Data Protection Act, 1988

/static/images/base/harp.jpg


Number 25 of 1988


DATA PROTECTION ACT, 1988


ARRANGEMENT OF SECTIONS

Preliminary

Section

1.

Interpretation and application of Act.

Protection of Privacy of Individuals with regard to Personal Data

2.

Collection, processing, keeping, use and disclosure of personal data.

3.

Right to establish existence of personal data.

4.

Right of access.

5.

Restriction of right of access.

6.

Right of rectification or erasure.

7.

Duty of care owed by data controllers and data processors.

8.

Disclosure of personal data in certain cases.

The Data Protection Commissioner

9.

The Commissioner.

10.

Enforcement of data protection.

11.

Prohibition on transfer of personal data outside State.

12.

Power to require information.

13.

Codes of practice.

14.

Annual report.

15.

Mutual assistance between parties to Convention.

Registration

16.

The register.

17.

Applications for registration.

18.

Duration and continuance of registration.

19.

Effect of registration.

20.

Regulations for registration.

Miscellaneous

21.

Unauthorised disclosure by data processor.

22.

Disclosure of personal data obtained without authority.

23.

Provisions in relation to certain non-residents and to data kept or processed outside State.

24.

Powers of authorised officers.

25.

Service of notices.

26.

Appeals to Circuit Court.

27.

Evidence in proceedings.

28.

Hearing of proceedings.

29.

Offences by directors, etc., of bodies corporate.

30.

Prosecution of summary offences by Commissioner.

31.

Penalties.

32.

Laying of regulations before Houses of Oireachtas.

33.

Fees.

34.

Expenses of Minister.

35.

Short title and commencement.

FIRST SCHEDULE

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981

SECOND SCHEDULE

The Data Protection Commissioner

THIRD SCHEDULE

Public Authorities and Other Bodies and Persons


Acts Referred to

Central Bank Act, 1971

1971, No. 24

Civil Service Commissioners Act, 1956

1956, No. 45

Civil Service Regulation Acts, 1956 and 1958

Companies Act, 1963

1963, No. 33

Companies Acts, 1963 to 1987

Defence Act, 1954

1954, No. 18

European Assembly Elections Act, 1977

1977, No. 30

European Assembly Elections Act, 1984

1984, No. 6

Interpretation Act, 1937

1937, No. 38

Local Government Act, 1941

1941, No. 23

Official Secrets Act, 1963

1963, No. 1

Petty Sessions (Ireland) Act, 1851

1851, c. 93

Prison Act, 1970

1970, No. 11

Public Offices Fees Act, 1879

1879, c. 58

Statutory Instruments Act, 1947

1947, No. 44

/static/images/base/harp.jpg


Number 25 of 1988


DATA PROTECTION ACT, 1988


AN ACT TO GIVE EFFECT TO THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA DONE AT STRASBOURG ON THE 28TH DAY OF JANUARY, 1981, AND FOR THAT PURPOSE TO REGULATE IN ACCORDANCE WITH ITS PROVISIONS THE COLLECTION, PROCESSING, KEEPING, USE AND DISCLOSURE OF CERTAIN INFORMATION RELATING TO INDIVIDUALS THAT IS PROCESSED AUTOMATICALLY. [13th July, 1988]

BE IT ENACTED BY THE OIREACHTAS AS FOLLOWS:

Preliminary

Interpretation and application of Act.

1.(1) In this Act, unless the context otherwise requires—

appropriate authority” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

back-up data” means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged;

civil servant” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

the Commissioner” has the meaning assigned to it by section 9 of this Act;

company” has the meaning assigned to it by the Companies Act, 1963 ;

the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981, the text of which is set out in the First Schedule to this Act;

the Court” means the Circuit Court;

data” means information in a form in which it can be processed;

data controller” means a person who, either alone or with others, controls the contents and use of personal data;

data equipment” means equipment for processing data;

data material” means any document or other material used in connection with, or produced by, data equipment;

data processor” means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;

data subject” means an individual who is the subject of personal data;

direct marketing” includes direct mailing;

disclosure”, in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;

enforcement notice” means a notice under section 10 of this Act;

financial institution” means—

(a) a person who holds or has held a licence under section 9 of the Central Bank Act, 1971 , or

(b) a person referred to in section 7 (4) of that Act;

information notice” means a notice under section 12 of this Act;

local authority” means a local authority for the purposes of the Local Government Act, 1941 ;

the Minister” means the Minister for Justice;

personal data” means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller;

prescribed”, in the case of fees, means prescribed by regulations made by the Minister with the consent of the Minister for Finance and, in any other case, means prescribed by regulations made by the Commissioner with the consent of the Minister;

processing” means performing automatically logical or arithmetical operations on data and includes—

(a) extracting any information constituting the data, and

(b) in relation to a data processor, the use by a data controller of data equipment in the possession of the data processor and any other services provided by him for a data controller,

but does not include an operation performed solely for the purpose of preparing the text of documents;

prohibition notice” means a notice under section 11 of this Act;

the register” means the register established and maintained under section 16 of this Act;

and any cognate words shall be construed accordingly.

(2) For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.

(3) (a) An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force—

(i) the civil servant so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the authority,

as respects the data concerned.

(b) Without prejudice to paragraph (a) of this subsection, the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a data controller or a data processor and, while the designation is in force—

(i) the officer so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the Minister for Defence,

as respects the data concerned.

(c) For the purposes of this Act, as respects any personal data—

(i) where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

(ii) where a designation under paragraph (b) of this subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

(iii) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the said Commissioner.

(4) This Act does not apply to—

(a) personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,

(b) personal data consisting of information that the person keeping the data is required by law to make available to the public, or

(c) personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.

Protection of Privacy of Individuals with regard to Personal Data

Collection, processing, keeping, use and disclosure of personal data.

2.(1) A data controller shall, as respects personal data kept by him, comply with the following provisions:

(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,

(b) the data shall be accurate and, where necessary, kept up to date,

(c) the data—

(i) shall be kept only for one or more specified and lawful purposes,

(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes,

(iii) shall be adequate, relevant and not excessive in relation to that purpose or those purposes, and

(iv) shall not be kept for longer than is necessary for that purpose or those purposes,

(d) appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.

(2) A data processor shall, as respects personal data processed by him, comply with paragraph (d) of subsection (1) of this section.

(3) Paragraph (a) of the said subsection (1) does not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in section 5 (1) (a) of this Act, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in the said section 5 (1) (a).

(4) Paragraph (b) of the said subsection (1) does not apply to backup data.

(5) (a) Paragraph (c) (iv) of the said subsection (1) does not apply to personal data kept for historical, statistical or research purposes, and

(b) the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained,

if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject.

(6) (a) The Minister may, for the purpose of providing additional safeguards in relation to personal data as to racial origin, political opinions, religious or other beliefs, physical or mental health, sexual life or criminal convictions, by regulations amend subsection (1) of this section.

(b) Regulations under this section may make different provision in relation to data of different descriptions.

(c) References in this Act to subsection (1) of this section or to a provision of that subsection shall be construed in accordance with any amendment under this section.

(d) Regulations under this section shall be made only after consultation with any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted.

