal data in official records dependent on a prior grant of access under freedom of information or environmental legislation. Section 56 of the DPA 2018 governs the right of access to examination scripts and results. Section 59 of the DPA 2018 restricts an objection to processing for election purposes and by the Referendum Commission Ireland.

8.1. Right to be informed

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Articles 13 and 14 of the GDPR.

Section 162 of the DPA 2018 deals with legal privilege.

8.2. Right to access

Section 56 of the DPA 2018 deals with the right of access to results and scripts of examination and results of an appeal.

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 15 of the GDPR (right of access).

Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 15 of the GDPR may be restricted if the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and such restriction is necessary for the fulfilment of those purposes.

Section 162 of the DPA 2018 deals with legal privilege.

The DPC has published FAQs on data subject access requests which, answer some of the most frequently asked questions by both individuals who are seeking copies of their personal data, as well as controllers who are struggling to deal with the access requests they are receiving. The DPC has published guidance on the handling of subject access requests entitled Subject Access Requests: A Data Controller's Guide. This highlights the DPC's expectation of a high standard of compliance in respect of a controller's handling of data subject access requests, particularly with respect to response times. This guidance follows the EDPBs Guidelines 01/2022 on data subject rights - Right of access. Also, the DPC has provided guidance on the redaction of documents and records.

S.I. No. 121 of 2022 Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 regulate subject access to health data where the application of that right would be likely to cause serious harm to the physical or mental health of the data subject but only to the extent to which, and only for as long as, such application would be likely to cause such harm.

8.3. Right to rectification

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 16 of the GDPR (right to rectification).

Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 16 of the GDPR may be restricted if the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and such restriction is necessary for the fulfillment of those purposes.

Section 162 of the DPA 2018 deals with legal privilege.

8.4. Right to erasure

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 17 of the GDPR (right to erasure). Section 162 of the DPA 2018 deals with legal privilege.

In relation to the right to erasure for children please see the section above on children's data. 

8.5. Right to object/opt-out

Section 59 of the DPA 2018 includes a restriction on the right of data subjects to object to processing for election purposes and processing by the Referendum Commission. Section 58 of the DPA 2018 provides that for the application of Article 21 GDPR in Ireland, the reference to 'direct marketing' includes a reference to direct mailing except direct mailing carried out:

• in the course of electoral activities in Ireland by:
  • a political party or its members; or
  • a candidate for election to, or a holder of, elective political office in Ireland; and
• by the Referendum Commission in the performance of its functions.

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 21 of the GDPR (right to object).

Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 21 of the GDPR may be restricted if the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and such restriction is necessary for the fulfillment of those purposes.

Section 162 of the DPA 2018 deals with legal privilege.

8.6. Right to data portability

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 20 of the GDPR (data portability).

Section 61(1) of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest, the individual's rights under Article 20 of the GDPR may be restricted if:

• the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and
• such restriction is necessary for the fulfillment of those purposes.

Section 162 of the DPA 2018 deals with legal privilege.

8.7. Right not to be subject to automated decision-making

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 22 of the GDPR (automated individual decision-making, including profiling).

Section 57 of the DPA 2018 supplements Article 22(2)(b) of the GDPR. It provides that, subject to Article 22(4) of the GDPR and to 'suitable and specific measures' to safeguard the fundamental rights and freedoms of the data subject, for the purposes of Article 22(2)(b) of the GDPR, the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them shall, in addition to the grounds identified in Article 22(2)(a) and (c) of the GDPR, not apply where:

• the decision is authorized or required by or under an enactment; and
• either:
  • the effect of that decision is to grant the request of the data subject; or
  • in all other cases where Article 22(1) of the GDPR is not applicable, adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject which steps shall include the making of arrangements to enable them to:
    • make representations to the controller in relation to the decision;
    • request human intervention in the decision-making process; and
    • request to appeal the decision.

Section 162 of the DPA 2018 deals with legal privilege.

8.8. Other rights

Right to restrict processing

Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 18 of the GDPR (right to restriction of processing).

Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest, or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 18 of the GDPR may be restricted if:

• the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and
• such restriction is necessary for the fulfillment of those purposes.

Section 162 of the DPA 2018 deals with legal privilege.

9. Penalties

Administrative fines

Chapter 6 of Part 6 of the DPA 2018 deals with the power of the DPC to impose administrative fines. Section 141(1) of the DPA 2018 provides that when considering whether to impose an administrative fine, the DPC must act in accordance with Article 83 of the GDPR.

Under Section 142 of the DPA 2018, a DPC decision to impose an administrative fine may be appealed to the Circuit Court (if the fine does not exceed €75,000) or the High Court within 28 days. On hearing an appeal, the Court may confirm the decision, replace it with another decision that it considers just and appropriate, or annul the decision. Ireland has availed of the power granted by Article 83(7) of the GDPR to decide on the extent of administrative fines to be imposed on public authorities. Section 141(4) of the DPA 2018 sets the maximum amount of an administrative fine on a controller or a processor that is a public authority or a public body at €1 million. The limit does not, however, apply where a public authority or public body is acting as an undertaking within the meaning of the Irish Competition Act 2002.

