Ireland - Data Protection Overview

July 2022

1. Governing Texts

The Data Protection Act 2018 ('DPA 2018') gives further effect to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Data Protection Commission ('DPC') is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority responsible for monitoring the application of the GDPR, and it has functions and powers related to other important regulatory frameworks, including the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011) ('ePrivacy Regulations') and the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) ('Law Enforcement Directive'). The DPC is very active in respect of its complaint-handling and enforcement functions.

1.1. Key acts, regulations, directives, bills

The GDPR, as implemented by the DPA 2018, is the principal data protection legislation in Ireland. The DPA 2018 serves to repeal the Data Protection Act, 1988, and the Data Protection (Amendment) Act, 2003, except for provisions relating to the processing of personal data for the purposes of national security, defence, and international relations of the State. The collective citation is 'the Data Protection Acts 1988 to 2018'.

The DPA 2018 transposes the Law Enforcement Directive which regulates the processing of personal data by law enforcement. There are also other Irish laws (including sectoral specific legislation) that impact data protection. However, this Note does not cover these laws, but instead focuses on the Irish derogations, as contained in the DPA 2018, which are permitted under the GDPR.

1.2. Guidelines

The DPC provides information and guidance for individuals and organisations on its website, including the following:

The annual reports and case studies, published by the DPC, are also helpful to understand the DPC's current and planned activities, and its approach to its regulation of specific areas of compliance.

Furthermore, the European Data Protection Board ('EDPB') has published the following Opinion for Ireland:

1.3. Case law

The DPC provides access to written judgments where it was a party to the proceedings. Noteworthy decisions include:

Facebook Ireland Limited v Data Protection Commissioner (2020 No. 126 COM). Further to the decision of the CJEU in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') the DPC initiated an own volition inquiry under Section 110 of the DPA 2018, examining the lawfulness of data transfers by Facebook Ireland Limited using Standard Contractual Clauses ('SCCs') when transferring data to Facebook Inc. in the United States. The DPC issued a Preliminary Draft Decision ('PDD') to Facebook Ireland on 28 August 2020. In response, Facebook Ireland issued judicial review proceedings against the DPC, claiming the DPC was not entitled to commence the inquiry by way of the PDD and that the PDD was in effect a premature judgment of the DPC. Ultimately, it was held that Facebook Ireland had not identified any material unfairness in the DPC's procedure to issue a PDD and their application for judicial review was dismissed, with Facebook ordered to pay 90% of the DPC's costs as well as those of Mr Schrems as a Notice Party.

2020/707 JR / (2020/146 COM) Maximilian Schrems v Data Protection Commission (Notice Party: Facebook Ireland Limited) (Date of Order/Judgment – 13 January 2021). These proceedings related to the PDD issued by the DPC in respect of its S110 inquiry into Facebook Ireland's data transfers to its US parent. Mr Schrems took this judicial review action on the basis that the DPC should be compelled to address only the issues raised in his complaint to the DPC in respect of Facebook Ireland's transatlantic data transfers. Mr Schrems also argued that the inquiry operated to breach his right to a fair procedure as it had the effect of excluding him from the procedure. These proceedings were settled between the parties subject to an Order for costs being issued by the Court. The S110 inquiry and complaint-based procedures are being pursued by the parties in tandem.

2. Scope of Application

2.1. Personal scope

Living natural persons. However, pursuant to Section 27 of the Health Identifiers Act 2014 (as amended), Article 32 of the GDPR applies to a deceased individual's relevant information as it applies to a living individual's relevant information.

2.2. Territorial scope

There are no variations from the GDPR.

2.3. Material scope

There are no variations from the GDPR.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The DPA 2018 established the DPC as Ireland's supervisory authority, for the purpose of Chapter VI of the GDPR. The DPC replaces the previous regulatory body, the Office of the Data Protection Commissioner. All functions previously vested in the Office of the Data Protection Commissioner were transferred to the DPC on the enactment of the DPA 2018.

3.2. Main powers, duties and responsibilities

The core functions of the DPC under the GDPR and the DPA 2018 include:

  • regulating controllers' and processors' compliance with data protection legislation;
  • receipt of and handling complaints from individuals in relation to potential breaches of their data protection rights;
  • conducting inquiries and investigations regarding potential breaches of data protection legislation;
  • imposing fines;
  • promoting awareness among organisations and the public of the risks, rules, safeguards, and rights in relation to processing of personal data; and
  • cooperating with other EU supervisory authorities on issues such as complaints and alleged infringements involving cross-border processing.

In addition to being the Irish supervisory authority in charge of monitoring the application of the GDPR, the DPC acts as a supervisory authority in respect to the processing of personal data under several additional legal frameworks. These include acting as Ireland's supervisory authority under the Law Enforcement Directive and having certain supervisory and enforcement functions in relation to the processing of personal data in the context of electronic communications under the ePrivacy Regulations.

The DPA 2018 sets out the DPC's enforcement and investigation powers (Part 6, Chapters 2, 4, and 5), together with provisions dealing with administrative fines and criminal offences (Part 6, Chapters 6 and 7).

