Enforcement
Data Protection Act
The Data Protection Commissioner
The Commissioner.
9.— (1) For the purposes of this Act, there shall be a person (referred to in this Act as the Commissioner) who shall be known as an Coimisinéir Cosanta Sonraí or, in the English language, the Data Protection Commissioner; the Commissioner shall perform the functions conferred on him by this Act.
F26 [ (1A) ( a ) The lawfulness of the processing of personal data (including their transmission to the Central Unit of Eurodac established pursuant to the Council Regulation) in accordance with the Council Regulation shall be monitored by the Commissioner.
( b ) In paragraph ( a ) of this subsection, ‘ the Council Regulation ’ means Council Regulation (EC) No. 2725/2000 of 11 December 2000 (2) concerning the establishment of Eurodac for the comparison of fingerprints for the effective application of the Dublin Convention.
(1B) The Commissioner shall arrange for the dissemination in such form and manner as he or she considers appropriate of —
( a ) any Community finding (within the meaning of subsection (2)( b ) (inserted by the Act of 2003 ) of section 11 of this Act),
( b ) any decision of the European Commission or the European Council under the procedure provided for in Article 31(2) of the Directive that is made for the purposes of paragraph 3 or 4 of Article 26 of the Directive, and
( c ) such other information as may appear to him or her to be expedient to give to data controllers in relation to the protection of the rights and freedoms of data subjects in respect of the processing of personal data in countries and territories outside the European Economic Area.
(1C) The Commissioner shall be the supervisory authority in the State for the purposes of the Directive.
(1D) The Commissioner shall also perform any functions in relation to data protection that the Minister may confer on him or her by regulations for the purpose of enabling the Government to give effect to any international obligations of the State. ]
(2) The provisions of the Second Schedule to this Act shall have effect in relation to the Commissioner.
F27 [ (3) The Commissioner shall be the supervisory authority in the State for the purposes of Articles 4, 17, 25 and 26 of the Directive. ]
Annotations:
Amendments:
F26
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 10, S.I. No. 207 of 2003.
F27
Inserted (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 4.
Modifications (not altering text):
C45
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(g), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— …
(g) in section 9, the insertion of the following subsection after subsection (1D):
“(1E) (a) The Commissioner shall be the competent data protection authority in the State for the purposes of a European Union or international instrument.
(b) The lawfulness of the processing of personal data supplied or received pursuant to—
(i) Chapter 2 of Part 12 of the Act of 2014,
(ii) Chapter 3 of that Part of that Act, and
(iii) an Article 7 request,
shall be monitored by the Commissioner.
(c) The performance by the Commissioner of his or her function under paragraph (b) shall include the carrying out of random checks on the processing of personal data referred to in that paragraph.
(d) The Commissioner may request the data protection authority of a designated state to perform its functions under the law of that designated state with regard to checking the lawfulness of the processing of personal data supplied by the State to that designated state pursuant to the relevant European Union or international instrument.
(e) The Commissioner may receive information from the data protection authority of a designated state arising from the performance by it of the functions referred to in paragraph (d) with regard to the processing of the personal data concerned.
(f) The Commissioner shall, at the request of the data protection authority of a designated state, perform his or her functions under paragraphs (a) to (c) of this subsection and he or she shall furnish information to that authority with regard to the processing of the personal data the subject of the request.”.
C46
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
Editorial Notes:
E27
Power pursuant to section exercised (25.05.1993) by Data Protection Commissioner Superannuation Scheme 1993 (S.I. No. 141 of 1993).
(2) O.J. No. L 316, 15.12.00, p. 0001-0010.
Enforcement of data protection.
10.— (1) ( a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened F28 [ … ] in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.
( b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall—
(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and
F29 [ (ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the individual who made the complaint of his or her decision in relation to it and that the individual may, if aggrieved by the decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him or her of the notification. ]
F30 [ (1A) The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof. ]
(2) If the Commissioner is of opinion that a person F31 [ … ] has contravened or is contravening a provision of this Act (other than a provision the contravention of which is an offence), the Commissioner may, by notice in writing (referred to in this Act as an enforcement notice) served on the person, require him to take such steps as are specified in the notice within such time as may be so specified to comply with the provision concerned.
(3) Without prejudice to the generality of subsection (2) of this section, if the Commissioner is of opinion that a data controller has contravened section 2 (1) of this Act, the relevant enforcement notice may require him—
F29 [ ( a ) to block, rectify, erase or destroy any of the data concerned, or ]
( b) to supplement the data with such statement relating to the matters dealt with by them as the Commissioner may approve of; and as respects data that are inaccurate or not kept up to date, if he supplements them as aforesaid, he shall be deemed not to be in contravention of paragraph (b) of the said section 2 (1) .
(4) An enforcement notice shall—
( a) specify any provision of this Act that, in the opinion of the Commissioner, has been or is being contravened and the reasons for his having formed that opinion, and
( b) subject to subsection (6) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him.
(5) Subject to subsection (6) of this section, the time specified in an enforcement notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (4) (b) of this section and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (9) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(6) If the Commissioner—
( a) by reason of special circumstances, is of opinion that a requirement specified in an enforcement notice should be complied with urgently, and
( b) includes a statement to that effect in the notice,
subsections (4) (b) and (5) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.
(7) On compliance by a data controller with a requirement under subsection (3) of this section, he shall, as soon as may be and in any event not more than 40 days after such compliance, notify—
( a) the data subject concerned, and
F29 [ ( b ) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period beginning 12 months before the date of the service of the enforcement notice concerned and ending immediately before such compliance unless such notification proves impossible or involves a disproportionate effort,
of the blocking, rectification, erasure, destruction or statement concerned. ]
(8) The Commissioner may cancel an enforcement notice and, if he does so, shall notify in writing the person on whom it was served accordingly.
(9) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence.
Annotations:
Amendments:
F28
Deleted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(a)(i), S.I. No. 207 of 2003.
