Civil Measures
Data Protection Act 2018
PART 6
ENFORCEMENT OF DATA PROTECTION REGULATION AND DIRECTIVE
CHAPTER 1
Preliminary
Interpretation (Part 6)
100. (1) In this Part—
“complaint” means a complaint within the meaning of Chapter 2 or 3;
“investigation” means an investigation under Chapter 5;
“investigation report” has the meaning assigned to it by section 134;
“relevant enactment” means—
(a) the Data Protection Regulation, or
(b) the provisions of this Act, or regulations under this Act, that give further effect to
the Data Protection Regulation;
“relevant provision” means—
(a) the provisions of this Act, or
(b) regulations under this Act, that give effect to the Directive.
(2) A reference in this Part (other than in Chapter 2) to a controller or a processor
includes a reference to a controller or a processor, as the case may be, within the
meaning of Part 5.
(3) A reference in this Part to information obtained in an inquiry (within the meaning of
section 105 or 118) shall be construed as including, where applicable—
(a) an investigation report prepared in the course of the inquiry, and any submissions
annexed to the report, and
(b) any additional information obtained in the course of the inquiry by the
Commission under section 135(2).
Service of documents (Part 6)
101. (1) Subject to section 111(4)(a), a notice or other document that is required to be served
on or given to a person under this Part shall be addressed to the person concerned by
name and shall be so served on or given to the person in one of the following ways:
(a) by delivering it to the person;
(b) by leaving it at the address at which the person ordinarily resides or carries on
business or, in a case in which an address for service has been furnished, at that
address;
(c) by sending it by post in a prepaid registered letter or by any other form of
recorded delivery service to the address referred to in paragraph (b); or
(d) by electronic means, in a case in which the person has given notice in writing to
the person serving or giving the notice or document concerned of his or her
consent to the notice or document (or notices or documents of a class to which
the notice or document belongs) being served on, or given to, him or her in that
manner.
(2) For the purposes of this section, a company within the meaning of the Act of 2014 is
deemed to be ordinarily resident at its registered office, and every other body
corporate and every unincorporated body of persons shall be deemed to be ordinarily
resident at its principal office or place of business.
CHAPTER 2
Enforcement of Data Protection Regulation
Interpretation (Chapter 2)
102. In this Chapter—
“complainant” means a data subject who lodges a complaint or, as the case may be, a
not-for-profit body, organisation or association that, in accordance with Article 80(1),
lodges a complaint on behalf of a data subject;
“complaint” means a complaint lodged pursuant to Article 77(2) or in accordance with
Article 80(1), and shall be deemed to include a complaint so lodged by or on behalf of
a data subject where—
(a) the data subject considers that the processing of personal data relating to him or
her infringes a relevant enactment, and
(b) the Commission is the competent supervisory authority in respect of the
complaint;
“corrective power” means a power conferred by Article 58(2) of the Data Protection
Regulation;
“infringement” means an infringement of a relevant enactment;
“inquiry” means an inquiry referred to in section 105(1).
Complaints under Chapter 2: General
103. (1) Where a complaint is lodged with the Commission, the Commission shall, as soon as
practicable, give the complainant concerned a notice in writing acknowledging the
lodging of the complaint, and informing the complainant of—
(a) where the Commission is the competent supervisory authority in respect of the
complaint, the complainant’s right under section 145(5) and (7), and
(b) where a supervisory authority other than the Commission is the competent
supervisory authority in respect of the complaint, the complainant’s right to a
judicial remedy against that competent supervisory authority where it does not—
(i) handle the complaint, or
(ii) inform the complainant within 3 months from the date on which the
complaint is received by that authority on the progress or outcome of the
complaint.
(2) Where the Commission is the competent supervisory authority in respect of a
complaint, it shall—
(a) handle the complaint in accordance with this Part, and
(b) inform the complainant, within 3 months from the date on which the complaint is
received by the Commission, on the progress or outcome of the complaint.
(3) For the purposes of subsection (2)(b), the Commission shall be taken to have informed
a complainant of the outcome of the complaint concerned where it gives the
complainant a notice under section 104(6) or, as the case may be, section 111.
Commission to handle complaint under Chapter 2
104. (1) For the purposes of section 103(2)(a), the Commission shall examine the complaint
and shall, in accordance with this section, take such action in respect of it as the
Commission, having regard to the nature and circumstances of the complaint,
considers appropriate.
(2) The Commission, where it considers that there is a reasonable likelihood of the parties
concerned reaching, within a reasonable time, an amicable resolution of the subject
matter of the complaint, may take such steps as it considers appropriate to arrange or
facilitate such an amicable resolution.
(3) Where the parties concerned reach an amicable resolution of the subject matter of the
complaint, the complaint shall, from the date on which the amicable resolution is
reached, be deemed to have been withdrawn by the complainant concerned.
(4) Where the Commission considers that an amicable resolution cannot be reached by
the parties within a reasonable time, it shall proceed—
(a) in the case of a complaint to which section 108 applies, to comply with section
108(2), or
(b) in the case of any other complaint, to take an action specified in subsection (5).
(5) The actions referred to in subsection (4)(b) include one or more than one of the
following:
(a) rejection of the complaint;
(b) dismissal of the complaint;
(c) provision to the complainant of advice in relation to the subject matter of the
complaint;
(d) serving on the controller or processor concerned of an enforcement notice,
requiring it to do one or more than one of the following:
(i) comply with the data subject’s request to exercise his or her rights pursuant
to a relevant enactment;
(ii) where the enforcement notice is given to the controller, communicate a
personal data breach to the data subject;
(iii) rectify or erase personal data or restrict processing pursuant to Articles 16,
17 and 18, and to notify, pursuant to Article 17(2) and Article 19, such
actions to recipients to whom the personal data have been disclosed;
(e) causing of such inquiry as the Commission thinks fit to be conducted in respect
of the complaint;
(f) taking of such other action in respect of the complaint as the Commission
considers appropriate.
(6) The Commission shall, as soon as practicable after taking an action referred to in
subsection (5) (other than paragraph (e) of that subsection), give the complainant a
notice in writing informing the complainant of the action taken.
Commission may conduct inquiry into suspected infringement of relevant enactment
105. (1) The Commission, whether for the purpose of section 104(5)(e), section 108(2), or of
its own volition, may, in order to ascertain whether an infringement has occurred or is
occurring, cause such inquiry as it thinks fit to be conducted for that purpose.
(2) The Commission may, for the purposes of subsection (1), where it considers it
appropriate to do so, in particular do either or both of the following:
(a) cause any of its powers under Chapter 4 (other than section 130) to be exercised;
(b) cause an investigation under Chapter 5 to be carried out.
Decision of Commission where inquiry under Chapter 2 conducted of own volition
106. (1) Where an inquiry has been conducted of the Commission’s own volition, the
Commission, having considered the information obtained in the inquiry, shall—
(a) if satisfied that an infringement by the controller or processor to which the
inquiry relates has occurred or is occurring, make a decision to that effect, and
(b) if not so satisfied, make a decision to that effect.
(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition,
make a decision—
(a) as to whether a corrective power should be exercised in respect of the controller
or processor concerned, and
(b) where it decides to so exercise a corrective power, the corrective power that is to
be exercised.
(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall
exercise the corrective power concerned.
Decision of Commission where inquiry conducted in respect of complaint
to which Article
55 or 56(5) applies
107. (1) Where an inquiry has been conducted in respect of a complaint in respect of which the
Commission is the competent supervisory authority under Article 55 or 56(5), the
Commission, having considered the information obtained in the examination, may—
(a) if satisfied that an infringement by the controller or processor to which the
complaint relates has occurred or is occurring, make a decision to that effect, or
(b) if not so satisfied, make a decision to dismiss the complaint.
(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition,
make a decision—
(a) as to whether a corrective power should be exercised in respect of the controller
or processor concerned, and
(b) where it decides to so exercise a corrective power, the corrective power that is to
be exercised.
(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall
exercise the corrective power concerned.
Complaint to which Article 60 applies
108. (1) This section applies to a complaint in respect of which the Commission is the lead
supervisory authority.
(2) Where section 104(4)(a) applies, the Commission shall—
(a) in accordance with subsection (3), make a draft decision in respect of the
complaint (or, as the case may be, part of the complaint) and, where applicable,
as to the envisaged action to be taken in relation to the controller or processor
concerned, and
(b) in accordance with Article 60 and, where appropriate, Article 65, adopt its
decision in respect of the complaint or, as the case may be, part of the complaint.
(3) In making a draft decision under subsection (2)(a), the Commission shall, where
applicable, have regard to—
(a) the information obtained by the Commission in its examination of the complaint,
including, where an inquiry has been conducted in respect of the complaint, the
information obtained in the inquiry, and
(b) any draft for a decision that is submitted to the Commission by a supervisory
authority in accordance with Article 56(4).