Complaints

Chapter 2 of Part 6 of the DPA 2018 deals with the DPC's handling of complaints. Where the DPC considers there to be a reasonable likelihood that a complaint can be resolved amicably by the parties, it may take the steps it considers appropriate to arrange or facilitate an amicable resolution. The DPC has expressed its preference for complaints to be resolved amicably, where possible. If an amicable resolution cannot be achieved in a reasonable time it will take one or more of the following actions:

  • reject the complaint;
  • dismiss the complaint;
  • provide advice to the data subject in respect of their complaint;
  • serve an enforcement notice on the relevant controller or processor requiring it to:
    • comply with the data subject's request;
    • communicate a personal data breach to the data subject; and/or
    • rectify or erase personal data or restrict processing; and
  • commence an inquiry into the complaint; or
  • take such other action as the DPC considers appropriate.

Inquiries

Pursuant to Section 110 of the DPA 2018, the DPC may conduct a complaints-based statutory inquiry, or a statutory inquiry on its own volition, in order to establish whether an infringement of the GDPR or the DPA 2018 has occurred or is taking place. In conducting an inquiry, the DPC can exercise any of its powers under Chapter 4 of Part 6 of the DPA 2018 (other than its power under Section 135) and/or commence an investigation under Chapter 5 of the DPA 2018.

Powers of investigation, audit, and enforcement under Chapter 4 of the DPA 2018

The powers that may be exercised pursuant to Chapter 4 of the DPA 2018 include the appointment of authorised officers, who can exercise a broad range of investigatory powers provided under the DPA 2018 enabling them to gather relevant information and materials (e.g. powers of entry, search, and inspection; powers to remove and retain documents and records; and powers to require information and assistance to be provided in respect of an investigation). Authorised officers may be accompanied by members of the Irish police and may apply for a search warrant to the Irish courts where access to premises is refused.

The DPC or authorised officers may issue information notices requiring a controller or processor to furnish specified information and may issue enforcement notices requiring a controller/processor to take certain steps specified in the notice (Sections 132 and 133 of the DPA 2018). It is an offence to fail to comply with these notices. There is a right to appeal any notice to the High Court within 28 days of receipt of the same.

Section 134 of the DPA 2018 permits the DPC, where it identifies an urgent need to protect data subjects' rights and freedoms under a relevant act or statutory instrument, to make an application to the High Court (which may be ex-parte under Section 134(4) of the DPA) for an order to suspend, restrict, or prohibit the processing of personal data, or the transfer of the same to a third country or to an international organisation.

Section 135 of the DPA 2018 gives the DPC the power to require a controller or processor to provide a report on a matter specified by the DPC. Before exercising this power, the DPC must consider whether any other of its powers may be more appropriate in the circumstances, the level of knowledge, expertise, and resources available to the controller or processor, and the likely benefit to the controller or processor of providing the report. These reports must be prepared by an expert 'reviewer', which is either nominated by the controller or processor and approved by the DPC or nominated by the DPC in certain circumstances. The controller or processor must enter into a contract with the reviewer, containing minimum terms prescribed by law, which the DPC may request to see in draft form before its execution such that it can require amendments to the same. The controller or processor must bear the costs of the report and assist the reviewer where reasonably required. It is an offence for any person to obstruct or impede the reviewer's duties under this section or to give false or misleading information to the reviewer.

Powers of investigation under Chapter 5 of the DPA 2018

Further to the DPC's power to commence complaint-based and own volition inquiries (Section 110), the DPC may exercise its power to conduct an investigation under Chapter 5 of Part 6 of the DPA 2018.

The DPC may direct one or more authorised officers to carry out and report to the DPC on the investigation. Authorised officers can exercise various powers to compel production of records or documents and require persons to appear before them to produce documents or records and answer questions which may be required under oath. Failure to comply can lead to a court order compelling compliance. However, legal privilege may apply. Authorised officers can, for the purposes of an investigation, conduct an oral hearing. Section 138(12) of the DPA 2018 sets out various offences, including obstructing an authorised officer, or withholding, destroying, or refusing to provide any information for the purposes of an investigation.

On conclusion of an investigation the authorised officer will send its draft investigation report to the relevant controller or processor, who will have 28 days to provide written submissions in response. Following this, the investigation report is submitted to the DPC. This report will specify whether or not the authorised officer considers an infringement of data protection laws has occurred or is occurring and provide the grounds for this determination. However, the authorised officer's report cannot contain any recommendation, or express any opinion, as to the corrective power under Chapters 2 or 3 of the DPA 2018 (as applicable). It is for the DPC to make its own determination in this regard. If having considered this investigation report the DPC requires further information in order to make its determination, it may conduct an oral hearing, invite further submissions from the controller or processor, or direct the authorised officer to conduct a further investigation into the matter.

The DPC must give the controller or processor notice of its decision, the reasons for it, and where applicable the corrective power it decides to exercise, which may be an administrative fine and/or another corrective power available under Article 58(2) of the GDPR.

4. Key Definitions

Data controller: There are no national variations from the GDPR.