F29
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(a)(ii), (d) and (e), S.I. No. 207 of 2003; subs. (7)(b), substituted by s. 11(e), commenced (18.07.2014) by S.I. No. 337 of 2014.
F30
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(b), S.I. No. 207 of 2003.
F31
Deleted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(c), S.I. No. 207 of 2003.
Modifications (not altering text):
C47
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C48
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(9) Section 10 of the Act applies as if —
(a) in subsection (1)(a), “in relation to a person either where the person complains” were substituted for “by a data controller or a data processor in relation to an individual either where the individual complains”,
(b) in subsection (1)(b), the following subparagraph were substituted for subparagraph (ii):
“(ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the person who made the complaint of his or her decision in relation to it and that the person may, if aggrieved by the decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by the person of the notification.”,
(c) the following subsection were inserted after subsection (1):
“(1A) The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with Regulation 9 of the Regulations of 2003 and to identify any contravention thereof.”,
(d) in subsection (2), there were deleted, “being a data controller or a data processor,”,
(e) in subsection (3), there were substituted the following paragraph for paragraph (a):
“(a) to block, rectify, erase or destroy any of the data concerned, or”, and ,
(f) in subsection (7), there were substituted the following for so much of the subsection as follows paragraph (a):
“(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the previous 12 months before the date of the service of the enforcement notice concerned and ending immediately before such compliance unless such notification proves impossible or involves a disproportionate effort,
of the blocking, rectification, erasure, destruction or statement concerned.”.
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
Editorial Notes:
E28
Previous affecting provision: subs. 7(b) as enacted not commenced; substituted as per F-Note above.
E29
Previous affecting provision: application of section extended (from the date on which the declaration by the State under Article 32 (4) of the Customs Co-operation Convention took effect to 24 October 2007) by Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004 (S.I. No. 254 of 2004), reg. 10(2).
E30
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35, subject to transitional provisions in reg. 34.
E31
Previous affecting provision: non-textual amendments identical to those made by Data Protection (Amendment) Act 2003 above were made by the European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(9).
E32
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
Prohibition on transfer of personal data outside State.
F32 [ 11. — (1) The transfer of personal data to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to —
( a ) the nature of the data,
( b ) the purposes for which and the period during which the data are intended to be processed,
( c ) the country or territory of origin of the information contained in the data,
( d ) the country or territory of final destination of that information,
( e ) the law in force in the country or territory referred to in paragraph ( d ),
( f ) any relevant codes of conduct or other rules which are enforceable in that country or territory,
( g ) any security measures taken in respect of the data in that country or territory, and
( h ) the international obligations of that country or territory.
(2) ( a ) Where in any proceedings under this Act a question arises —
(i) whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area to which personal data are to be transferred, and
(ii) a Community finding has been made in relation to transfers of the kind in question,
the question shall be determined in accordance with that finding.
( b ) In paragraph ( a ) of this subsection ‘ Community finding ’ means a finding of the European Commission made for the purposes of paragraph (4) or (6) of Article 25 of the Directive under the procedure provided for in Article 31(2) of the Directive in relation to whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area.
(3) The Commissioner shall inform the Commission and the supervisory authorities of the other Member States of any case where he or she considers that a country or territory outside the European Economic Area does not ensure the adequate level of protection referred to in subsection (1) of this section.
(4) ( a ) This section shall not apply to a transfer of data if —
(i) the transfer of the data or the information constituting the data is required or authorised by or under —
(I) any enactment, or
(II) any convention or other instrument imposing an international obligation on the State,
(ii) the data subject has given his or her consent to the transfer,
(iii) the transfer is necessary —
(I) for the performance of a contract between the data subject and the data controller, or
(II) for the taking of steps at the request of the data subject with a view to his or her entering into a contract with the data controller,
(iv) the transfer is necessary —
(I) for the conclusion of a contract between the data controller and a person other than the data subject that —
(A) is entered into at the request of the data subject, and
(B) is in the interests of the data subject, or
(II) for the performance of such a contract,
(v) the transfer is necessary for reasons of substantial public interest,
(vi) the transfer is necessary for the purpose of obtaining legal advice or for the purpose of or in connection with legal proceedings or prospective legal proceedings or is otherwise necessary for the purposes of establishing or defending legal rights,
(vii) the transfer is necessary in order to prevent injury or other damage to the health of the data subject or serious loss of or damage to property of the data subject or otherwise to protect his or her vital interests, and informing the data subject of, or seeking his or her consent to, the transfer is likely to damage his or her vital interests,
(viii) the transfer is of part only of the personal data on a register established by or under an enactment, being —
(I) a register intended for consultation by the public, or
(II) a register intended for consultation by persons having a legitimate interest in its subject matter,
and, in the case of a register referred to in clause (II) of this subparagraph, the transfer is made, at the request of, or to, a person referred to in that clause and any conditions to which such consultation is subject are complied with by any person to whom the data are or are to be transferred, or
(ix) the transfer has been authorised by the Commissioner where the data controller adduces adequate safeguards with respect to the privacy and fundamental rights and freedoms of individuals and for the exercise by individuals of their relevant rights under this Act or the transfer is made on terms of a kind approved by the Commissioner as ensuring such safeguards.
( b ) The Commissioner shall inform the European Commission and the supervisory authorities of the other states in the European Economic Area of any authorisation or approval under paragraph ( a )(ix) of this subsection.
( c ) The Commissioner shall comply with any decision of the European Commission under the procedure laid down in Article 31.2 of the Directive made for the purposes of paragraph 3 or 4 of Article 26 of the Directive.
(5) The Minister may, after consultation with the Commissioner, by regulations specify —
( a ) the circumstances in which a transfer of data is to be taken for the purposes of subsection (4)( a )(v) of this section to be necessary for reasons of substantial public interest, and
( b ) the circumstances in which such a transfer which is not required by or under an enactment is not to be so taken.