(4) Where the Commission adopts a decision under subsection (2)(b) to the effect that an
infringement by the controller or processor concerned has occurred or is occurring, it
shall, in addition, make a decision—
(a) where an inquiry has been conducted in respect of the complaint—
(i) as to whether a corrective power should be exercised in respect of the
controller or processor concerned, and
(ii) where it decides to so exercise a corrective power, the corrective power that
is to be exercised,
or
(b) where an inquiry has not been conducted in respect of the complaint—
(i) as to whether an action specified in subsection (6) should be taken in respect
of the controller or processor concerned, and
(ii) where it decides to take such an action, the action that is to be taken.
(5) The Commission, in making its decision under subsection (4), shall have due regard to
the decision as to the envisaged action to be taken in relation to the controller or
processor included in the Commission’s draft decision under subsection (2)(a) or, as
the case may be, its revised draft decision under Article 60.
(6) The actions referred to in subsection (4)(b) include either or both of the following:
(a) the serving on the controller or processor concerned of an enforcement notice,
requiring it to do one or more than one of the following:
(i) comply with the data subject’s request to exercise his or her rights pursuant
to a relevant enactment;
(ii) where the enforcement notice is given to the controller, communicate a
personal data breach to the data subject;
(iii) rectify or erase personal data or restrict processing pursuant to Articles 16,
17 and 18, and to notify, pursuant to Article 17(2) and Article 19, such
actions to recipients to whom the personal data have been disclosed;
(b) the taking of such other action in respect of the complaint as the Commission
considers appropriate.
(7) The Commission—
(a) where it makes a decision referred to in subsection (4)(a)(ii), shall exercise the
corrective power concerned, and
(b) where it makes a decision referred to in subsection (4)(b)(ii), shall take the action
concerned.
Commission to adopt decision in certain circumstances
109. Where—
(a) a complaint is lodged with the Commission, or a complaint is lodged with another
supervisory authority and the Commission is the supervisory authority in respect
of the complainant concerned,
(b) another supervisory authority is the lead supervisory authority in respect of the
complaint, and
(c) a decision is made, in accordance with Article 60, to dismiss or reject the
complaint or, where Article 60(9) applies, part of the complaint,
the Commission shall adopt the decision referred to in paragraph (c) in respect of the
complaint or, as the case may be, part of the complaint.
Exercise by Commission of corrective power
110. (1) For the purposes of exercising a corrective power under section 106, 107 or 108, the
Commission may do either or both of the following:
(a) subject to Chapter 6, decide to impose an administrative fine on the controller or
processor concerned;
(b) exercise any other corrective power specified in Article 58(2).
(2) Without prejudice to the generality of subsection (1)(b), the Commission may, for the
purposes of exercising a power referred to in that provision, serve on the controller or
processor concerned an enforcement notice requiring it to take such steps as the
Commission considers necessary for those purposes.
Notification of decision of Commission under Chapter 2
111. (1) The Commission shall—
(a) as soon as practicable after it makes a decision under section 106 or 107, give the
controller or processor concerned a notice in writing setting out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has decided to
exercise in respect of the controller or processor,
and
(b) in the case of a decision under section 107, and as soon as practicable after the
giving of the notice under paragraph (a), give the complainant concerned a
notice in writing setting out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has decided to
exercise in respect of the controller or processor.
(2) Subject to subsection (4), the Commission shall—
(a) as soon as practicable after it adopts a decision under section 108(2)(b), give the
controller or processor concerned a notice in writing setting out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has decided to
exercise or, as the case may be, the action that it has decided to take, in
respect of the controller or processor,
and
(b) in the case of a complaint lodged with the Commission, and as soon as
practicable after the giving of the notice under paragraph (a), give the
complainant concerned a notice in writing setting out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has decided to
exercise or, as the case may be, the action that it has decided to take, in
respect of the controller or processor.
(3) The Commission shall, as soon as practicable after it adopts a decision under section
109, give—
(a) the complainant concerned, and
(b) the controller or processor concerned,
a notice in writing informing them of the rejection or dismissal of the complaint or, as
the case may be, the part of the complaint.
(4) Where the Commission is the lead supervisory authority in relation to a complaint to
which Article 60(9) applies, the Commission shall, as soon as practicable after it
adopts its decision under Article 60(9)—
(a) give the controller or processor concerned, at its main establishment or single
establishment, a notice in writing setting out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has decided to
exercise or, as the case may be, the action that it has decided to take in
respect of the controller or processor,
and
(b) give the complainant concerned a notice in writing setting out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has decided to
exercise or, as the case may be, the action that it has decided to take in
respect of the controller or processor.
Judicial remedy for infringement of relevant enactment
112. (1) Subject to subsection (9), and without prejudice to any other remedy available to him
or her, including his or her right to lodge a complaint, a data subject may, where he or
she considers that his or her rights under a relevant enactment have been infringed as
a result of the processing of his or her personal data in a manner that fails to comply
with a relevant enactment, bring an action (in this section referred to as a “data
protection action”) against the controller or processor concerned.
(2) A data protection action shall be deemed, for the purposes of every enactment and
rule of law, to be an action founded on tort.
(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High
Court, have jurisdiction to hear and determine data protection actions.
(4) The court hearing a data protection action shall have the power to grant to the plaintiff
one or more than one of the following reliefs:
(a) relief by way of injunction or declaration, or
(b) compensation for damage suffered by the plaintiff as a result of the infringement
of a relevant enactment.
(5) The compensation recoverable in a data protection action in the Circuit Court shall
not exceed the amount standing prescribed, for the time being by law, as the limit of
that court’s jurisdiction in tort.
(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by
the judge of any circuit in which—
(a) the controller or processor against whom the data protection action is taken has
an establishment, or
(b) the data subject has his or her habitual residence.
(7) A data protection action may be brought on behalf of a data subject by a not-for-profit
body, organisation or association to which Article 80(1) applies that has been
mandated by the data subject to do so.
(8) The court hearing a data protection action to which subsection (7) applies shall not
award compensation for material or non-material damage suffered.
(9) A data subject may not bring a data protection action against a controller or processor
that is a public authority of another Member State acting in the exercise of its public
powers.
(10) In this section—
“damage” includes material and non-material damage;
“injunction” means—
(a) an interim injunction,
(b) an interlocutory injunction, or
(c) an injunction of indefinite duration.
CHAPTER 3
Enforcement of Directive
Interpretation (Chapter 3)
113. In this Chapter—
“competent supervisory authority” shall be construed in accordance with the Directive;
“complainant” means a data subject who or, as the case may be, a body mandated in
accordance with section 115 that, lodges a complaint;
“complaint” means a complaint lodged in accordance with section 114;
“controller” and “processor” have the meanings they have in Part 5;
“corrective power” means a power conferred on the Commission by section 122;
“inquiry” means an inquiry referred to in section 118;
“infringement” means an infringement of a relevant provision.
Data subject may lodge complaint with Commission
114. (1) Without prejudice to any other remedy available to him or her, and subject to section
115, a data subject who considers that processing of his or her personal data infringes
a relevant provision, or provisions adopted by another Member State giving effect to a
right to the data subject under the Directive, may lodge a complaint with the
Commission.
(2) (a) Without prejudice to the right of a data subject under subsection (1), the
Commission may specify the form of a complaint lodged under that subsection.
(b) When specifying a form under paragraph (a), the Commission shall, without
excluding other means of communication, ensure that the form is capable of
being completed electronically.
(3) The Commission, where it is not the competent supervisory authority in respect of a
complaint lodged with it under subsection (1), shall—
(a) without undue delay, transmit the complaint to the competent supervisory
authority, and
(b) inform the data subject of the transmission of the complaint.
(4) Where a complaint is transmitted to the Commission in accordance with the law of a
Member State giving effect to Article 52(2) of the Directive, the complaint shall, for
the purposes of this Part, be deemed to be a complaint lodged, on the date on which
the complaint is received by the Commission, with the Commission in accordance
with subsection (1).
Representation of data subjects
115. (1) A data subject may mandate a body, organisation or association to which subsection
(2) applies to do either or both of the following on his or her behalf—
(a) lodge a complaint under section 114,
(b) exercise the rights referred to in section 123 and section 145.
(2) This subsection applies to a body, organisation or association—
(a) that provides its services on a not-for-profit basis,
(b) that has been properly constituted in accordance with the law of the State or
another Member State,
(c) whose objectives, as specified in the documents establishing the body,
organisation or association concerned, are in the public interest, and
(d) that is active with regard to the protection of data subject rights and freedoms,
including protection of their personal data.
(3) Where the Commission or a court, in performing its functions under this Act, has
reasonable doubts as to whether a particular body, organisation or association is one
to which subsection (2) applies, it may request the provision by the body, organisation
or association concerned of such additional information as is necessary in order to
confirm that it is such a body, organisation or association.
Complaints under Chapter 3: General
116. (1) Where a complaint is lodged, or deemed to be lodged, with the Commission under
section 114(1), and section 114(3) does not apply to the complaint, the Commission
shall as soon as practicable give the complainant concerned a notice—
(a) acknowledging the lodging of the complaint or, as the case may be, its receipt by
the Commission referred to in section 114(4), and
(b) informing the complainant of the complainant’s rights under section 123.