(e) Where it is proposed to make regulations under this section, a draft of the regulations shall be laid before each House of the Oireachtas and the regulations shall not be made until a resolution approving of the draft shall have been passed by each such House.

(7) Where—

(a) personal data are kept for the purpose of direct marketing, and

(b) the data subject concerned requests the data controller in writing to cease using the data for that purpose,

the data controller shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him—

(i) if the data are kept only for the purpose aforesaid, erase the data,

(ii) if the data are kept for that purpose and other purposes, cease using the data for that purpose, and

(iii) notify the data subject in writing accordingly and, where appropriate, inform him of those other purposes.

Right to establish existence of personal data.

3.An individual who believes that a person keeps personal data shall, if he so requests the person in writing—

(a) be informed by the person whether he keeps any such data, and

(b) if he does, be given by the person a description of the data and the purposes for which they are kept,

as soon as may be and in any event not more than 21 days after the request has been given or sent to him.

Right of access.

4.(1) (a) Subject to the provisions of this Act, an individual shall, if he so requests a data controller in writing—

(i) be informed by the data controller whether the data kept by him include personal data relating to the individual, and

(ii) be supplied by the data controller with a copy of the information constituting any such data,

as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section; and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.

(b) A request for the information specified in subparagraph (i) of subsection (1) (a) of this section shall, in the absence of any indication to the contrary, be treated as including a request for a copy of the information specified in subparagraph (ii) of the said subsection (1) (a).

(c) (i) A fee may be payable to the data controller concerned in respect of such a request as aforesaid and the amount thereof shall not exceed such amount as may be prescribed or an amount that in the opinion of the Commissioner is reasonable, having regard to the estimated cost to the data controller of compliance with the request, whichever is the lesser.

(ii) A fee paid by an individual to a data controller under subparagraph (i) of this paragraph shall be returned to him if his request is not complied with or the data controller rectifies or supplements, or erases part of, the data concerned (and thereby materially modifies the data) or erases all of the data on the application of the individual or in accordance with an enforcement notice or an order of a court.

(2) Where pursuant to provision made in that behalf under this Act there are separate entries in the register in respect of data kept by a data controller for different purposes, subsection (1) of this section shall apply as if it provided for the making of a separate request and the payment of a separate fee in respect of the data to which each entry relates.

(3) An individual making a request under this section shall supply the data controller concerned with such information as he may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information.

(4) Nothing in subsection (1) of this section obliges a data controller to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure:

Provided that, where the circumstances are such that it would be reasonable for the data controller to conclude that, if any particulars identifying that other individual were omitted, the data could then be disclosed as aforesaid without his being thereby identified to the data subject, the data controller shall be obliged to disclose the data to the data subject with the omission of those particulars.

(5) Information supplied pursuant to a request under subsection (1) of this section may take account of any amendment of the personal data concerned made since the receipt of the request by the data controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.

(6) (a) A request by an individual under subsection (1) of this section in relation to the results of an examination at which he was a candidate shall be deemed, for the purposes of this section, to be made on—

(i) the date of the first publication of the results of the examination, or

(ii) the date of the request,

whichever is the later; and paragraph (a) of the said subsection (1) shall be construed and have effect in relation to such a request as if for “40 days” there were substituted “60 days”.

(b) In this subsection “examination” means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his performance in any test, work or other activity.

(7) A notification of a refusal of a request made by an individual under and in compliance with the preceding provisions of this section shall be in writing and shall include a statement of the reasons for the refusal and an indication that the individual may complain to the Commissioner about the refusal.

(8) (a) If and whenever the Minister considers it desirable in the interests of data subjects to do so and by regulations so declares, the application of this section to personal data—

(i) relating to physical or mental health, or

(ii) kept for, or obtained in the course of, carrying out social work by a Minister of the Government, a local authority, a health board or a specified voluntary organisation or other body,

may be modified by the regulations in such manner, in such circumstances, subject to such safeguards and to such extent as may be specified therein.

(b) Regulations under paragraph (a) of this subsection shall be made only after consultation with the Minister for Health and any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted and may make different provision in relation to data of different descriptions.

Restriction of right of access.

5.(1) Section 4 of this Act does not apply to personal data—

(a) kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid,

(b) to which, by virtue of paragraph (a) of this subsection, the said section 4 does not apply and which are kept for the purpose of discharging a function conferred by or under any enactment and consisting of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in paragraph (a) of this subsection,

(c) in any case in which the application of that section would be likely to prejudice the security of, or the maintenance of good order and discipline in—

(i) a prison,

(ii) a place of detention provided under section 2 of the Prison Act, 1970 ,

(iii) a military prison or detention barrack within the meaning of the Defence Act, 1954 , or

(iv) Saint Patrick's Institution,

(d) kept for the purpose of performing such functions conferred by or under any enactment as may be specified by regulations made by the Minister, being functions that, in the opinion of the Minister, are designed to protect members of the public against financial loss occasioned by—

(i) dishonesty, incompetence or malpractice on the part of persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or similar organisations, or

(ii) the conduct of persons who have at any time been adjudicated bankrupt,

in any case in which the application of that section to the data would be likely to prejudice the proper performance of any of those functions,

(e) in respect of which the application of that section would be contrary to the interests of protecting the international relations of the State,

(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of the liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim,

(g) in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers,

(h) kept only for the purpose of preparing statistics or carrying out research if the data are not used or disclosed (other than to a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of this Act) for any other purpose and the resulting statistics or the results of the research are not made available in a form that identifies any of the data subjects, or

(i) that are back-up data.

(2) Regulations under subsections (1) (d) and (3) (b) of this section shall be made only after consultation with any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted.

(3) (a) Subject to paragraph (b) of this subsection, section 4 of this Act, as modified by any other provisions thereof, shall apply notwithstanding any provision of or made under any enactment or rule of law that is in force immediately before the passing of this Act and prohibits or restricts the disclosure, or authorises the withholding, of information.

(b) If and whenever the Minister is of opinion that a prohibition, restriction or authorisation referred to in paragraph (a) of this subsection in relation to any information ought to prevail in the interests of the data subjects concerned or any other individuals and by regulations so declares, then, while the regulations are in force, the said paragraph (a) shall not apply as respects the provision or rule of law concerned and accordingly section 4 of this Act, as modified as aforesaid, shall not apply in relation to that information.

Right of rectification or erasure.

6.(1) An individual shall, if he so requests in writing a data controller who keeps personal data relating to him, be entitled to have rectified or, where appropriate, erased any such data in relation to which there has been a contravention by the data controller of section 2 (1) of this Act; and the data controller shall comply with the request as soon as may be and in any event not more than 40 days after it has been given or sent to him:

Provided that the data controller shall, as respects data that are inaccurate or not kept up to date, be deemed—

(a) to have complied with the request if he supplements the data with a statement (to the terms of which the individual has assented) relating to the matters dealt with by the data, and

(b) if he supplements the data as aforesaid, not to be in contravention of paragraph (b) of the said section 2 (1).

(2) On compliance by a data controller with a request under subsection (1) of this section, he shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him, notify—

(a) the individual making the request, and

(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period of 12 months immediately before the giving or sending of the request,

of the rectification, erasure or statement concerned.