(6) Where, in relation to a transfer of data to a country or territory outside the European Economic Area, a data controller adduces the safeguards for the data subject concerned referred to in subsection (4)( a )(ix) of this section by means of a contract embodying the contractual clauses referred to in paragraph 2 or 4 of Article 26 of the Directive, the data subject shall have the same right —
( a ) to enforce a clause of the contract conferring rights on him or her or relating to such rights, and
( b ) to compensation or damages for breach of such a clause,
that he or she would have if he or she were a party to the contract.
(7) The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from the State to a place outside the State unless such transfer is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the State.
(8) In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.
(9) A prohibition under subsection (7) of this section shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned.
(10) A prohibition notice shall —
( a ) prohibit the transfer concerned either absolutely or until the person aforesaid has taken such steps as are specified in the notice for protecting the interests of the data subjects concerned,
( b ) specify the time when it is to take effect,
( c ) specify the grounds for the prohibition, and
( d ) subject to subsection (12) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the prohibition specified in the notice within 21 days from the service of the notice on him or her.
(11) Subject to subsection (12) of this section, the time specified in a prohibition notice for compliance with the prohibition specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (10)( d ) of this section and, if an appeal is brought against the prohibition, the prohibition need not be complied with and subsection (15) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(12) If the Commissioner —
( a ) by reason of special circumstances, is of opinion that a prohibition specified in a prohibition notice should be complied with urgently, and
( b ) includes a statement to that effect in the notice,
subsections (10)( d ) and (11) of this section shall not apply in relation to the notice but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the prohibition before the end of the period of 7 days beginning on the date on which the notice is served.
(13) The Commissioner may cancel a prohibition notice and, if he or she does so, shall notify in writing the person on whom it was served accordingly.
(14) ( a ) This section applies, with any necessary modifications, to a transfer of information from the State to a place outside the State for conversion into personal data as it applies to a transfer of personal data from the State to such a place.
( b ) In paragraph ( a ) of this subsection ‘ information ’ means information (not being data) relating to a living individual who can be identified from it.
(15) A person who, without reasonable excuse, fails or refuses to comply with a prohibition specified in a prohibition notice shall be guilty of an offence. ]
Annotations:
Amendments:
F32
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 12, S.I. No. 207 of 2003.
Editorial Notes:
E33
Previous affecting provision: section substituted (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 5; substituted as per F-note above.
Power to require information.
12.— (1) The Commissioner may, by notice in writing (referred to in this Act as an information notice) served on a person, require the person to furnish to him in writing within such time as may be specified in the notice such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his functions.
(2) Subject to subsection (3) of this section—
( a) an information notice shall state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him, and
( b) the time specified in the notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in paragraph (a) of this subsection and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (5) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(3) If the Commissioner—
( a) by reason of special circumstances, is of opinion that a requirement specified in an information notice should be complied with urgently, and
( b) includes a statement to that effect in the notice,
subsection (2) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.
(4) ( a) No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing to the Commissioner any information that is necessary or expedient for the performance by the Commissioner of his functions.
( b) Paragraph (a) of this subsection does not apply to information that in the opinion of the Minister or the Minister for Defence is, or at any time was, kept for the purpose of safeguarding the security of the State or information that is privileged from disclosure in proceedings in any court.
(5) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an information notice or who in purported compliance with such a requirement furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.
Annotations:
Modifications (not altering text):
C49
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C50
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
Editorial Notes:
E34
Previous affecting provision: section applied to extend performance of Commissioner’s functions (from the date on which the declaration by the State under Article 32 (4) of the Customs Co-operation Convention took effect to 24 October 2007) by Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004 (S.I. No. 254 of 2004), reg. 10(3).
E35
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35 subject to transitional provisions in reg. 34.
E36
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a)) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
F33 [
Prior checking of processing by Commissioner.
12A. — (1) This section applies to any processing that is of a prescribed description, being processing that appears to the Commissioner to be particularly likely —
( a ) to cause substantial damage or substantial distress to data subjects, or
( b ) otherwise significantly to prejudice the rights and freedoms of data subjects.
(2) The Commissioner, on receiving —
( a ) an application under section 17 of this Act by a person to whom section 16 of this Act applies for registration in the register and any prescribed information and any other information that he or she may require, or
( b ) a request from a data controller in that behalf,
shall consider and determine —
(i) whether any of the processing to which the application or request relates is processing to which this section applies,
(ii) if it does, whether the processing to which this section applies is likely to comply with the provisions of this Act.
(3) Subject to subsection (4) of this section, the Commissioner shall, within the period of 90 days from the day on which he or she receives an application or a request referred to in subsection (2) of this section, serve a notice on the data controller concerned stating the extent to which, in the opinion of the Commissioner, the proposed processing is likely or unlikely to comply with the provisions of this Act.
(4) Before the end of the period referred to in subsection (3), the Commissioner may, by reason of special circumstances, extend that period once only, by notice in writing served on the data controller concerned, by such further period not exceeding 90 days as the Commissioner may specify in the notice.
(5) If, for the purposes of his or her functions under this section, the Commissioner serves an information notice on the data controller concerned before the end of the period referred to in subsection (3) of this section or that period as extended under subsection (4) of this section —
( a ) the period from the date of service of the notice to the date of compliance with the requirement in the notice, or
( b ) if the requirement is set aside under section 26 of this Act, the period from the date of such service to the date of such setting aside,
shall be added to the period referred to in the said subsection (3) or that period as so extended as aforesaid.
