S.I. No. 351/1988 - Data Protection (Registration) Regulations, 1988.


S.I. No. 351 of 1988.

DATA PROTECTION (REGISTRATION) REGULATIONS, 1988.

I, DONAL C. LINEHAN, Data Protection Commissioner, by virtue of the powers conferred on me by section 20 of the Data protection Act, 1988 (No. 25 of 1988), hereby, with the consent of the Minister for Justice, make the following regulations:

1. These Regulations may be cited as the Data Protection (Registration) Regulations, 1988.

2. These Regulations shall come into force on the 9th day of January, 1989.

3. In these Regulations "the Act" means the Data Protection Act, 1988 .

4. An application by a person wishing to be registered in the register established and maintained by the Data Protection Commissioner under section 16 (2) of the Act or to have a registration continued under section 18 of the Act or to have particulars in an entry in the register altered shall be made by completing the appropriate form specified in the Schedule to these Regulations or a form to the like effect.

5. The information required to be furnished to the Data Protection Commissioner by a person referred to in Regulation 4 shall be that specified in the appropriate form and any other information that the Commissioner may require to enable him to deal either with a particular application or with applications generally (in which case he may require the information to be furnished by way of an addition to the appropriate form).

6. The particulars to be included in an entry in the register in relation to a data controller to whom section 16 of the Act applies shall be:

(a) name and address;

(b) purpose or purposes for which he keeps or uses personal data;

(c) description of the data;

(d) persons or categories of persons (other than persons to whom data are disclosed pursuant to section 8 of the Act) to whom the data may be disclosed;

(e) countries or territories to which the data may be directly or indirectly transferred;

(f) if the source from which the data, and any information intended for inclusion in the data, are obtained is required by the Commissioner to be described in the entry, the persons or categories of persons from whom the data and information are obtained;

(g) if the data controller is not the person to whom requests for information under section 4 (1) (a) of the Act should be addressed, the name or job status and address of that person;

(h) date on which the entry was made or, as the case may be, from which the relevant registration was continued;

(i) a reference to any other entry in the register relating to the data controller.

7. In the case of a data processor whose business consists wholly or partly in processing personal data on behalf of data controllers and who is not himself a data controller to whom section 16 of the Act applies, the particulars to be included in the relevant entry in the register shall be his name and address.

8. (a) In the case of a partnership which has applied to be registered in the register, the name of the partnership and of each of the partners shall be included in the entry in the register.

(b) In the case of a company (within the meaning of the Companies Acts, 1963 to 1987) which has so applied, the address to be so included shall be that of its registered office.

(c) In the case of a person (other than such a company) carrying on a business who has so applied, the address shall be that of his principal place of business.

SCHEDULE.

DATA PROTECTION (REGISTRATION) REGULATIONS, 1988

FORM DPA1

APPLICATION FOR REGISTRATION AS A DATA CONTROLLER (OR AS BOTH A DATA CONTROLLER AND A DATA PROCESSOR)

1. Name and address:

(If a partnership, state its name and the name of each partner; if a company, give the address of the registered office; in the case of any other business, give the address of the principal place of business.)

2. Name or job status of person to whom applications for access to personal data should be sent:

(Give address also if different from above.)

Note: Paragraphs 3 to 7 do not apply to personal data processed on behalf of another.

3. Purpose(s) for which you keep or use personal data:

(If the personal data are kept for the purposes of a business, trade, profession or public service, state in general (but comprehensive) terms the purpose(s) for which it is carried on. In any other case, specify the purpose(s) for which the data are kept or used.)

4. Description of all personal data so kept or used:

(a) The personal data normally associated with each of the following applications, namely: (Describe briefly, but adequately, the various applications.)

(b) Personal data not normally associated with any of the applications specified at (a) above:(Give full details.)

5. Persons or bodies (or categories of them) to whom the persona] data may be disclosed (other than persons or bodies to whom a disclosure may be made in the circumstances specified in section 8 of the Act):

Note: A disclosure of any personal data to a person or body specified above must not be made in any manner incompatible with the purpose's) for which those data are kept. Otherwise the disclosure will be in contravention of section 2(1) (c) (ii) of the Act.

6. Countries or territories (if any) to which you transfer, or intend to transfer, personal data directly or indirectly:

(State countries or territories concerned, description of data to be transferred and purpose of transfer.)