Data processor: There are no national variations from the GDPR.

Personal data: There are no national variations from the GDPR.

Sensitive data: There are no national variations from the GDPR.

Health data: There are no national variations from the GDPR.

Biometric data: There are no national variations from the GDPR.

Pseudonymisation: There are no national variations from the GDPR.

5. Legal Bases

The DPC has published a guidance note on the legal bases for processing personal data for further assistance.

5.1. Consent

There are no national variations from the GDPR.

Please see section on Children's data for information on consent in regard to children. 

5.2. Contract with the data subject

There are no national variations from the GDPR.

5.3. Legal obligations

There are no national variations from the GDPR.

5.4. Interests of the data subject

There are no national variations from the GDPR.

5.5. Public interest

There are no national variations from the GDPR.

5.6. Legitimate interests of the data controller

There are no national variations from the GDPR.

5.7. Legal bases in other instances

Not applicable. 

    6. Principles

    There are no national variations from the GDPR. However, the DPC has published guidance on the principles of data protection to assist data controllers with compliance with the principles of data protection and to ensure data controllers comply with the requirements of the GDPR and data protection law generally.

    There are a number of provisions in the DPA 2018 which are subject to a requirement that 'suitable and specific measures' be taken to safeguard the fundamental rights and freedoms of data subjects in respect of the processing of their personal data. Section 36 of the DPA 2018 sets out a non-exhaustive list of what these 'suitable and specific measures' might look like, and the list includes: explicit consent; strict access credentials; targeted data protection training; strict erasure protocols; and voluntary designation of a data protection officer ('DPO'). Section 36 of the DPA 2018 also provides the Minister for Justice with power to make future regulations identifying additional 'suitable and specific measures', or to specify that a particular measure is mandatory in respect of certain processing.

    7. Controller and Processor Obligations

    7.1. Data processing notification

    There is no requirement for Irish controllers or processors to notify their processing activities to the DPC, or to pay a registration fee to the DPC.

    7.2. Data transfers

    There are no national variations from the GDPR.

    S.I. No. 297/2021 - European Union (Enforcement of data subjects' rights on transfer of personal data outside the European Union) Regulations 2021 amended the DPA 2018 by providing for an express right on the part of individuals to enforce third party beneficiary rights conferred on data subjects under BCRs and under standard data protection clauses adopted by the DPC or by a supervisory authority and approved by the European Commission ('Commission'). The amendment to the DPA 2018 also provides for the enforcement of SCCs previously brought forward by the Commission under Data Protection Directive 95/46/EC, as well as the enforcement of contractual clauses authorised by a supervisory authority pursuant to Article 46(3)(a) of the GDPR.

    7.3. Data processing records

    There are no national variations from the GDPR.

    7.4. Data protection impact assessment

    The DPA 2018 does not prescribe national activities subject to prior consultation/authorisation.

    The DPA 2018 does not vary or further specify the requirements for the conducting of a DPIA.

    Pursuant to Article 35(4) of the GDPR, the DPC adopted the DPIA Blacklist ('Blacklist'), which is a non-exhaustive list of the types of processing operations that require a DPIA. This list can be found in the DPC's Guide to DPIA's.

    The Blacklist provides the following types of processing operations requiring a DPIA:

    • use of personal data on a large-scale for a purpose(s) other than that for which it was initially collected pursuant to Article 6(4) of the GDPR;
    • profiling vulnerable persons including children to target marketing or online services at such persons;
    • use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects;
    • systematically monitoring, tracking or observing individuals' location or behaviour;
    • profiling individuals on a large-scale;
    • processing biometric data to uniquely identify an individual or individuals or enable or allow the identification or authentication of an individual or individuals in combination with any of the other criteria set out in the Guidelines;
    • processing genetic data in combination with any of the other criteria set out in the Guidelines;
    • indirectly sourcing personal data where the GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort;
    • combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for different purposes or by different controllers; and
    • large scale processing of personal data where the Act requires 'suitable and specific measures' to be taken in order to safeguard the fundamental rights and freedoms of individuals.

    The DPC's list is stated to be intended to encompass both national and cross-border data processing, and has been approved by the EDPB in the context of processing operations involving the provision of goods and services to individuals or the monitoring of their behaviour in several Member States or which may substantially affect the free movement of data within the EU.

    The DPC has not issued a DPIA Whitelist. However, the Blacklist states that a DPIA is not required where:

    • processing operations do not result in a high risk to the rights and freedoms of individuals;
    • processing was previously found not to be at risk by a supervisory authority;
    • processing had already been authorised by the DPC;
    • processing pursuant to Article 6(1)(c) and (e) of the GDPR already has an existing clear and specific legal basis in EU or Member State law and where a DPIA has already been carried out as part of the establishment of that legal basis as per Article 35(10) of the GDPR;
    • performed as part of an impact assessment arising from a public interest basis and where a DPIA was an element of that impact assessment (Art 35(10) of the GDPR); and/or
    • where a supervisory authority chooses to enumerate the processing operation in accordance with Article 35(5) of the GDPR.

