Data Protection Act 2018



Number 7 of 2018


DATA PROTECTION ACT 2018


CONTENTS

PART 1

Preliminary and General

1. Short title, citation and commencement

2. Interpretation

3. Designation by appropriate authority

4. Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances

5. Expenses

6. Regulations

7. Repeals and revocations

8. Application of Data Protection Act 1988

PART 2

Data Protection Commission

9. Establishment day

10. Establishment of Data Protection Commission

11. Supervisory authority for Data Protection Regulation and Directive

12. Functions of Commission

13. Performance of functions of Commission by Commissioner or member of staff

14. Transfer of functions of Data Protection Commissioner to Commission

15. Membership of Commission

16. Appointment of chairperson of Commission

17. Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner

18. Acting Commissioner

19. Accountability of Commissioner to Oireachtas Committees

20. Assignment and transfer of staff to Commission

21. Staff of Commission

22. Superannuation of Commissioners

23. Accounts of Commission

24. Annual report

25. Accountability for accounts of Commission

26. Prohibition on disclosure of confidential information

27. Civil proceedings for contravention of section 26

PART 3

Data Protection Regulation

Chapter 1

General

28. Fees

29. Child for purposes of application of Data Protection Regulation

30. Micro-targeting and profiling of children

31. Consent of child in relation to information society services

32. Codes of conduct: children

33. Right to be forgotten: children

34. Designation of data protection officer

35. Accreditation of certification bodies by Irish National Accreditation Board

36. Suitable and specific measures for processing

37. Limitation on transfers of personal data outside the European Union

38. Processing for a task carried out in the public interest or in the exercise of official authority

39. Communication with data subjects by political parties, candidates for and holders of certain elective political offices

40. Processing of personal data and special categories of personal data by elected representatives

41. Processing for purpose other than purpose for which data collected

42. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

43. Data processing and freedom of expression and information

44. Data processing and public access to official documents

Chapter 2

Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences

45. Processing of special categories of personal data

46. Processing of special categories of personal data for purposes of employment and social welfare law

47. Processing of special categories of personal data for purpose of legal advice and legal proceedings

48. Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission

49. Processing of special categories of personal data for purposes of administration of justice and performance of functions

50. Processing of special categories of personal data for insurance and pension purposes

51. Processing of special categories of personal data and Article 10 data for reasons of substantial public interest

52. Processing of special categories of personal data for purposes of Article 9(2)(h)

53. Processing of special categories of personal data for purposes of public interest in the area of public health

54. Processing of special categories of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

55. Processing of personal data relating to criminal convictions and offences

Chapter 3

Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers

56. Right of access to results and scripts of examination and results of appeal

57. Rights in relation to automated decision making

58. Direct marketing for purposes of Article 21

59. Restriction on right of data subject to object to processing for election purposes and processing by Referendum Commission

60. Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest

61. Restriction on exercise of data subjects’ rights: archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

PART 4

Provisions Consequent on Repeal of Certain Provisions of Data Protection Act 1988

62. Transfer of property of Data Protection Commissioner to Commission

63. Transfer of rights and liabilities of Data Protection Commissioner to Commission

64. Liability for loss occurring before establishment day

65. Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission

66. Final accounts and final annual report of Data Protection Commissioner

67. Saver for scheme relating to superannuation

68. Saver for regulations under Act of 1988

PART 5

Processing of Personal Data for Law Enforcement Purposes

Chapter 1

Preliminary and general (Part 5)

69. Interpretation (Part 5)

70. Application of Part 5

Chapter 2

General principles of data protection

71. Processing of personal data

72. Security measures for personal data

73. Processing of special categories of personal data (Part 5)

74. Data quality

Chapter 3

Obligations of controllers and processors

75. General obligations of controller with regard to technical and organisational measures

76. Data protection by design and by default

77. Security of automated processing

78. Technical and organisational measures

79. Joint controllers

80. Processors

81. Record of data processing activities

82. Data logging for automated processing system

83. Cooperation with Commission

84. Data protection impact assessment and prior consultation with Commission

85. Notification of personal data breach by processor

86. Notification of personal data breach to Commission, etc.

87. Communication of personal data breach to data subject

88. Data protection officer

Chapter 4

Rights, and restriction of rights, of data subject (Part 5)

89. Rights in relation to automated decision making (Part 5)

90. Right to information

91. Right of access

92. Right to rectification or erasure and restriction of processing

93. Communication with data subject

94. Restrictions on exercise of data subject rights (Part 5)

95. Indirect exercise of rights and verification by Commission

Chapter 5

Transfers of personal data to third countries or international organisations

96. Transfer to third country or international organisation

97. Adequacy decision

98. Transfer subject to appropriate safeguards

99. Derogations for specific situations

100. Transfer to recipient in third country

Chapter 6

Independent supervisory authority

101. Functions of Commission under Part 5

102. Power of the Commission to advise and issue opinions

103. Mutual assistance

104. Requests by Commission for mutual assistance

PART 6

Enforcement of Data Protection Regulation and Directive

Chapter 1

Preliminary

105. Interpretation (Part 6)

106. Service of documents (Part 6)

Chapter 2

Enforcement of Data Protection Regulation

107. Interpretation (Chapter 2)

108. Complaints under Chapter 2: General

109. Commission to handle complaint under Chapter 2

110. Commission may conduct inquiry into suspected infringement of relevant enactment

111. Decision of Commission where inquiry under Chapter 2 conducted of own volition

112. Decision of Commission where inquiry conducted in respect of complaint to which Article 55 or 56(5) applies

113. Complaint to which Article 60 applies

114. Commission to adopt decision in certain circumstances

115. Exercise by Commission of corrective power

116. Notification of decision of Commission under Chapter 2

117. Judicial remedy for infringement of relevant enactment

Chapter 3

Enforcement of Directive

118. Interpretation (Chapter 3)

119. Data subject may lodge complaint with Commission

120. Representation of data subjects

121. Complaints under Chapter 3: General

122. Commission to handle complaint under Chapter 3

123. Commission may conduct inquiry into suspected infringements of relevant provision

124. Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition

125. Decision of Commission where inquiry conducted in respect of complaint under Chapter 3

126. Notification of decision of Commission under Chapter 3

127. Corrective powers of Commission (Chapter 3)

128. Judicial remedy for infringement of relevant provision

Chapter 4

Inspection, Audit and Enforcement

129. Authorised officers

130. Powers of authorised officers

131. Search warrants

132. Information notice

133. Enforcement notice

134. Circumstances in which application may be made to the High Court for suspension or restriction of processing of data

