Penalties
Data Protection Act 2018
CHAPTER 7
Offences
Unauthorised disclosure by processor
139. (1) Personal data processed by a processor shall not be disclosed by the processor or by
an employee or agent of the processor, without the prior authority of the controller on
behalf of whom the data are processed.
(2) A person who knowingly or recklessly contravenes subsection (1) shall be guilty of an
offence and shall be liable—
(a) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months or both, or
(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for
a term not exceeding 5 years, or both.
(3) Subsection (1) does not apply to a person who shows that the disclosing concerned
was required or authorised by or under any enactment, rule of law or order of a court.
Disclosure of personal data obtained without authority
140. (1) A person who, without the prior authority of the controller or processor by whom the
data are kept—
(a) obtains personal data or any information constituting personal data, and
(b) discloses the data or information to another person,
shall be guilty of an offence and shall be liable—
(i) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months or both, or
(ii) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for
a term not exceeding 5 years, or both.
(2) Subsection (1) does not apply to a person who shows that the obtaining or disclosing
was required or authorised by or under any enactment, rule of law or order of a court.
(3) A person who sells personal data obtained in contravention of subsection (1) shall be
guilty of an offence and shall be liable—
(a) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months or both, or
(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for
a term not exceeding 5 years, or both.
(4) A person who offers to sell personal data obtained, or intended to be obtained, in
contravention of subsection (1) shall be guilty of an offence and shall be liable—
(a) on summary conviction, to a class A fine or imprisonment for a term not
exceeding 12 months or both, or
(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for
a term not exceeding 5 years, or both.
Offences by directors, etc., of bodies corporate
141. Where an offence under this Act is committed by a body corporate and is proved to have
been committed with the consent or connivance of, or to be attributable to any neglect on
the part of, a person being a director, manager, secretary or other officer of the body
corporate or a person who was purporting to act in any such capacity, that person, as well
as the body corporate, shall be guilty of that offence and shall be liable to be proceeded
against and punished as if he or she were guilty of the first-mentioned offence.
Prosecution of summary offences by Commission
142. (1) Summary proceedings for an offence under this Act may be brought and prosecuted
by the Commission.
(2) Notwithstanding section 10(4) of the Petty Sessions (Ireland) Act 1851, summary
proceedings for an offence under this Act may be brought—
(a) at any time within 3 years from the date on which the offence was alleged to have
been committed, or
(b) if, at the expiry of that period, the person against whom the proceedings are to be
brought is outside the State, within 6 months of the date on which he or she next
enters the State,
whichever is the later, provided that no such proceedings shall be commenced later
than 5 years from the date on which the offence concerned was alleged to have been
committed.
(3) Where a person is convicted of an offence under this Act, the court may, where it is
satisfied that there are good reasons for so doing, order the person to pay the costs and
expenses, measured by the court, incurred by the Commission in relation to the
investigation, detection and prosecution of the offence, including the expenses of and
incidental to an examination of any information provided to the Commission or an
authorised officer.
(4) An order for costs and expenses under subsection (3) is in addition to and not instead
of any fine or other penalty the court may impose.
CHAPTER 8
Miscellaneous
General provisions relating to complaints
143. (1) Subject to subsection (2), sections 103 and 116 shall cease to apply where the
complaint concerned is withdrawn, or deemed to have been withdrawn, by the data
subject concerned, or on behalf of the data subject by a body mandated by the data
subject in accordance with Article 80(1) of the Data Protection Regulation or section
115, as the case may be.
(2) Where subsection (1) applies, nothing in that subsection shall be construed as
preventing the Commission, where it is satisfied that there is good and sufficient
reason for so doing, from proceeding or, as the case may be, continuing to examine, in
accordance with Chapter 2 or 3, as applicable, the subject matter of the complaint.
(3) Where it has reasonable doubts concerning the identity of a complainant, the
Commission may request from the complainant or, where applicable, the supervisory
authority with which the complaint was lodged, such additional information as is
necessary to confirm such identity.
Publication of convictions, sanctions, etc.
144. (1) The Commission shall publish particulars of any—
(a) conviction of a person for a contravention of this Act,
(b) exercise by it of its power—
(i) to impose an administrative fine, or
(ii) to order the suspension of data transfers to a recipient in a third country or to
an international organisation, under Article 58(2)(j),
or
(c) order of the Court under section 129.
(2) The publication under subsection (1) of the particulars referred to in that subsection
shall be in such form and manner and in respect of such period as the Commission
thinks fit.
(3) The Commission may publish particulars, in such form and manner and in respect of
such period as it thinks fit, of the exercise by it of its corrective powers under Article
58(2) (other than those referred to in subsection (1)) or section 122.