    Moreover, the DPIA Guide outlines the steps involved in carrying out a DPIA, as well as the key stages for a DPIA (pages 14 to 23 of the DPIA Guide).

    In addition, the DPC published guidance on fundamentals for a child-oriented approach to data processing, which introduces child-specific data protection interpretative principles and recommended measures that will enhance the level of protection afforded to children against the data processing risks posed to them by their use of, or access to, services in both an online and offline world.

    7.5. Data protection officer appointment

    Appointment of a DPO

    The DPA 2018 does not vary the requirements for the appointment of a DPO. Section 34 of the DPA 2018 allows the Minister for Justice to enact further laws, in accordance with Article 37(4) of the GDPR, that would impose a mandatory obligation to designate a DPO for one or more classes of controller, processor, associations, or representative bodies. However, no such further laws have yet been enacted.

    For the purpose of Article 37(7) of the GDPR, the appointment of a DPO must be notified to the DPC via an online form, which can be accessed here.

    Article 37(5) of the GDPR provides that a DPO 'shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39'. The DPC has issued Qualifications Guidance on the considerations controllers should take into account when assessing the level of knowledge and qualification which they need to ensure their DPO possesses.

    In particular, the DPC highlighted that when assessing the qualifications and level of training required for their DPO, organisations should be aware that there are various training options that may be pursued, including day sessions, online courses, and internationally recognised professional training programmes (the Qualifications Guidance and the DPO Guidance).

    The DPC has produced a non-exhaustive list of factors it recommends should be taken into account when selecting the appropriate DPO training programme (the Qualifications Guidance and the DPO Guidance):

    • the content and means of the training and assessment;
    • whether training leading to certification is required;
    • the standing of the accrediting body; and
    • whether the training and certification is recognised internationally.

    Role/tasks of the DPO

    The DPA 2018 has not amended, or added to, the role and tasks of the DPO.

    7.6. Data breach notification

    The DPA 2018 has not varied or provided exemptions in respect of obligations concerning the notification of personal data breaches.

    For the purpose of Article 33(1) of the GDPR, breach notifications must be made to the DPC via an online breach notification form, available here.

    The DPC has published a guidance note on personal data breach notifications under the GDPR that is intended to give data controllers some practical advice on how to handle data breaches and navigate the mandatory data breach notification regime. The DPC, in addition, published a guidance note on GDPR breach notifications, which is intended to help controllers better understand their obligations regarding notification and communication requirements covering both notifications to the DPC and to data subjects, where applicable.

    Sectoral obligations

    In Ireland, there are separate reporting requirements applicable to telecoms/ISP providers under the ePrivacy Regulations.

    7.7. Data retention

    There are no variations from the GDPR.

    7.8. Children's data

    Section 29 of the DPA 2018 provides that any references to a 'child' in the GDPR should be taken to refer to a person under the age of 18 years. However, Section 31(1) of the DPA 2018 provides that the digital age of consent for Ireland is 16 years. Therefore, 16 years is the minimum age at which a child may provide their consent to the processing of their personal data in respect of information society services. Section 31(3) of the DPA 2018 requires that the Government of Ireland ('the Government') must begin a review of the operation of this provision not later than May 2021, and this review must be concluded within one year. For the purpose of the application of Article 8 of the GDPR in Ireland the reference in that Article to 'information society services' does not include preventative or counselling services.

    Section 33 of the DPA 2018 provides a specific right of erasure for children in respect of personal data collected pursuant to the provision of information society services. It provides that a controller must, in accordance with Article 17 of the GDPR, at the request of a data subject, without undue delay, erase personal data of the data subject where the data has been collected in relation to the offer to that data subject of information society services referred to in Article 8(1) GDPR. This right of erasure will not apply to the extent that the processing is necessary for the purposes set out in Article 17(3) of the GDPR.

    Section 30 of the DPA 2018 makes it an offence, punishable by an administrative fine under Section 141 of the DPA 2018, to process the personal data of a child (i.e. a person under the age of 18 years) for the purposes of direct marketing, profiling, or micro-targeting. This provision has not yet entered into effect, as there are concerns in Ireland that this provision conflicts with the GDPR.

    Section 32(1) of the DPA 2018 requires the DPC to encourage the development of codes of conduct intended to contribute to the proper application of the GDPR in respect of children's personal data. Section 32(2) of the DPA 2018 provides that for the purpose of considering whether a draft code of conduct or an extension or amendment to an existing code of conduct referred to in Article 40 of the DPA 2018 provides sufficient appropriate safeguards referred to in that Article, the DPC may, where it concerns the application of the GDPR to children, consult with persons it considers appropriate including children, children's representative bodies, the holders of parental responsibility, and the Ombudsman for Children. The DPC conducted a nation-wide public consultation on the processing of children's personal data and the rights of children as data subjects. Further to this, the DPC published guidance titled Children Front and Centre: Fundamentals for a Child Oriented Approach to Data Processing ('the Fundamentals') to set out the standards that all organisations should follow when collecting and processing children's data. The Fundamentals have operational effect and form the basis for the DPC's approach to supervision, regulation, and enforcement in the area of processing of children's personal data.