(2) Where subsection (1) applies, the Commission shall—
(a) handle the complaint in accordance with this Part, and
(b) inform the complainant within 3 months from the date on which the complaint is
lodged, of the progress or outcome of the complaint.
(3) For the purposes of subsection (2)(b), the Commission shall be taken to have informed
a complainant of the outcome of the complaint concerned where it gives the
complainant a notice under section 117(5) or, as the case may be, section 121.
Commission to handle complaint under Chapter 3
117. (1) For the purposes of section 116(2)(a), the Commission shall examine the complaint
and shall, in accordance with this section, take such action in respect of it as the
Commission, having regard to the nature and circumstances of the complaint,
considers appropriate.
(2) The Commission, where it considers that there is a reasonable likelihood of the parties
concerned reaching, within a reasonable time, an amicable resolution of the subject
matter of the complaint, may take such steps as it considers appropriate to arrange or
facilitate such an amicable resolution.
(3) Where the parties concerned reach an amicable resolution of the subject matter of the
complaint, the complaint shall, from the date on which the amicable resolution is
reached, be deemed to have been withdrawn by the complainant concerned.
(4) Where the Commission considers that an amicable resolution cannot be reached by
the parties within a reasonable time, it shall proceed to take one or more than one of
the following actions:
(a) rejection of the complaint;
(b) dismissal of the complaint;
(c) provision to the complainant of advice in relation to the subject matter of the
complaint;
(d) serving on the controller or processor concerned of an enforcement notice,
requiring it to do one or more than one of the following:
(i) comply with the data subject’s request to exercise his or her rights under a
relevant provision;
(ii) bring processing into compliance with a relevant provision, in a specified
manner and within a specified period;
(iii) where the enforcement notice is given to the controller, communicate a
personal data breach to data subjects;
(e) causing of such inquiry as the Commission thinks fit to be conducted in respect
of the complaint;
(f) taking of such other action in respect of the complaint as the Commission
considers appropriate.
(5) The Commission shall, as soon as practicable after taking an action referred to in
subsection (4) (other than paragraph (e) of that subsection), give the complainant a
notice in writing informing the complainant of the action taken.
Commission may conduct inquiry into suspected infringements of relevant provision
118. (1) The Commission, whether for the purpose of section 117(4)(e) or of its own volition,
may, in order to ascertain whether an infringement has occurred or is occurring, cause
such inquiry as it thinks fit to be conducted for that purpose.
(2) The Commission may, for the purposes of subsection (1), where it considers it
appropriate to do so, in particular do either or both of the following:
(a) cause any of its powers under Chapter 4 (other than sections 129 and 130) to be
exercised;
(b) cause an investigation under Chapter 5 to be carried out.
Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition
119. (1) Where an inquiry has been conducted of the Commission’s own volition, the
Commission, having considered the information obtained in the inquiry, shall—
(a) if satisfied that an infringement by the controller or processor to which the
inquiry relates has occurred or is occurring, make a decision to that effect, or
(b) if not so satisfied, make a decision to that effect.
(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition,
make a decision—
(a) as to whether a corrective power should be exercised in respect of the controller
or processor concerned, and
(b) where it decides to so exercise a corrective power, the corrective power that is to
be exercised.
(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall
exercise the corrective power concerned.
Decision of Commission where inquiry conducted in respect of complaint under Chapter 3
120. (1) Where an inquiry has been conducted in respect of a complaint, the Commission,
having considered the information obtained in the inquiry, may—
(a) if satisfied that an infringement by the controller or processor to which the
complaint relates has occurred or is occurring, make a decision to that effect, or
(b) if not so satisfied, make a decision to dismiss the complaint.
(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition,
make a decision—
(a) as to whether a corrective power should be exercised in respect of the controller
or processor concerned, and
(b) where it decides to so exercise a corrective power, the corrective power that is to
be exercised.
(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall
exercise the corrective power concerned.
Notification of decision of Commission under Chapter 3
121. The Commission shall—
(a) as soon as practicable after the decision under section 119 or 120 is made by it,
give the controller or processor concerned a notice in writing setting out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has exercised in
respect of the controller or processor,
and
(b) in the case of a decision under section 120, give, as soon as practicable after the
notice under paragraph (a) is given, the complainant a notice in writing setting
out—
(i) the decision and the reasons for it, and
(ii) where applicable, the corrective power that the Commission has exercised in
respect of the controller or processor.
Corrective powers of Commission (Chapter 3)
122. (1) The Commission may, for the purposes of sections 119 and 120, do one or more than
one of the following:
(a) issue a warning to the controller or processor that intended data processing is
likely to infringe a relevant provision;
(b) issue a reprimand to the controller or processor where data processing by the
controller or processor has infringed a relevant provision;
(c) order the controller or processor to comply with a data subject’s request to
exercise his or her rights under a relevant provision;
(d) order the controller or processor to bring processing into compliance with a
relevant provision, in a specified manner and within a specified period;
(e) order the controller to communicate a personal data breach to data subjects;
(f) impose a temporary or definitive limitation, including a ban on processing;
(g) impose a restriction on processing by the controller or processor;
(h) order the suspension of data transfers to a recipient in a third country or to an
international organisation.
(2) Without prejudice to the generality of sections 119(2)(b) and 120(2)(b), the
Commission may, for the purposes of exercising a power specified in subsection (1),
serve on the controller or processor concerned an enforcement notice requiring it to
take such steps as the Commission considers necessary for those purposes.
Judicial remedy for infringement of relevant provision
123. (1) Subject to subsection (8), and without prejudice to any other remedy available to him
or her, including his or her right under section 114 to lodge a complaint, a data subject
may, where he or she considers that his or her rights under a relevant provision have
been infringed as a result of the processing of his or her personal data in a manner that
fails to comply with a relevant provision, bring an action (in this section referred to as
a “data protection action”) against the controller or processor concerned.
(2) A data protection action shall be deemed, for the purposes of every enactment and
rule of law, to be an action founded on tort.
(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High
Court, have jurisdiction to hear and determine data protection actions.
(4) The court hearing a data protection action shall have the power to grant to the plaintiff
one or more than one of the following reliefs:
(a) relief by way of injunction or declaration; or
(b) compensation for damage suffered by the plaintiff as a result of the infringement
of a relevant provision.
(5) The compensation recoverable in a data protection action in the Circuit Court shall
not exceed the amount standing prescribed, for the time being by law, as the limit of
that court’s jurisdiction in tort.
(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by
the judge of any circuit in which—
(a) the controller or processor against whom the data protection action is taken has
an establishment, or
(b) the data subject has his or her habitual residence.
(7) The court hearing a data protection action that has been brought, in accordance with
section 115, on behalf of a data subject by a body, organisation or association to
which subsection (2) of that section applies, shall not award compensation for
material or non-material damage suffered.
(8) A data subject may not bring a data protection action against a controller or processor
that is a public authority of another Member State acting in the exercise of its public
powers.
(9) In this section—
“damage” includes material and non-material damage;
“injunction” means—
(a) an interim injunction,
(b) an interlocutory injunction, or
(c) an injunction of indefinite duration.
CHAPTER 4
Inspection, Audit and Enforcement
Authorised officers
124. (1) The Commission may appoint such and so many members of its staff, and such and so
many other suitably qualified persons, as it considers appropriate to be authorised
officers for the purposes of this Act.
(2) A person appointed under subsection (1) shall, on his or her appointment, be furnished
by the Commission with a certificate of his or her appointment and, when exercising a
power conferred by this Act shall, on request by any person thereby affected, produce
such certificate together with a form of personal identification to that person for
inspection.
(3) A person who, immediately before the commencement of this section, was an
authorised officer under section 24 of the Act of 1988 shall—
(a) for the unexpired period of his or her term of appointment under that section, and
(b) subject to the same terms and conditions as applied to that appointment,
be deemed to be an authorised officer appointed under subsection (1), and accordingly
paragraph (a) of subsection (4) shall apply in respect of that authorised officer.
(4) An appointment shall cease—
(a) if the Commission revokes, in writing, the appointment,
(b) in the case of a person who at the time of his or her appointment was a member of
staff of the Commission, upon the person ceasing to be such a member of staff, or
(c) in the case of an appointment for a fixed period, upon the expiry of that period.
(5) In this section, “suitably qualified person” means a person other than a member of
staff of the Commission who, in the opinion of the Commission, has the expertise and
experience necessary to perform the functions conferred on an authorised officer by
this Act.
