Civil Measures
GDPR Requirements for Supervisory Authority
Under the GDPR, the supervisory authority is to have the following investigative powers:
- to order a controller, processor, or their representative to provide any information it requires for the performance of its tasks;
- to carry out investigations in the form of data protection audits;
- to carry out a review of certifications issued;
- to notify a controller and processor of an alleged infringement;
- to obtain and access all personal data and information necessary for the performance of its tasks;
- to obtain access to any premises of the controller, including processing equipment and means, in accordance with the requirements of EU or domestic law.
Supervisory authorities are to facilitate the submission of complaints, for example by providing a complaint form which can be completed electronically, without excluding other means of communication. The performance of their tasks shall be free of charge to the data subject concerned and, where applicable, to the data protection officer.
However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the authority may charge a reasonable fee based on administrative costs or may refuse to act on the request. The authority bears the burden of demonstrating that the request is manifestly unfounded or excessive.
Corrective Powers
The supervisory authority has the following corrective powers:
- to issue warnings to controllers and processors that intended operations are likely to infringe the GDPR;
- to issue reprimands where there have been infringements;
- to order compliance with the data subject’s requests to exercise his or her rights;
- to order the controller or processor to bring operations into compliance with the GDPR, within a specified period and in a specified manner;
- to order the controller to communicate a personal data breach to the data subject;
- to impose a temporary or definitive limitation including a ban on processing;
- to order the erasure or rectification of personal data or a restriction on processing pursuant to the data subject’s rights under the GDPR;
- to withdraw the certification of a certification body;
- to impose administrative fines;
- to order the suspension of data flows to a recipient third country or international organisation.
Complaints and Enforcement of Data Protection
Each State is to provide by law that its supervisory authority shall have the power to bring infringements of the GDPR to the attention of the national judicial bodies and, where appropriate, to commence or otherwise engage in legal proceedings in order to enforce the GDPR.
The GDPR provides that every data subject (the person about whom the personal information is held) has the right to make a complaint by lodging it with the supervisory authority in his State of habitual residence, place of work or place of the alleged infringement, if he considers that processing relating to him infringes the GDPR. The supervisory authority must inform the complainant of the progress and outcome of the complaint.
In Ireland, the supervisory authority is the Data Protection Commission. A broadly similar procedure applies to complaints under the GDPR and to complaints under the Data Protection Act about the areas (mainly crime and security) covered by the latter Act, which are not covered by the EU legislation (because they are State competences) but which are the subject of almost identical provisions to those of the GDPR.
Not for Profit Representative
The data subject has the right to mandate a not-for-profit body or association in accordance with its home State law, which has statutory objectives in the public interest, and is active in the field of data protection rights and freedoms with regard to the protection of his personal data,
- to lodge a complaint on his behalf,
- to exercise complaint rights on his behalf, or
- to exercise or receive compensation on his behalf
where provided by the Member State’s law.
States may provide that any such body may, independently of the data subject’s mandate, have the right to lodge a complaint with the supervisory authority if it considers that the rights of the data subject have been infringed.
Data Commission Complaint Handling Procedure I
The Commission may undertake an inquiry into whether an infringement has occurred, or is occurring, of its own volition or in response to a complaint received by or on behalf of a data subject.
When a complaint is made, the Commission shall, as soon as practicable, give the complainant a notice in writing acknowledging the lodging of the complaint and informing the complainant of his or her right to a judicial remedy where the Commission (or the supervisory authority in another EU State) does not handle the complaint, or does not inform the complainant of its progress or outcome within 3 months from the date on which the complaint is received by that authority.
Where the Commission is the competent supervisory authority in respect of a complaint, it shall handle the complaint and inform the complainant, within 3 months from the date on which the complaint is received by it, on the progress or outcome of the complaint.