(4) Subject to subsection (5), the Commission may, if it considers it in the public interest
to do so, publish particulars of any report under section 130, report by the
Commission of any investigation or audit carried out, or other function performed, by
it under the Data Protection Regulation or this Act, or any matter relating to or arising
in the course of such an investigation, audit or performance.
(5) The Commission shall ensure that the publication under subsection (4) of information
referred to in that subsection is done in such a manner that commercially sensitive
information relating to a person is not disclosed.
(6) The publication by the Commission of particulars of any report or matters referred to
in subsection (3) or (4) and any other report of the Commission shall, for the purposes
of the law of defamation, be absolutely privileged.
(7) In this section, “commercially sensitive information” means—
(a) financial, commercial, scientific, technical or other information the disclosure of
which could reasonably be expected to result in a material financial loss or gain
to the person to whom it relates, or could prejudice the competitive position of
that person in the conduct of his or her business or otherwise in his or her
occupation, or
(b) information the disclosure of which could prejudice the conduct or outcome of
contractual or other negotiations of the person to whom it relates.
Right to effective judicial remedy (Part 6)
145. (1) A controller or processor on which an information notice or enforcement notice or a
notice under section 130(1) is served may, within 28 days from the date on which the
notice is served, appeal against a requirement specified in the notice.
(2) The court, on hearing an appeal under subsection (1), shall—
(a) annul the requirement concerned,
(b) substitute a different requirement for the requirement concerned, or
(c) dismiss the appeal.
(3) This subsection applies to an appeal brought under subsection (1)—
(a) against a requirement specified in an information notice to which section 127(3)
applies, or an enforcement notice to which section 128(6) applies, and
(b) that is brought within the period specified in the notice concerned.
(4) Notwithstanding any provision of this Act, the court, on hearing an appeal to which
subsection (3) applies, may on application to it in that behalf, determine that non-compliance
by the controller or processor concerned with a requirement specified in
the notice, during the period ending with the determination or withdrawal of the
appeal or during such other period as the court may determine, shall not constitute an
offence.
(5) A data subject or other person affected by a legally binding decision of the
Commission under Chapter 2 or 3 may, within 28 days from the date on which notice
of the decision is received by him or her, appeal against the decision.
(6) The court, on hearing an appeal under subsection (5), shall—
(a) annul the decision concerned,
(b) substitute its own determination for the decision, or
(c) dismiss the appeal.
(7) Where the Commission, being the competent supervisory authority in respect of a
complaint within the meaning of Chapter 2 or 3, does not comply with section 103(2)
or, as the case may be, section 116(2), the complainant concerned may apply to the
court for an order under subsection (8)(a).
(8) The court, on hearing an application under subsection (7), shall—
(a) order the Commission to comply with the provision concerned, or
(b) dismiss the application.
(9) The Circuit Court shall, concurrently with the High Court, have jurisdiction to hear
and determine proceedings under this section.
(10) The jurisdiction conferred on the Circuit Court by this section shall be exercised by
the judge for the time being assigned to the circuit where—
(a) in the case of an appeal under subsection (1), the controller or processor is
established,
(b) in the case of an appeal under subsection (5), the data subject or other person
resides or is established, or
(c) in the case of an application under subsection (7), the data subject resides,
or, at the option of the controller, processor, data subject or person concerned, by a
judge of the Circuit Court for the time being assigned to the Dublin circuit.
(11) A decision of the Circuit Court or High Court, as the case may be, under this section
shall be final save that, by leave of that Court, an appeal shall lie to the High Court or
Court of Appeal, as the case may be, on a point of law.
(12) For the purposes of this section, a “legally binding decision” means a decision—
(a) under paragraph (a) or (b) of section 104(5) or paragraph (a) or (b) of section
117(4),
(b) under section 106(1)(a), 107(1), 108(2)(b), 109, 119(1)(a) or 120(1), or
(c) to exercise a corrective power under Chapter 2 or 3.
Privileged legal material
146. (1) Where a controller or processor, when requested under this Part to produce
information, or provide access to it, refuses to do so on the grounds that the
information contains privileged legal material, the Commission or an authorised
officer may, at any time within 28 days or such longer period as the High Court may
allow of the date of such refusal, apply to the High Court for a determination as to
whether the information, or any part of the information, is privileged legal material
where—
(a) in relation to the information concerned—
(i) the Commission or authorised officer has reasonable grounds for believing
that it is not privileged legal material, or
(ii) due to the manner or extent to which such information is presented together
with any other information, it is impossible or impractical to extract only
such information,
and
(b) the Commission or authorised officer has reasonable grounds to suspect that the
information contains evidence relating to an infringement of a relevant enactment
or a relevant provision.
(2) A controller or processor referred to in subsection (1) who refuses to produce
information or provide access to it on the grounds that the information contains
privileged legal material shall preserve the information and keep it in a safe and
secure place and manner pending the determination of an application under
subsection (1) and shall, if the information is so determined not to be privileged legal
material, produce it in accordance with such order as the High Court considers
appropriate.