Powers of authorised officers
125. (1) For the purposes of this Act, a relevant enactment or a relevant provision, an
authorised officer may—
(a) subject to subsection (6), enter, at any reasonable time, any place—
(i) where any activity connected with the processing of personal data takes
place,
(ii) where the authorised officer has reasonable grounds for believing any
activity connected with the processing of personal data takes place, or
(iii) at which the authorised officer has reasonable grounds for believing
documents, records, statements or other information relating to the
processing of personal data is being kept,
(b) search and inspect the place and any documents, records, statements or other
information found there,
(c) require any person at the place, being a controller or processor, or an employee or
agent of either of them, to produce to him or her any documents or records
relating to the processing of personal data which are in that person’s power or
control and, in the case of information in a non-legible form, to reproduce it in a
legible form, and to give to the authorised officer such information as he or she
may reasonably require in relation to any entries in such documents or records,
(d) secure for later inspection—
(i) any documents or records so provided or found and any data equipment,
including any computer, in which those records may be held,
(ii) any such place, or part thereof, in which—
(I) documents, records, statements or data equipment are kept, or
(II) there are reasonable grounds for believing that such documents, records,
statements or data equipment are kept,
for such period as the authorised officer may reasonably consider necessary for
the purposes of the performance of his or her functions or the functions of the
Commission under this Act, a relevant enactment or a relevant provision,
(e) inspect and take extracts from or make copies of any such documents or records
(including, in the case of information in a non-legible form, a copy of or extract
from such information in a permanent legible form),
(f) remove and retain such documents or records for such period as the authorised
officer reasonably considers necessary for the purposes of the performance of his
or her functions or the functions of the Commission under this Act, a relevant
enactment or a relevant provision, or require any person referred to in paragraph
(c) to retain and maintain such documents or records for such period of time, as
the authorised officer reasonably considers necessary for those purposes,
(g) if a person who is required under paragraph (c) to provide a particular record is
unable to provide it, require the person to state, to the best of that person’s
knowledge and belief, where the record is located or from whom it may be
obtained, and
(h) require any person referred to in paragraph (c) to give to the authorised officer
any information relating to the processing of personal data that the officer may
reasonably require for the purposes of the performance of his or her functions or
the functions of the Commission under this Act, a relevant enactment or a
relevant provision and to afford the officer all reasonable assistance in relation
thereto.
(2) An authorised officer may, in the performance of his or her functions under this Act, a
relevant enactment or a relevant provision—
(a) operate any data equipment, including any computer, or cause any such data
equipment or computer to be operated by a person accompanying the authorised
officer, and
(b) require any person who appears to the authorised officer to be in a position to
facilitate access to the documents or records stored in any data equipment or
computer or which can be accessed by the use of that data equipment or computer
to give the authorised officer all reasonable assistance in relation to the operation
of the data equipment or computer or access to the records stored in it, including
by—
(i) providing the documents or records to the authorised officer in a form in
which they can be taken and in which they are, or can be made, legible and
comprehensible,
(ii) giving to the authorised officer any password necessary to make the
documents or records concerned legible and comprehensible, or
(iii) otherwise enabling the authorised officer to examine the documents or
records in a form in which they are legible and comprehensible.
(3) When performing a function under this Act, a relevant enactment or a relevant
provision, an authorised officer may, subject to any warrant under section 126, be
accompanied by such and so many other authorised officers or members of the Garda
Síochána as he or she considers appropriate.
(4) An authorised officer may require a person to provide him or her with his or her name
and address where the authorised officer has reasonable grounds for requiring such
information for the purpose of applying for a warrant under section 126.
(5) Where an authorised officer in the performance of his or her functions or the
functions of the Commission under this Act, a relevant enactment or a relevant
provision is prevented from entering any place, he or she may make an application
under section 126 for a warrant to authorise such entry.
(6) An authorised officer shall not enter a dwelling, other than—
(a) with the consent of the occupier, or
(b) in accordance with a warrant under section 126.
(7) A person shall be guilty of an offence if he or she—
(a) obstructs, impedes or assaults an authorised officer in the performance of his or
her functions under this Act, a relevant enactment or a relevant provision,
(b) fails or refuses to comply with a requirement of an authorised officer under this
section,
(c) alters, suppresses or destroys any documents, records, statements or other
information which the person concerned has been required by an authorised
officer to produce, or may reasonably expect to be so required to produce,
(d) in purported compliance with a requirement under this section, gives to an
authorised officer information, documents or records which the person knows to
be false or misleading in a material respect,
(e) falsely represents himself or herself to be an authorised officer, or
(f) procures or attempts to procure any action referred to in paragraphs (a) to (e).
(8) A person guilty of an offence under subsection (7) shall be liable—
(a) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months, or both, or
(b) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment
for a term not exceeding 5 years, or both.
(9) A statement or admission made by a person pursuant to a requirement under
subsection (1) or (2) shall not be admissible in evidence in proceedings for an offence
(other than an offence under paragraph (b) of subsection (7)) brought against the
person.
(10) In this section and section 126, “place” includes—
(a) a dwelling or a part thereof,
(b) a building or a part thereof,
(c) any other premises or part thereof, and
(d) a vehicle, vessel, aircraft or any other means of transport.
Search warrants
126. (1) If a judge of the District Court is satisfied on the sworn information of an authorised
officer that there are reasonable grounds for suspecting that information required by
an authorised officer for the purpose of performing his or her functions under this Part
is held at any place, the judge may issue a warrant authorising him or her,
accompanied if the officer considers it necessary by such other person or a member of
the Garda Síochána, at any time or times from the date of issue of the warrant, on
production, if so required, of the warrant, to enter, if need be by reasonable force, the
place and exercise all or any of the powers conferred on an authorised officer under
section 125.
(2) The period of validity of a warrant shall be 28 days from its date of issue, but that
period of validity may be extended in accordance with subsections (3) and (4).
(3) The authorised officer may, during the period of validity of a warrant (including such
period as previously extended under subsection (4)), apply to a judge of the District
Court for an order extending the period of validity of the warrant and such an
application shall be grounded upon information on oath laid by the authorised officer
stating, by reference to the purpose or purposes for which the warrant was issued, the
reasons why the authorised officer considers the extension to be necessary.
(4) If, on the making of an application under subsection (3), the judge of the District
Court is satisfied that there are reasonable grounds for believing, having regard to that
information so laid, that further time is needed so that the purpose or purposes for
which the warrant was issued can be fulfilled, the judge may make an order extending
the period of validity of the warrant by such period as, in the opinion of the judge, is
appropriate and just; and where such an order is made, the judge shall cause the
warrant to be suitably endorsed to indicate its extended period of validity.
(5) Nothing in subsections (1) to (4) prevents a judge of the District Court from issuing,
on the making of a new application under subsection (1), a further search warrant
under this section in relation to the same place.
Information notice
127. (1) The Commission or an authorised officer may, by notice in writing (referred to in this
Act as an “information notice”) served on a controller or processor, require the
controller or processor to furnish, in writing, within such period as may be specified
in the notice and, if applicable, in the format or manner specified in the notice, such
information in relation to matters specified in the notice as is necessary or expedient
for the performance by the Commission of its, or by the authorised officer of his or
her, functions under this Part.
(2) Subject to subsection (3)—
(a) an information notice shall include a statement informing the controller or
processor concerned of his entitlement under section 145(1) to appeal against the
requirement specified in the notice,
(b) the period, referred to in subsection (1), specified in an information notice shall
not be less than 28 days from the date on which the notice is served, and
(c) if an appeal is brought under section 145(1) against a requirement specified in an
information notice, the requirement need not be complied with and subsection (6)
shall not apply in relation to the requirement, pending the determination or
withdrawal of the appeal.
(3) Where the Commission or authorised officer—
(a) by reason of special circumstances, is of the opinion that a requirement specified
in an information notice should be complied with urgently, and
(b) includes a statement to that effect in the information notice,
subsection (2) shall not apply in relation to the notice, but the notice—
(i) shall include a statement of the effect of subsections (3) and (4) of section 145,
and
(ii) shall not require compliance with the requirement before the end of the period of
7 days beginning on the date on which the notice is served.
(4) (a) Nothing in this section shall be taken to compel a controller or processor, in
complying with an information notice, to furnish information that would be
exempt from production in proceedings in a court on the ground of legal
professional privilege.
(b) A document furnished in compliance with an information notice shall not be
admissible in evidence in proceedings for an offence (other than an offence under
this section) brought against any person who furnishes or concurs in the
furnishing of the document.
(5) The controller or processor concerned shall inform the Commission of any
documents, records, statements or other information withheld by it under subsection
(4)(a).
(6) A controller or processor that without reasonable excuse fails to comply with a
requirement specified in an information notice or that, in purported compliance with
such a requirement, gives to the Commission or an authorised officer information
which the controller or processor knows to be false or misleading in a material
respect, shall be guilty of an offence and shall be liable—
(a) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months, or both, or
(b) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment
for a term not exceeding 5 years, or both.
(7) (a) An information notice may be cancelled—
(i) where it has been issued by the Commission, by the Commission, and
(ii) where it has been issued by an authorised officer, by the Commission or that
authorised officer.
(b) A person who cancels an information notice under paragraph (a) shall notify in
writing the controller or processor on which the notice was served.
Enforcement notice
128. (1) In this Part, “enforcement notice” means a notice in writing served in accordance with
subsection (5), subsection (6) or section 104(5)(d), 110(2), 117(4)(d) or 122(2), on a
controller or processor, requiring the controller or processor to take such steps as are
specified in the notice, within such time as may be so specified.