Duty of care owed by data controllers and data processors.

7.For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned:

Provided that, for the purposes only of this section, a data controller shall be deemed to have complied with the provisions of section 2 (1) (b) of this Act if and so long as the personal data concerned accurately record data or other information received or obtained by him from the data subject or a third party and include (and, if the data are disclosed, the disclosure is accompanied by)—

(a) an indication that the information constituting the data was received or obtained as aforesaid,

(b) if appropriate, an indication that the data subject has informed the data controller that he regards the information as inaccurate or not kept up to date, and

(c) any statement with which, pursuant to this Act, the data are supplemented.

Disclosure of personal data in certain cases.

8.Any restrictions in this Act on the disclosure of personal data do not apply if the disclosure is—

(a) in the opinion of a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State,

(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,

(c) required in the interests of protecting the international relations of the State,

(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property,

(e) required by or under any enactment or by a rule of law or order of a court,

(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness,

(g) made to the data subject concerned or to a person acting on his behalf, or

(h) made at the request or with the consent of the data subject or a person acting on his behalf.

The Data Protection Commissioner

The Commissioner.

9.(1) For the purposes of this Act, there shall be a person (referred to in this Act as the Commissioner) who shall be known as an Coimisinéir Cosanta Sonraí or, in the English language, the Data Protection Commissioner; the Commissioner shall perform the functions conferred on him by this Act.

(2) The provisions of the Second Schedule to this Act shall have effect in relation to the Commissioner.

Enforcement of data protection.

10.(1) (a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened by a data controller or a data processor in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.

(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall—

(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and

(ii) as soon as may be, notify the individual concerned in writing of his decision in relation to the complaint and that the individual may, if aggrieved by his decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him of the notification.

(2) If the Commissioner is of opinion that a person, being a data controller or a data processor, has contravened or is contravening a provision of this Act (other than a provision the contravention of which is an offence), the Commissioner may, by notice in writing (referred to in this Act as an enforcement notice) served on the person, require him to take such steps as are specified in the notice within such time as may be so specified to comply with the provision concerned.

(3) Without prejudice to the generality of subsection (2) of this section, if the Commissioner is of opinion that a data controller has contravened section 2 (1) of this Act, the relevant enforcement notice may require him—

(a) to rectify or erase any of the data concerned, or

(b) to supplement the data with such statement relating to the matters dealt with by them as the Commissioner may approve of; and as respects data that are inaccurate or not kept up to date, if he supplements them as aforesaid, he shall be deemed not to be in contravention of paragraph (b) of the said section 2 (1).

(4) An enforcement notice shall—

(a) specify any provision of this Act that, in the opinion of the Commissioner, has been or is being contravened and the reasons for his having formed that opinion, and

(b) subject to subsection (6) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him.

(5) Subject to subsection (6) of this section, the time specified in an enforcement notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (4) (b) of this section and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (9) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(6) If the Commissioner—

(a) by reason of special circumstances, is of opinion that a requirement specified in an enforcement notice should be complied with urgently, and

(b) includes a statement to that effect in the notice,

subsections (4) (b) and (5) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.

(7) On compliance by a data controller with a requirement under subsection (3) of this section, he shall, as soon as may be and in any event not more than 40 days after such compliance, notify—

(a) the data subject concerned, and

(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period beginning 12 months before the date of the service of the enforcement notice concerned and ending immediately before such compliance,

of the rectification, erasure or statement concerned.

(8) The Commissioner may cancel an enforcement notice and, if he does so, shall notify in writing the person on whom it was served accordingly.

(9) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence.

Prohibition on transfer of personal data outside State.

11.(1) The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from the State to a place outside the State.

(2) The Commissioner, when considering whether to prohibit a proposed transfer of personal data from the State to a place in a state bound by the Convention, shall have regard to the provisions of Article 12 of the Convention.

(3) The Commissioner shall not prohibit a proposed transfer of personal data from the State to a place outside the State unless he is of opinion that the transfer would, if the place were in a state bound by the Convention, be likely to lead to a contravention of the basic principles for data protection set out in Chapter II of the Convention.

(4) In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.

(5) A prohibition under subsection (1) of this section shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned.

(6) A prohibition notice shall—

(a) prohibit the transfer concerned either absolutely or until the person aforesaid has taken such steps as are specified in the notice for protecting the interests of the data subjects concerned,

(b) specify the time when it is to take effect,

(c) specify the grounds for the prohibition, and

(d) subject to subsection (8) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the prohibition specified in the notice within 21 days from the service of the notice on him.

(7) Subject to subsection (8) of this section, the time specified in a prohibition notice for compliance with the prohibition specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (6) (d) of this section and, if an appeal is brought against the prohibition, the prohibition need not be complied with and subsection (13) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(8) If the Commissioner—

(a) by reason of special circumstances, is of opinion that a prohibition specified in a prohibition notice should be complied with urgently, and

(b) includes a statement to that effect in the notice,

subsections (6) (d) and (7) of this section shall not apply in relation to the notice but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the prohibition before the end of the period of 7 days beginning on the date on which the notice is served.

(9) The Commissioner may cancel a prohibition notice and, if he does so, shall notify in writing the person on whom it was served accordingly.

(10) This section shall not apply to a transfer of data if the transfer of the data or the information constituting the data is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the State.

(11) For the purposes of this section, a place shall be deemed to be in a state bound by the Convention if it is in any territory in respect of which the state is so bound.

(12) (a) This section applies, with any necessary modifications, to a transfer of information from the State to a place outside the State for conversion into personal data as it applies to a transfer of personal data from the State to such a place.

(b) In paragraph (a) of this subsection “information” means information (not being data) relating to a living individual who can be identified from it.

(13) A person who, without reasonable excuse, fails or refuses to comply with a prohibition specified in a prohibition notice shall be guilty of an offence.

Power to require information.

12.(1) The Commissioner may, by notice in writing (referred to in this Act as an information notice) served on a person, require the person to furnish to him in writing within such time as may be specified in the notice such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his functions.

(2) Subject to subsection (3) of this section—

(a) an information notice shall state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him, and

(b) the time specified in the notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in paragraph (a) of this subsection and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (5) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(3) If the Commissioner—

(a) by reason of special circumstances, is of opinion that a requirement specified in an information notice should be complied with urgently, and

(b) includes a statement to that effect in the notice,

subsection (2) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.

(4) (a) No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing to the Commissioner any information that is necessary or expedient for the performance by the Commissioner of his functions.

(b) Paragraph (a) of this subsection does not apply to information that in the opinion of the Minister or the Minister for Defence is, or at any time was, kept for the purpose of safeguarding the security of the State or information that is privileged from disclosure in proceedings in any court.

(5) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an information notice or who in purported compliance with such a requirement furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.

Codes of practice.

13.(1) The Commissioner shall encourage trade associations and other bodies representing categories of data controllers to prepare codes of practice to be complied with by those categories in dealing with personal data.

(2) The Commissioner may approve of any code of practice so prepared (referred to subsequently in this section as a code) if he is of opinion that it provides for the data subjects concerned a measure of protection with regard to personal data relating to them that conforms with that provided for by sections 2 , 3 , 4 (other than subsection (8)) and 6 of this Act and shall encourage its dissemination to the data controllers concerned.