135. Power to require report

136. Data Protection Audit

Chapter 5

Investigations

137. Investigations

138. Conduct of investigation under section 137

139. Investigation report

140. Commission to consider investigation report

Chapter 6

Administrative Fines

141. Power of Commission to decide to impose administrative fine: General

142. Appeal against administrative fine

143. Circuit Court to confirm decision to impose administrative fine

Chapter 7

Offences

144. Unauthorised disclosure by processor

145. Disclosure of personal data obtained without authority

146. Offences by directors, etc., of bodies corporate

147. Prosecution of summary offences by Commission

Chapter 8

Miscellaneous

148. General provisions relating to complaints

149. Publication of convictions, sanctions, etc.

150. Right to effective judicial remedy (Part 6)

151. Privileged legal material

152. Presumptions

153. Expert evidence

154. Immunity from suit

155. Jurisdiction of Circuit Court

156. Hearing of proceedings

PART 7

Miscellaneous Provisions

157. Supervisory authority for courts acting in judicial capacity

158. Restrictions on obligations of controllers and rights of data subjects for objective of safeguarding judicial independence and court proceedings

159. Processing of personal data where court is controller

160. Publication of judgment or decision of court or court list

161. Rules of court for data protection actions

162. Legal privilege

163. Application to High Court concerning adequate level of protection or appropriate safeguards

164. Court may order destruction, erasure of data

PART 8

Amendments of other Acts of Oireachtas

165. Reference to personal data in enactment

166. Reference to processing in enactment

167. Amendment of Firearms Act 1925

168. Amendment of section 33AK of Central Bank Act 1942

169. Amendment of section 2 of Civil Service Regulation Act 1956

170. Amendment of section 24 of Misuse of Drugs Act 1977

171. Amendment of section 15A of Control of Clinical Trials Act 1987

172. Amendment of Data Protection Act 1988

173. Amendment of Bankruptcy Act 1988

174. Amendment of Firearms and Offensive Weapons Act 1990

175. Amendment of section 13A of Electoral Act 1992

176. Amendment of Comptroller and Auditor General (Amendment) Act 1993

177. Amendment of section 8 of Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993

178. Amendment of section 24 of Statistics Act 1993

179. Amendment of section 57B of Irish Aviation Authority Act 1993

180. Amendment of section 18F of Health Insurance Act 1994

181. Amendment of section 142 of Consumer Credit Act 1995

182. Amendment of section 32B of Irish Medicines Board Act 1995

183. Amendment of section 77 of Central Bank Act 1997

184. Amendment of section 1 of Health (Provision of Information) Act 1997

185. Amendment of section 9M of Electricity Regulation Act 1999

186. Amendment of British-Irish Agreement Act 1999

187. Amendment of section 7D of Comhairle Act 2000

188. Amendment of section 33 of Commission To Inquire Into Child Abuse Act 2000

189. Amendment of section 2 of Merchant Shipping (Investigation of Marine Casualties) Act 2000

190. Amendment of section 28 of Education (Welfare) Act 2000

191. Amendment of section 38 of Planning and Development Act 2000

192. Amendment of section 14 of Dormant Accounts Act 2001

193. Amendment of section 30 of Residential Institutions Redress Act 2002

194. Amendment of section 2 of Official Languages Act 2003

195. Amendment of section 86 of Personal Injuries Assessment Board Act 2003

196. Amendment of section 12 of Unclaimed Life Assurance Policies Act 2003

197. Amendment of section 66 of Civil Registration Act 2004

198. Amendment of section 39 of Commissions of Investigation Act 2004

199. Amendment of section 55H of Health Act 2004

200. Amendment of section 2 of Safety, Health and Welfare at Work Act 2005

201. Amendment of section 265 of Social Welfare Consolidation Act 2005

202. Amendment of Disability Act 2005

203. Amendment of section 2 of Railway Safety Act 2005

204. Amendment of section 12 of Health (Repayment Scheme) Act 2006

205. Amendment of section 19 of Electoral (Amendment) Act 2006

206. Amendment of section 67 of Pharmacy Act 2007

207. Amendment of Passports Act 2008

208. Amendment of Criminal Justice (Mutual Assistance) Act 2008

209. Amendment of section 2 of Chemicals Act 2008

210. Amendment of Nursing Homes Support Scheme Act 2009

211. Amendment of section 23 of Criminal Justice (Miscellaneous Provisions) Act 2009

212. Amendment of section 201 of National Asset Management Agency Act 2009

213. Amendment of Criminal Justice (Money Laundering and Terrorist Financing) Act 2010

214. Amendment of section 12 of Communications (Retention of Data) Act 2011

215. Amendment of section 17A of Ministers and Secretaries (Amendment) Act 2011

216. Amendment of section 28 of Student Support Act 2011

217. Amendment of Communications Regulation (Postal Services) Act 2011

218. Amendment of Property Services (Regulation) Act 2011

219. Amendment of section 56 of Credit Union and Co-operation with Overseas Regulators Act 2012

220. Amendment of Europol Act 2012

221. Amendment of Personal Insolvency Act 2012

222. Amendment of section 2 of Animal Health and Welfare Act 2013

223. Amendment of section 8 of Health (Alteration of Criteria for Eligibility) Act 2013

224. Insertion of section 957A to Companies Act 2014

225. Amendment of Health Identifiers Act 2014

226. Amendment of section 15 of Freedom of Information Act 2014

227. Amendment of section 41 of Customs Act 2015

228. Amendment of section 7 of Regulation of Lobbying Act 2015

229. Amendment of Sport Ireland Act 2015

230. Amendment of section 12 of Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016

231. Amendment of section 62 of Financial Services and Pensions Ombudsman Act 2017

232. Amendment of National Shared Services Office Act 2017

SCHEDULE 1

Statutory Instruments Revoked

SCHEDULE 2

Data Protection Commission

SCHEDULE 3

Provisions Applicable to Oral Hearing Conducted by an Authorised Officer Under Section 138


