Hide Nav Show Nav
SOLR_PROP

S.I. No. 657/2007 - Data Protection Act 1988 (Section 16(1)) Regulations 2007

S.I. No. 657 of 2007

DATA PROTECTION ACT 1988 (SECTION 16(1)) REGULATIONS 2007

Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 2nd October, 2007.

I, BRIAN LENIHAN, Minister for Justice, Equality and Law Reform, in exercise of the powers conferred on me by section 16 (1) (inserted by section 16 of the Data Protection (Amendment) Act 2003 (No. 6 of 2003)) of the Data Protection Act 1988 (No. 25 of 1988) and the Justice (Alteration of Name of Department and Title of Minister) Order 1997 ( S.I. No. 298 of 1997 ), andafter consultation with the Data Protection Commissioner, hereby make the following regulations:

Citation and commencement.

1. (1) These Regulations may be cited as the Data Protection Act 1988 (Section 16(1)) Regulations 2007.

(2) These Regulations come into operation on 1 October 2007.

Interpretation.

2. In these Regulations—

“Act of 2003” means the Data Protection (Amendment) Act 2003 (No. 6 of 2003);

“health professional” means a registered medical practitioner within themeaning of the Medical Practitioners Act 1978 (No. 4 of 1978), a registered dentist within the meaning of the Dentists Act 1985 (No. 9 of 1985) or a member of a designated profession within the meaning of section 3 of the Health and Social Care Professionals Act 2005 (No. 27 of 2005);

“legal services” has the same meaning as it has in section 2 (as amended by section 45 of the Investor Companies Act 1998 (No. 37 of 1998)) of the Solicitors (Amendment) Act 1994 (No. 27 of 1994);

“local authority” means a local authority for the purposes of the Local Government Act 2001 (No. 37 of 2001);

“medical purposes” means the purposes of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services;

“political office” means—

(a) the office of President of Ireland, or

(b) membership of—

(i) either House of the Oireachtas,

(ii) the European Parliament, or

(iii) a local authority;

“Principal Act” means the Data Protection Act 1988 (No. 25 of 1988);

“publication”, in relation to journalistic, artistic or literary material, means the act of making the material available to the public or any section of the public in any form or by any means;

“solicitor” has the same meaning as it has in section 3 (as amended by section 3 of the Solicitors (Amendment) Act 1994 ) of the Solicitors Act 1954 (No. 36 of 1954).

Data controllers and data processors specified.

3. (1) Subject to paragraph (2) and Regulation 4, the following categories of data controller and data processor are specified for the purposes of section 16(1) (inserted by section 16 of the Act of 2003) of the Principal Act:

(a) a data controller who processes personal data relating to the data controller’s past, existing or prospective employees in the ordinary course of personnel administration and not for any other purpose, where the data are not processed other than where it is necessary to carry out such processing in the ordinary course of personnel administration;

(b) a data controller, being a person—

(i) who is seeking or intends to seek nomination as a candidate for election to a political office,

(ii) who is nominated as a candidate for election to a political office, or

(iii) who holds a political office,

and who processes personal data relating to—

(I) electors, for the purpose of electoral activities,

(II) persons from whom donations are sought by the data controller, for political purposes,

(III) persons by whom or on whose behalf donations are made to the data controller, for political purposes,

(IV) persons seeking advice or assistance from the data controller in his or her capacity as a person falling under clause (i), (ii) or (iii), for the purpose of providing such advice or assistance,

where the data are not processed other than where it is necessary to carry out such processing for the purpose of electoral activities, for political purposes or providing such advice or assistance to a data subject, as the case may be;

(c) a data controller, being a person who sought nomination as a candidate for election to a political office but was not so nominated, or who was so nominated, but who was not elected to such office at the election in respect of which he or she was so nominated, who, for a reasonable period thereafter, processes personal data relating to—

(i) electors, for the purpose of electoral activities,

(ii) persons from whom donations are sought by the data controller, for political purposes,

(iii) persons by whom or on whose behalf donations are made to the data controller, for political purposes,

(iv) persons seeking advice or assistance from the data controller in his or her capacity as a person who sought nomination as a candidate for election to a political office or election to such office, as the case may be, for the purpose of providing such advice or assistance,

where the data are not processed other than where it is necessary to carry out such processing for the purpose of electoral activities, for political purposes or providing such advice or assistance to a data subject, as the case may be;

(d) a data controller, being an educational establishment, that is—

(i) a preschool service within the meaning of Part VII of the Child Care Act 1991 (No. 17 of 1991),

(ii) a primary school,

(iii) a post-primary school,

(iv) an institution providing adult, continuing or further education, or

(v) a university or any other third-level or higher-level institution,

whether or not supported by public funds and which processes personal data relating to the students of such an establishment and the parents (within the meaning of section 2 of the Education Act 1998 (No. 51 of 1998)) of such students for purposes relating to the students’ education, where the data are not processed other than where it is necessary to carry out such processing for purposes relating to the students’ education;

(e) a data controller, being a solicitor who, for the purpose of providing legal services to his or her clients, processes personal data relating to—

(i) his or her clients, or

(ii) persons who are, or may be, connected with the provision by him or her of such services to his or her clients,

where the data are not processed other than where it is necessary to carry out such processing for the purpose of providing legal services;

(f) a data controller, being a barrister who processes personal data relating to—

(i) his or her clients, or

(ii) persons who are, or may be, connected with the provision by him or her of legal professional services to his or her clients,

for legal professional purposes, where the data are not processed other than where it is necessary to carry out such processing for legal professional purposes;