Criminal offenses

A number of the principal offenses contained in the DPA 2018 are provided below.

The maximum criminal penalty for summary offenses under the DPA 2018 is €5,000 and/or 12 months imprisonment. Indictable offenses are prosecuted in the Circuit Court or Central Criminal Court and carry a maximum penalty of €250,000 and/or five years imprisonment, depending on the offense.

Section 149 of the DPA 2018 requires the DPC to publish details of:

• any convictions for offenses under the DPA 2018;
• court orders made under Section 134 for the suspension, restriction, or prohibition of the processing; or
• its imposition of administrative fines; or any orders made for the suspension of cross-border transfers.

The DPC may choose to publish details regarding the exercise of its other corrective powers under Article 58(2). Further, the DPC may choose, in the public interest, to publish reports required under Section 135 of the DPA 2018, and reports of investigations or audits carried out, or other functions performed, by the DPC.

9.1 Enforcement decisions

The DPC publishes enforcement decisions here, and the notable are as follows:

In August 2021, the DPC issued WhatsApp Ireland Limited., ('WhatsApp') with an administrative fine in respect of WhatsApp's breach of transparency requirements under Articles 12-14 of GDPR. A fine in the region of €30–50 million was originally proposed but following referral of the case to the EDPB, the figure was uplifted to €225 million. In addition to the imposition of an administrative fine, the DPC imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.

On October 18, 2021, the DPC's decision to impose an administrative fine on Twitter International Company was confirmed by the Irish courts. The application to confirm the decision to impose an administrative fine of €450,000 was made pursuant to Section 143 of the Data Protection Act 2018. This decision concerned Twitter's compliance with its obligations under the GDPR in respect of a breach notification. The DPC found that Twitter had infringed Articles 33(1) and (5) of the GDPR by not notifying the DPC of the breach on time and by failing to adequately document the breach.

On March 15, 2022, the DPC adopted a decision regarding Meta Platforms Ireland Limited., ('Meta Platforms'), imposing a fine of €17 million on Meta Platforms (formerly Facebook Ireland Limited). The decision followed an inquiry by the DPC into a series of 12 data breach notifications it received in the six-month period between June 7, 2018 and December 4, 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of Articles 5(1)(f), 5(2), 24(1), and 32(1) of the GDPR, in relation to the processing of personal data relevant to the 12 breach notifications. As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) of the GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the 12 personal data breaches. The processing under examination constituted 'cross-border' processing, therefore the DPC's decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.

On September 2, 2022, the DPC adopted its decision regarding the Instagram social network service imposing a fine on Instagram of €405 Million in which the DPC reprimanded Instagram for failures to adequately safeguard the rights of child users of the Instagram social networking service whilst processing their personal data.

In November 2022, the DPC announced that it had submitted a draft decision in an inquiry into Yahoo! EMEA Limited (Yahoo!) to other European supervisory authorities. The DPC highlighted that the inquiry centered around Yahoo!'s compliance with its obligations under Articles 5(1)(a), 12, 13, and 14 of the GDPR in the context of its products and services across the EU. The inquiry also concerns the compliance of Yahoo!’s cookie banners displayed on its media properties.

On November 25, 2022, the DPC announced its decision to impose a fine of €265 million on Meta Platforms as well as a range of corrective measures on the company. An inquiry was commenced by the DPC in April 2021 after reports emerged in the media about the discovery of a collated dataset of Facebook personal data being made available on the internet. The inquiry concerned Meta Platforms’ compliance with its obligation under Article 25 GDPR for Data Protection by Design and Default and investigated Meta Platforms' implementation of technical and organizational measures in this regard. The inquiry concluded that Meta Platforms was in breach of its obligations under Articles 25(1) and 25(2) GDPR, and imposed the administrative fine of €265 million, a reprimand, and an order requiring Meta Platforms to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

In December 2023 the DPC imposed fines amounting to €390 million on Meta Platforms in connection with the delivery of its Facebook and Instagram services. These decisions arose from complaints as to how Meta processed users' personal data, particularly for the purposes of behavioral advertising. Other concerned EU supervisory authorities agreed with the DPC's analysis of Meta Ireland's failings in respect of transparency, signifying that a robust approach to transparency is likely to be taken by supervisory authorities across the EU.

On January 12, 2023, the DPC adopted its decision in respect of the processing carried out by WhatsApp in connection with the delivery of its service. The DPC's decision includes findings that WhatsApp is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as 'IT security') for the WhatsApp service, and that its processing of such data to-date, in purported reliance on the contract legal basis, amounts to a contravention of Article 6(1) of the GDPR. The DPC has imposed an administrative fine of €5.5 million on WhatsApp Ireland and ordered that WhatsApp Ireland must bring its processing operations into compliance with the GDPR within a period of six months.