Acts Referred to

Animal Health and Welfare Act 2013 (No. 15)

Bankruptcy Act 1988 (No. 27)

British-Irish Agreement Act 1999 (No. 1)

Central Bank Act 1942 (No. 22)

Central Bank Act 1997 (No. 8)

Chemicals Act 2008 (No. 13)

Children Act 2001 (No. 24)

Civil Registration Act 2004 (No. 3)

Civil Service Regulation Act 1956 (No. 46)

Comhairle Act 2000 (No. 1)

Commission To Inquire Into Child Abuse Act 2000 (No. 7)

Commissions of Investigation Act 2004 (No. 23)

Communications (Retention of Data) Act 2011 (No. 3)

Communications Regulation (Postal Services) Act 2011 (No. 21)

Companies Act 2014 (No. 38)

Competition Act 2002 (No. 14)

Comptroller and Auditor General (Amendment) Act 1993 (No. 8)

Consumer Credit Act 1995 (No. 24)

Control of Clinical Trials Act 1987 (No. 28)

Credit Union and Co-operation with Overseas Regulators Act 2012 (No. 40)

Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (No. 11)

Criminal Justice (Miscellaneous Provisions) Act 2009 (No. 28)

Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6)

Criminal Justice (Mutual Assistance) Act 2008 (No. 7)

Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (No. 4)

Customs Act 2015 (No. 18)

Data Protection (Amendment) Act 2003 (No. 6)

Data Protection Act 1988 (No. 25)

Data Protection Acts 1988 and 2003

Data Protection Acts 1988 to 2003

Defence Act 1954 (No. 18)

Dentists Act 1985 (No. 9)

Disability Act 2005 (No. 14)

Dormant Accounts Act 2001 (No. 32)

Education (Welfare) Act 2000 (No. 22)

Education Act 1998 (No. 51)

Electoral (Amendment) Act 2006 (No. 33)

Electoral Act 1992 (No. 23)

Electricity Regulation Act 1999 (No. 23)

European Parliament Elections Act 1997 (No. 2)

Europol Act 2012 (No. 53)

Financial Services and Pensions Ombudsman Act 2017 (No. 22)

Firearms (Firearm Certificates For Non-Residents) Act 2000 (No. 20)

Firearms Act 1925 (No. 17)

Firearms and Offensive Weapons Act 1990 (No. 12)

Freedom of Information Act 2014 (No. 30)

Health (Alteration of Criteria for Eligibility) Act 2013 (No. 10)

Health (Corporate Bodies) Act 1961 (No. 27)

Health (Provision of Information) Act 1997 (No. 9)

Health (Repayment Scheme) Act 2006 (No. 17)

Health Act 2004 (No. 42)

Health Identifiers Act 2014 (No. 15)

Health Insurance Act 1994 (No. 16)

Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 (No. 10)

Interpretation Act 2005 (No. 23)

Irish Aviation Authority Act 1993 (No. 29)

Irish Medicines Board Act 1995 (No. 29)

Local Government Act 2001 (No. 37)

Medical Practitioners Act 1978 (No. 4)

Medical Practitioners Act 2007 (No. 25)

Merchant Shipping (Investigation of Marine Casualties) Act 2000 (No. 14)

Ministers and Secretaries (Amendment) Act 2011 (No. 10)

Misuse of Drugs Act 1977 (No. 12)

National Asset Management Agency Act 2009 (No. 34)

National Shared Services Office Act 2017 (No. 26)

Nursing Homes Support Scheme Act 2009 (No. 15)

Official Languages Act 2003 (No. 32)

Passports Act 2008 (No. 4)

Personal Injuries Assessment Board Act 2003 (No. 46)

Personal Insolvency Act 2012 (No. 44)

Petty Sessions (Ireland) Act 1851 (14 & 15 Vict., c.93)

Pharmacy Act 2007 (No. 20)

Planning and Development Act 2000 (No. 30)

Prisons Acts 1826 to 2015

Property Services (Regulation) Act 2011 (No. 40)

Public Service Superannuation (Miscellaneous Provisions) Act 2004 (No. 7)

Railway Safety Act 2005 (No. 31)

Regulation of Lobbying Act 2015 (No. 5)

Residential Institutions Redress Act 2002 (No. 13)

Safety, Health and Welfare at Work Act 2005 (No. 10)

Social Welfare Consolidation Act 2005 (No. 26)

Sport Ireland Act 2015 (No. 15)

Statistics Act 1993 (No. 21)

Student Support Act 2011 (No. 4)

Unclaimed Life Assurance Policies Act 2003 (No. 2)

Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (No. 5)



Number 7 of 2018


DATA PROTECTION ACT 2018


An Act to establish a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission; to give further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); to give effect to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; to give further effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981 and for those and other purposes to amend the Data Protection Act 1988; to provide for the consequential amendment of certain other enactments; and to provide for related matters.

[24th May, 2018]

Be it enacted by the Oireachtas as follows:

PART 1

Preliminary and General

Short title, citation and commencement

1. (1) This Act may be cited as the Data Protection Act 2018.