(2) Notwithstanding anything contained in Chapter 2, the Commission or an authorised
officer, where of the opinion that a controller or processor has contravened or is
contravening a relevant enactment, may serve on the controller or processor an
enforcement notice requiring the controller or processor to take one or more than one
of the steps specified in section 104(5)(d).
(3) Notwithstanding anything contained in Chapter 3, the Commission or an authorised
officer, where of the opinion that a controller or processor has contravened or is
contravening a relevant provision, may serve on the controller or processor an
enforcement notice requiring the controller or processor to take one or more than one
of the steps specified in section 117(4)(d).
(4) An enforcement notice shall include a statement informing the controller or processor
concerned of its entitlement under section 145(1) to appeal against a requirement
specified in the notice.
(5) Where an enforcement notice is served under section 104(5)(d), 117(4)(d), subsection
(2) or subsection (3)—
(a) the notice shall specify the relevant enactment or relevant provision, as
applicable, that in the opinion of the Commission or, where applicable,
authorised officer, has been or is being contravened and the reasons for having
formed that opinion, and
(b) subject to subsection (6)—
(i) the period, referred to in subsection (1), specified in an enforcement notice
shall be not less than 28 days from the date on which the notice is served,
and
(ii) if an appeal is brought under section 145(1) against a requirement specified
in the notice, the requirement need not be complied with and, pending the
determination or withdrawal of the appeal, subsections (9) and (10) shall not
apply in relation to the requirement.
(6) Where the Commission or authorised officer—
(a) by reason of special circumstances, is of the opinion that a requirement specified
in an enforcement notice referred to in subsection (5) should be complied with
urgently, and
(b) includes a statement to that effect in the enforcement notice,
subsection (5)(b) shall not apply in relation to the notice, but the notice—
(i) shall include a statement of the effect of subsections (3) and (4) of section
145, and
(ii) shall not require compliance with the requirement before the end of the
period of 7 days beginning on the date on which the notice is served.
(7) (a) Subject to paragraph (b), a controller or processor, having complied with an
enforcement notice, shall, as soon as may be and in any event not more than 28
days after such compliance, notify the following of the steps taken to comply
with the enforcement notice:
(i) the Commission or the authorised officer concerned;
(ii) any data subject concerned.
(b) Where the compliance with an enforcement notice has involved the rectification
or erasure of personal data or the restriction of processing, the controller and
processor shall, in complying with paragraph (a), in addition—
(i) notify any recipient to whom the data have been disclosed, or
(ii) where compliance with subparagraph (i) proves impossible or involves a
disproportionate effort, and where the data subject so requests, notify the
data subject of the recipients or the categories of recipients.
(8) (a) An enforcement notice may be cancelled—
(i) where it has been issued by the Commission, by the Commission, and
(ii) where it has been issued by an authorised officer, by the Commission or that
authorised officer.
(b) A person who cancels an enforcement notice under paragraph (a) shall notify in
writing the controller or processor on which the notice was served.
(9) (a) The Commission may, subject to Chapter 6, decide to impose an administrative
fine on a controller or processor that, without reasonable excuse, fails to comply
with a requirement specified in an enforcement notice served on the controller or
processor under section 104(5)(d), 110(2) or subsection (2).
(b) The Commission, as soon as practicable after making its decision under
paragraph (a), shall give the controller or processor concerned a notice in writing
informing it of the decision.
(10) Subject to subsection (11), a controller or processor that, without reasonable excuse,
fails to comply with—
(a) a requirement specified in an enforcement notice, or
(b) subsection (7),
shall be guilty of an offence and shall be liable—
(i) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months, or both, or
(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment
for a term not exceeding 5 years, or both.
(11) Subsection (10)(a) shall not apply to a controller or processor on which, in respect of
the failure concerned, an administrative fine has been imposed under subsection (9).
Application to the High Court for suspension or restriction of processing of data
129. (1) Without prejudice to Articles 58(2) and 66 of the Data Protection Regulation and
subsection (4), the Commission, where it considers that there is an urgent need to act
in order to protect the rights and freedoms of data subjects under a relevant
enactment, until steps or further steps are taken under the relevant enactment, may, on
notice to the controller or processor concerned, make an application in a summary
manner to the High Court for an order under subsection (2).
(2) The High Court may determine an application under subsection (1) by—
(a) making any order that it considers appropriate, including an order suspending,
restricting or prohibiting—
(i) the processing by the controller or processor of the personal data concerned,
or
(ii) the transfer by the controller or processor of such data to a recipient in a
third country or to an international organisation,
for such period, or until the occurrence of such event, as is specified in the order,
and
(b) giving to the Commission any other direction that the High Court considers
appropriate.
(3) The Commission shall, on complying with a direction of the High Court under
subsection (2)(b), give notice in writing to the controller or processor concerned of
the Commission’s compliance with the direction.
(4) Where the Commission considers that the immediate suspension, restriction or
prohibition of the processing of personal data or the transfer of such data to a
recipient in a third country or to an international organisation is necessary in order to
protect the rights and freedoms of data subjects under a relevant enactment, it may
apply in a summary manner ex parte to the High Court for an interim order under
subsection (6).
(5) An application under subsection (4) shall be grounded on an affidavit sworn by or on
behalf of the Commission.
(6) (a) The High Court may, on an application under subsection (4), where, having
regard to the circumstances of the case, the Court considers it necessary to do so
for the protection of the rights and freedoms of data subjects, make an interim
order suspending, restricting or prohibiting—
(i) the processing by the controller or processor of the personal data concerned,
or
(ii) the transfer by the controller or processor of such data to a recipient in a
third country or to an international organisation.
(b) Without prejudice to subsection (7), where an interim order is made under this
subsection, the Commission shall, as soon as is practicable, serve a copy of the
order and of the affidavit referred to in subsection (5) on the controller or
processor concerned.
(c) An interim order under this subsection shall have effect for such period, not
exceeding 7 working days, as is specified in the order, and shall cease to have
effect on the determination by the High Court of an application under subsection
(1).
(7) (a) An interim order under subsection (6) shall take effect on notification of its
making being given to the controller or processor.
(b) Oral communication to the controller or processor by or on behalf of the
Commission of the fact that an interim order has been made, together with
production of a copy of such order, shall, without prejudice to any other form of
notification, be taken to be sufficient notification to the controller or processor
concerned of the making of the order.
(8) The Commission shall communicate the details of an order made by the High Court
under this section to the—
(a) European Commission,
(b) European Data Protection Board, and
(c) other supervisory authorities concerned.
Power to require report
130. (1) The Commission may, for the purposes of proper and effective monitoring of the
application of a relevant enactment, and having regard to the matters set out in
subsection (3), by notice in writing given to a controller or processor, require the
controller or processor to provide to the Commission, in accordance with such notice,
a report on any matter specified in the notice about which the Commission has
required or could require the provision of information, or the production of any
statement, record or document under any provision of a relevant enactment.
(2) A notice under subsection (1) shall be in writing and shall state—
(a) the date on which the notice is given,
(b) the period within which the controller or processor shall nominate a person to the
Commission for approval under subsection (4),
(c) the purpose, scope and form of the report,
(d) the matters required to be reported on,
(e) the timetable for completion of the report,
(f) whether the report is to include recommendations in relation to the improved
compliance by the controller or processor with a relevant enactment,
(g) where appropriate, the methodology to be used in preparation of the report, and
(h) such other matters relating to the report as the Commission considers appropriate.
(3) Before giving a notice under this section, the Commission, taking account of the
purpose for which the report is required, shall have regard to at least the following
matters—
(a) whether any other powers that may be exercised by the Commission may be more
appropriate in the circumstances concerned,
(b) the relevant knowledge and expertise available to the controller or processor, and
(c) the level of resources available to the controller or processor and the likely
benefit to the controller or processor of providing the report.
(4) A report required to be provided to the Commission under this section shall be
prepared by a person (referred to as the “reviewer”)—
(a) nominated by the controller or processor, within such period as is specified in the
notice given under subsection (1), and approved by the Commission, or
(b) nominated by the Commission, where—
(i) no person is nominated by the controller or processor within the period
specified in the notice under subsection (1), or
(ii) the Commission is not satisfied with the person so nominated.
(5) When considering whether to approve a nomination under subsection (4)(a) or make a
nomination under subsection (4)(b), the Commission shall have regard to the
circumstances giving rise to the requirement for a report and whether the person it
proposes to so approve or nominate as reviewer appears to have—
(a) the competence and expertise necessary to prepare the report,
(b) the ability to complete the report within the period specified by the Commission
in the notice given under subsection (1),
(c) any relevant specialised knowledge, including specialised knowledge of the data
processing activities carried on by the controller or processor and the matters to
be reported on,
(d) any potential conflict of interest in reviewing the matters to be reported on,
(e) sufficient detachment, having regard to any existing professional or commercial
relationship, to give an objective opinion, and
(f) any previous experience in preparing reports under this section or reports of a
similar nature.
(6) Where the Commission approves a nomination under subsection (4)(a) or makes a
nomination under subsection (4)(b), it shall notify the controller or processor, in
writing, accordingly.
