Data Protection Commissioner Office
The Data Protection Commissioner was the independent body established under and which enforced the Data Protection Act 1988 -2003. The earlier EU Directives on Data Protection (also) required that there must be an independent body with the necessary means to perform its duties.
The Commissioner was appointed for a five-year term and could be re-appointed. He could be e removed during his term, only if he had become incapable, through ill-health from effectively performing his functions or had committed stated misbehaviour. The Data Protection Commissioner could not be a member of the Oireachtas or European Parliament. He could not hold other office or employment.
The EU Directive required that the Commissioner should have effective powers of intervention, such as
- power to deliver opinions before processing operations are carried out;
- power to ensure appropriate publication of such opinions;
- power to order the blocking, erasure or destruction of data;
- power to impose a temporary or definitive ban on processing;
- power to warn or admonish the data controller
- power to refer the matter to the Parliament or other political institutions;
- power to engage in legal proceedings where the national provisions adopted by the Directive have been violated.
The commencement of the GDPR increased the volume of supervisory, investigative and enforcement work. The GDPR provides for higher standards of data protection for individuals and imposes increased obligations on bodies in the public and private sectors that process personal data. It also increases the range of possible sanctions for infringements of these standards and obligations.
The GDPR made renewed, and further requirements of EU member states in relation to their Data Protection supervisory authorities. The General Data Protection Directive and the Data Protection Act 2018 conferred a range of additional tasks and powers, including investigative, corrective, authorisation and advisory powers, on supervisory authorities.
The number of cross-border cases arising was believed likely to increase after entry into force of the GDPR because of the presence of a significant number of multinational companies providing their digital services to data subjects across the EU from Ireland.
It was in this context that the Data Protection Commission was established by the 2018 Act with at least one but not more than 3 Commissioners.
GDPR Requirements for National Supervisory Authorities I
Every Member State of the EU must establish an independent public authority as the supervisory authority for the purpose of the General Data Protection Regulation. The supervisory authorities are to contribute to the consistent application of the GDPR throughout the EU. The role is performed in Ireland by the Data Protection Commission.
The supervisory authority must be independent in performing its functions. It must be free from any direct or indirect influence and neither seek nor take instructions from anybody. Members of the authority must refrain from any action incompatible with their duties.
Every State must ensure that the supervisory authority is provided with the human, technical and financial resources, premises and infrastructure for the effective performance of its duties and the exercise of its powers, including cooperation with the EU authorities.
Each authority must draw up an annual report, which may include a list of types of infringements notified and measures taken. They must be transmitted to the national parliament, government and other bodies designated by law. They must be available to the public, Commission and the EU Board.
GDPR Requirements for National Supervisory Authorities II
States must provide for appointments to the authority by a transparent procedure by governmental bodies or an independent body entrusted by law with this function. Members are to have the qualifications, experience and skills, in particular in the area of data protection, required to perform their duties.
Members may be dismissed only in the case of serious misconduct or if they fail to fulfil a condition associated with their duties. The duration of the term of members must be at least four years. Provision may be made for reappointment.
Members and staff of the authority are to be subject to duties of professional secrecy both before and after office, with regard to any confidential information which has come to their attention.The supervisory authorities are to be competent to perform the functions assigned by the Regulation.
The supervisory authorities are not competent to supervise the operations of courts in their judicial capacity.The exercise of the authority’s powers is to be subject to appropriate safeguards, including judicial remedy and due process, in accordance with national and EU law.
GDPR Required Functions of Supervisory Authority
The supervisory authority is obliged to
- monitor and enforce the GDPR;
- promote public awareness and understanding of the risks, rules, safeguards and rights relating to data processing;
- advise national parliaments, governments and other institutions on legislative and administrative measures relating to persons’ rights and freedoms with regard to processing;
- promote the awareness of controllers and processors of their obligations under the regulation;
- provide information to the persons the subject of data regarding the exercise of their rights;
- handle complaints lodged by a person, a body or organisation under the regulation;
- cooperate with other supervisory authorities;
- conduct investigations in accordance with information received from other authorities or other public authorities;
- monitor developments, insofar as they impact upon data protection;
- adopt standard contractual clauses for the purpose of transfer of information;
- encourage the drawing up of codes of conduct;
- encourage the establishment of data protection certification mechanisms, seals and marks;
- carry out reviews of them;
- draft and publish the criteria for accreditations of bodies for monitoring codes of conduct;
- approve binding corporate rules;
- contribute to the activities of the central body.
Data Protection Commission I
All functions that, immediately before the establishment day, were vested in the Data Protection Commissioner were transferred to the Data Protection Commission. The Commission is the supervisory authority for the purposes specified in the GDPR, the Data Protection Directive and the Data Protection Acts.
In addition to the functions assigned to the Commission by virtue of its being the supervisory authority for those purposes the general functions of the Commission include—
- such other functions as may be assigned to it from time to time by or under any another enactment.
- establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person
- certain aspects of requests for comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes,
Data Protection Commission II
The Commission has all such powers as are necessary or expedient for the performance of its functions.The Commission shall disseminate, to such extent and in such manner as it considers appropriate, information in relation to the functions performed by it.