(2) This Act and the Data Protection Acts 1988 and 2003 may be cited together as the Data Protection Acts 1988 to 2018.

(3) This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions, and for the repeal of different enactments or provisions of enactments effected by section 7.

Interpretation

2. (1) In this Act—

“Act of 1988” means the Data Protection Act 1988;

“Act of 2014” means the Companies Act 2014;

“authorised officer” means a person appointed, or deemed to be appointed, to be an authorised officer under section 129;

“chairperson” means the chairperson of the Commission;

“civil servant” has the meaning assigned to it by the Civil Service Regulation Act 1956;

“Commission” has the meaning assigned to it by section 10;

“Commissioner” has the meaning assigned to it by section 15 and includes a member of staff authorised to act in place of a Commissioner under section 18;

“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;

“enactment” has the same meaning as it has in the Interpretation Act 2005;

“local authority” means a local authority within the meaning of section 2 of the Local Government Act 2001;

“Minister” means the Minister for Justice and Equality;

“political party” means a political party registered in the Register of Political Parties in accordance with section 25 of the Electoral Act 1992;

“prescribe” means prescribe by regulations;

“public authority” means—

(a) a Department of State,

(b) a regional assembly,

(c) a local authority,

(d) the office of the Director of Corporate Enforcement,

(e) the Irish Auditing and Accounting Supervisory Authority,

(f) any other person established by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act) other than—

(i) a recognised school or board within the meaning of section 2 of the Education Act 1998 but including a recognised school established and maintained by an education and training board and a board of a school so established and maintained, and

(ii) a management committee established under section 37(3) of the Education Act 1998,

(g) a person with whom the Health Service Executive has, under section 38(1) of the Health Act 2004, entered into an arrangement for the provision of a health or personal social service by that person on behalf of the Executive,

(h) the Garda Síochána;

“public body” means—

(a) a company (within the meaning of the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act) a majority of the shares in which are held by or on behalf of a Minister of the Government,

(b) a subsidiary (within the meaning of section 7 of the Act of 2014) of a company referred to in paragraph (a);

“special categories of personal data”, other than in Part 5, means—

(a) personal data revealing—

(i) the racial or ethnic origin of the data subject,

(ii) the political opinions or the religious or philosophical beliefs of the data subject, or

(iii) whether the data subject is a member of a trade union,

(b) genetic data,

(c) biometric data for the purposes of uniquely identifying an individual,

(d) data concerning health, or

(e) personal data concerning an individual’s sex life or sexual orientation.

(2) Subject to subsection (1), a word or expression used in this Act, other than in Part 5, that is also used in the Data Protection Regulation has, unless the context otherwise requires, the same meaning in this Act as it has in that Regulation.

(3) Unless the context otherwise requires, a reference in this Act (other than in Part 5) to a numbered Article is a reference to the Article so numbered of the Data Protection Regulation.

Designation by appropriate authority

3. (1) An appropriate authority (within the meaning of the Civil Service Regulation Act 1956) may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a controller and while the designation is in force the civil servant so designated shall, other than for the purposes of sections 105(3) and 141(2) and (3), be deemed, for the purposes of this Act and the Data Protection Regulation, to be the controller in respect of the data concerned.

(2) Without prejudice to subsection (1), the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a controller and while the designation is in force the officer so designated shall, other than for the purposes of sections 105(3) and 141(2) and (3), be deemed, for the purposes of this Act and the Data Protection Regulation, to be the controller in respect of the data concerned.

(3) For the purposes of this Act and the Data Protection Regulation—

(a) where a designation by the relevant appropriate authority under subsection (1) is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

(b) where a designation under subsection (2) is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

(c) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the Commissioner of the Garda Síochána.

Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances

4. (1) A person shall not, in connection with—

(a) the recruitment of an individual as an employee,

(b) the continued employment of the individual, or

(c) a contract for the provision of services to the person by an individual,

require that individual to—

(i) make a request under Article 15 or under section 91, or

(ii) supply the person with data relating to that individual obtained as a result of such a request.

(2) A person who contravenes subsection (1) shall be guilty of an offence and shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

Expenses

5. The expenses incurred by the Commission and any Minister of the Government in the administration of this Act shall, to such an extent as may be sanctioned by the Minister for Public Expenditure and Reform, be paid out of moneys provided by the Oireachtas.

Regulations

6. (1) Regulations made under this Act may contain such incidental, supplementary and consequential provisions as appear to the person making the regulations to be necessary or expedient for the purposes of the regulations.

(2) Every regulation made under this Act, other than under section 51, 60 or 73, shall be laid before each House of the Oireachtas as soon as may be after it is made.

(3) Either House of the Oireachtas may, by a resolution passed within 21 sitting days after the day on which a regulation is laid before it under subsection (2), annul the regulation.

(4) The annulment of a regulation under subsection (3) takes effect immediately on the passing of the resolution concerned but does not affect the validity of anything done under the regulation before the passing of the resolution.

(5) Regulations may be made under section 51, 60 or 73 only if—

(a) a draft of the proposed regulations has been laid before each House of the Oireachtas, and

(b) a resolution approving the draft has been passed by each House.

Repeals and revocations

7. (1) Subject to subsection (4), the following provisions of the Act of 1988 are repealed:

(a) in section 1—

(i) subsection (1), the definition of “direct marketing”, “financial institution” and “the register”, and

(ii) subsection (5);

(b) section 2(7) and (8);

(c) section 4(2), (6), (8) and (13);

(d) section 5(1)(d);

(e) section 9 and the Second Schedule;

(f) section 11(3) and (4)(b);

(g) sections 13, 14, 16, 17, 18, 19, 20, 22A and 33.

(2) Subject to subsection (4), section 14(2) of the Data Protection (Amendment) Act 2003 is repealed.