Note: This paragraph relates only to personal information when transferred abroad in automated form.

7. If you keep personal data relating to (a) racial origin, (b) political opinions, (c) religious or (d)other beliefs, (e) physical or mental health (other than any such data reasonably kept by you in relation to the physical or mental health of your employees and not used or disclosed for any other purpose), (f) sexual life or (g) criminal convictions—

(a) state which of these kinds of personal data you keep;

(b) state for which of the applications specified at 4 above each of these kinds of data is kept;

(c) specify under the following headings the safeguards in operation for the protection of the privacy of the data subjects concerned:

1. physical safeguards,

2. technical safeguards.

8. (a) Does any of the personal data kept by you consist of information that you are required by law to make available to the public? *Yes/*No.

(b) If the answer is "Yes", give details:

9. (a) Are you a data processor who is required to register (i.e. are you a person whose business consists wholly or partly in processing personal data on behalf of others)? *Yes/*No.

(b) If the answer is "Yes", state the countries or territories (if any) to which you transfer, or intend to transfer, such data for processing directly or indirectly:

10. Name or job status of individual (if any) who will supervise the application of the Act within your organisation:

I certify that the above information is correct and complete and apply to be registered in the register maintained pursuant to section 16 (2) of the Data Protection Act 1988 .

I enclose the prescribed fee (£100).

Signature............................................................ ....................................

Date.................................................

*Authorised to sign on behalf of applicant.

*Applicant.

Notes:

1. Knowingly to furnish false or misleading information is an offence.

2. It is also an offence knowingly (a) to keep or use personal data for any purpose not described at 3 above, (b) to keep personal data not specified at 4 above, (c) to disclose personal data to any person or body not described at 5 above or (d) to transfer personal data to a country or territory not named at 6 above.

*Delete whichever is inapplicable.

Data Protection (Registration) Regulations, 1988

FORM DPA2

APPLICATION FOR SEPARATE REGISTRATION

1. Name and address:

(In the case of a partnership, state its name and the name of each partner; if a company, give the address of the registered office; in the case of any other business, give the address of the principal place of business.)

2. Name or job status of person to whom applications for access to the personal data with which this application for separate registration is concerned should be sent:

(Give address also if different from above.)

Note: Paragraphs 3 to 7 do not apply to personal data processed on behalf of another.

3. Purpose(s) for which you keep or use the personal data with which this application for separate registration is concerned:

(State the particular purpose or purposes you wish to have separately registered.)

4. Description of personal data kept or used for the purpose or purposes mentioned in preceding paragraph:

(a) The personal data normally associated with each of the following applications, namely:

(Describe briefly, out adequately, the applications with which this application for separate registration is concerned.)

(b) Personal data not normally associated with any of the applications specified at (a) above:

(Give full details.)

5. Persons or bodies (or categories of them) to whom the personal data with which this application for separate registration is concerned may be disclosed (other than persons or bodies to whom a disclosure may be made in the circumstances specified in section 8 of the Act):

Note: A disclosure of any personal data to a person specified above must not be made in any manner incompatible with the purpose(s) for which those data are kept. Otherwise the disclosure will be in contravention of section 2 (1) (c) (ii) of the Act.

6. Countries or territories (if any) to which you transfer, or intend to transfer, the personal data with which this application for separate registration is concerned directly or indirectly:

(State countries or territories concerned, description of data to be transferred and purpose of transfer.)

Note: This paragraph relates only to personal information when transferred abroad in automated form.

7. If the personal data with which this application for separate registration is concerned relate to (a) racial origin, (b) political opinions, (c) religious or (d) other beliefs, (e) physical or mental health (other than any such data reasonably kept by you in relation to the physical or mental health of your employees and not used or disclosed for any other purpose), (f) sexual life or (g) criminal convictions—

(a) state which of these kinds of personal data you keep;

(b) state for which of the applications specified at 4 above each of these kinds of data is kept;

(c) specify under the following headings the safeguards in operation for the protection of the privacy of the data subjects concerned:

1. physical safeguards,

2. technical safeguards.

8. (a) Does any of the personal data kept by you consist of information that you are required by law to make available to the public? *Yes/*No

(b) If the answer is "Yes", give details:

9. (a) Are you a data processor who is required to register (i.e. are you a person whose business consists wholly or partly in processing personal data on behalf of others)? *Yes/*No.