(6) Processing to which this section applies shall not be carried on unless —
( a ) the data controller has —
(i) previously made an application under section 17 of this Act and furnished the information specified in that section to the Commissioner, or
(ii) made a request under subsection (2) of this section,
and
( b ) the data controller has complied with any information notice served on him or her in relation to the matter, and
( c ) (i) the period of 90 days from the date of the receipt of the application or request referred to in subsection (3) of this section (or that period as extended under subsections (4) and (5) of this section or either of them) has elapsed without the receipt by the data controller of a notice under the said subsection (3), or
(ii) the data controller has received a notice under the said subsection (3) stating that the particular processing proposed to be carried on is likely to comply with the provisions of this Act, or
(iii) the data controller —
(I) has received a notice under the said subsection (3) stating that, if the requirements specified by the Commissioner (which he or she is hereby authorised to specify) and appended to the notice are complied with by the data controller, the processing proposed to be carried on is likely to comply with the provisions of this Act, and
(II) has complied with those requirements.
(7) A person who contravenes subsection (6) of this section shall be guilty of an offence.
(8) An appeal against a notice under subsection (3) of this section or a requirement appended to the notice may be made to and heard and determined by the Court under section 26 of this Act and that section shall apply as if such a notice and such a requirement were specified in subsection (1) of the said section 26.
(9) The Minister, after consultation with the Commissioner, may by regulations amend subsections (3), (4) and (6) of this section by substituting for the number of days for the time being specified therein a different number specified in the regulations.
(10) A data controller shall pay to the Commissioner such fee (if any) as may be prescribed in respect of the consideration by the Commissioner, in relation to proposed processing by the data controller, of the matters referred to in paragraphs (i) and (ii) of subsection (2) of this section and different fees may be prescribed in relation to different categories of processing.
(11) In this section a reference to a data controller includes a reference to a data processor. ]
Annotations:
Amendments:
F33
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 13, S.I. No. 207 of 2003.
Editorial Notes:
E37
Power pursuant to section exercised (8.10.2007) by Data Protection (Processing of Genetic Data) Regulations 2007 (S.I. No. 687 of 2007).
E38
Power pursuant to subs. (10) exercised (1.10.2007) by Data Protection (Fees) Regulations 2007 (S.I. No. 658 of 2007).
Codes of practice.
13.— (1) The Commissioner shall encourage trade associations and other bodies representing categories of data controllers to prepare codes of practice to be complied with by those categories in dealing with personal data.
F34 [ (2) The Commissioner shall —
( a ) where a code of practice (referred to subsequently in this section as a code) so prepared is submitted to him or her for consideration, consider the code and, after such consultation with such data subjects or persons representing data subjects and with the relevant trade associations or other bodies aforesaid as appears to him or her to be appropriate —
(i) if he or she is of opinion that the code provides for the data subjects concerned a measure of protection with regard to personal data relating to them that conforms with that provided for by section 2, sections 2A to 2D (inserted by the Act of 2003 ) and sections 3 and 4 (other than subsection (8)) and 6 of this Act, approve of the code and encourage its dissemination to the data controllers concerned, and
(ii) in any event notify the association or body concerned of his or her decision to approve or not to approve the code,
( b ) where he or she considers it necessary or desirable to do so and after such consultation with any trade associations or other bodies referred to in subsection (1) of this section having an interest in the matter and data subjects or persons representing data subjects as he or she considers appropriate, prepare, and arrange for the dissemination to such persons as he or she considers appropriate of, codes of practice for guidance as to good practice in dealing with personal data, and subsection (3) of this section shall apply to a code of practice prepared under this subsection as it applies to a code,
( c ) in such manner and by such means as he or she considers most effective for the purposes of this paragraph, promote the following of good practice by data controllers and, in particular, so perform his or her functions under this Act as to promote compliance with this Act by data controllers,
( d ) arrange for the dissemination in such form and manner as he or she considers appropriate of such information as appears to him or her to be expedient to give to the public about the operation of this Act, about the practices in processing of personal data (including compliance with the requirements of this Act) that appear to the Commissioner to be desirable having regard to the interests of data subjects and other persons likely to be affected by such processing and about other matters within the scope of his or her functions under this Act, and may give advice to any person in relation to any of those matters. ]
(3) Any such code that is so approved of may be laid by the Minister before each House of the Oireachtas and, if each such House passes a resolution approving of it, then—
( a) in so far as it relates to dealing with personal data by the categories of data controllers concerned—
(i) it shall have the force of law in accordance with its terms, and
(ii) upon its commencement, references (whether specific or general) in this Act to any of the provisions of the said sections shall be construed (or, if the code is in substitution for a code having the force of law by virtue of this subsection, continue to be construed) as if they were also references to the relevant provisions of the code for the time being having the force of law,
and
( b) it shall be deemed to be a statutory instrument to which the Statutory Instruments Act, 1947, primarily applies.
(4) This section shall apply in relation to data processors as it applies in relation to categories of data controllers with the modification that the references in this section to the said sections shall be construed as references to section 2 (1) (d) of this Act and with any other necessary modifications.
F35 [ (5) The Commissioner shall be paid by a person in relation to whom a service is provided under this section such fee (if any) as may be prescribed and different fees may be prescribed in relation to different such services and different classes of persons.
(6) In proceedings in any court or other tribunal, any provision of a code, or a code of practice, approved under subsection (3) of this section that appears to the court or other tribunal concerned to be relevant to the proceedings may be taken into account in determining the question concerned. ]
Annotations:
Amendments:
F34
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 14(1)(a), S.I. No. 207 of 2003.
F35
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 14(1)(b), S.I. No. 207 of 2003.
Modifications (not altering text):
C51
Application of section extended (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 28.
Power to include requirements under these Regulations in codes of practice under the Act of 1988
28. The Commissioner’s functions under section 13 of the Act of 1988 extend to requirements imposed under these Regulations.
Editorial Notes:
E39
Data Protection (Amendment) Act 2003 (6/2003), s. 14(2) provides for the continuation in force of a code of practice approved under s. 13(2) before its amendment. It appears that no such code of practice exists.
E40
Previous affecting provision: power of Commissioner extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 17L as inserted (20.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked (1.07.2011) by European
Annual report.