The Commission shall notify the complainant and the parties concerned of its decision. It shall give reasons for its decision. It shall notify the corrective action proposed, where applicable. Where it does not have jurisdiction but another authority has jurisdiction, it shall inform the complainant accordingly.
Agreed Resolution
Where the Commission considers that there is a reasonable prospect of the parties reaching an amicable resolution, it may arrange or facilitate such a resolution. Where a complaint is resolved amicably, it is deemed withdrawn. Where an amicable resolution cannot be reached, the Commission may take one or more corrective actions.
The corrective actions may include
- requiring compliance with an obligation,
- rectification or erasure of personal data,
- provision of advice to the complainant,
- the serving of an enforcement notice on the controller or processor,
- conducting an inquiry into the complaint, or
- dismissing or rejecting the complaint.
In each case, the complainant and parties concerned must be informed of the action taken.
Legal Recourse against Supervisory Authority’s Decision
Without prejudice to administrative or non-judicial remedies, every person, whether an individual or a company, must have an effective judicial remedy against a legally binding decision of the supervisory authority (in Ireland, the Data Protection Commission) which concerns him or her.
Without limiting any administrative or non-judicial remedy, the data subject has the right to an effective judicial remedy where the supervisory authority is the competent authority and does not handle a complaint or inform the person concerned within three months of its progress or outcome.
Proceedings against a supervisory authority are to be brought in the courts of the State where it is established. Where the proceedings are against a decision of the supervisory authority which was preceded by an opinion or decision of the European Data Protection Board under the consistency mechanism, that opinion or decision must be furnished to the court.
Investigation
Authorised officers of the Commission have standard investigatory powers. These are broadly similar to those of inspectors appointed under other legislation of this kind.
They may obtain information as necessary for the performance of their functions. They may enter premises reasonably believed to be occupied by a data controller or processor and inspect any data thereon. Where an authorised officer is refused access to premises while exercising his or her powers, he or she may apply to the District Court for a warrant.
Authorised officers may require a person on the premises who is a data controller or processor, or an employee of one, to disclose and produce information in his or her power or control. They may require persons to give such information as they reasonably require in relation to processing and the procedures in place for complying with the Act. They may operate any data equipment. They may inspect, take extracts from and copy information.
They may require details of the sources from which data is obtained, the purposes for which it is kept, persons to whom it is disclosed and data equipment. It is an offence to obstruct an officer or to fail to comply with a requirement, without reasonable excuse. It is an offence to give false information.
Information Notices
The Commission may serve an information notice on an individual in writing. This requires that the information specified be furnished in relation to the matters concerned, as is necessary or expedient for the performance of the Commission’s functions under the legislation. The information notice should specify the matters in respect of which the information is sought, and the time for compliance.
The requirement is not taken to compel a controller or processor, in complying with an information notice, to furnish information that would be exempt from production in proceedings in a court on the ground of legal professional privilege. A document furnished in compliance with an information notice shall not be admissible in evidence in proceedings for an offence (other than for the offence of non-compliance with this requirement) brought against any person who furnishes or concurs in the furnishing of the document.
The notice must state that there is a right to appeal to the Circuit Court or High Court. The time given for compliance is up to 28 days, or seven days in the event of urgency. Compliance may be enforced once the appeal period has expired (or after 7 days in the event of urgency). It is an offence, without reasonable excuse, to fail to comply with an information notice requirement.
In hearing appeals, the courts allow a degree of latitude to specialist regulatory bodies by way of deference to the specialist knowledge of the Commission. The court may hear the appeal other than in public.
Enforcement Notices
An enforcement notice may be served where there is or has been a contravention which is viewed as insufficiently serious to merit criminal prosecution, or where it is expedient not to prosecute. An enforcement notice must be in writing, specifying that a provision of the legislation is being or has been contravened, specifying the reason for that opinion and stating what is required to be done. It must state that the notice may be appealed to the Circuit Court or High Court within 28 days.
