Digital Services Act 2024
|
Disclosure of personal data | ||
|
47. (1) The Commission may, in the circumstances referred to in subsection (2), disclose personal data to any of the following: | ||
(a) Coimisiún na Meán; | ||
(b) the Garda Síochána; | ||
(c) an intermediary service provider; | ||
(d) a body prescribed in regulations made by the Minister. | ||
(2) The circumstances referred to in subsection (1) are: | ||
(a) in the case of subsection (1)(a), where the Commission considers that the disclosure is necessary and proportionate— | ||
(i) for the effective implementation of the Digital Services Regulation, or | ||
(ii) for the purposes of transferring a complaint or part of a complaint to Coimisiún na Meán, where the complaint, or part of the complaint, made to the Commission relates to the failure to comply with the Digital Services Regulation; | ||
(b) in the case of subsection (1)(b), where the Commission considers that the disclosure is necessary and proportionate for the prevention or investigation of a criminal offence; | ||
(c) in the case of subsection (1)(c), where a complaint, or part of a complaint, made under section 48 is made in relation to an intermediary service provider, and the Commission considers that the disclosure is necessary and proportionate for the purposes of considering the complaint or part of the complaint under that section; | ||
(d) in the case of subsection (1)(d), where the Commission considers that the disclosure is necessary and proportionate in such other circumstances as may be prescribed in regulations made by the Minister. | ||
(3) Where the Commission discloses a person’s personal data under this section, the Commission shall notify the person of the disclosure in so far as it is practicable to do so. | ||
(4) Where the Commission processes or discloses special categories of personal data in accordance with this section, it shall only do so where the Commission considers that the disclosure is necessary and proportionate in accordance with the Data Protection Regulation and the Act of 2018. | ||
(5) The Minister may prescribe suitable and specific measures for the processing of special categories of personal data under this section. | ||
(6) Where personal data processed by the Commission is required for the purposes of the prevention, investigation, detection or prosecution of a criminal offence, the data— | ||
(a) may be processed for as long as it is required for such prevention, investigation, detection or prosecution, and | ||
(b) shall be permanently deleted after it is no longer required for such prevention, investigation, detection or prosecution. | ||
(7) The matters that section 19 (1) of the Data Sharing and Governance Act 2019 requires to be specified or included in a data-sharing agreement shall be specified or included in any agreement entered into by the Commission for the disclosure to another body of personal data in accordance with subsection (1), subject to the following modifications to the description of those matters in section 19(1) of that Act: | ||
(a) references to the data-sharing shall be construed as references to any disclosure under the agreement; | ||
(b) the reference in paragraph (d) to the public body concerned shall be construed as a reference to the body with whom the agreement is entered into; | ||
(c) the reference in paragraph (f) to a public body shall be construed as a reference to a party to the agreement; | ||
(d) the following paragraph shall be substituted for paragraph (r): | ||
“(r) include in a schedule to the agreement a statement summarising the grounds on which the Commission considers the disclosure of the information to be necessary and proportionate as described in any paragraph of section 47 (2) of the Digital Services Act 2024.”. | ||
(8) The Minister may prescribe a body for the purposes of subsection (1)(d) where he or she is satisfied that disclosure by the Commission of personal data to the body, in the circumstances referred to in subsection (2), is necessary for the performance by the Commission or the body prescribed of functions in the public interest or for the effective implementation of the Digital Services Regulation. | ||
(9) The Minister may prescribe a body for the purposes of subsection (2)(d) where he or she is satisfied that disclosure by the Commission of personal data to the body, in the circumstances prescribed, is necessary for the performance by the Commission or such a body of functions in the public interest or for the effective implementation of the Digital Services Regulation. | ||
(10) The Minister shall consider whether it is necessary to carry out an assessment of the impact of regulations made for the purposes of subsection (1)(d) or (2)(d) on the processing of personal data before making the regulations and, where he or she considers it necessary to do so, shall carry out the assessment. | ||
(11) The Commission shall give a copy of any agreement referred to in subsection (7) to the Minister. | ||
(12) In this section— | ||
“Act of 2018” means the Data Protection Act 2018 ; | ||
“personal data” has the same meaning as it has in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20164 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); | ||
“special categories of personal data” has the same meaning as it has in the Act of 2018; | ||
“suitable and specific measures” means measures to be taken to safeguard the fundamental rights and freedoms of data subjects in processing the personal data of those data subjects and may include measures specified in section 36(1) of the Act of 2018. | ||