14.— (1) The Commissioner shall in each year after the year in which the first Commissioner is appointed prepare a report in relation to his F36 [ activities under the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 and this Act ] in the preceding year and cause copies of the report to be laid before each House of the Oireachtas.
(2) Notwithstanding subsection (1) of this section, if, but for this subsection, the first report under that subsection would relate to a period of less than 6 months, the report shall relate to that period and to the year immediately following that period and shall be prepared as soon as may be after the end of that year.
F37 [ (3) For the purposes of the law of defamation, a report under subsection (1) shall be absolutely privileged. ]
Annotations:
Amendments:
F36
Substituted (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 23(1) as amended (20.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 10 which provides that ‘[t]he reference in Regulation 23(1) of the Principal Regulations to the Data Protection Acts 1988 and 2003 is to be read as, and is to be always taken to have been, a reference to the Data Protection Act 1988 (as amended by the Data Protection Act 2003)’.
F37
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 15, S.I. No. 207 of 2003.
Editorial Notes:
E41
The European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 mentioned in subs. (1) were repealed and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 , S.I. No. 336 of 2011, reg. 35, subject to transitional provisions in reg. 34.
E42
Previous affecting provision: subs. (1) amended (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 19; amendment substituted as per F-note above.
Mutual assistance between parties to Convention.
15.— (1) The Commissioner is hereby designated for the purposes of Chapter IV (which relates to mutual assistance) of the Convention.
(2) The Minister may make any regulations that he considers necessary or expedient for the purpose of enabling the said Chapter IV to have full effect.
Registration
The register.
16.— F38 [ (1) In this section ‘ person to whom this section applies ’ means a data controller and a data processor (other than such (if any) categories of data controller and data processor as may be specified in regulations made by the Minister after consultation with the Commissioner) except in so far as —
( a ) they carry out —
(i) processing whose sole purpose is the keeping in accordance with law of a register that is intended to provide information to the public and is open to consultation either by the public in general or by any person demonstrating a legitimate interest,
(ii) processing of manual data (other than such categories, if any, of such data as may be prescribed), or
(iii) any combination of the foregoing categories of processing,
or
( b ) the data controller is a body that is not established or conducted for profit and is carrying out processing for the purposes of establishing or maintaining membership of or support for the body or providing or administering activities for individuals who are either members of the body or have regular contact with it. ]
(2) The Commissioner shall establish and maintain a register (referred to in this Act as the register) of persons to whom this section applies and shall make, as appropriate, an entry or entries in the register in respect of each person whose application for registration therein is accepted by the Commissioner.
(3) ( a) Members of the public may inspect the register free of charge at all reasonable times and may take copies of, or of extracts from, entries in the register.
( b) A member of the public may, on payment to the Commissioner of such fee (if any) as may be prescribed, obtain from the Commissioner a copy (certified by him or by a member of his staff to be a true copy) of, or of an extract from, any entry in the register.
( c) In any proceedings—
(i) a copy of, or of an extract from, an entry in the register certified by the Commissioner or by a member of his staff to be a true copy shall be evidence of the entry or extract, and
(ii) a document purporting to be such a copy, and to be certified, as aforesaid shall be deemed to be such a copy and to be so certified unless the contrary is proved.
( d) In any proceedings—
(i) a certificate signed by the Commissioner or by a member of his staff and stating that there is not an entry in the register in respect of a specified person as a data controller or as a data processor shall be evidence of that fact, and
(ii) a document purporting to be such a certificate, and to be signed, as aforesaid shall be deemed to be such a certificate and to be so signed unless the contrary is proved.
Annotations:
Amendments:
F38
Substituted (1.10.2007) by Data Protection (Amendment) Act 2003 (6/2003), s. 16, S.I. No. 656 of 2007.
Editorial Notes:
E43
Power pursuant to subs. (1) exercised (1.10.2007) by Data Protection Act 1988 (Section 16(1)) Regulations 2007 (S.I. No. 657 of 2007).
E44
Power pursuant to section exercised (16.12.1988) by Data Protection (Fees) Regulations 1988 (S.I. No. 347 of 1988); regs. 5 and 6 revoked (4.04.1990) by Data Protection (Fees) Regulations 1990 (S.I. No. 80 of 1990), reg. 5.
E45
Previous affecting provision: power pursuant to subs. (1)(e) exercised (10.1.2001) by Data Protection (Registration) Regulations 2001 (S.I. No. 2 of 2001); revoked (1.10.2007) by Data Protection Act 1988 (Section 16(1)) Regulations 2007 (S.I. No. 657 of 2007), reg. 5.
Applications for registration.
17.— (1) ( a) A person wishing to be registered in the register or to have a registration continued under section 18 of this Act or to have the particulars in an entry in the register altered shall make an application in writing in that behalf to the Commissioner and shall furnish to him such information as may be prescribed and any other information that he may require.
F39 [ ( b ) Where a data controller intends to keep personal data for two or more related purposes, he or she shall make an application for registration in respect of those purposes and, subject to the provisions of this Act, entries shall be made in the register in accordance with any such application, ]
F40 [ ( c ) Where a data controller intends to keep personal data for two or more unrelated purposes, he shall make an application for separate registration in respect of each of those purposes and, subject to the provisions of this Act, entries shall be made in the register in accordance with each such application. ]
(2) Subject to subsection (3) of this section, the Commissioner shall accept an application for registration, made in the prescribed manner and in respect of which such fee as may be prescribed has been paid, from a person to whom section 16 of this Act applies unless he is of opinion that—
( a) the particulars proposed for inclusion in an entry in the register are insufficient or any other information required by the Commissioner either has not been furnished or is insufficient, or
( b) the person applying for registration is likely to contravene any of the provisions of this Act.