The Commission is independent in the performance of its functions. The Commission regulates its own procedures.
The Data Protection Commission and its staff are subject to obligations of confidentiality. The staff are civil servants. There is a prohibition on the disclosure of confidential information in the possession of the Commission while performing functions under the Regulation or this Act.
Membership of Commission
The Commission shall consist of such and so many members (not being more than 3 as the Government determines. Each member of the Commission is known as a Commissioner for Data. A Commissioner shall be appointed by the Government on the recommendation of the Public Appointments Service, and the appointment is for a period of not less than 4 and not more than 5 years from the date of his or her appointment.
The Minister shall, where the Commission consists of more than one Commissioner, appoint one of the Commissioners to be chairperson and such allowance (if any) may be paid by the Commission to the chairperson as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time determine.
Most functions of the Commission may be performed through or by any member of the staff of the Commission where he or she is authorised in that behalf by the Commission.
A Commissioner shall act on a full-time basis subject to such terms and conditions (as the Government may determine. He may be paid by the Commission such remuneration and allowances for expenses (if any) as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time determine, and not hold any other office or occupy any other position in respect of which emoluments are payable or carry on any business.
Accountability of Commissioner to Oireachtas Committees
A Commissioner shall, at the request in writing of an Oireachtas Committee, attend before it to give account for the general administration of the Commission. The Commissioner shall not be required to give an account before a Committee for any matter which is or has been or may at a future time be the subject of proceedings before a court or tribunal. The question may be referred to the High Court for an opinion in the case of a dispute.
The Commission shall, not later than 30 June in each year prepare a report on its activities in the immediately preceding year, and cause copies of the report to be laid before each House of the Oireachtas. The Commission may, at any time after this publish its annual report in such form and manner as it considers appropriate.
The Commissioner, or where more than one Commissioner has been appointed the chairperson is the accounting officer in relation to the appropriation accounts of the Commission for the purpose of the Comptroller and Auditor General Acts.
European Data Protection Board
Under the pre-GDPR legislation, the EU had established a working party, made up of representatives of the States. This was known as the Article 29 Working Party. It advised the Commission in relation to the level of data protection and on proposed amendments to the relevant Directives. It gave an opinion on codes of conduct at EU level. It issued extensive guidance in the area of data protection and processing/
The European Data Protection Board was established by the GDPR and replaces the Article 29 Working Party. It is composed of the head of one supervisory authority of each State and the European Data Protection Supervisor. The Commission has the right to participate in the activities of the Board. The Board is the European Data Protection Board.
The Board is to draw up annual reports and present it to the Parliament, Council and Commission. The Board acts by a simple majority of its members unless otherwise provided for. It elects a chair and deputy chairman. The Board has a permanent secretary, provided by the European Data Protection Supervisor.
Functions of European Data Protection Board
The European Data Protection Board is independent in performing its tasks and powers. Its functions are:
- monitoring the correct application of the GDPR;
- advising the Commission in relation to issues related to data protection;
- advising the Commission on the format and procedures for the exchange of information between controllers and processors;
- issuing guidelines, recommendations and best practices in various context;
- drawing up guidelines for the supervisory authorities;
- reviewing their application;
- encouraging the drawing up of codes of practice;
- data protection certification;
- accreditation of certification bodies in certain cases;
- providing informal opinions on various matters on certain issues;
- promoting cooperation and the exchange of information and best practices between supervisory authorities;
- promoting common training programmes and facilitating personnel exchanges;
- promoting the exchange of documentation and knowledge on data protection.
The Data Protection Commission may investigate contraventions of the Acts. It may issue information notices. It may enforce the Act by enforcement notices. It may prohibit the transfer of personal data outside the State. It may engage in prior checking of processing operations which may cause substantial damage or distress to the data subjects.
The Data Protection Commission must be consulted in drawing up administrative measures and regulations relating to the protection of individual rights and freedoms in respect of data processing.
The Data Protection Commission may draw up and approve codes of practice. It may produce his own codes of practice where it considers it desirable. It must conduct appropriate prior consultations. It must encourage the development of codes of practice by trade associations. It may approve codes made by bodies, where they provide the data subjects concerned, protection in regard to personal data relating to them which conforms with the provisions of the legislation.
The Data Protection Commission publicises and raises awareness of the Act. It publishes regular reports which are made public. It must publish an annual report.
References and Sources
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988
Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988
Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988
Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988
Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989
Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989
Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989
Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993
Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993
Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007
Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007
Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007
Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007
Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009
Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011
Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012
Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013
Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014
Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015
Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016
Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016
Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016
Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003
Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007
Data Protection (Amendment) Act 2003 (Commencement) Order 2014
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
EU and UK Texts
Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018
Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed
Rosemary Jay 2018
Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed
Patrick Birkinshaw, Mike Varney 2018
Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018
A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018
Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018
Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018
Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018
The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018
The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018
Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018
The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018
A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018
EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018
New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017
Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017
Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017
The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017
Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by: Wolf J. Schunemann, Max-Otto Baumann 2017
Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017
Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016
Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016
Data Protection: The New Rules Ian Long 2016
A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016
The Foundations of EU Data Protection Law Orla Lynskey 2015
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015
Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014
Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008