(b) If the answer is "Yes", state the countries or territories (if any) to which you transfer, or intend to transfer, such data for processing directly or indirectly:

10. Name or job status of individual (if any) who will supervise the application of the Act within your organisation in relation to the personal data with which this application for separate registration is concerned:

11. Number of separate registrations:

I certify that the above information is correct and complete and apply to be separately registered in the register maintained under section two (2) of the Data Protection Act 1988 in respect of the purpose(s) specified at 3 above.

I enclose the prescribed fee (£100).

Signature............................................................ .............................

Date.....................................................

* Authorised to sign on behalf of applicant.

*Applicant.

Notes:

1. Knowingly to furnish false or misleading information is an offence.

2. It is also an offence knowingly (a) to keep personal data not specified in your application, (b) to keep or use personal data for any purpose, or disclose personal data to any person or body, not described in those applications or (c) to transfer personal data to a country or territory not named at 6 above.

*Delete whichever is inapplicable.

Data Protection (Registration) Regulations, 1988.

FORM DPA3

APPLICATION FOR REGISTRATION AS A DATA PROCESSOR

1. Name and address:

(If a partnership, state its name and the name of each partner; if a company, give the address of the registered office; in the case of any other business, give the address of the principal place of business.)

2. Countries or territories (if any) to which you transfer, or intend to transfer, personal data for processing directly or indirectly:

I apply to be registered in the register maintained pursuant to section 16 (2) of the Data Protection Act 1988 .

My business consists *wholly/*partly in processing personal data on behalf of data controllers.

*I do not control the contents and use of any personal data.

*I control the contents and use of personal data but I am not a data controller who is required by section 16 of the Act to register in that capacity.

I enclose the prescribed fee (£100).

Signature............................................................ ..........................

Date..........................................................

*Authorised to sign on behalf of applicant.

*Applicant.

Note: Knowingly to furnish false or misleading information is an offence.

*Delete whichever is inapplicable.

Data Protection (Registration) Regulations, 1988

FORM DPA4

APPLICATION FOR CONTINUANCE OF REGISTRATION

1. Name and address:

2. Registration No.

I apply to have my registration continued under section 18 of the Data Protection Act 1988 .

I enclose a statement† containing—

A the particulars in the entry relating to me under the above registration number, and

B certain other particulars concerning the personal data to which the entry relates.

*The particulars in the entry, as set out at A of the enclosed statement†, do not require amendment.

*The particulars in the entry, as set out at A of the enclosed statement†, require amendment in the following respects—

*The particulars set out at B of the enclosed statement† do not require amendment.

*The particulars set out at B of the enclosed statement† require amendment in the following respects:

I certify that the above information is correct.

I enclose the prescribed fee (£100).

Signature ............................................................ ...........................

Date.........................................................

*Authorised to sign on behalf of applicant.

*Applicant.

Note: Knowingly to furnish false or misleading information is an offence.

Data protection (Registration) Regulations, 1988

†A copy of the statement is available on request from the Office of the Data protection Commissioner.

*Delete whichever is inapplicable.

Data protection (Registration) Regulations, 1988

FORM DPA5

APPLICATION FOR ALTERATION IN REGISTRATION PARTICULARS

1. Name and address:

2. Registration No.

I apply to have the particulars in the entry in the register relating to me under the above registration number altered as follows:

I certify that the above information is correct.

I enclose the prescribed fee (£50).

Signature............................................................ ................................

Date.......................................................

*Authorised to sign on behalf of applicant.

*Applicant.

Note: Knowingly to furnish false or misleading information is an offence.

*Delete whichever is inapplicable.

GIVEN under my hand, this 15th day of December, 1988.

DONAL C. LINEHAN,

Data protection Commissioner.

The Minister for Justice consents to the making of the foregoing Regulations.

GIVEN under the Official Seal of the Minister for Justice, this 19th day of December, 1988.

GERARD COLLINS,

Minister for Justice.

EXPLANATORY NOTE.

These Regulations prescribe (a) the procedure to be followed in relation to registration in the register established under the Data Protection Act 1988 ; (b) the information required by the Data Protection Commissioner to be furnished in that regard and (c) the particulars to be included in entries in the register.