(3) Subject to subsection (4), the enactments specified in column (3) of Schedule 1 are revoked to the extent specified in column (4) of that Schedule.

(4) The repeals and revocations effected by this section shall not apply for the purposes of subsections (1)(b), (2) and (3) of section 8.

Application of Data Protection Act 1988

8. (1) Subject to this section, the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data (within the meaning of that Act) other than—

(a) the processing of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, or

(b) the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 to the extent that the Act of 1988 is applied in those Acts.

(2) The Act of 1988 shall apply to—

(a) a complaint by an individual under section 10 of that Act made before the commencement of this section, and

(b) a contravention of that Act that occurred before such commencement.

(3) An investigation under section 10 of the Act of 1988 that was begun but not completed before the commencement of this section shall be completed in accordance with that Act and that Act shall apply to such an investigation.

PART 2

Data Protection Commission

Establishment day

9. The Minister shall, by order, appoint a day to be the establishment day for the purposes of this Act.

Establishment of Data Protection Commission

10. (1) On the establishment day there shall stand established a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission (in this Act referred to as the “Commission”).

(2) Schedule 2 shall have effect in relation to the Commission.

Supervisory authority for Data Protection Regulation and Directive

11. The Commission shall be the supervisory authority within the meaning of, and for the purposes specified in—

(a) the Data Protection Regulation, and

(b) the Directive.

Functions of Commission

12. (1) In addition to the functions assigned to the Commission by virtue of its being the supervisory authority for the purposes of the Data Protection Regulation and the Directive, the general functions of the Commission shall include—

(a) any functions assigned to it by or under this Act,

(b) functions transferred to the Commission under section 14, and

(c) such other functions as may be assigned to it from time to time by or under any other enactment.

(2) The Commission shall monitor the lawfulness of processing of personal data in accordance with—

(a) Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast), and

(b) Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast).

(3) The Commission is designated for the purposes of Chapter IV (Mutual assistance) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981.

(4) The Minister may, following consultation with the Commission, make any regulations that he or she considers necessary or expedient for the purpose of enabling Chapter IV (as referred to in subsection (3)) to have full effect.

(5) The Commission shall have all such powers as are necessary or expedient for the performance of its functions.

(6) The Commission shall disseminate, to such extent and in such manner as it considers appropriate, information in relation to the functions performed by it.

(7) The Commission shall be independent in the performance of its functions.

(8) Subject to this Act, the Commission shall regulate its own procedures.

Performance of functions of Commission by Commissioner or member of staff

13. (1) Where more than one Commissioner stands appointed under section 15, the functions of the Commission, other than the functions specified in subsection (3), may be performed through or by a Commissioner where he or she is authorised in that behalf by the Commission.

(2) The functions of the Commission, other than the functions specified in subsection (3), may be performed through or by any member of staff of the Commission where he or she is authorised in that behalf by the Commission.

(3) The functions referred to in subsections (1) and (2) are the functions of the Commission under sections 12(8), 21, 28, 43, 84(9) and (10), 129, 134(1) and (4), 135(1), 149 (other than subsection (1)), paragraph 1 of Schedule 2 and its function, as supervisory authority, under Article 35(4) and (5) of the Data Protection Regulation.

(4) A Commissioner or member of staff of the Commission who performs any of the functions of the Commission is presumed in any proceedings to have been authorised to do so on its behalf unless the contrary is shown.

Transfer of functions of Data Protection Commissioner to Commission

14. (1) All functions that, immediately before the establishment day, were vested in the Data Protection Commissioner are transferred to the Commission.

(2) A reference in any enactment or instrument under an enactment to the Data Protection Commissioner or to the Office of the Data Protection Commissioner shall be construed as a reference to the Commission.

(3) A reference in the Act of 1988 (other than in section 1(3)(c)(iii) in so far as it refers to the Commissioner of the Garda Síochána) to the Commissioner shall be construed as a reference to the Commission.

(4) This section shall come into operation on the establishment day.

Membership of Commission

15. (1) The Commission shall consist of such and so many members (not being more than 3) as the Government determines.

(2) Each member of the Commission shall be known as a Commissioner for Data Protection (in this Act referred to as a “Commissioner”).

(3) Subject to subsections (4), (8) and (9) and section 18, a Commissioner shall be appointed by the Government on the recommendation of the Public Appointments Service and the appointment shall be for a period of not less than 4 and not more than 5 years from the date of his or her appointment.

(4) If, immediately before the establishment day, there is a person holding office as the Data Protection Commissioner, he or she shall, on the establishment day, be a Commissioner for the remainder of the term of office, and upon the same terms and conditions, for which he or she was appointed as the Data Protection Commissioner.

(5) Subject to subsection (7), the Public Appointments Service shall recommend a person for appointment as Commissioner following an open selection competition held by the Service for that purpose.

(6) The Public Appointments Service shall appoint a selection panel to assist it in holding an open selection competition.

(7) The Public Appointments Service shall ensure that a person is recommended under subsection (5) for appointment only if it is satisfied that the person has the qualifications, experience and skills necessary to enable the Commission to effectively perform its functions.

(8) A Commissioner to whom subsection (3) applies and whose term of office expires by the efflux of time may be reappointed to the Commission by the Government for one further period of not less than 4 and not more than 5 years without the need for a further recommendation by the Public Appointments Service.

(9) A Commissioner to whom subsection (4) applies and whose term of office expires by the efflux of time may be reappointed to the Commission by the Government for one further period of not less than 4 and not more than 5 years.

(10) A Commissioner shall—

(a) act on a full-time basis subject to such terms and conditions (other than the payment of remuneration and allowances for expenses) as the Government may determine,

(b) be paid by the Commission such remuneration and allowances for expenses (if any) as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time determine,

(c) not hold any other office or occupy any other position in respect of which emoluments are payable or carry on any business, and

(d) cease to be a Commissioner on reaching the age of 70 years, but where the person is a new entrant (within the meaning of section 2 of the Public Service Superannuation (Miscellaneous Provisions) Act 2004) the requirement to cease to be a Commissioner on grounds of age shall not apply.