(7) Where the nomination of a reviewer is approved or made by the Commission under
subsection (4), the controller or processor shall enter into a contract with the reviewer.
(8) It shall be a term of the contract referred to in subsection (7)—
(a) that the reviewer is required to prepare for the controller or processor a report in
accordance with the notice given under subsection (1),
(b) that the reviewer is required and permitted to provide to the Commission the
following where the Commission so requests:
(i) periodic updates on progress and issues arising;
(ii) interim reports; and
(iii) copies of any draft reports given to the controller or processor,
and
(c) that the contract is governed by the law of the State.
(9) If the Commission considers it appropriate, it may request the controller or processor
to provide the Commission with a copy of the draft contract before it is made and the
Commission may require such modifications to the draft contract as it considers
appropriate.
(10) The costs of and incidental to the preparation of a report under this section shall be
borne by the controller or processor.
(11) A controller or processor shall give all such assistance to a reviewer as he or she may
reasonably require for the purposes of the preparation of a report under this section.
(12) A reviewer shall, where requested by the Commission, in such form and within such
period as the Commission may specify, provide an explanation of all or any part of a
report under this section or the recommendations, if any, made in the report, or of
such other matters relating to the report as the Commission considers appropriate.
(13) The Commission shall not be bound by the content of a report under this section and
such a report shall not be taken to be a decision or opinion of the Commission for any
purpose.
(14) The Commission shall not be liable for any acts or omissions of a reviewer or
controller or processor relating to a report under this section.
(15) A person who—
(a) obstructs or impedes a reviewer in the preparation of a report under this section,
(b) in relation to the preparation of a report under this section, gives information to a
reviewer that the person knows to be false or misleading in a material respect, or
(c) is a reviewer and in relation to the preparation of a report under this section gives
information to the Commission which the reviewer knows to be false or
misleading in a material respect,
shall be guilty of an offence and shall be liable—
(i) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months, or both, or
(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment
for a term not exceeding 5 years, or both.
Data Protection Audit
131. (1) The Commission may carry out or cause to be carried out such examination in the
form of an audit as it considers appropriate in order to determine whether the
practices and procedures of a controller to which, or a processor to whom, Part 5
applies are in compliance with that Part and regulations made under it.
(2) The Commission may, for the purposes of an audit under subsection (1) or a data
protection audit, require the controller or processor concerned to produce any
documents, records, statements or other information within that person’s possession
or control, or within that person’s procurement, that are relevant to or required for the
conduct of the audit.
(3) Before commencing an audit under subsection (1), or a data protection audit, the
Commission shall give the controller or processor concerned notice of its proposal to
conduct such an audit, which notice shall—
(a) specify the matters to which the proposed audit will relate, and
(b) specify the date, which shall be not earlier than 7 days from the date on which the
notice is given on which the audit will be commenced.
(4) In this section, “data protection audit” means a data protection audit conducted for the
purpose of Article 58(1)(b) of the Data Protection Regulation.
CHAPTER 5
Investigations
Investigations
132. (1) The Commission may, for the purposes of an inquiry referred to in section 105(1) or
118(1), cause such investigation as it thinks fit to be carried out.
(2) The Commission may, for the purposes of subsection (1), direct one or more
authorised officers—
(a) to carry out the investigation, and
(b) to submit to the Commission an investigation report following the completion of
the investigation.
(3) The Commission may define the scope and terms of the investigation to be carried
out, whether as respects the matters or the period to which it is to extend or otherwise,
and may, in particular, limit the investigation to matters connected with particular
circumstances.
(4) Where more than one authorised officer has been directed to carry out an
investigation, the investigation report shall be prepared jointly by the authorised
officers so directed and this section and sections 133 to 135 shall, with all necessary
modifications, be construed accordingly.
(5) As soon as is practicable after being appointed to carry out an investigation, the
authorised officer shall—
(a) give the controller or processor concerned notice in writing—
(i) where the examination concerned is being carried out in respect of a
complaint within the meaning of Chapter 2 or 3, setting out the particulars of
the complaint concerned, or
(ii) where the examination is being carried out of the Commission’s own
volition, setting out the matters to which the investigation relates,
and
(b) afford to the controller or processor an opportunity to respond to the notice under
paragraph (a) within 7 days from the date on which the notice was given (or such
further period not exceeding 28 days as the authorised officer allows).
Conduct of investigation under section 132
133. (1) An authorised officer who has been directed under section 132(2) to carry out an
investigation may, for the purposes of the investigation—
(a) require a person, being a controller or processor, or an employee or agent of such
controller or processor, who, in the authorised officer’s opinion—
(i) possesses information that is relevant to the investigation, or
(ii) has any record or document within the person’s possession or control or
within the person’s procurement that are relevant to the investigation,
to provide that record or document, as the case may be, to the authorised officer,
and
(b) where the authorised officer thinks fit, require that person to attend before him or
her for the purpose of so providing that information, record or document, as the
case may be,
and the person shall comply with the requirement.
(2) A requirement under subsection (1) shall specify—
(a) a period within which, or a date and time on which, the person the subject of the
requirement is to comply with the requirement, and
(b) as the authorised officer concerned thinks fit—
(i) the place at which the person shall attend to give the information concerned
or to which the person shall deliver the record or document concerned, or
(ii) the place to which the person shall send the information, record or document
concerned.
(3) A person required to attend before an authorised officer under subsection (2)—
(a) is also required to answer fully and truthfully any question put by the authorised
officer, and
(b) if so required by the authorised officer, shall answer any such question under
oath.
(4) Where it appears to an authorised officer that a person has failed or is failing to
comply or fully comply with a requirement under subsection (2) or (3), the authorised
officer may, on notice to the person and with the consent of the Commission, apply in
a summary manner to the Circuit Court for an order under subsection (5).
(5) The Circuit Court, on hearing an application under subsection (4), where satisfied that
the person concerned has failed or is failing to comply or fully comply with the
requirement concerned, may—
(a) make an order requiring the person, within such period as the Court may specify,
to comply or fully comply, as the case may be, with the requirement, or
(b) substitute a different requirement for the requirement concerned.
(6) The administration of an oath referred to in subsection (3)(b) by an authorised officer
is hereby authorised.
(7) A person the subject of a requirement under subsection (1) or (3) shall be entitled to
the same immunities and privileges in respect of compliance with such requirement as
if the person were a witness before the High Court.
(8) Any statement or admission made by a person pursuant to a requirement under
subsection (1) or (3) shall not be admissible in evidence in proceedings for an offence
(other than an offence under subsection (12)) brought against the person, and this
shall be explained to the person in ordinary language by the authorised officer
concerned.
(9) Nothing in this section shall be taken to compel the production by any person of
statements, records or other documents or other information which would be exempt
from production in proceedings in a court on the ground of legal professional
privilege.
(10) For the purposes of an investigation, an authorised officer may, if he or she thinks it
proper to do so, of his or her own volition conduct an oral hearing.
(11) Schedule 3 shall have effect for the purposes of an oral hearing referred to in
subsection (10).
(12) Subject to subsection (9), a person who—
(a) withholds, destroys, conceals or refuses to provide any information or statements,
records or other documents required for the purposes of an investigation,
(b) fails or refuses to comply with any requirement of an authorised officer under this
section,
(c) in purported compliance with a requirement under this section, gives to an
authorised officer information, documents or records which the person knows to
be false or misleading in a material respect, or
(d) otherwise obstructs or hinders an authorised officer in the performance of
functions under this Act,
shall be guilty of an offence and shall be liable—
(i) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months or both, or
(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment
for a term not exceeding 5 years, or both.
(13) In this section, a reference to a document or record includes a reference to copies of
such document or record.
(14) The powers conferred under this section on an authorised officer to whom subsection
(1) applies are in addition to the powers conferred on such an authorised officer under
Chapter 4.
Investigation report
134. (1) Where an authorised officer has completed an investigation, he or she shall, as soon
as is practicable after having considered, in so far as they are relevant to the
investigation—
(a) any information, records or other documents provided to him or her,
(b) any statement or admission made by any person,
(c) any submissions made, and
(d) any evidence presented (whether at an oral hearing or otherwise),
prepare a draft, in writing, of the investigation report (“draft investigation report”) and
give, or cause to be given, to the controller or processor to which the investigation
relates—
(i) a copy of the draft investigation report, and
(ii) a notice in writing stating that the controller or processor concerned may, not
later than 28 days from the date on which the notice was served on it (or such
further period not exceeding 28 days as the authorised officer allows), make
submissions in writing to the authorised officer on the content of the draft
investigation report.
(2) An authorised officer shall—
(a) as soon as is practicable after the expiration of the period referred to in
subparagraph (ii) of subsection (1), and
(b) having—
(i) considered the submissions (if any) made in accordance with subsection (1)
(ii), and
(ii) made any revisions to the draft investigation report which, in the opinion of
the authorised officer, are warranted following such consideration,
prepare the investigation report and submit it to the Commission with any such
submissions annexed to it.