(g) a data controller, other than a health professional who processes personal data relating to the physical or mental health or condition of a data subject for medical purposes, who processes personal data relating to the past, existing or prospective customers or suppliers of the data controller for the purposes of—

(i) advertising or marketing the data controller’s business, activity, goods or services,

(ii) keeping accounts relating to any business or other activity carried on by the data controller,

(iii) deciding whether to accept any person as a customer or supplier,

(iv) keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions,

(v) making financial or management forecasts to assist in the conduct of the business or other activity carried on by the data controller, or

(vi) performing a contract with a data subject,

where the data are not processed other than where it is necessary to carry out such processing for any of the purposes specified in subparagraphs (i) to (vi);

(h) a data controller, being a company which processes personal data relating to the past or existing shareholders, directors or other officers of the company for the purpose of compliance with the Companies Acts, where the data are not processed other than where it is necessary to carry out such processing for that purpose;

(i) a data controller who processes personal data with a view to the publication of any journalistic, literary or artistic material, where the data are not processed other than where it is necessary to carry out such processing for journalistic, literary or artistic purposes;

(j) a data controller or a data processor to whom a code of practice in respect of which a resolution approving of it has been passed by each House of the Oireachtas under section 13(3) of the Principal Act applies;

(k) a data processor who processes personal data on behalf of a data controller insofar as the processing of the data would, if undertaken by the data controller, fall under any one or more of paragraphs (a) to (j).

(2) The specification of the categories of data controller and data processor referred to in paragraph (1) for the purposes of section 16(1) (inserted by section 16 of the Act of 2003) of the Principal Act shall apply even if such a data controller or data processor processes the personal data to which the specification relates in the circumstances specified in section 8 of that Act.

Data controllers and data processors to whom Regulation 3 does not apply.

4. The following categories of data controller and data processor are not specified for the purposes of section 16(1) (inserted by section 16 of the Act of 2003) of the Principal Act even if such a data controller or data processor falls under any one or more of paragraphs (a) to (k) of Regulation 3(1):

(a) a data controller, being a financial institution, other than an institution referred to in paragraphs (a) and (f) of section 7(4) (inserted by section 33 of, and Part 4 of Schedule 3 to, the Central Bank and Financial Services Authority Act 2004 (No. 21 of 2004)) of the Central Bank Act 1971 (No. 24 of 1971);

(b) a data controller, being a person authorised in accordance with the European Communities (Licensing and Supervision of Credit Institutions) Regulations 1992 ( S.I. No. 395 of 1992 ) to carry on business in the State;

(c) a data controller, being an insurance undertaking within the meaning of section 2 (as amended by section 3 of the Insurance Act 2000 (No. 42 of 2000)) of the Insurance Act 1989 (No. 3 of 1989);

(d) a data controller, being a person whose business consists wholly or mainly in direct marketing, providing credit references or collecting debts;

(e) a data controller, being an Internet access provider whose business consists wholly or partly in the connection of persons to the Internet and who holds personal data relating to such persons;

(f) a data controller, being an authorised undertaking within the meaning of the European Communities (Electronic Communications Networks and Services) (Authorisation) Regulations 2003 ( S.I. No. 306 of 2003 ) who processes personal data relating to persons to whom electronic communications networks or electronic communications services are provided;

(g) a data controller who processes genetic data within the meaning of section 41 of the Disability Act 2005 (No. 14 of 2005);

(h) a data processor who processes personal data on behalf of a data controller who falls under any one or more of paragraphs (a) to (g).

Revocation.

5. The Data Protection (Registration) Regulations 2001 ( S.I. No. 2 of 2001 ) are revoked.

/images/ls

GIVEN under my Official Seal,

26 September 2007

BRIAN LENIHAN.

Minister for Justice, Equality and Law Reform.

EXPLANATORY NOTE

This note is not part of the Instrument and does not purport to be a legal interpretation.)

Section 16 of the Data Protection Act 1988 , as amended by section 16 of the Data Protection (Amendment) Act 2003 , provides that all data controllers and processors must register with the Data Protection Commissioner unless they come within an exempt category. This is in line with Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, to which effect was given in the 2003 Act.

Section 16 exempts a limited number of specific categories of data controller from the requirement to register and also provides that the Minister for Justice, Equality and Law Reform may specify exemptions for other categories in regulations.

These Regulations provide that the following categories of data controller are exempt from the registration requirement:

(a) Data controllers who process data relating to personnel administration,

(b) Candidates for and holders of elective political office who process personal data for electoral activities or for the purpose of providing advice or assistance,

(c) Educational establishments,

(d) Solicitors and barristers who process personal data for legal professional purposes,

(e) A wide exemption is proposed for normal commercial activity which by definition requires the processing of personal data, e.g. keeping details of customers and suppliers (with the exception of data controllers who process personal data relating to physical or mental health),

(f) Companies which process personal data relating to shareholders, directors or other officers of the company with a view to compliance with the Companies Acts,

(g) Data controllers who process personal data with a view to the publication of journalistic, literary or artistic material,

(h) Categories of data controller or data processor to which a code of practice approved under section 13 of the 1988 Act applies,

(i) Data processors who process personal data on behalf of data controllers where the processing of the data would fall under one or more of the above categories.

However, the following categories of data controller are not exempt and are required to register:

(a) financial institutions;

(b) credit institutions;

(c) insurance undertakings;

(d) persons whose business consists wholly or mainly in direct marketing, providing credit references or collecting debts;

(e) Internet access providers;

(f) electronic communications network or service providers;

(g) persons who process genetic data;

(h) data processors who process personal data on behalf of data controllers who fall under one or more of the above categories.

These Regulations come into operation on the 1st of October, 2007