Appointment of chairperson of Commission

16. (1) The Minister shall, where the Commission consists of more than one Commissioner, appoint one of the Commissioners to be chairperson and such allowance (if any) may be paid by the Commission to the chairperson as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time determine.

(2) The chairperson shall have a casting vote in the case of decisions to be taken by the Commission in the event of a tied vote.

(3) Where a chairperson stands appointed under subsection (1), and is unavailable to perform his or her duties due to absence or incapacity, the Minister shall appoint another existing Commissioner to act as chairperson for the duration of the period of absence or incapacity.

Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner

17. (1) A Commissioner may resign from office by giving notice in writing to the Government of his or her resignation and the resignation shall take effect from such date as is specified in the notice which date shall be at least 90 days after the giving of the notice to the Government.

(2) The Government may remove a Commissioner from office if they are satisfied that one or more of the grounds referred to in subsection (3) apply to the Commissioner.

(3) The grounds referred to in subsection (2) are that a Commissioner—

(a) has become incapable through ill health or otherwise of effectively performing the functions of the office, or

(b) has engaged in serious misconduct.

(4) Where the Government propose to remove a Commissioner under subsection (2), they shall notify the Commissioner concerned in writing of their proposal.

(5) A notification under subsection (4) shall include a statement—

(a) of the reasons for the proposed removal,

(b) that the Commissioner may, within a period of 30 working days from the sending of the notification or such other period as the Government may, having regard to the requirements of natural justice, specify in the notice, make representations to the Government in such form and manner as may be specified by the Government, as to why the Commissioner should not be removed from office, and

(c) that where no representations are received within the period referred to in paragraph (b) the Government will, without further notice to the Commissioner, proceed with the removal of the Commissioner from office in accordance with this section.

(6) In considering whether to remove a Commissioner from office under subsection (2), the Government shall take into account—

(a) any representations made by the Commissioner under subsection (5)(b) within the period referred to in that subsection, and

(b) any other matter the Government consider relevant for the purpose of their decision.

(7) Where, having taken into account the matters referred to in subsection (6), the Government decide the Commissioner should be removed from office in accordance with this section, they shall notify the Commissioner in writing of their decision and the reasons for their decision.

(8) Where the Government decide to remove a Commissioner from office in accordance with this section, they shall prepare a statement of the reason or reasons for such removal and cause that statement to be laid before each House of the Oireachtas as soon as practicable after the decision is made.

(9) A Commissioner shall cease to hold office if he or she—

(a) is convicted on indictment of an offence,

(b) is convicted of an offence involving fraud or dishonesty,

(c) has a declaration made against him or her under section 819 of the Act of 2014 or is deemed to be subject to such a declaration by virtue of Chapter 5 of Part 14 of that Act, or

(d) is subject to, or is deemed to be subject to, a disqualification order within the meaning of Chapter 4 of Part 14 of the Act of 2014 whether by virtue of that Chapter or of any other provision of that Act.

(10) A person shall not be eligible for appointment as a Commissioner if any of paragraphs (a) to (d) of subsection (9) are applicable in respect of the person.

Acting Commissioner

18. (1) Where one Commissioner only stands appointed for the time being under section 15, the Minister may authorise a member of staff of the Commission to perform the functions of a Commissioner during any period when that Commissioner is absent from duty or absent from the State or is, for any other reason, unable to perform the functions of a Commissioner.

(2) Where a vacancy occurs in the office of Commissioner and no Commissioner stands appointed for the time being under section 15, the Minister may authorise a member of staff of the Commission to perform the functions of a Commissioner during the period of that vacancy, but an authorisation under this subsection shall cease upon the appointment of a Commissioner under section 15 whether or not such appointment was made for the purpose of filling that vacancy.

(3) An authorisation under subsection (2) shall not remain in force for a period of more than 6 months unless the Minister is satisfied that it is not reasonably practicable for an appointment under section 15 to be made within that period, in which case he or she may extend that period by such further period as he or she is satisfied is a period within which it is reasonably practicable for an appointment to be made under that section.

(4) The Minister may at any time terminate an authorisation under this section.

(5) A member of staff of the Commission in respect of whom an authorisation under this section is in force may perform the functions of a Commissioner under this Act, and, for that purpose, references to a Commissioner in this Act (other than in sections 15(3), 17(2) to (8) and 22) shall be construed as including references to such member of staff.

Accountability of Commissioner to Oireachtas Committees

19. (1) In this section, “Committee” means a Committee appointed by either House of the Oireachtas or jointly by both Houses of the Oireachtas (other than a committee referred to in section 19(1) of the Comptroller and Auditor General (Amendment) Act 1993 or the Committee on Members’ Interests of Dáil Éireann or the Committee on Members’ Interests of Seanad Éireann) or a sub-committee of such a Committee.

(2) Subject to subsection (3), a Commissioner shall, at the request in writing of a Committee, attend before it to give account for the general administration of the Commission.

(3) The Commissioner shall not be required to give account before a Committee for any matter which is or has been or may at a future time be the subject of proceedings before a court or tribunal.

(4) Where the Commissioner is of the opinion that a matter in respect of which he or she is requested to give an account before a Committee is a matter to which subsection (3) applies, he or she shall inform the Committee of that opinion and the reasons for the opinion and, unless the information is conveyed to the Committee at a time when the Commissioner is before it, the information shall be so conveyed in writing.

(5) Where the Commissioner has informed a Committee of his or her opinion in accordance with subsection (4) and the Committee does not withdraw the request referred to in subsection (2) in so far as it relates to a matter the subject of that opinion—

(a) the Commissioner may, not later than 21 days after being informed by the Committee of its decision not to do so, apply to the High Court in a summary manner for determination of the question whether the matter is one to which subsection (3) applies, or

(b) the Chairperson of the Committee may, on behalf of the Committee, make such an application,

and the High Court shall determine the matter.