    7.9. Special categories of personal data

    Processing for scientific or historical research purposes

    Article 9(2)(j) of the GDPR provides that the prohibition on the processing of special categories of personal data does not apply where the processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

    Section 42 of the DPA 2018 provides that, subject to 'suitable and specific measures' being taken to safeguard the fundamental rights and freedoms of data subjects, personal data may be processed, in accordance with Article 89 for:

    • archiving purposes in the public interest;
    • statistical purposes; or
    • scientific or historical research purposes.

    However, this processing must respect the principle of data minimisation. If these purposes can be fulfilled by processing that does not, or no longer, identifies a data subject then the processing should be conducted in that way.

    Similarly, Section 54 of the DPA 2018 provides that, subject to Section 42 (above), the processing of special categories of personal data is lawful where such processing is necessary and proportionate for:

    • archiving purposes in the public interest;
    • statistical purposes; or
    • scientific or historical research purposes.

    Sections 46, 48, 49, 50, 51, 52, 53, and 54 of the DPA 2018 are each subject to 'suitable and specific measures' being taken to safeguard the fundamental rights and freedoms of data subjects in respect of the processing of their personal data (Section 36 of the DPA 2018).

    Section 36 of the DPA 2018 sets out a non-exhaustive list of what these 'suitable and specific measures' might look like, and the list includes: explicit consent; strict access credentials; targeted data protection training; strict erasure protocols; and voluntary designation of a DPO. The Minister for Justice has power to make future regulations identifying additional 'suitable and specific measures', or to specify that a particular measure is mandatory in respect of certain processing (Section 36 of the DPA 2018).

    Processing of special categories of personal data

    Article 9 of the GDPR gives Member States some flexibility with respect to the lawful bases to legitimise the processing of special categories of personal data. In this regard, the DPA 2018 permits the processing of special categories of personal data in certain circumstances, an overview of which is provided below:

    Section 41 of the DPA 2018

    Provides for the processing of special categories of personal data for a purpose other than the purpose for which the data was collected if the processing is necessary and proportionate for the purposes:

    • of preventing a threat to national security, defence, or public security;
    • of preventing, detecting, investigating, or prosecuting criminal offences; or
    • set out in paragraphs (a) or (b) of Section 47 of the DPA 2018.

    This section is stated to be without prejudice to the processing of personal data for a purpose other than the purpose for which the data has been collected which is lawful under the GDPR.

    Section 46 of the DPA 2018

    Permits the processing of special categories of personal data where the processing is necessary for exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.

    Section 47 of the DPA 2018

    Permits the processing of special categories of personal data where the processing:

    • is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings, or prospective legal proceedings; or
    • is otherwise necessary for the purposes of establishing, exercising, or defending legal rights.

    Section 48 of the DPA 2018

    Permits the processing of personal data revealing political opinions where the processing is carried out:

    • in the course of electoral activities in Ireland for the purpose of compiling data on people's political opinions by a political party or by a candidate/holder of elective political office in Ireland; and
    • by the Referendum Commission in performance of its functions.

    Section 49 of the DPA 2018

    Permits the processing of special categories of personal data where the processing respects the essence of the right to data protection and is necessary and proportionate for:

    • the administration of justice; or
    • the performance of a function conferred on a person by or under an enactment or by the Irish Constitution.

    Section 50 of the DPA 2018

    Permits the processing of health data where the processing is necessary and proportionate for the purposes of:

    • a policy of insurance or life assurance;
    • a policy of health insurance or health-related insurance;
    • an occupational pension, a retirement annuity contract, or any other pension arrangement; or
    • the mortgaging of property.

    Section 51 of the DPA 2018

    Permits the processing of special categories of personal data and/or data on criminal convictions and offences pursuant to Article 10 of the GDPR, where necessary for reasons of substantial public interest, if the processing is carried out in accordance with regulations made under Section 51(3) of the DPA 2018.

    Section 52 of the DPA 2018

    Permits the processing of special categories of personal data where necessary for the purposes set out in Article 9(2)(h) of the GDPR. Section 52(3) of the DPA 2018 identifies the statutory meaning of a 'health practitioner' for the purpose of this Section.

    Section 53 of the DPA 2018

    Permits the processing of special categories of personal data where necessary for public interest reasons in the area of public health including:

    • protecting against serious cross-border threats to health; and
    • ensuring high standards of quality and safety of healthcare and of medicinal products and medical devices.

    Processing of personal data relating to criminal convictions and offences

    Article 10 of the GDPR concerns personal data relating to criminal convictions and offences, and for the purpose of Section 55 of the DPA 2018, includes personal data relating to the alleged commission of an offence and any proceedings in relation to such an offence.

    Section 55 of the DPA 2018 provides that, without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and subject to compliance with Article 6(1) of the DPA 2018 and to 'suitable and specific measures' being taken to safeguard the fundamental rights and freedoms of the data subject, data on criminal convictions and offences can be processed:

    • under the control of an official authority (e.g. the administration of justice); or
    • where:
      • the individual has given explicit consent, except where EU law or the law of an EU Member State prohibits such processing;
      • the processing is necessary and proportionate for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
      • the processing is necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising, or defending legal rights;
      • the processing is necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person; or
      • the processing is permitted by regulations made under Section 55(3) of the DPA 2018 or is otherwise authorised by Irish law.