(3) Any such code that is so approved of may be laid by the Minister before each House of the Oireachtas and, if each such House passes a resolution approving of it, then—

(a) in so far as it relates to dealing with personal data by the categories of data controllers concerned—

(i) it shall have the force of law in accordance with its terms, and

(ii) upon its commencement, references (whether specific or general) in this Act to any of the provisions of the said sections shall be construed (or, if the code is in substitution for a code having the force of law by virtue of this subsection, continue to be construed) as if they were also references to the relevant provisions of the code for the time being having the force of law,

and

(b) it shall be deemed to be a statutory instrument to which the Statutory Instruments Act, 1947 , primarily applies.

(4) This section shall apply in relation to data processors as it applies in relation to categories of data controllers with the modification that the references in this section to the said sections shall be construed as references to section 2 (1) (d) of this Act and with any other necessary modifications.

Annual report.

14.(1) The Commissioner shall in each year after the year in which the first Commissioner is appointed prepare a report in relation to his activities under this Act in the preceding year and cause copies of the report to be laid before each House of the Oireachtas.

(2) Notwithstanding subsection (1) of this section, if, but for this subsection, the first report under that subsection would relate to a period of less than 6 months, the report shall relate to that period and to the year immediately following that period and shall be prepared as soon as may be after the end of that year.

Mutual assistance between parties to Convention.

15.(1) The Commissioner is hereby designated for the purposes of Chapter IV (which relates to mutual assistance) of the Convention.

(2) The Minister may make any regulations that he considers necessary or expedient for the purpose of enabling the said Chapter IV to have full effect.

Registration

The register.

16.(1) This section applies to the following persons, that is to say:

(a) data controllers, being public authorities and other bodies and persons referred to in the Third Schedule to this Act,

(b) data controllers, being financial institutions, persons holding authorisations under the European Communities (Non-Life) Insurance Regulations, 1976 (S.I. No. 115 of 1976), or the European Communities (Life Assurance) Regulations, 1984 (S.I. No. 57 of 1984), or persons whose business consists wholly or mainly in direct marketing, providing credit references or collecting debts,

(c) any other data controllers who keep personal data relating to—

(i) racial origin,

(ii) political opinions or religious or other beliefs,

(iii) physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose),

(iv) sexual life, or

(v) criminal convictions,

(d) data processors whose business consists wholly or partly in processing personal data on behalf of data controllers, and

(e) such categories of data controllers and data processors as may stand prescribed for the time being (which categories may include data controllers and data processors to whom this section would not otherwise apply and on whom enforcement notices, prohibition notices or information notices have been served if the notices are in force and either the time for bringing an appeal against them under section 26 of this Act has expired without such an appeal having been brought or any such appeal has been withdrawn).

(2) The Commissioner shall establish and maintain a register (referred to in this Act as the register) of persons to whom this section applies and shall make, as appropriate, an entry or entries in the register in respect of each person whose application for registration therein is accepted by the Commissioner.

(3) (a) Members of the public may inspect the register free of charge at all reasonable times and may take copies of, or of extracts from, entries in the register.

(b) A member of the public may, on payment to the Commissioner of such fee (if any) as may be prescribed, obtain from the Commissioner a copy (certified by him or by a member of his staff to be a true copy) of, or of an extract from, any entry in the register.

(c) In any proceedings—

(i) a copy of, or of an extract from, an entry in the register certified by the Commissioner or by a member of his staff to be a true copy shall be evidence of the entry or extract, and

(ii) a document purporting to be such a copy, and to be certified, as aforesaid shall be deemed to be such a copy and to be so certified unless the contrary is proved.

(d) In any proceedings—

(i) a certificate signed by the Commissioner or by a member of his staff and stating that there is not an entry in the register in respect of a specified person as a data controller or as a data processor shall be evidence of that fact, and

(ii) a document purporting to be such a certificate, and to be signed, as aforesaid shall be deemed to be such a certificate and to be so signed unless the contrary is proved.

Applications for registration.

17.—(1) (a) A person wishing to be registered in the register or to have a registration continued under section 18 of this Act or to have the particulars in an entry in the register altered shall make an application in writing in that behalf to the Commissioner and shall furnish to him such information as may be prescribed and any other information that he may require.

(b) Where a data controller intends to keep personal data for two or more purposes, he may make an application for separate registration in respect of any of those purposes and, subject to the provisions of this Act, entries shall be made in the register in accordance with any such applications.

(2) Subject to subsection (3) of this section, the Commissioner shall accept an application for registration, made in the prescribed manner and in respect of which such fee as may be prescribed has been paid, from a person to whom section 16 of this Act applies unless he is of opinion that—

(a) the particulars proposed for inclusion in an entry in the register are insufficient or any other information required by the Commissioner either has not been furnished or is insufficient, or

(b) the person applying for registration is likely to contravene any of the provisions of this Act.

(3) The Commissioner shall not accept such an application for registration as aforesaid from a data controller who keeps personal data specified in section 16 (1) (c) of this Act unless he is of opinion that appropriate safeguards for the protection of the privacy of the data subjects concerned are being, and will continue to be, provided by him.

(4) Where the Commissioner refuses an application for registration, he shall, as soon as may be, notify in writing the person applying for registration of the refusal and the notification shall—

(a) specify the reasons for the refusal, and

(b) state that the person may appeal to the Court under section 26 of this Act against the refusal within 21 days from the receipt by him of the notification.

(5) If—

(a) the Commissioner, by reason of special circumstances, is of opinion that a refusal of an application for registration should take effect urgently, and

(b) the notification of the refusal includes a statement to that effect and a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act,

paragraph (b) of subsection (4) of this section shall not apply in relation to the notification and paragraph (b) of subsection (6) of this section shall be construed and have effect as if for the words from and including “21 days” to the end of the paragraph there were substituted “7 days beginning on the date on which the notification was received,”.

(6) Subject to subsection (5) of this section, a person who has made an application for registration shall—

(a) until he is notified that it has been accepted or it is withdrawn, or

(b) if he is notified that the application has been refused, until the end of the period of 21 days within which an appeal may be brought under section 26 of this Act against the refusal and, if such an appeal is brought, until the determination or withdrawal of the appeal,

be treated for the purposes of section 19 of this Act as if the application had been accepted and the particulars contained in it had been included in an entry in the register on the date on which the application was made.

(7) Subsections (2) to (6) of this section apply, with any necessary modifications, to an application for continuance of registration and an application for alteration of the particulars in an entry in the register as they apply to an application for registration.

Duration and continuance of registration.

18.(1) A registration (whether it is the first registration or a registration continued under this section) shall be for the prescribed period and on the expiry thereof the relevant entry shall be removed from the register unless the registration is continued as aforesaid.

(2) The prescribed period (which shall not be less than one year) shall be calculated—

(a) in the case of a first registration, from the date on which the relevant entry was made in the register, and

(b) in the case of a registration which has been continued under this section, from the date from which it was so continued.

(3) The Commissioner shall, subject to the provisions of this Act, continue a registration, whether it has previously been continued under this section or not.