(3) A person shall be considered to have complied with the requirement under subsection
(2) to preserve information where the person has complied with such requirements as
may be imposed by an authorised officer under paragraph (d) of section 125(1).
(4) Where an application is made by the Commission or an authorised officer under
subsection (1), the High Court may give such interim or interlocutory directions as it
considers appropriate including, without prejudice to the generality of the foregoing,
directions as to the appointment of a person with suitable legal qualifications
possessing the level of experience and independence from any interest falling to be
determined between the parties concerned, that the Court considers to be appropriate
for the purpose of—
(a) examining the information, and
(b) preparing a report for the Court with a view to assisting or facilitating the Court
in the making of its determination as to whether the information is privileged
legal material.
(5) An application under subsection (1) shall be by motion and may, if so directed, be
heard otherwise than in public.
Presumptions
147. (1) The presumptions specified in this section shall apply in any proceedings under the
Data Protection Regulation or this Act.
(2) Where a document purports to have been created by a person it shall be presumed,
unless the contrary is shown, that the document was created by that person and that
any statement or record contained in it, unless the document expressly attributes its
making to some other person, was made by that person.
(3) Where a document purports to have been created by a person and addressed and sent
to a second person, it shall be presumed, unless the contrary is shown, that the
document or record was created and sent by the first person and received by the
second person, and that any statement or record contained in it—
(a) unless the document or record expressly attributes its making to some other
person, was made by the first person, and
(b) came to the notice of the second person.
(4) Where a document or record is retrieved from an electronic storage and retrieval
system, it shall be presumed, unless the contrary is shown, that the author of the
document is the person who ordinarily uses that electronic storage and retrieval
system in the course of his or her business.
(5) Where an authorised officer who, in the exercise of his or her powers, has removed
one or more documents or records from any premises or place, gives evidence in any
proceedings that, to the best of his or her knowledge and belief, the material is the
property of any person, then the material shall be presumed, unless the contrary is
shown, to be the property of that person.
(6) Where, in accordance with subsection (5), material is presumed in proceedings to be
the property of a person and the authorised officer concerned gives evidence that, to
the best of his or her knowledge and belief, the material is material which relates to
any trade, profession, or, as the case may be, other activity, carried on by that person,
the material shall be presumed, unless the contrary is proved, to be material which
relates to that trade, profession, or, as the case may be, other activity, carried on by
that person.
(7) References in this section to a document or record are references to a document or
record in written or electronic form and, for this purpose “written” includes any form
of notation or code whether by hand or otherwise and regardless of the method by
which, or medium in or on which, the document or record concerned is recorded.
Expert evidence
148. (1) In any proceedings under the Data Protection Regulation or this Act, the opinion of
any witness who appears to possess the appropriate qualifications or experience as
respects the matter to which his or her evidence relates shall, subject to subsection (2),
be admissible in evidence as regards any matter calling for expertise or special
knowledge that is relevant to the proceedings and, in particular and without prejudice
to the generality of the foregoing, the following matters, namely—
(a) the effects that types of data processing such as profiling may have, or have had,
on the protection of personal data,
(b) an explanation of any relevant practices or the application of such practice, where
such an explanation would assist the proceedings.
(2) Notwithstanding subsection (1), a court may, where in its opinion the interests of
justice require it to so direct in the proceedings concerned, direct that evidence of a
general or specific kind referred to in that subsection shall not be admissible in
proceedings or shall be admissible in such proceedings for specified purposes only.
Immunity from suit
149. Civil or criminal proceedings shall not lie in any court against the Commission, a
Commissioner, an authorised officer or a member of the staff of the Commission in
respect of anything said or done in good faith by the Commission, Commissioner,
authorised officer or member of staff in the course of the performance or purported
performance of a function of the Commission, Commissioner, authorised officer or
member of staff.
Jurisdiction of Circuit Court
150. An application under section 133(4), 137(1) or 138(1) shall be made to a judge of that
Court for the circuit in which the person to whom the application relates ordinarily
resides or, if a controller or processor, has an establishment or, at the option of the
person, by a judge of the Circuit Court for the time being assigned to the Dublin circuit.
Hearing of proceedings
151. The whole or any part of any proceedings under this Part may, at the discretion of the
court, be heard otherwise than in public.
PART 7
MISCELLANEOUS PROVISIONS
Supervisory authority for courts acting in judicial capacity
152. (1) The judge (“assigned judge”) for the time being assigned for that purpose by the
Chief Justice shall be competent for supervision of data processing operations of the
courts when acting in their judicial capacity.