    Section 55(3) of the DPA 2018 provides for a government minister to make regulations in the future concerning the processing of data on criminal convictions, where necessary and proportionate to:

    • assess the risk of fraud or prevent fraud;
    • assess the risk of bribery or corruption, or both, or to prevent bribery or corruption, or both; or
    • ensure network and information systems security as well as prevent attacks on and damage to computer and electronic communications systems.

    The relevant Minister must consult with the DPC before enacting any regulations pursuant to this Section.

    Section 55(8) of the DPA 2018 introduces a criminal offence for knowingly or recklessly contravening Section 55 or regulations made under Section 55(3).

    7.10. Controller and processor contracts

    There are no national variations from the GDPR; however, the DPC has published guidance on controller-processor contracts. The guidance briefly outlines the context of the obligation on controllers and processors to enter into a data processing contract under the GDPR, when they need to enter into such a contract, and the minimum provisions which should be included in it.

    8. Data Subject Rights

    Section 60 of the DPA 2018 provides that the rights and obligations provided for under Articles 12 to 22 and Article 34 of the GDPR, and Article 5 of the GDPR in so far as any of its provisions correspond to the rights and obligations under Articles 12 to 22 of the GDPR, are restricted in certain circumstances.

    Section 60(3) of the DPA 2018 provides for such restriction of rights and obligations to the extent that:

    • the restrictions are necessary and proportionate:
      • to safeguard cabinet confidentiality, parliamentary privilege, national security, defence, and the international relations of the State;
      • for the prevention, detection, investigation, and prosecution of criminal offences and the execution of criminal penalties;
      • for the administration of any tax, duty, or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration;
      • in contemplation of or for the establishment, exercise, or defence of, a legal claim, prospective legal claim, legal proceedings, or prospective legal proceedings whether before a court, statutory tribunal, statutory body, or an administrative or out-of-court procedure;
      • for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation, or other liabilities, or debts related to the claim; or
      • for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim;
    • personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information; or
    • personal data concerned are kept:
      • by the DPC for the performance of its functions;
      • by the Information Commissioner for the performance of their functions; or
      • by the Comptroller and Auditor General for the performance of their functions.

    Section 60(5) of the DPA 2018 provides that a Minister of the Government may enact regulations restricting these rights and obligations where it considers it necessary for the protection of a data subject or the rights and freedoms of others:

    • if the application of those rights and obligations would be likely to cause serious harm to the physical or mental health of the data subject and to the extent to which, and for as long as, such application would be likely to cause such serious harm; and
    • in relation to personal data kept for, or obtained in the course of, the carrying out of social work by a public authority, public body, a voluntary organisation, or other body.

    Section 60(6) of the DPA 2018 provides that a Minister of the Government may enact regulations restricting these rights and obligations where the restrictions are necessary for the purposes of safeguarding important objectives of general public interest and these regulations will include, where appropriate, specific provisions required by Article 23(2) of the GDPR.

    The relevant Minister must consult with the DPC before enacting any regulations pursuant to Sections 60(5) or 60(6) of the DPA 2018.

    Scientific or historical research purposes or statistical purposes

    Section 61(1) of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest, the rights provided under Articles 15, 16, 18, 19, 20, and 21 of the GDPR are restricted to the extent that:

    • the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes; and
    • such restriction is necessary for the fulfilment of those purposes.

    Section 61(2) of the DPA 2018 provides that where personal data is processed for scientific or historical research purposes or statistical purposes, the rights provided under Articles 15, 16, 18, and 21 of the GDPR are restricted to the extent that:

    • the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes; and
    • such restriction is necessary for the fulfilment of those purposes.

    Legal privilege

    In respect of legal privilege, Section 162 of the DPA 2018 provides that the rights and obligations provided for under Articles 12 to 22 and 34 of the GDPR, and Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of the GDPR, do not apply:

    • to personal data processed for the purpose of seeking, receiving, or giving legal advice;
    • to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and their legal advisers or between those advisers; or
    • where the exercise of such rights or performance of such obligations would constitute a contempt of court.

    Academic, artistic, or literary expression

    Article 85 of the GDPR requires Member States to reconcile the right to the protection of personal data pursuant to GDPR with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic, or literary expression. In this regard, Section 43 of the DPA 2018 provides an exemption from compliance with specific provisions of the GDPR (set out in Section 43(2) of the DPA 2018) where compliance with those provisions would be incompatible with the right of freedom of expression and information.

    Section 44 of the DPA 2018 makes access to personal data in official records dependent on a prior grant of access under freedom of information or environmental legislation. Section 56 of the DPA 2018 governs the right of access to examination scripts and results. Section 59 of the DPA 2018 restricts an objection to processing for election purposes, and by the Referendum Commission Ireland.