(4) Notwithstanding the foregoing provisions of this section, the Commissioner may at any time, at the request of the person to whom an entry relates, remove it from the register.

Effect of registration.

19.(1) A data controller to whom section 16 of this Act applies shall not keep personal data unless there is for the time being an entry in the register in respect of him.

(2) A data controller in respect of whom there is an entry in the register shall not—

(a) keep personal data of any description other than that specified in the entry,

(b) keep or use personal data for a purpose other than the purpose or purposes described in the entry,

(c) if the source from which such data, and any information intended for inclusion in such data, are obtained is required to be described in the entry, obtain such data or information from a source that is not so described,

(d) disclose such data to a person who is not described in the entry (other than a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of this Act),

(e) directly or indirectly transfer such data to a place outside the State other than one named or described in the entry.

(3) An employee or agent (not being a data processor) of a data controller mentioned in subsection (2) of this section shall, as respects personal data kept or, as the case may be, to be kept by the data controller, be subject to the same restrictions in relation to the use, source, disclosure or transfer of the data as those to which the data controller is subject under that subsection.

(4) A data processor to whom section 16 applies shall not process personal data unless there is for the time being an entry in the register in respect of him.

(5) If and whenever a person in respect of whom there is an entry in the register changes his address, he shall thereupon notify the Commissioner of the change.

(6) A person who contravenes subsection (1), (4) or (5), or knowingly contravenes any other provision, of this section shall be guilty of an offence.

Regulations for registration.

20.(1) The following matters, and such other matters (if any) as may be necessary or expedient for the purpose of enabling sections 16 to 19 of this Act to have full effect, may be prescribed:

(a) the procedure to be followed in relation to applications by persons for registration, continuance of registration or alteration of the particulars in an entry in the register or for withdrawal of such applications,

(b) the information required to be furnished to the Commissioner by such persons, and

(c) the particulars to be included in entries in the register,

and different provision may be made in relation to the matters aforesaid as respects different categories of persons.

(2) A person who in purported compliance with a requirement prescribed under this section furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.

Miscellaneous

Unauthorised disclosure by data processor.

21.(1) Personal data processed by a data processor shall not be disclosed by him, or by an employee or agent of his, without the prior authority of the data controller on behalf of whom the data are processed.

(2) A person who knowingly contravenes subsection (1) of this section shall be guilty of an offence.

Disclosure of personal data obtained without authority.

22.(1) A person who—

(a) obtains access to personal data, or obtains any information constituting such data, without the prior authority of the data controller or data processor by whom the data are kept, and

(b) discloses the data or information to another person,

shall be guilty of an offence.

(2) Subsection (1) of this section does not apply to a person who is an employee or agent of the data controller or data processor concerned.

Provisions in relation to certain non-residents and to data kept or processed outside State.

23.(1) Subject to the provisions of this section, this Act does not apply to a data controller in respect of data kept, or to a data processor in respect of data processed, outside the State.

(2) For the purposes of this section, data shall be deemed to be—

(a) kept by a data controller in the place where he controls their contents and use, and

(b) processed by a data processor in the place where the relevant data equipment is located.

(3) Where a person who is not resident in the State controls the contents and use of personal data kept within the State, or processes any such data, through an employee or agent in the State, this Act shall apply as if that control was exercised or, as the case may be, the data were processed by the employee or agent acting on his own account.

(4) This Act does not apply to data processed wholly outside the State unless the data are used or intended to be used in the State.

(5) Section 19 (2) (e) of this Act does not apply to the transfer of data that are already outside the State.

Powers of authorised officers.

24.(1) In this section “authorised officer” means a person authorised in writing by the Commissioner to exercise, for the purposes of this Act, the powers conferred by this section.

(2) An authorised officer may, for the purpose of obtaining any information that is necessary or expedient for the performance by the Commissioner of his functions, on production of the officer's authorisation, if so required—

(a) at all reasonable times enter premises that he reasonably believes to be occupied by a data controller or a data processor, inspect the premises and any data therein (other than data consisting of information specified in section 12 (4) (b) of this Act) and inspect, examine, operate and test any data equipment therein,

(b) require any person on the premises, being a data controller, a data processor or an employee of either of them, to disclose to the officer any such data and produce to him any data material (other than data material consisting of information so specified) that is in that person's power or control and to give to him such information as he may reasonably require in regard to such data and material,

(c) either on the premises or elsewhere, inspect and copy or extract information from such data, or inspect and copy or take extracts from such material, and

(d) require any person mentioned in paragraph (b) of this subsection to give to the officer such information as he may reasonably require in regard to the procedures employed for complying with the provisions of this Act, the sources from which such data are obtained, the purposes for which they are kept, the persons to whom they are disclosed and the data equipment in the premises.

(3) Subject to subsection (5) of this section, subsection (2) of this section shall not apply in relation to a financial institution.

(4) Whenever the Commissioner considers it necessary or expedient for the performance by him of his functions that an authorised officer should exercise, in relation to a financial institution, the powers conferred by subsection (2) of this section, the Commissioner may apply to the High Court for an order under this section.

(5) Whenever, on an application to it under subsection (4) of this section, the High Court is satisfied that it is reasonable to do so and is satisfied that the exigencies of the common good so warrant, it may make an order authorising an authorised officer to exercise the powers conferred by subsection (2) of this section in relation to the financial institution concerned, subject to such conditions (if any) as it thinks proper and specifies in the order.

(6) A person who obstructs or impedes an authorised officer in the exercise of a power, or, without reasonable excuse, does not comply with a requirement, under this section or who in purported compliance with such a requirement gives information to an authorised officer that he knows to be false or misleading in a material respect shall be guilty of an offence.

Service of notices.

25.Any notice authorised by this Act to be served on a person by the Commissioner may be served—

(a) if the person is an individual—

(i) by delivering it to him or

(ii) by sending it to him by post addressed to him at his usual or last-known place of residence or business, or

(iii) by leaving it for him at that place,

(b) if the person is a body corporate or an unincorporated body of persons, by sending it to the body by post to, or addressing it to and leaving it at, in the case of a company, its registered office (within the meaning of the Companies Act, 1963 ) and, in any other case, its principal place of business.

Appeals to Circuit Court.

26.(1) An appeal may be made to and heard and determined by the Court against—

(a) a requirement specified in an enforcement notice or an information notice,

(b) a prohibition specified in a prohibition notice,

(c) a refusal by the Commissioner under section 17 of this Act, notified by him under that section, and

(d) a decision of the Commissioner in relation to a complaint under section 10 (1) (a) of this Act,

and such an appeal shall be brought within 21 days from the service on the person concerned of the relevant notice or, as the case may be, the receipt by such person of the notification of the relevant refusal or decision.

(2) The jurisdiction conferred on the Court by this Act shall be exercised by the judge for the time being assigned to the circuit where the appellant ordinarily resides or carries on any profession, business or occupation or, at the option of the appellant, by a judge of the Court for the time being assigned to the Dublin circuit.

(3) (a) Subject to paragraph (b) of this subsection, a decision of the Court under this section shall be final.

(b) An appeal may be brought to the High Court on a point of law against such a decision; and references in this Act to the determination of an appeal shall be construed as including references to the determination of any such appeal to the High Court and of any appeal from the decision of that Court.