F39 [ (3) The Commissioner shall not accept such an application for registration as aforesaid from a data controller who keeps sensitive personal data unless he or she is of opinion that appropriate safeguards for the protection of the privacy of the data subjects are being, and will continue to be, provided by him or her. ]
(4) Where the Commissioner refuses an application for registration, he shall, as soon as may be, notify in writing the person applying for registration of the refusal and the notification shall—
( a) specify the reasons for the refusal, and
( b) state that the person may appeal to the Court under section 26 of this Act against the refusal within 21 days from the receipt by him of the notification.
(5) If—
( a) the Commissioner, by reason of special circumstances, is of opinion that a refusal of an application for registration should take effect urgently, and
( b) the notification of the refusal includes a statement to that effect and a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act,
paragraph (b) of subsection (4) of this section shall not apply in relation to the notification and paragraph (b) of subsection (6) of this section shall be construed and have effect as if for the words from and including “21 days” to the end of the paragraph there were substituted “7 days beginning on the date on which the notification was received,”.
(6) Subject to subsection (5) of this section, a person who has made an application for registration shall—
( a) until he is notified that it has been accepted or it is withdrawn, or
( b) if he is notified that the application has been refused, until the end of the period of 21 days within which an appeal may be brought under section 26 of this Act against the refusal and, if such an appeal is brought, until the determination or withdrawal of the appeal,
be treated for the purposes of section 19 of this Act as if the application had been accepted and the particulars contained in it had been included in an entry in the register on the date on which the application was made.
(7) Subsections (2) to (6) of this section apply, with any necessary modifications, to an application for continuance of registration and an application for alteration of the particulars in an entry in the register as they apply to an application for registration.
Annotations:
Amendments:
F39
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 17(a)(i) and (b), S.I. No. 207 of 2003.
F40
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 17(a)(ii), S.I. No. 207 of 2003.
Editorial Notes:
E46
Power pursuant to section exercised (1.10.2007) by Data Protection (Fees) Regulations 2007 (S.I. No. 658 of 2007).
E47
Power pursuant to section exercised (16.12.1988) by Data Protection (Fees) Regulations 1988 (S.I. No. 347 of 1988); regs. 5 and 6 revoked (4.04.1990) by Data Protection (Fees) Regulations 1990 (S.I. No. 80 of 1990), reg. 5.
E48
Previous affecting provision: power pursuant to section exercised (19.05.1996) by Data Protection (Fees) Regulations 1996 (S.I. No. 105 of 1996); revoked (1.10.2007) by Data Protection (Fees) Regulations 2007 (S.I. 658 of 2007), reg. 6.
E49
Previous affecting provision: power pursuant to section exercised (4.04.1990) by Data Protection (Fees) Regulations 1990 (S.I. No. 80 of 1990); revoked (19.05.1996) by Data Protection (Fees) Regulations 1996 (S.I. No. 105 of 1996), reg. 5.
Duration and continuance of registration.
18.— (1) A registration (whether it is the first registration or a registration continued under this section) shall be for the prescribed period and on the expiry thereof the relevant entry shall be removed from the register unless the registration is continued as aforesaid.
F41 [ (2) The prescribed period (which shall not be less than one year) shall be calculated —
( a ) in the case of a first registration from the date on which the relevant entry was made in the register, and
( b ) in the case of a registration which has been continued under this section, from the day following the expiration of the latest prescribed period. ]
(3) The Commissioner shall, subject to the provisions of this Act, continue a registration, whether it has previously been continued under this section or not.
(4) Notwithstanding the foregoing provisions of this section, the Commissioner may at any time, at the request of the person to whom an entry relates, remove it from the register.
Annotations:
Amendments:
F41
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 18, S.I. No. 207 of 2003.
Editorial Notes:
E50
Power pursuant to section exercised (15.12.1988) by Data Protection (Registration Period) Regulations 1988 (S.I. No. 350 of 1988).
Effect of registration.
19.— (1) A data controller to whom section 16 of this Act applies shall not keep personal data unless there is for the time being an entry in the register in respect of him.
(2) A data controller in respect of whom there is an entry in the register shall not—
( a) keep personal data of any description other than that specified in the entry,
( b) keep or use personal data for a purpose other than the purpose or purposes described in the entry,
( c) if the source from which such data, and any information intended for inclusion in such data, are obtained is required to be described in the entry, obtain such data or information from a source that is not so described,
( d) disclose such data to a person who is not described in the entry (other than a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of this Act),
( e) directly or indirectly transfer such data to a place outside the State other than one named or described in the entry.
(3) An employee or agent (not being a data processor) of a data controller mentioned in subsection (2) of this section shall, as respects personal data kept or, as the case may be, to be kept by the data controller, be subject to the same restrictions in relation to the use, source, disclosure or transfer of the data as those to which the data controller is subject under that subsection.
(4) A data processor to whom section 16 applies shall not process personal data unless there is for the time being an entry in the register in respect of him.
(5) If and whenever a person in respect of whom there is an entry in the register changes his address, he shall thereupon notify the Commissioner of the change.
(6) A person who contravenes subsection (1), (4) or (5), or knowingly contravenes any other provision, of this section shall be guilty of an offence.
Regulations for registration.
20.— (1) The following matters, and such other matters (if any) as may be necessary or expedient for the purpose of enabling sections 16 to 19 of this Act to have full effect, may be prescribed:
( a) the procedure to be followed in relation to applications by persons for registration, continuance of registration or alteration of the particulars in an entry in the register or for withdrawal of such applications,
( b) the information required to be furnished to the Commissioner by such persons, and
( c) the particulars to be included in entries in the register,
and different provision may be made in relation to the matters aforesaid as respects different categories of persons.
(2) A person who in purported compliance with a requirement prescribed under this section furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.
Annotations:
Editorial Notes:
E51
Power pursuant to section exercised (9.01.1989) by Data Protection (Registration) Regulations 1988 (S.I. No. 351 of 1988).
Miscellaneous
Unauthorised disclosure by data processor.