(2) The assigned judge shall, in particular—
(a) promote awareness of data protection rules among judges and ensure compliance
with them,
(b) handle, and investigate to the extent appropriate, complaints in relation to data
processing operations of the courts when acting in their judicial capacity.
(3) The scope of rights and obligations provided for in—
(a) Articles 12 to 22 and 34 (as well as Article 5 in so far as its provisions correspond
to the rights and obligations provided for in Articles 12 to 22),
(b) sections 81, 85, 86, 87 and 88 and section 65, insofar as it relates to those
sections,
may be restricted, to the extent necessary and proportionate in a democratic society, in
order to safeguard—
(i) the protection of judicial independence and court proceedings, and
(ii) the establishment, exercise or defence of legal claims.
(4) The restrictions referred to in subsection (3) shall be determined by a panel of three
judges nominated for that purpose by the Chief Justice.
(5) The panel referred to in subsection (4) shall publish the restrictions determined by it
under that subsection in such manner as it considers appropriate.
Publication of judgment or decision of court
153. The processing of personal data shall be lawful where that processing—
(a) consists of the publication of a judgment or decision of a court, or
(b) is necessary for the purposes of such publication.
Rules of court for data protection actions
154. (1) It shall be the function of the courts in data protection actions to ensure that parties to
such actions comply with such rules of court as apply in relation to such actions so
that the trial of data protection actions within a reasonable period of their having been
commenced is secured.
(2) Where rules of court prescribe a period of time for the service of a document, or the
doing of any other thing, in relation to a data protection action, the period within
which that document may be served or thing may be done, shall not be extended
beyond the period so prescribed unless—
(a) the parties to the action agree to the period being extended, or
(b) the court considers that—
(i) in all the circumstances the extension of the period by such further period as
it may direct is necessary or expedient to enable the action to be properly
prosecuted or defended, and
(ii) the interests of justice require the extension of the period by that further
period.
(3) For the purposes of ensuring compliance by a party to a data protection action with
rules of court, a court may make such orders as to the payment of costs as it considers
appropriate.
(4) Nothing in this section shall be construed as limiting or reducing the power of an
authority, having (for the time being) power to make rules regulating the practice and
procedure of a court, to—
(a) make such rules in relation to data protection actions provided such rules do not
derogate from, and are not inconsistent with, any provision of the Data Protection
Regulation or this Act, or
(b) make such rules in relation to proceedings or actions other than data protection
actions.
(5) In this section, “data protection action” means a data protection action under section
112 or section 123.
(6) In subsections (1) and (2), a reference to the courts or the court includes a reference to
the Master of the High Court and a county registrar.
Legal privilege
155. The rights and obligations provided for in—
(a) Articles 12 to 22 and 34 of the Data Protection Regulation (as well as Article 5 in
so far as its provisions correspond to the rights and obligations provided for in
Articles 12 to 22), and
(b) sections 81, 85, 86, 87 and 88 and section 65, insofar as it relates to those
sections,
do not apply—
(i) to personal data processed for the purpose of seeking, receiving or giving legal
advice,
(ii) to personal data in respect of which a claim of privilege could be made for the
purpose of or in the course of legal proceedings, including personal data
consisting of communications between a client and his or her legal advisers or
between those advisers,
(iii) where the exercise of such rights or performance of such obligations would
constitute a contempt of court.
Application to High Court for appropriate safeguards
156. (1) The Commission, where it considers that a place to which personal data are to be
transferred does not ensure an adequate level of protection, may apply to the High
Court for a determination as to whether the level of protection ensured by the place is
adequate.
(2) An application under subsection (1) may be made notwithstanding that the place
concerned is the subject of an implementing act pursuant to Article 45(3) of the Data
Protection Regulation or, as the case may be, Article 36(3) of the Directive.
(3) The Commission, where it considers that a standard data protection clause does not
provide for appropriate safeguards, may apply to the High Court for a determination
as to whether the standard data protection clause provides for appropriate safeguards.
(4) For the purposes of this section, the adequacy of the level of protection referred to in
subsection (1) shall be assessed in accordance with, as the case may be, Article 45(2)
of the Regulation or Article 36(2) of the Directive.
(5) In this section—
“place” means a third country, a territory or one or more specified sectors within a
third country, or an international organisation;
“standard data protection clause” means a standard data protection clause to which
point (c) or (d) of Article 46(1) of the Data Protection Regulation applies.
Court may order destruction, erasure of data
157. (1) Where a person is convicted of an offence under this Act, the court may order any
personal data that appears to the court to be connected with the commission of the
offence to be destroyed or erased.
(2) The court shall not make an order under subsection (1) where it considers that a
person other than the person convicted of the offence concerned may be the owner of,
or otherwise interested in, the data concerned, unless such steps as are reasonably
practicable have been taken for notifying that person and giving him or her an
opportunity to show cause why the order should not be made.