(4) Where—

(a) a person appeals to the Court pursuant to paragraph (a), (b) or (c) of subsection (1) of this section,

(b) the appeal is brought within the period specified in the notice or notification mentioned in paragraph (c) of this subsection, and

(c) the Commissioner has included a statement in the relevant notice or notification to the effect that by reason of special circumstances he is of opinion that the requirement or prohibition specified in the notice should be complied with, or the refusal specified in the notification should take effect, urgently,

then, notwithstanding any provision of this Act, if the Court, on application to it in that behalf, so determines, non-compliance by the person with a requirement or prohibition specified in the notice, or, as the case may be, a contravention by him of section 19 of this Act, during the period ending with the determination or withdrawal of the appeal or during such other period as may be determined as aforesaid shall not constitute an offence.

Evidence in proceedings.

27.(1) In any proceedings—

(a) a certificate signed by the Minister or the Minister for Defence and stating that in his opinion personal data are, or at any time were, kept for the purpose of safeguarding the security of the State shall be evidence of that opinion,

(b) a certificate—

(i) signed by a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under section 8 (a) of this Act, and

(ii) stating that in the opinion of the member or, as the case may be, the officer a disclosure of personal data is required for the purpose aforesaid,

shall be evidence of that opinion, and

(c) a document purporting to be a certificate under paragraph (a) or (b) of this subsection and to be signed by a person specified in the said paragraph (a) or (b), as appropriate, shall be deemed to be such a certificate and to be so signed unless the contrary is proved.

(2) Information supplied by a person in compliance with a request under section 3 or 4 (1) of this Act, a requirement under this Act or a direction of a court in proceedings under this Act shall not be admissible in evidence against him or his spouse in proceedings for an offence under this Act.

Hearing of proceedings.

28.The whole or any part of any proceedings under this Act may, at the discretion of the court, be heard otherwise than in public.

Offences by directors, etc., of bodies corporate.

29.(1) Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of a person, being a director, manager, secretary or other officer of that body corporate, or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

(2) Where the affairs of a body corporate are managed by its members, subsection (1) of this section shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director or manager of the body corporate.

Prosecution of summary offences by Commissioner.

30.(1) Summary proceedings for an offence under this Act may be brought and prosecuted by the Commissioner.

(2) Notwithstanding section 10 (4) of the Petty Sessions (Ireland) Act, 1851, summary proceedings for an offence under this Act may be instituted within one year from the date of the offence.

Penalties.

31.(1) A person guilty of an offence under this Act shall be liable—

(a) on summary conviction, to a fine not exceeding £1,000, or

(b) on conviction on indictment, to a fine not exceeding £50,000.

(2) Where a person is convicted of an offence under this Act, the court may order any data material which appears to the court to be connected with the commission of the offence to be forfeited or destroyed and any relevant data to be erased.

(3) The court shall not make an order under subsection (2) of this section in relation to data material or data where it considers that some person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data unless such steps as are reasonably practicable have been taken for notifying that person and giving him an opportunity to show cause why the order should not be made.

(4) Section 13 of the Criminal Procedure Act, 1967, shall apply in relation to an offence under this Act that is not being prosecuted summarily as if, in lieu of the penalties provided for in subsection (3) (a) of that section, there were specified therein the fine provided for in subsection (1) (a) of this section and the reference in subsection (2) (a) of the said section 13 to the penalties provided for by subsection (3) shall be construed and have effect accordingly.

Laying of regulations before Houses of Oireachtas.

32.Every regulation made under this Act (other than section 2 ) shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the regulation is passed by either such House within the next 21 days on which that House has sat after the regulation is laid before it, the regulation shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder.

Fees.

33.(1) Fees under this Act shall be paid into or disposed of for the benefit of the Exchequer in accordance with the directions of the Minister for Finance.

(2) The Public Offices Fees Act, 1879, shall not apply in respect of any fees under this Act.

Expenses of Minister.

34.The expenses incurred by the Minister in the administration of this Act shall, to such extent as may be sanctioned by the Minister for Finance, be paid out of moneys provided by the Oireachtas.

Short title and commencement.

35.(1) This Act may be cited as the Data Protection Act, 1988.

(2) This Act shall come into operation on such day or days as, by order or orders made by the Minister under this section, may be fixed therefor either generally or with reference to any particular purpose or provision and different days may be so fixed for different purposes and different provisions.

FIRST SCHEDULE

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981

Section 1 (1).

PREAMBLE

The member States of the Council of Europe, signatory hereto,

Considering that the aim of the Council of Europe is to achieve greater unity between its members, based in particular on respect for the rule of law, as well as human rights and fundamental freedoms;

Considering that it is desirable to extend the safeguards for everyone's rights and fundamental freedoms, and in particular the right to the respect for privacy, taking account of the increasing flow across frontiers of personal data undergoing automatic processing;

Reaffirming at the same time their commitment to freedom of information regardless of frontiers;

Recognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples,

Have agreed as follows:

CHAPTER I—GENERAL PROVISIONS

Article 1

Object and purpose

The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (“data protection”).

Article 2

Definitions

For the purposes of this convention:

a. personal data” means any information relating to an identified or identifiable individual (“data subject”);

b. automated data file” means any set of data undergoing automatic processing;

c. automatic processing” includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination;

d. controller of the file” means the natural or legal person, public authority, agency or any other body who is competent according to the national law to decide what should be the purpose of the automated data file, which categories of personal data should be stored and which operations should be applied to them.

Article 3

Scope

1. The Parties undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors.

2. Any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, or at any later time, give notice by a declaration addressed to the Secretary General of the Council of Europe:

a. that it will not apply this convention to certain categories of automated personal data files, a list of which will be deposited. In this list it shall not include, however, categories of automated data files subject under its domestic law to data protection provisions. Consequently, it shall amend this list by a new declaration whenever additional categories of automated personal data files are subjected to data protection provisions under its domestic law;

b. that it will also apply this convention to information relating to groups of persons, associations, foundations, companies, corporations and any other bodies consisting directly or indirectly of individuals, whether or not such bodies possess legal personality;

c. that it will also apply this convention to personal data files which are not processed automatically.

3. Any State which has extended the scope of this convention by any of the declarations provided for in sub-paragraph 2.b or c above may give notice in the said declaration that such extensions shall apply only to certain categories of personal data files, a list of which will be deposited.

4. Any Party which has excluded certain categories of automated personal data files by a declaration provided for in sub-paragraph 2.a above may not claim the application of this convention to such categories by a Party which has not excluded them.

5. Likewise, a Party which has not made one or other of the extensions provided for in sub-paragraphs 2.b or c above may not claim the application of this convention on these points with respect to a Party which has made such extensions.

6. The declarations provided for in paragraph 2 above shall take effect from the moment of the entry into force of the convention with regard to the State which has made them if they have been made at the time of signature or deposit of its instrument of ratification, acceptance, approval or accession, or three months after their receipt by the Secretary General of the Council of Europe if they have been made at any later time. These declarations may be withdrawn, in whole or in part, by a notification addressed to the Secretary General of the Council of Europe. Such withdrawals shall take effect three months after the date of receipt of such notification.