(3) An investigation report and a draft investigation report under this section shall be in
writing and shall state—
(a) whether the authorised officer—
(i) is satisfied that an infringement of a relevant provision or, as the case may
be, a relevant enactment by the controller or processor to which the
investigation relates has occurred or is occurring, or
(ii) is not so satisfied,
(b) where paragraph (a)(i) applies, the grounds on which the authorised officer is so
satisfied, and
(c) where paragraph (a)(ii) applies—
(i) the basis on which the authorised officer is not so satisfied, and
(ii) the authorised officer’s opinion, in view of such basis, on whether or not a
further investigation of the controller or processor is warranted and, if
warranted, the authorised officer’s opinion on the principal matters to which
the further investigation should relate.
(4) Where an investigation report or a draft investigation report contains a statement
referred to in subsection (3)(a)(i), the authorised officer shall not make any
recommendation, or express any opinion, in such report as to the corrective power
under Chapter 2 or 3, as applicable, that he or she considers ought to be exercised in
respect of the controller or processor in respect of such infringement in the event that
the Commission is also satisfied that an infringement has occurred or is occurring.
Commission to consider investigation report
135. (1) The Commission, on receipt under section 134(2) of an investigation report, shall, for
the purposes of the inquiry concerned, consider the report and any submissions
annexed to it.
(2) Where the Commission, in considering the documents referred to in subsection (1),
forms the view that further information is required for the purpose of enabling it to
make a decision under section 106, 107, 119 or 120, or a draft decision under section
108, as the case may be, it may, as it considers appropriate, do one or more than one
of the following:
(a) conduct an oral hearing;
(b) give the controller or processor to which the investigation concerned relates—
(i) a copy of the investigation report, and
(ii) a notice in writing stating that the controller or processor concerned may,
within 21 days from the date on which the notice was served on it (or such
further period not exceeding 21 days as the Commission allows), make
submissions in writing to the Commission in relation to such matters as the
Commission may specify in the notice;
or
(c) direct an authorised officer to conduct such further investigation into such
matters as the Commission considers necessary having regard to the investigation
report and submissions (if any) annexed to it.
(3) Schedule 3 shall, with any necessary modification, have effect for the purposes of an
oral hearing referred to in subsection (2)(a).
(4) Sections 133 and 134 and this section shall apply to a further investigation conducted
in compliance with a direction under subsection (2)(c), as if the reference to an
authorised officer in those sections was a reference to an authorised officer directed
under subsection (2)(c) to conduct the further investigation.
CHAPTER 8
Miscellaneous
General provisions relating to complaints
143. (1) Subject to subsection (2), sections 103 and 116 shall cease to apply where the
complaint concerned is withdrawn, or deemed to have been withdrawn, by the data
subject concerned, or on behalf of the data subject by a body mandated by the data
subject in accordance with Article 80(1) of the Data Protection Regulation or section
115, as the case may be.
(2) Where subsection (1) applies, nothing in that subsection shall be construed as
preventing the Commission, where it is satisfied that there is good and sufficient
reason for so doing, from proceeding or, as the case may be, continuing to examine, in
accordance with Chapter 2 or 3, as applicable, the subject matter of the complaint.
(3) Where it has reasonable doubts concerning the identity of a complainant, the
Commission may request from the complainant or, where applicable, the supervisory
authority with which the complaint was lodged, such additional information as is
necessary to confirm such identity.
Publication of convictions, sanctions, etc.
144. (1) The Commission shall publish particulars of any—
(a) conviction of a person for a contravention of this Act,
(b) exercise by it of its power—
(i) to impose an administrative fine, or
(ii) to order the suspension of data transfers to a recipient in a third country or to
an international organisation, under Article 58(2)(j),
or
(c) order of the Court under section 129.
(2) The publication under subsection (1) of the particulars referred to in that subsection
shall be in such form and manner and in respect of such period as the Commission
thinks fit.
(3) The Commission may publish particulars, in such form and manner and in respect of
such period as it thinks fit, of the exercise by it of its corrective powers under Article
58(2) (other than those referred to in subsection (1)) or section 122.
(4) Subject to subsection (5), the Commission may, if it considers it in the public interest
to do so, publish particulars of any report under section 130, report by the
Commission of any investigation or audit carried out, or other function performed, by
it under the Data Protection Regulation or this Act, or any matter relating to or arising
in the course of such an investigation, audit or performance.
(5) The Commission shall ensure that the publication under subsection (4) of information
referred to in that subsection is done in such a manner that commercially sensitive
information relating to a person is not disclosed.
(6) The publication by the Commission of particulars of any report or matters referred to
in subsection (3) or (4) and any other report of the Commission shall, for the purposes
of the law of defamation, be absolutely privileged.
(7) In this section, “commercially sensitive information” means—
(a) financial, commercial, scientific, technical or other information the disclosure of
which could reasonably be expected to result in a material financial loss or gain
to the person to whom it relates, or could prejudice the competitive position of
that person in the conduct of his or her business or otherwise in his or her
occupation, or
(b) information the disclosure of which could prejudice the conduct or outcome of
contractual or other negotiations of the person to whom it relates.
Right to effective judicial remedy (Part 6)
145. (1) A controller or processor on which an information notice or enforcement notice or a
notice under section 130(1) is served may, within 28 days from the date on which the
notice is served, appeal against a requirement specified in the notice.
(2) The court, on hearing an appeal under subsection (1), shall—
(a) annul the requirement concerned,
(b) substitute a different requirement for the requirement concerned, or
(c) dismiss the appeal.
(3) This subsection applies to an appeal brought under subsection (1)—
(a) against a requirement specified in an information notice to which section 127(3)
applies, or an enforcement notice to which section 128(6) applies, and
(b) that is brought within the period specified in the notice concerned.
(4) Notwithstanding any provision of this Act, the court, on hearing an appeal to which
subsection (3) applies, may on application to it in that behalf, determine that noncompliance
by the controller or processor concerned with a requirement specified in
the notice, during the period ending with the determination or withdrawal of the
appeal or during such other period as the court may determine, shall not constitute an
offence.
(5) A data subject or other person affected by a legally binding decision of the
Commission under Chapter 2 or 3 may, within 28 days from the date on which notice
of the decision is received by him or her, appeal against the decision.
(6) The court, on hearing an appeal under subsection (5), shall—
(a) annul the decision concerned,
(b) substitute its own determination for the decision, or
(c) dismiss the appeal.
(7) Where the Commission, being the competent supervisory authority in respect of a
complaint within the meaning of Chapter 2 or 3, does not comply with section 103(2)
or, as the case may be, section 116(2), the complainant concerned may apply to the
court for an order under subsection (8)(a).
(8) The court, on hearing an application under subsection (7), shall—
(a) order the Commission to comply with the provision concerned, or
(b) dismiss the application.
(9) The Circuit Court shall, concurrently with the High Court, have jurisdiction to hear
and determine proceedings under this section.
(10) The jurisdiction conferred on the Circuit Court by this section shall be exercised by
the judge for the time being assigned to the circuit where—
(a) in the case of an appeal under subsection (1), the controller or processor is
established,
(b) in the case of an appeal under subsection (5), the data subject or other person
resides or is established, or
(c) in the case of an application under subsection (7), the data subject resides,
or, at the option of the controller, processor, data subject or person concerned, by a
judge of the Circuit Court for the time being assigned to the Dublin circuit.
(11) A decision of the Circuit Court or High Court, as the case may be, under this section
shall be final save that, by leave of that Court, an appeal shall lie to the High Court or
Court of Appeal, as the case may be, on a point of law.
(12) For the purposes of this section, a “legally binding decision” means a decision—
(a) under paragraph (a) or (b) of section 104(5) or paragraph (a) or (b) of section
117(4),
(b) under section 106(1)(a), 107(1), 108(2)(b), 109, 119(1)(a) or 120(1), or
(c) to exercise a corrective power under Chapter 2 or 3.
Privileged legal material
146. (1) Where a controller or processor, when requested under this Part to produce
information, or provide access to it, refuses to do so on the grounds that the
information contains privileged legal material, the Commission or an authorised
officer may, at any time within 28 days or such longer period as the High Court may
allow of the date of such refusal, apply to the High Court for a determination as to
whether the information, or any part of the information, is privileged legal material
where—
(a) in relation to the information concerned—
(i) the Commission or authorised officer has reasonable grounds for believing
that it is not privileged legal material, or
(ii) due to the manner or extent to which such information is presented together
with any other information, it is impossible or impractical to extract only
such information,
and
(b) the Commission or authorised officer has reasonable grounds to suspect that the
information contains evidence relating to an infringement of a relevant enactment
or a relevant provision.
(2) A controller or processor referred to in subsection (1) who refuses to produce
information or provide access to it on the grounds that the information contains
privileged legal material shall preserve the information and keep it in a safe and
secure place and manner pending the determination of an application under
subsection (1) and shall, if the information is so determined not to be privileged legal
material, produce it in accordance with such order as the High Court considers
appropriate.
(3) A person shall be considered to have complied with the requirement under subsection
(2) to preserve information where the person has complied with such requirements as
may be imposed by an authorised officer under paragraph (d) of section 125(1).