21.— (1) Personal data processed by a data processor shall not be disclosed by him, or by an employee or agent of his, without the prior authority of the data controller on behalf of whom the data are processed.
(2) A person who knowingly contravenes subsection (1) of this section shall be guilty of an offence.
Disclosure of personal data obtained without authority.
22.— (1) A person who—
( a) obtains access to personal data, or obtains any information constituting such data, without the prior authority of the data controller or data processor by whom the data are kept, and
( b) discloses the data or information to another person,
shall be guilty of an offence.
(2) Subsection (1) of this section does not apply to a person who is an employee or agent of the data controller or data processor concerned.
Journalism, literature and art.
22A. — (1) Personal data that are processed only for journalistic, artistic or literary purposes shall be exempt from compliance with any provision of this Act specified in subsection (2) of this section if —
( a ) the processing is undertaken solely with a view to the publication of any journalistic, literary or artistic material,
( b ) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, such publication would be in the public interest, and
( c ) the data controller reasonably believes that, in all the circumstances, compliance with that provision would be incompatible with journalistic, artistic or literary purposes.
(2) The provisions referred to in subsection (1) of this section are —
( a ) section 2 (as amended by the Act of 2003), other than subsection (1)( d ),
( b ) sections 2A, 2B and 2D (which sections were inserted by the Act of 2003),
( c ) section 3,
( d ) sections 4 and 6 (which sections were amended by the Act of 2003), and
( e ) sections 6A and 6B (which sections were inserted by the Act of 2003).
(3) In considering for the purposes of subsection (1)( b ) of this section whether publication of the material concerned would be in the public interest, regard may be had to any code of practice approved under subsections (1) or (2) of section 13 (as amended by the Act of 2003) of this Act.
(4) In this section ‘ publication ’ , in relation to journalistic, artistic or literary material, means the act of making the material available to the public or any section of the public in any form or by any means. ]
Annotations:
Amendments:
F42
Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 21, S.I. No. 207 of 2003.
Editorial Notes:
E52
The side-note is taken from the amending section in the absence of one included in the amendment.
Provisions in relation to certain non-residents and to data kept or processed outside State.
23.— F43 [ … ]
Annotations:
Amendments:
F43
Repealed (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 6 and (1.10.2007) by Data Protection (Amendment) Act 2003 (6/2003), s. 22(1), S.I. No. 656 of 2007.
Powers of authorised officers.
24.— (1) In this section “ authorised officer” means a person authorised in writing by the Commissioner to exercise, for the purposes of this Act, the powers conferred by this section.
(2) An authorised officer may, for the purpose of obtaining any information that is necessary or expedient for the performance by the Commissioner of his functions, on production of the officer’s authorisation, if so required—
( a) at all reasonable times enter premises that he reasonably believes to be occupied by a data controller or a data processor, inspect the premises and any data therein (other than data consisting of information specified in section 12 (4) (b) of this Act) and inspect, examine, operate and test any data equipment therein,
( b) require any person on the premises, being a data controller, a data processor or an employee of either of them, to disclose to the officer any such data and produce to him any data material (other than data material consisting of information so specified) that is in that person’s power or control and to give to him such information as he may reasonably require in regard to such data and material,
( c) either on the premises or elsewhere, inspect and copy or extract information from such data, or inspect and copy or take extracts from such material, and
( d) require any person mentioned in paragraph (b) of this subsection to give to the officer such information as he may reasonably require in regard to the procedures employed for complying with the provisions of this Act, the sources from which such data are obtained, the purposes for which they are kept, the persons to whom they are disclosed and the data equipment in the premises.
(3) F44 [ … ]
(4) F44 [ … ]
(5) F44 [ … ]
(6) A person who obstructs or impedes an authorised officer in the exercise of a power, or, without reasonable excuse, does not comply with a requirement, under this section or who in purported compliance with such a requirement gives information to an authorised officer that he knows to be false or misleading in a material respect shall be guilty of an offence.
Annotations:
Amendments:
F44
Repealed (1.10.2007) by Data Protection (Amendment) Act 2003 (6/2003), s. 22(1), S.I. No. 656 of 2007.
Modifications (not altering text):
C52
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C53
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(10) Section 24 of the Act applies as if —
(a) in subsection (2)(a), there were substituted “a person to whom the Regulations of 2003 apply” for “a data controller or a data processor”,
(b) in subsection (2)(b), there were substituted “being a person to whom the Regulations of 2003 apply or an employee of such a person” for “being a data controller, a data processor or an employee of either of them”,
(c) there were deleted subsections (3), (4) and (5).
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
Editorial Notes:
E53
Previous affecting provision: section applied with modifications (from the date on which the declaration by the State under Article 32(4) of the Customs Co-operation Convention took effect to 24 October 2007) by Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004 (S.I. No. 254 of 2004), reg. 10(2).
E54
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35 subject to transitional provisions in reg. 34.
E55
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
Service of notices.
25.— Any notice authorised by this Act to be served on a person by the Commissioner may be served—
( a) if the person is an individual—
(i) by delivering it to him or
(ii) by sending it to him by post addressed to him at his usual or last-known place of residence or business, or
(iii) by leaving it for him at that place,
( b) if the person is a body corporate or an unincorporated body of persons, by sending it to the body by post to, or addressing it to and leaving it at, in the case of a company, its registered office (within the meaning of the Companies Act, 1963) and, in any other case, its principal place of business.
Annotations:
Modifications (not altering text):
C54
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C55
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
…
Editorial Notes:
E56
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35 subject to transitional provisions in reg. 34.
E57
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
Appeals to Circuit Court.
26.— (1) An appeal may be made to and heard and determined by the Court against—
( a) a requirement specified in an enforcement notice or an information notice,
( b) a prohibition specified in a prohibition notice,
( c) a refusal by the Commissioner under section 17 of this Act, notified by him under that section, and
( d) a decision of the Commissioner in relation to a complaint under section 10 (1) (a) of this Act,
and such an appeal shall be brought within 21 days from the service on the person concerned of the relevant notice or, as the case may be, the receipt by such person of the notification of the relevant refusal or decision.