The enforcement notice may require that specified steps be undertaken. This may include the erasure, modification or rectification of material. It may require supplementary material to be included with the data. If the breach arises from the information being inaccurate or not up to date and the controller supplements and rectifies it as required, there is deemed to be no breach of the legislation in that regard. A notification is to be sent to the data subject within 40 days or as soon as possible.
The notice must state that there is a right to appeal to the Circuit Court or High Court. The time given for compliance is up to 28 days, or seven days in the event of urgency. Compliance processes may be pursued once the appeal period has expired (or after 7 days in the event of urgency).
In hearing appeals, the courts allow a degree of latitude to specialist regulatory bodies by way of deference to the specialist knowledge of the Commission. The court may hear the appeal other than in public.
It is an offence, without reasonable excuse, to fail to comply with an enforcement notice or a requirement made in an enforcement notice.
High Court Injunction
The Commission may, where there is a need to act urgently in order to protect the rights and freedoms of data subjects, apply in a summary manner, on notice to the controller or processor, to the High Court for an order suspending, restricting or prohibiting data processing or the transfer of personal data to a third country or international organization for such period as may be specified. The application may be made on affidavit evidence. The High Court may give the Commission any other direction as it considers appropriate.
Where urgent, an ex parte (unilateral) application may be made. The High Court may make an interim order in such cases for up to 7 days. This applies only to urgent cases arising under the GDPR. Notice of the interim order is required. Oral communication of the order may be valid notice where the circumstances require.
Power to Require a Report
The Commission may, for the purposes of proper and effective monitoring of the application of the GDPR, require a controller or processor to provide a report to the Commission on any matter about which the Commission could require the provision of information under the GDPR.
An expert nominated by the controller or processor concerned, and approved by the Commission, will prepare such a report. An expert nominated by the Commission may do so where the controller or processor has not nominated an expert or the Commission is not satisfied with the nominated expert.
In advance of requiring the production of a report, the Commission is required to consider whether any other power at its disposal would be more appropriate in the circumstances, as well as the level of resources available to the controller or processor concerned.
Data Protection Audit
The Commission may carry out audits in order to ascertain whether the practices and procedures of a controller or processor are in compliance with the GDPR and the Act.
The Commission may, for the purposes of an audit or a data protection audit, require the controller or processor concerned to produce any documents, records, statements or other information within that person’s possession or control, or within that person’s procurement, that are relevant to or required for the conduct of the audit.
Before commencing an audit, the Commission shall give the controller or processor concerned notice of its proposal to conduct such an audit. The notice shall—
- specify the matters to which the proposed audit will relate, and
- specify the date, which shall be not earlier than 7 days from the date on which the notice is given, on which the audit will be commenced.
Investigations
There are provisions which allow for in-depth investigations into possible infringements of the GDPR or the Data Protection Acts. In accordance with constitutional due process standards, the legislation provides for separate investigative and adjudicative stages in an investigation.
There is provision for the appointment of an authorised officer to undertake the investigation. There are detailed provisions governing the conduct of the investigation, including examination of witnesses on oath and oral hearings. It is an offence to obstruct an investigation.
Having completed an investigation, an authorised officer prepares a draft report setting out his or her findings. He or she provides it to the controller or processor concerned for any views they may have, considers any submissions received and then finalises the report for submission to the Commission.
The investigation report will state whether the authorised officer is satisfied that an infringement has occurred or is occurring, and the grounds for that belief. Where an authorised officer has concluded that an infringement has occurred or is occurring, he or she will not make any recommendation, or express any opinion, as to the corrective power that he or she considers ought to be applied in that event.
On receiving a report, the Commission will consider its contents, including any submissions attached to it. If further information is required, the Commission may conduct an oral hearing, seek further submissions from the controller or processor, or require the authorised officer to carry out further investigations.