(4) Where an application is made by the Commission or an authorised officer under
subsection (1), the High Court may give such interim or interlocutory directions as it
considers appropriate including, without prejudice to the generality of the foregoing,
directions as to the appointment of a person with suitable legal qualifications
possessing the level of experience and independence from any interest falling to be
determined between the parties concerned, that the Court considers to be appropriate
for the purpose of—
(a) examining the information, and
(b) preparing a report for the Court with a view to assisting or facilitating the Court
in the making of its determination as to whether the information is privileged
legal material.
(5) An application under subsection (1) shall be by motion and may, if so directed, be
heard otherwise than in public.
Presumptions
147. (1) The presumptions specified in this section shall apply in any proceedings under the
Data Protection Regulation or this Act.
(2) Where a document purports to have been created by a person it shall be presumed,
unless the contrary is shown, that the document was created by that person and that
any statement or record contained in it, unless the document expressly attributes its
making to some other person, was made by that person.
(3) Where a document purports to have been created by a person and addressed and sent
to a second person, it shall be presumed, unless the contrary is shown, that the
document or record was created and sent by the first person and received by the
second person, and that any statement or record contained in it—
(a) unless the document or record expressly attributes its making to some other
person, was made by the first person, and
(b) came to the notice of the second person.
1(4) Where a document or record is retrieved from an electronic storage and retrieval
system, it shall be presumed, unless the contrary is shown, that the author of the
document is the person who ordinarily uses that electronic storage and retrieval
system in the course of his or her business.
(5) Where an authorised officer who, in the exercise of his or her powers, has removed
one or more documents or records from any premises or place, gives evidence in any
proceedings that, to the best of his or her knowledge and belief, the material is the
property of any person, then the material shall be presumed, unless the contrary is
shown, to be the property of that person.
(6) Where, in accordance with subsection (5), material is presumed in proceedings to be
the property of a person and the authorised officer concerned gives evidence that, to
the best of his or her knowledge and belief, the material is material which relates to
any trade, profession, or, as the case may be, other activity, carried on by that person,
the material shall be presumed, unless the contrary is proved, to be material which
relates to that trade, profession, or, as the case may be, other activity, carried on by
that person.
(7) References in this section to a document or record are references to a document or
record in written or electronic form and, for this purpose “written” includes any form
of notation or code whether by hand or otherwise and regardless of the method by
which, or medium in or on which, the document or record concerned is recorded.
Expert evidence
148. (1) In any proceedings under the Data Protection Regulation or this Act, the opinion of
any witness who appears to possess the appropriate qualifications or experience as
respects the matter to which his or her evidence relates shall, subject to subsection (2),
be admissible in evidence as regards any matter calling for expertise or special
knowledge that is relevant to the proceedings and, in particular and without prejudice
to the generality of the foregoing, the following matters, namely—
(a) the effects that types of data processing such as profiling may have, or have had,
on the protection of personal data,
(b) an explanation of any relevant practices or the application of such practice, where
such an explanation would assist the proceedings.
(2) Notwithstanding subsection (1), a court may, where in its opinion the interests of
justice require it to so direct in the proceedings concerned, direct that evidence of a
general or specific kind referred to in that subsection shall not be admissible in
proceedings or shall be admissible in such proceedings for specified purposes only.
Immunity from suit
149. Civil or criminal proceedings shall not lie in any court against the Commission, a
Commissioner, an authorised officer or a member of the staff of the Commission in
respect of anything said or done in good faith by the Commission, Commissioner,
authorised officer or member of staff in the course of the performance or purported
performance of a function of the Commission, Commissioner, authorised officer or
member of staff.
Jurisdiction of Circuit Court
150. An application under section 133(4), 137(1) or 138(1) shall be made to a judge of that
Court for the circuit in which the person to whom the application relates ordinarily
resides or, if a controller or processor, has an establishment or, at the option of the
person, by a judge of the Circuit Court for the time being assigned to the Dublin circuit.
Hearing of proceedings
151. The whole or any part of any proceedings under this Part may, at the discretion of the
court, be heard otherwise than in public.
PART 7
MISCELLANEOUS PROVISIONS
Supervisory authority for courts acting in judicial capacity
152. (1) The judge (“assigned judge”) for the time being assigned for that purpose by the
Chief Justice shall be competent for supervision of data processing operations of the
courts when acting in their judicial capacity.
(2) The assigned judge shall, in particular—
(a) promote awareness of data protection rules among judges and ensure compliance
with them,
(b) handle, and investigate to the extent appropriate, complaints in relation to data
processing operations of the courts when acting in their judicial capacity.
(3) The scope of rights and obligations provided for in—
(a) Articles 12 to 22 and 34 (as well as Article 5 in so far as its provisions correspond
to the rights and obligations provided for in Articles 12 to 22),
(b) sections 81, 85, 86, 87 and 88 and section 65, insofar as it relates to those
sections,
may be restricted, to the extent necessary and proportionate in a democratic society, in
order to safeguard—
(i) the protection of judicial independence and court proceedings, and
(ii) the establishment, exercise or defence of legal claims.
(4) The restrictions referred to in subsection (3) shall be determined by a panel of three
judges nominated for that purpose by the Chief Justice.
(5) The panel referred to in subsection (4) shall publish the restrictions determined by it
under that subsection in such manner as it considers appropriate.
Publication of judgment or decision of court
153. The processing of personal data shall be lawful where that processing—
(a) consists of the publication of a judgment or decision of a court, or
(b) is necessary for the purposes of such publication.
Rules of court for data protection actions
154. (1) It shall be the function of the courts in data protection actions to ensure that parties to
such actions comply with such rules of court as apply in relation to such actions so
that the trial of data protection actions within a reasonable period of their having been
commenced is secured.
(2) Where rules of court prescribe a period of time for the service of a document, or the
doing of any other thing, in relation to a data protection action, the period within
which that document may be served or thing may be done, shall not be extended
beyond the period so prescribed unless—
(a) the parties to the action agree to the period being extended, or
(b) the court considers that—
(i) in all the circumstances the extension of the period by such further period as
it may direct is necessary or expedient to enable the action to be properly
prosecuted or defended, and
(ii) the interests of justice require the extension of the period by that further
period.
(3) For the purposes of ensuring compliance by a party to a data protection action with
rules of court, a court may make such orders as to the payment of costs as it considers
appropriate.
(4) Nothing in this section shall be construed as limiting or reducing the power of an
authority, having (for the time being) power to make rules regulating the practice and
procedure of a court, to—
(a) make such rules in relation to data protection actions provided such rules do not
derogate from, and are not inconsistent with, any provision of the Data Protection
Regulation or this Act, or
(b) make such rules in relation to proceedings or actions other than data protection
actions.
(5) In this section, “data protection action” means a data protection action under section
112 or section 123.
(6) In subsections (1) and (2), a reference to the courts or the court includes a reference to
the Master of the High Court and a county registrar.
Legal privilege
155. The rights and obligations provided for in—
(a) Articles 12 to 22 and 34 of the Data Protection Regulation (as well as Article 5 in
so far as its provisions correspond to the rights and obligations provided for in
Articles 12 to 22), and
(b) sections 81, 85, 86, 87 and 88 and section 65, insofar as it relates to those
sections,
do not apply—
(i) to personal data processed for the purpose of seeking, receiving or giving legal
advice,
(ii) to personal data in respect of which a claim of privilege could be made for the
purpose of or in the course of legal proceedings, including personal data
consisting of communications between a client and his or her legal advisers or
between those advisers,
(iii) where the exercise of such rights or performance of such obligations would
constitute a contempt of court.
Application to High Court concerning appropriate safeguards
156. (1) The Commission, where it considers that a place to which personal data are to be
transferred does not ensure an adequate level of protection, may apply to the High
Court for a determination as to whether the level of protection ensured by the place is
adequate.
(2) An application under subsection (1) may be made notwithstanding that the place
concerned is the subject of an implementing act pursuant to Article 45(3) of the Data
Protection Regulation or, as the case may be, Article 36(3) of the Directive.
(3) The Commission, where it considers that a standard data protection clause does not
provide for appropriate safeguards, may apply to the High Court for a determination
as to whether the standard data protection clause provides for appropriate safeguards.
(4) For the purposes of this section, the adequacy of the level of protection referred to in
subsection (1) shall be assessed in accordance with, as the case may be, Article 45(2)
of the Regulation or Article 36(2) of the Directive.
(5) In this section—
“place” means a third country, a territory or one or more specified sectors within a
third country, or an international organisation;
“standard data protection clause” means a standard data protection clause to which
point (c) or (d) of Article 46(1) of the Data Protection Regulation applies.
Court may order destruction, erasure of data
157. (1) Where a person is convicted of an offence under this Act, the court may order any
personal data that appears to the court to be connected with the commission of the
offence to be destroyed or erased.
(2) The court shall not make an order under subsection (1) where it considers that a
person other than the person convicted of the offence concerned may be the owner of,
or otherwise interested in, the data concerned, unless such steps as are reasonably
practicable have been taken for notifying that person and giving him or her an
opportunity to show cause why the order should not be made.