    8.1. Right to be informed

    Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest, or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 15 of the GDPR may be restricted if the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and such restriction is necessary for the fulfilment of those purposes.

    Section 162 of the DPA 2018 deals with legal privilege.

    8.2. Right to access

    Section 56 of the DPA 2018 deals with the right of access to results and scripts of examination and results of appeal.

    Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 15 of the GDPR (right of access).

    Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 15 of the GDPR may be restricted if the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and such restriction is necessary for the fulfilment of those purposes.

    Section 162 of the DPA 2018 deals with legal privilege.

    The DPC has published FAQs on data subject access requests, which answer some of the most frequently asked questions by both individuals who are seeking copies of their personal data and controllers who are struggling to deal with the access requests they are receiving. Also, the DPC has provided guidance on the redaction of documents and records.

    S.I. No. 121 of 2022 Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 regulate subject access to health data where the application of that right would be likely to cause serious harm to the physical or mental health of the data subject but only to the extent to which, and only for as long as, such application would be likely to cause such harm.

    8.3. Right to rectification

    Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 16 of the GDPR (right to rectification).

    Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 16 of the GDPR may be restricted if the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and such restriction is necessary for the fulfilment of those purposes.

    Section 162 of the DPA 2018 deals with legal privilege.

    8.4. Right to erasure

    Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 17 of the GDPR (right to erasure). Section 162 of the DPA 2018 deals with legal privilege.

    In relation to the right to erasure for children, please see the section above on children's data.

    8.5. Right to object/opt-out

    Section 59 of the DPA 2018 includes a restriction on the right of a data subject to object to processing for election purposes and processing by the Referendum Commission. Section 58 of the DPA 2018 provides that for the application of Article 21 of the GDPR in Ireland, the reference to 'direct marketing' includes a reference to direct mailing except direct mailing carried out:

    • in the course of electoral activities in Ireland by:
      • a political party or its members; or
      • a candidate for election to, or a holder of, elective political office in Ireland; and
    • by the Referendum Commission in the performance of its functions.

    Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 21 of the GDPR (right to object).

    Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 21 of the GDPR may be restricted if the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and such restriction is necessary for the fulfilment of those purposes.

    Section 162 of the DPA 2018 deals with legal privilege.

    8.6. Right to data portability

    Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 20 of the GDPR (data portability).

    Section 61(1) of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest, the individual's rights under Article 20 of the GDPR may be restricted if:

    • the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and
    • such restriction is necessary for the fulfilment of those purposes.

    Section 162 of the DPA 2018 deals with legal privilege.

    8.7. Right not to be subject to automated decision-making

    Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 22 of the GDPR (automated individual decision-making, including profiling).

    Section 57 of the DPA 2018 supplements Article 22(2)(b) of the GDPR. It provides that, subject to Article 22(4) of the GDPR and to 'suitable and specific measures' to safeguard the fundamental rights and freedoms of the data subject, for the purposes of Article 22(2)(b) of the GDPR, the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them shall, in addition to the grounds identified in Article 22(2)(a) and (c) of the GDPR, not apply where:

    • the decision is authorised or required by or under an enactment; and
    • either:
      • the effect of that decision is to grant a request of the data subject; or
      • in all other cases where Article 22(1) of the GDPR is not applicable, adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject which steps shall include the making of arrangements to enable them to:
        • make representations to the controller in relation to the decision;
        • request human intervention in the decision-making process; and
        • request to appeal the decision.

    Section 162 of the DPA 2018 deals with legal privilege.

    8.8. Other rights

    Right to restrict processing

    Section 60 of the DPA 2018 provides for the restriction of the individual's rights and the controller's obligations under Article 18 of the GDPR (right to restriction of processing).

    Section 61 of the DPA 2018 provides that where personal data is processed for archiving purposes in the public interest, or processed for scientific or historical research purposes or statistical purposes, the individual's rights under Article 18 of the GDPR may be restricted if:

    • the exercise of those rights would likely render impossible, or seriously impair, the achievement of those purposes; and
    • such restriction is necessary for the fulfilment of those purposes.

    Section 162 of the DPA 2018 deals with legal privilege.

    9. Penalties

    Administrative fines

    Chapter 6 of Part 6 of the DPA 2018 deals with the power of the DPC to impose administrative fines. Section 141(1) of the DPA 2018 provides that when considering whether to impose an administrative fine, the DPC must act in accordance with Article 83 of the GDPR.

    Under Section 142 of the DPA 2018, a DPC decision to impose an administrative fine may be appealed to the Circuit Court (if the fine does not exceed €75,000) or the High Court within 28 days. On hearing an appeal, the Court may confirm the decision, replace it with another decision that it considers just and appropriate, or annul the decision. Ireland has availed of the power granted by Article 83(7) of the GDPR to decide on the extent of administrative fines to be imposed on public authorities. Section 141(4) of the DPA 2018 sets the maximum amount of an administrative fine on a controller or a processor that is a public authority or a public body at €1 million. The limit does not, however, apply where a public authority or public body is acting as an undertaking within the meaning of the Irish Competition Act 2002.

    Criminal offences

    A number of the principal offences contained in the DPA 2018 are provided below.