CHAPTER II—BASIC PRINCIPLES FOR DATA PROTECTION

Article 4

Duties of the Parties

1. Each Party shall take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in this chapter.

2. These measures shall be taken at the latest at the time of entry into force of this convention in respect of that Party.

Article 5

Quality of data

Personal data undergoing automatic processing shall be:

a. obtained and processed fairly and lawfully;

b. stored for specified and legitimate purposes and not used in a way incompatible with those purposes;

c. adequate, relevant and not excessive in relation to the purposes for which they are stored;

d. accurate and, where necessary, kept up to date;

e. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.

Article 6

Special categories of data

Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.

Article 7

Data security

Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination.

Article 8

Additional safeguards for the data subject

Any person shall be enabled:

a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;

b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;

c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out in Articles 5 and 6 of this convention;

d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with.

Article 9

Exceptions and restrictions

1. No exception to the provisions of Articles 5, 6 and 8 of this convention shall be allowed except within the limits defined in this article.

2. Derogation from the provisions of Articles 5, 6 and 8 of this convention shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:

a. protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;

b. protecting the data subject or the rights and freedoms of others.

3. Restrictions on the exercise of the rights specified in Article 8, paragraphs b, c and d, may be provided by law with respect to automated personal data files used for statistics or for scientific research purposes when there is obviously no risk of an infringement of the privacy of the data subjects.

Article 10

Sanctions and remedies

Each Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter.

Article 11

Extended protection

None of the provisions of this chapter shall be interpreted as limiting or otherwise affecting the possibility for a Party to grant data subjects a wider measure of protection than that stipulated in this convention.

CHAPTER III—TRANSBORDER DATA FLOWS

Article 12

Transborder flows of personal data and domestic law

1. The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.

2. A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.

3. Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:

a. insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;

b. when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.

CHAPTER IV—MUTUAL ASSISTANCE

Article 13

Co-operation between Parties

1. The Parties agree to render each other mutual assistance in order to implement this convention.

2. For that purpose:

a. each Party shall designate one or more authorities, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;

b. each Party which has designated more than one authority shall specify in its communication referred to in the previous sub-paragraph the competence of each authority.

3. An authority designated by a Party shall at the request of an authority designated by another Party:

a. furnish information on its law and administrative practice in the field of data protection;

b. take, in conformity with its domestic law and for the sole purpose of protection of privacy, all appropriate measures for furnishing factual information relating to specific automatic processing carried out in its territory, with the exception however of the personal data being processed.

Article 14

Assistance to data subjects resident abroad

1. Each Party shall assist any person resident abroad to exercise the rights conferred by its domestic law giving effect to the principles set out in Article 8 of this convention.

2. When such a person resides in the territory of another Party he shall be given the option of submitting his request through the intermediary of the authority designated by that Party.

3. The request for assistance shall contain all the necessary particulars, relating inter alia to:

a. the name, address and any other relevant particulars identifying the person making the request;

b. the automated personal data file to which the request pertains, or its controller;

c. the purpose of the request.

Article 15

Safeguards concerning assistance rendered by designated authorities

1. An authority designated by a Party which has received information from an authority designated by another Party either accompanying a request for assistance or in reply to its own request for assistance shall not use that information for purposes other than those specified in the request for assistance.

2. Each Party shall see to it that the persons belonging to or acting on behalf of the designated authority shall be bound by appropriate obligations of secrecy or confidentiality with regard to that information.

3. In no case may a designated authority be allowed to make under Article 14, paragraph 2, a request for assistance on behalf of a data subject resident abroad, of its own accord and without the express consent of the person concerned.

Article 16

Refusal of requests for assistance

A designated authority to which a request for assistance is addressed under Articles 13 or 14 of this convention may not refuse to comply with it unless:

a. the request is not compatible with the powers in the field of data protection of the authorities responsible for replying;

b. the request does not comply with the provisions of this convention;

c. compliance with the request would be incompatible with the sovereignty, security or public policy (ordre public) of the Party by which it was designated, or with the rights and fundamental freedoms of persons under the jurisdiction of that Party.

Article 17

Costs and procedures of assistance

1. Mutual assistance which the Parties render each other under Article 13 and assistance they render to data subjects abroad under Article 14 shall not give rise to the payment of any costs or fees other than those incurred for experts and interpreters. The latter costs or fees shall be borne by the Party which has designated the authority making the request for assistance.

2. The data subject may not be charged costs or fees in connection with the steps taken on his behalf in the territory of another Party other than those lawfully payable by residents of that Party.

3. Other details concerning the assistance relating in particular to the forms and procedures and the languages to be used, shall be established directly between the Parties concerned.

CHAPTER V—CONSULTATIVE COMMITTEE

Article 18

Composition of the committee

1. A Consultative Committee shall be set up after the entry into force of this convention.

2. Each Party shall appoint a representative to the committee and a deputy representative. Any member State of the Council of Europe which is not a Party to the convention shall have the right to be represented on the committee by an observer.

3. The Consultative Committee may, by unanimous decision, invite any non-member State of the Council of Europe which is not a Party to the convention to be represented by an observer at a given meeting.

Article 19

Functions of the committee

The Consultative Committee:

a. may make proposals with a view to facilitating or improving the application of the convention;

b. may make proposals for amendment of this convention in accordance with Article 21;

c. shall formulate its opinion on any proposal for amendment of this convention which is referred to it in accordance with Article 21, paragraph 3;

d. may, at the request of a Party, express an opinion on any question concerning the application of this convention.

Article 20

Procedure

1. The Consultative Committee shall be convened by the Secretary General of the Council of Europe. Its first meeting shall be held within twelve months of the entry into force of this convention. It shall subsequently meet at least once every two years and in any case when one-third of the representatives of the Parties request its convocation.

2. A majority of representatives of the Parties shall constitute a quorum for a meeting of the Consultative Committee.

3. After each of its meetings, the Consultative Committee shall submit to the Committee of Ministers of the Council of Europe a report on its work and on the functioning of the convention.

4. Subject to the provisions of this convention, the Consultative Committee shall draw up its own Rules of Procedure.

CHAPTER VI—AMENDMENTS

Article 21

Amendments

1. Amendments to this convention may be proposed by a Party, the Committee of Ministers of the Council of Europe or the Consultative Committee.

2. Any proposal for amendment shall be communicated by the Secretary General of the Council of Europe to the member States of the Council of Europe and to every non-member State which has acceded to or has been invited to accede to this convention in accordance with the provisions of Article 23.

3. Moreover, any amendment proposed by a Party or the Committee of Ministers shall be communicated to the Consultative Committee, which shall submit to the Committee of Ministers its opinion on that proposed amendment.

4. The Committee of Ministers shall consider the proposed amendment and any opinion submitted by the Consultative Committee and may approve the amendment.

5. The text of any amendment approved by the Committee of Ministers in accordance with paragraph 4 of this article shall be forwarded to the Parties for acceptance.

6. Any amendment approved in accordance with paragraph 4 of this article shall come into force on the thirtieth day after all Parties have informed the Secretary General of their acceptance thereof.