(6) Pending the determination of an application under subsection (5), the Commissioner shall not attend before the Committee to give account for the matter the subject of the application.

(7) If the High Court determines that the matter concerned is one to which subsection (3) applies, the Committee shall withdraw the request referred to in subsection (2), but if the High Court determines that subsection (3) does not apply, the Commissioner shall attend before the Committee and give account for the matter.

(8) In this section, a reference to “Commissioner” shall, where more than one Commissioner has been appointed under section 15, be taken to be a reference to the chairperson.

Assignment and transfer of staff to Commission

20. (1) Every civil servant who, immediately before the establishment day, stands assigned to act as a member of staff of the Data Protection Commissioner shall, on the establishment day, stand assigned to act as a member of staff of the Commission.

(2) The Minister may, as he or she considers appropriate, designate in writing such and so many persons who stand assigned under subsection (1) to act as members of staff of the Commission to become and be members of staff of the Commission on and from such date as the Minister may specify in the designation (in this section referred to as the “effective date”).

(3) A member of staff designated in accordance with subsection (2) shall become and be a member of staff of the Commission on and from the effective date.

Staff of Commission

21. (1) The Commission may, subject to the approval of the Minister given with the consent of the Minister for Public Expenditure and Reform, appoint such number of persons to be members of its staff as it may determine.

(2) The Commission shall, subject to the approval of the Minister given with the consent of the Minister for Public Expenditure and Reform, determine the grades of members of its staff and the numbers in each grade.

(3) Members of staff of the Commission shall be civil servants.

Superannuation of Commissioners

22. (1) The Minister may, with the consent of the Minister for Public Expenditure and Reform, make a scheme or schemes for—

(a) the granting of superannuation benefits to or in respect of a Commissioner ceasing to hold office, or

(b) the making of contributions to a pension scheme approved of by the Minister with the consent of the Minister for Public Expenditure and Reform which has been entered into by the Commissioner.

(2) The Minister may, with the consent of the Minister for Public Expenditure and Reform, make a scheme amending or revoking a scheme made under subsection (1), including a scheme amended under this subsection.

(3) If any dispute arises as to the claim of a Commissioner to, or the amount of, any superannuation benefit payable in pursuance of a scheme made under subsection (1), such dispute shall be submitted to the Minister who shall refer it to the Minister for Public Expenditure and Reform for determination by him or her.

(4) A scheme made under subsection (1) shall be carried out by the Minister in accordance with its terms.

(5) No superannuation benefit shall be granted by the Minister to or in respect of any Commissioner ceasing to hold office otherwise than—

(a) in accordance with a scheme under subsection (1), or

(b) with the consent of the Minister for Public Expenditure and Reform.

(6) A scheme made under subsection (1) shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the scheme is passed by either such House within the next 21 days on which that House has sat after the scheme is laid before it, the scheme shall be annulled accordingly but without prejudice to the validity of anything previously done under that scheme prior to the resolution.

(7) In this section, “superannuation benefits” means pensions, gratuities and other allowances payable on resignation, retirement or death.

Accounts of Commission

23. (1) The Commission shall keep, in such form as may be approved by the Minister with the consent of the Minister for Public Expenditure and Reform, all proper and usual accounts of all money received or expended by it and, in particular, shall keep in such form as aforesaid all such special accounts as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time direct.

(2) Accounts kept in accordance with this section shall be submitted, not later than 1 April in the year immediately following the financial year to which they relate or on such earlier date as the Minister may from time to time specify, by the Commission to the Comptroller and Auditor General for audit and, immediately after the audit, a copy of the accounts, and of such other special accounts (if any) kept in accordance with this section as the Minister, after consultation with the Minister for Public Expenditure and Reform, may direct and a copy of the Comptroller and Auditor General’s report on the accounts shall be presented to the Minister and the Commission shall, as soon as may be thereafter, cause copies thereof to be laid before each House of the Oireachtas.

(3) Subject to subsections (4) and (5), subsections (1) and (2) shall cease to have effect on the date of the coming into operation of section 176(b).

(4) Accounts kept in accordance with this section that relate to the period specified under subsection (5) shall be submitted by the Commission to the Comptroller and Auditor General for audit not later than 3 months after the date of the coming into operation of section 176(b).

(5) The Minister may, for the purposes of subsection (4), specify a period which—

(a) shall end on the date immediately preceding the date of the coming into operation of section 176(b), and

(b) may be longer or shorter than a financial year of the Commission.

Annual report

24. (1) The Commission shall, not later than 30 June in each year—

(a) prepare a report on its activities in the immediately preceding year, and

(b) cause copies of the report to be laid before each House of the Oireachtas.

(2) Notwithstanding subsection (1), if but for this subsection, the first report under this section would relate to a period of less than 6 months, the report shall relate to that period and to the year immediately following that period and shall be made as soon as may be, but not later than 6 months after the end of that year.

(3) The Commission may, at any time after subsection (1)(b) has been complied with, publish its annual report in such form and manner as it considers appropriate.

(4) For the purposes of the law of defamation, a report under subsection (1) shall be absolutely privileged.

Accountability for accounts of Commission

25. (1) The Commissioner, or where more than one Commissioner has been appointed under section 15, the chairperson, is the accounting officer in relation to the appropriation accounts of the Commission for the purpose of the Comptroller and Auditor General Acts 1866 to 1998.

(2) Section 19(2) of the Comptroller and Auditor General (Amendment) Act 1993 shall, in so far as it relates to data protection matters, not apply to the Commissioner or chairperson who is the accounting officer pursuant to subsection (1).