Civil Infringement Proceedings
Without prejudice to any available administrative or non-judicial remedy, including the right to complain to the supervisory authority described above, the data subject shall have an effective judicial remedy where he or she considers that his or her rights have been infringed as a result of the processing of his or her personal data in breach of the GDPR.
Proceedings against a data controller or processor are brought before the courts of the State where that entity has an establishment. Alternatively, they may be brought in the State where the data subject has his habitual residence unless the controller or processor is a public authority of the State acting in the exercise of public powers.
Where a court of a Member State has information that proceedings concerning the same matter, as regards processing by the same controller or processor, are pending in another State, it shall contact the court in that other State to confirm the existence of the proceedings. Where such proceedings are pending in another competent court, any court other than the court first seized of the matter may suspend its proceedings. Where the proceedings are pending at first instance, any court other than the court first seized may also decline jurisdiction in favour of the court first seized.
Liability for Damages of Infringing Controller / Processor
Every person who has suffered material or non-material damage as a result of the infringement of the legislation has a right to receive compensation from the data controller or processor for the damage suffered. Any controller involved in the processing is liable for the damage caused by processing which infringes the legislation.
A processor shall be liable for the damage caused by the processing only where it has not complied with its obligations under the GDPR specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller. A controller or processor is exempt from this liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are responsible for the damage caused, each is liable for the entire damage, in order to ensure effective compensation of the data subject.
Where a controller or processor has paid full compensation for the damage, it is entitled to claim back from the other controllers or processors involved in the same processing the part of the compensation corresponding to their responsibility for the damage.
Irish Judicial Remedy
A data subject may, where he or she considers that his or her rights under the GDPR or the Data Protection Act have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment (the GDPR, the Data Protection Act and certain related legislation), bring an action against the controller or processor concerned. A data protection action is deemed to be an action founded on tort.
A data protection action may be brought on behalf of a data subject by a qualifying not-for-profit body, organisation or association (which may also make complaints on behalf of data subjects). A data subject may not bring a data protection action against a controller or processor that is a public authority of another Member State acting in the exercise of its public powers.
The Circuit Court, concurrently with the High Court, has jurisdiction to hear and determine data protection actions. The court hearing a data protection action has the power to grant to the plaintiff one or more than one of the following reliefs:
- relief by way of injunction or declaration; or
- compensation for damage suffered by the plaintiff as a result of the infringement of a relevant enactment.
The court hearing a data protection action shall not award compensation for material or non-material damage suffered.
The compensation recoverable in a data protection action in the Circuit Court shall not exceed the amount standing prescribed, for the time being by law, as the limit of that court’s jurisdiction in tort.
References and Sources
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988
Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988
Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988
Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988
Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989
Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989
Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989
Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993
Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993
Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007
Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007
Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007
Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009
Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011
Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012
Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013
Data Protection Act 1988 (Commencement) Order 2014, S.I. No. 337 of 2014
Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015
Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016
Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016
Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016
Data Protection (Amendment) Act 2003 (Commencement) Order 2003, S.I. No. 207 of 2003
Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007
Data Protection (Amendment) Act 2003 (Commencement) Order 2014
EU Legislation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Irish Books
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
EU and UK Texts
Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018
Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed Rosemary Jay 2018
Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed Patrick Birkinshaw, Mike Varney 2018
Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018
A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018
Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018
Information Exchange and EU Law Enforcement Anna Fiodorova 2018
Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018
The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018
The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018
Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018
The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018
A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018
EU Data Protection Law Denis Kelleher, Karen Murray 2018
New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017
Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017
Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017
The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017
Privacy, Data Protection and Cybersecurity in Europe Edited by: Wolf J. Schunemann, Max-Otto Baumann 2017
Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017
Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016
Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016
Data Protection: The New Rules Ian Long 2016
A User’s Guide to Data Protection 2nd ed Paul Lambert 2016
The Foundations of EU Data Protection Law Orla Lynskey 2015
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015
Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014
Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers 2nd ed Lynda Macdonald 2008