(2) The jurisdiction conferred on the Court by this Act shall be exercised by the judge for the time being assigned to the circuit where the appellant ordinarily resides or carries on any profession, business or occupation or, at the option of the appellant, by a judge of the Court for the time being assigned to the Dublin circuit.
(3) ( a) Subject to paragraph (b) of this subsection, a decision of the Court under this section shall be final.
( b) An appeal may be brought to the High Court on a point of law against such a decision; and references in this Act to the determination of an appeal shall be construed as including references to the determination of any such appeal to the High Court and of any appeal from the decision of that Court.
(4) Where—
( a) a person appeals to the Court pursuant to paragraph (a), (b) or (c) of subsection (1) of this section,
( b) the appeal is brought within the period specified in the notice or notification mentioned in paragraph (c) of this subsection, and
( c) the Commissioner has included a statement in the relevant notice or notification to the effect that by reason of special circumstances he is of opinion that the requirement or prohibition specified in the notice should be complied with, or the refusal specified in the notification should take effect, urgently,
then, notwithstanding any provision of this Act, if the Court, on application to it in that behalf, so determines, non-compliance by the person with a requirement or prohibition specified in the notice, or, as the case may be, a contravention by him of section 19 of this Act, during the period ending with the determination or withdrawal of the appeal or during such other period as may be determined as aforesaid shall not constitute an offence.
Annotations:
C56
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
Editorial Notes:
E58
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9.
Evidence in proceedings.
27.— (1) In any proceedings—
( a) a certificate signed by the Minister or the Minister for Defence and stating that in his opinion personal data are, or at any time were, kept for the purpose of safeguarding the security of the State shall be evidence of that opinion,
( b) a certificate—
(i) signed by a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under section 8 (a) of this Act, and
(ii) stating that in the opinion of the member or, as the case may be, the officer a disclosure of personal data is required for the purpose aforesaid,
shall be evidence of that opinion, and
( c) a document purporting to be a certificate under paragraph (a) or (b) of this subsection and to be signed by a person specified in the said paragraph (a) or (b), as appropriate, shall be deemed to be such a certificate and to be so signed unless the contrary is proved.
(2) Information supplied by a person in compliance with a request under section 3 or 4 (1) of this Act, a requirement under this Act or a direction of a court in proceedings under this Act shall not be admissible in evidence against him or his spouse in proceedings for an offence under this Act.
Annotations:
Modifications (not altering text):
C57
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C58
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
…
Editorial Notes:
E59
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9.
E60
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
Hearing of proceedings.
28.— The whole or any part of any proceedings under this Act may, at the discretion of the court, be heard otherwise than in public.
Annotations:
Modifications (not altering text):
C59
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C60
C60
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
…
Editorial Notes:
E61
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35 subject to transitional provisions in reg. 34.
E62
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
Offences by directors, etc., of bodies corporate.
29.— (1) Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of a person, being a director, manager, secretary or other officer of that body corporate, or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
(2) Where the affairs of a body corporate are managed by its members, subsection (1) of this section shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director or manager of the body corporate.
Annotations:
Modifications (not altering text):
C62
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C63
C63
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
…
Editorial Notes:
E63
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35 subject to transitional provisions in reg. 34.
E64
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
Prosecution of summary offences by Commissioner.
30.— (1) Summary proceedings for an offence under this Act may be brought and prosecuted by the Commissioner.
(2) Notwithstanding section 10 (4) of the Petty Sessions (Ireland) Act, 1851, summary proceedings for an offence under this Act may be instituted within on e year from the date of the offence.
Annotations:
Modifications (not altering text):
C65
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C66
C66
Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).
Unsolicited commercial communications.
9. …
(6) The following provisions of the Act, namely —
(a) sections 1, 10, 12, 24 and 25,
(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,
and
(c) sections 27 to 30,
apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.
(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.
…
(11) In this Regulation —
“Act” means the Data Protection Act 1988 ( No. 25 of 1988);
…
Editorial Notes:
E65
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35 subject to transitional provisions in reg. 34.
E66
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.
Penalties.
31.— (1) A person guilty of an offence under this Act shall be liable—
( a) on summary conviction, to a fine not exceeding F45 [ € 3,000 ], or
( b) on conviction on indictment, to a fine not exceeding F45 [ € 100,000 ].
(2) Where a person is convicted of an offence under this Act, the court may order any data material which appears to the court to be connected with the commission of the offence to be forfeited or destroyed and any relevant data to be erased.
(3) The court shall not make an order under subsection (2) of this section in relation to data material or data where it considers that some person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data unless such steps as are reasonably practicable have been taken for notifying that person and giving him an opportunity to show cause why the order should not be made.
(4) Section 13 of the Criminal Procedure Act, 1967, shall apply in relation to an offence under this Act that is not being prosecuted summarily as if, in lieu of the penalties provided for in subsection (3) ( a) of that section, there were specified therein the fine provided for in subsection (1) (a) of this section and the reference in subsection (2) ( a) of the said section 13 to the penalties provided for by subsection (3) shall be construed and have effect accordingly.
Annotations:
Amendments:
F45
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 19, S.I. No. 207 of 2003.
Modifications (not altering text):
C68
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. …
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) …
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
…
C69
Application of Act extended (31.12.2005) by Disability Act 2005 (14/2005), s. 42(4), S.I. No. 474 of 2005.
Genetic testing and processing of genetic data.
42.—…
(4) A person who contravenes subsection (2) or (3) shall be guilty of an offence; an offence under this subsection shall be deemed to be an offence to which section 31 of the Data Protection Act 1988 applies.
Editorial Notes:
E67
Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35 subject to transitional provisions in reg. 34.
E68
Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.