CHAPTER VII—FINAL CLAUSES

Article 22

Entry into force

1. This convention shall be open for signature by the member States of the Council of Europe. It is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.

2. This convention shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five member States of the Council of Europe have expressed their consent to be bound by the convention in accordance with the provisions of the preceding paragraph.

3. In respect of any member State which subsequently expresses its consent to be bound by it, the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of the deposit of the instrument of ratification, acceptance or approval.

Article 23

Accession by non-member States

1. After the entry into force of this convention, the Committee of Ministers of the Council of Europe may invite any State not a member of the Council of Europe to accede to this convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the committee.

2. In respect of any acceding State, the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.

Article 24

Territorial clause

1. Any State may at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this convention shall apply.

2. Any State may at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this convention to any other territory specified in the declaration. In respect of such territory the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of such declaration by the Secretary General.

3. Any declaration made under the two preceding paragraphs may, in respect of any territory specified in such declaration be withdrawn by a notification addressed to the Secretary General. The withdrawal shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of such notification by the Secretary General.

Article 25

Reservations

No reservation may be made in respect of the provisions of this convention.

Article 26

Denunciation

1. Any Party may at any time denounce this convention by means of a notification addressed to the Secretary General of the Council of Europe.

2. Such denunciation shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of the notification by the Secretary General.

Article 27

Notifications

The Secretary General of the Council of Europe shall notify the member States of the Council and any State which has acceded to this convention of:

a. any signature;

b. the deposit of any instrument of ratification, acceptance, approval or accession;

c. any date of entry into force of this convention in accordance with Articles 22, 23 and 24;

d. any other act, notification or communication relating to this convention.

In witness whereof the undersigned, being duly authorised thereto, have signed this Convention.

Done at Strasbourg, the 28th day of January 1981, in English and in French, both texts being equally authoritative, in a single copy which shall remain deposited in the archives of the Council of Europe. The Secretary General of the Council of Europe shall transmit certified copies to each member State of the Council of Europe and to any State invited to accede to this Convention.

SECOND SCHEDULE

The Data Protection Commissioner

Section 9 .

1. The Commissioner shall be a body corporate and shall be independent in the performance of his functions.

2. (1) The Commissioner shall be appointed by the Government and, subject to the provisions of this Schedule, shall hold office upon such terms and conditions as the Government may determine.

(2) The Commissioner—

(a) may at any time resign his office as Commissioner by letter addressed to the Secretary to the Government and the resignation shall take effect on and from the date of receipt of the letter,

(b) may at any time be removed from office by the Government if, in the opinion of the Government, he has become incapable through ill-health of effectively performing his functions or has committed stated misbehaviour, and

(c) shall, in any case, vacate the office of Commissioner on reaching the age of 65 years.

3. The term of office of a person appointed to be the Commissioner shall be such term not exceeding 5 years as the Government may determine at the time of his appointment and, subject to the provisions of this Schedule, he shall be eligible for re-appointment to the office.

4. (1) Where the Commissioner is—

(a) nominated as a member of Seanad Éireann,

(b) elected as a member of either House of the Oireachtas, the European Parliament or a local authority, or

(c) regarded pursuant to section 15 (inserted by the European Assembly Elections Act, 1984 ) of the European Assembly Elections Act, 1977 , as having been elected to such Parliament to fill a vacancy,

he shall thereupon cease to be the Commissioner.

(2) A person who is for the time being—

(i) entitled under the standing orders of either House of the Oireachtas to sit therein,

(ii) a member of the European Parliament, or

(iii) entitled under the standing orders of a local authority to sit therein,

shall, while he is so entitled or is such a member, be disqualified for holding the office of Commissioner.

5. The Commissioner shall not hold any other office or employment in respect of which emoluments are payable.

6. There shall be paid to the Commissioner, out of moneys provided by the Oireachtas, such remuneration and allowances for expenses as the Minister, with the consent of the Minister for Finance, may from time to time determine.

7. (a) The Minister shall, with the consent of the Minister for Finance, make and carry out, in accordance with its terms, a scheme or schemes for the granting of pensions, gratuities or other allowances on retirement or death to or in respect of persons who have held the office of Commissioner.

(b) The Minister may, with the consent of the Minister for Finance, at any time make and carry out, in accordance with its terms, a scheme or schemes amending or revoking a scheme under this paragraph.

(c) A scheme under this paragraph shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the scheme is passed by either such House within the next 21 days on which that House has sat after the scheme is laid before it, the scheme shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder.

8. (1) The Minister may appoint to be members of the staff of the Commissioner such number of persons as may be determined from time to time by the Minister, with the consent of the Minister for Finance.

(2) Members of the staff of the Commissioner shall be civil servants.

(3) The functions of the Commissioner under this Act may be performed during his temporary absence by such member of the staff of the Commissioner as he may designate for that purpose.

(4) The Minister may delegate to the Commissioner the powers exercisable by him under the Civil Service Commissioners Act, 1956 , and the Civil Service Regulation Acts, 1956 and 1958, as the appropriate authority in relation to members of the staff of the Commissioner and, if he does so, then so long as the delegation remains in force—

(a) those powers shall, in lieu of being exercisable by the Minister, be exercisable by the Commissioner, and

(b) the Commissioner shall, in lieu of the Minister, be for the purposes of this Act the appropriate authority in relation to members of the staff of the Commissioner.

9. (1) The Commissioner shall keep in such form as may be approved of by the Minister, with the consent of the Minister for Finance, all proper and usual accounts of all moneys received or expended by him and all such special accounts (if any) as the Minister, with the consent of the Minister for Finance, may direct.

(2) Accounts kept in pursuance of this paragraph in respect of each year shall be submitted by the Commissioner in the following year on a date (not later than a date specified by the Minister) to the Comptroller and Auditor General for audit and, as soon as may be after the audit, a copy of those accounts, or of such extracts from those accounts as the Minister may specify, together with the report of the Comptroller and Auditor General on the accounts, shall be presented by the Commissioner to the Minister who shall cause copies of the documents presented to him to be laid before each House of the Oireachtas.

THIRD SCHEDULE

Public Authorities and Other Bodies and Persons

Section 16 (1) (a).

1. The Government.

2. A Minister of the Government.

3. The Attorney General.

4. The Comptroller and Auditor General.

5. The Ombudsman.

6. A local authority, a health board and any other body (other than the Garda Síochána and the Defence Forces) established—

(1) by or under any enactment (other than the Companies Acts, 1963 to 1987), or

(2) under the Companies Acts, 1963 to 1987, in pursuance of powers conferred by or under another enactment,

and financed wholly or partly by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government; and a subsidiary of any such body.

7. A company the majority of the shares in which are held by or on behalf of a Minister of the Government.

8. A body (other than a body mentioned in paragraph 6 or 7 of this Schedule) appointed by the Government or a Minister of the Government.

9. An individual (other than an individual remunerated by a body mentioned in paragraph 6, 7 or 8 of this Schedule or in relation to whom the Government or a Minister of the Government is the appropriate authority) who is appointed by the Government or a Minister of the Government to an office established by or under any enactment.

10. Any other public authority, body or person standing prescribed for the time being and financed or remunerated wholly or partly out of moneys provided by the Oireachtas.