    The maximum criminal penalty for summary offences under the DPA 2018 is €5,000 and/or 12 months' imprisonment. Indictable offences are prosecuted in the Circuit Court or Central Criminal Court and carry a maximum penalty of €250,000 and/or five years' imprisonment, depending on the offence.

    Section 149 requires the DPC to publish details of:

    • any convictions for offences under the DPA 2018;
    • court orders made under Section 134 for the suspension, restriction, or prohibition of processing; or
    • its imposition of administrative fines; or any orders made for the suspension of cross-border transfers.

    The DPC may choose to publish details regarding the exercise of its other corrective powers under Article 58(2). Further, the DPC may choose, in the public interest, to publish reports required under Section 135, and reports of investigations or audits carried out, or other functions performed, by the DPC.

    Nature of the Offence | Relevant DPA 2018 Provision
    Enforced subject access requests in connection with the recruitment of an employee, the continued employment of that individual, or in relation to a contract for the provision of services to the person by an individual. | Section 4(2)
    Data relating to criminal convictions and offences: Knowingly or recklessly contravening Section 55 in respect of personal data relating to criminal convictions and offences (See the section on controllers and processor contracts above). | Section 55(8)
    Failure to cooperate with an authorised officer (Chapter 4): Section 130(7) relates to any person who, in respect of the exercise of Chapter 4 powers, obstructs, impedes, or assaults an authorised officer in the performance of their functions; fails or refuses to comply with a requirement of an authorised officer; or provides an authorised officer with information that is false or misleading in a material respect. | Section 130(7)
    Failure to comply with an information notice: Without reasonable excuse, failing to comply with a requirement specified in an information notice or, in purported compliance with such a requirement, giving to the DPC or an authorised officer information which the controller or processor knows to be false or misleading in a material respect. | Section 132(6)
    Failure to comply with an enforcement notice: Without reasonable excuse, failing to comply with a requirement specified in an enforcement notice. | Section 133(10)
    Offences regarding power to require report: Obstructing or impeding a reviewer charged with preparing a report for the DPC, giving false or misleading information to the reviewer, or a reviewer themselves giving information to the DPC which is known by them to be false or misleading. | Section 135(15)
    Failure to cooperate with an investigation under Section 137: Section 138(12) relates to any person who, in respect of an investigation under Section 137 (Chapter 5), withholds, destroys, conceals, or refuses to provide any information or statements, records, or other documents required for the purposes of an investigation; fails or refuses to comply with any requirement of an authorised officer under this Section; gives an authorised officer false or misleading material; or otherwise obstructs or hinders an authorised officer in the performance of their functions. | Section 138(12)(a)
    Unauthorised disclosure by processor under Section 144: Processor or its employee or agent recklessly or knowingly discloses personal data without the prior authority of the controller on behalf of whom the data is processed. | Section 144(2)
    Disclosure of personal data obtained without authority under Section 145: Obtaining and disclosing personal data to another person without the prior authority of the controller or processor. Selling personal data that was disclosed to the person in contravention of Section 145(1). Offering to sell personal data obtained without the prior authority of the controller or processor. | Section 145(1); Section 145(3); and Section 145(4)
    Offences by directors, etc., of bodies corporate: If an offence is committed by a corporate entity and it is proven to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, a director, manager, secretary, or other officer of the corporate entity or a person who was purporting to act in any such capacity, that person, as well as the corporate entity, will be guilty of that offence and liable to be proceeded against and punished as if they were guilty of the first-mentioned offence. | Section 146

    9.1 Enforcement decisions

    The DPC publishes its enforcement decisions; notable ones are as follows:

    In September 2021, the DPC issued WhatsApp Ireland Limited ('WhatsApp') with its largest ever administrative fine in respect of WhatsApp's breach of transparency requirements under Articles 12-14 of the GDPR. A fine in the region of €30–50 million was originally proposed but following referral of the case to the EDPB, the figure was uplifted to €225 million. In addition to the imposition of an administrative fine, the DPC imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.

    On 18 October 2021, the DPC's decision to impose an administrative fine on Twitter International Company was confirmed by the Irish courts. The application to confirm the decision to impose an administrative fine of €450,000 was made pursuant to Section 143 of the Data Protection Act 2018. This decision concerned Twitter's compliance with its obligations under the GDPR in respect of a breach notification. The DPC found that Twitter had infringed Articles 33(1) and (5) of the GDPR by not notifying the DPC of the breach on time and by failing to adequately document the breach.

    On 15 March 2022, the DPC adopted a decision regarding Meta Platforms Ireland Limited ('Meta Platforms'), imposing a fine of €17 million on Meta Platforms (formerly Facebook Ireland Limited). The decision followed an inquiry by the DPC into a series of 12 data breach notifications it received in the six-month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of Articles 5(1)(f), 5(2), 24(1), and 32(1) of the GDPR, in relation to the processing of personal data relevant to the 12 breach notifications. As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) of the GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the 12 personal data breaches. The processing under examination constituted 'cross-border' processing; therefore, the DPC's decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.