Prohibition on disclosure of confidential information

26. (1) A relevant person shall not disclose confidential information obtained by him or her while performing functions under this Act or the Data Protection Regulation unless he or she is required or permitted by law, or duly authorised by the Commission, to do so.

(2) Subsection (1) shall not operate to prevent the disclosure by a relevant person of information—

(a) in a report to the Commission or a Commissioner,

(b) to a Minister of the Government, and

(c) to a public authority, whether in the State or otherwise, for the purposes of facilitating cooperation between the Commission and such authority in the performance of their respective functions.

(3) Subject to section 154, a person who contravenes subsection (1) commits an offence and is liable on summary conviction to a class A fine.

(4) In this section—

“confidential information” includes information that is expressed by the Commission to be confidential either as regards particular information or as regards information of a particular class or description;

“relevant person” means—

(a) a Commissioner,

(b) a member of staff of the Commission,

(c) an authorised officer,

(d) any other person engaged under a contract for services by the Commission or a member of the staff of such a person, or

(e) a person who has acted in a capacity referred to in any of paragraphs (a) to (d).

Civil proceedings for contravention of section 26

27. (1) A person who suffers loss or harm as a result of a contravention of section 26(1) may, subject to section 154, bring proceedings against the person specified in subsection (2) seeking relief by way of—

(a) an injunction or declaration, or

(b) damages,

or both.

(2) The person specified for the purposes of subsection (1) is—

(a) where it is alleged that the contravention was committed by a Commissioner, member of staff of the Commission or an authorised officer and the applicant under that subsection is seeking an injunction or declaration, the Commissioner, member of staff or authorised officer concerned,

(b) where it is alleged that the contravention was committed by a Commissioner, member of staff of the Commission or an authorised officer and the applicant under that subsection is seeking damages, the Commission, and

(c) where it is alleged that the contravention was committed by a person other than a Commissioner, member of staff of the Commission or an authorised officer, that person.

(3) Proceedings under subsection (1), in so far as they seek the relief referred to in paragraph (b) of that subsection, shall be founded on tort.

PART 3

Data Protection Regulation

Chapter 1

General

Fees

28. The Commission may, with the consent of the Minister, prescribe the fees to be paid to it—

(a) for the performance of its functions under Article 57(1)(r) and (s), and

(b) in relation to requests that are manifestly unfounded or excessive in accordance with Article 57(4).

Child for purposes of application of Data Protection Regulation

29. For the purposes of the application of the Data Protection Regulation in the State, a reference to “child” in the Regulation shall be taken to be a reference to a person under the age of 18 years.

Micro-targeting and profiling of children

30. It shall be an offence under this Act for any company or corporate body to process the personal data of a child as defined by section 29 for the purposes of direct marketing, profiling or micro-targeting. Such an offence shall be punishable by an administrative fine under section 141.

Consent of child in relation to information society services

31. (1) The age of a child specified for the purposes of Article 8 is 16 years of age.

(2) For the purposes of the application of Article 8 in the State, the reference in that Article to “information society services” does not include a reference to preventative or counselling services.

(3) The Minister shall—

(a) not later than 3 years after the coming into operation of this section, commence a review of the operation of subsection (1), and

(b) complete that review not later than one year after its commencement.

Codes of conduct: children

32. (1) Without prejudice to the generality of Article 40, the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the Data Protection Regulation with regard to—

(a) the protection of children,

(b) the information to be provided by a controller to children,

(c) the manner in which the consent of the holders of parental responsibility over a child is to be obtained for the purposes of Article 8,

(d) integrating the necessary safeguards into processing in order to protect the rights of children in an age-appropriate manner for the purpose of Article 25, and

(e) the processing of the personal data of children for the purposes of direct marketing and creating personality and user profiles.

(2) For the purpose of considering whether a draft code of conduct or an extension or amendment to an existing code of conduct referred to in Article 40 provides sufficient appropriate safeguards referred to in that Article, the Commission may, where the draft, extension or amendment, as the case may be, concerns the application of the Data Protection Regulation to children, consult with such persons as it considers appropriate including—

(a) children and bodies who appear to the Commission to represent the interests of children,

(b) the holders of parental responsibility over children, and

(c) the Ombudsman for Children.

Right to be forgotten: children

33. (1) Subject to subsection (3), in accordance with Article 17, a controller shall, at the request of a data subject, without undue delay erase personal data of the data subject where the data have been collected in relation to the offer to that data subject of information society services referred to in Article 8(1).

(2) Subject to subsection (3), where a controller has disclosed the personal data which are the subject of a request under subsection (1) to another controller or controllers, the first-mentioned controller shall, taking account of available technology and the cost of implementation, take all reasonable steps, including technical measures, to inform the other controller or controllers which are processing that personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

(3) Subsections (1) and (2) shall not apply to the extent that the processing of the personal data concerned is necessary for the purposes set out in Article 17(3).

Designation of data protection officer

34. (1) The Minister may, following consultation with such other Minister of the Government as he or she considers appropriate and the Commission, make regulations requiring controllers, processors, associations or other bodies representing categories of controllers or processors to designate a data protection officer in accordance with Article 37(4).

(2) Regulations under subsection (1) may apply to—

(a) one or more than one class of controller,

(b) one or more than one class of processor, or

(c) one or more than one class of association or other body representing categories of controllers or processors.

(3) In making regulations under subsection (1) the Minister shall have regard to the need for the protection of individuals with regard to the processing of their personal data and, without prejudice to the generality of the foregoing, shall have regard in particular to—

(a) the nature, scope, context and purposes of the processing,

(b) risks arising for the rights and freedoms of individuals,

(c) the likelihood and the severity of such risk for the individuals concerned, and

(d) the costs of implementation of any requirement if it were imposed under that subsection.

Accreditation of certification bodies by Irish National Accreditation Board

35. The Irish National Accreditation Board is the accreditation body for the purposes of Article 43(1).

Suitable and specific measures for processing

36. (1) Where a requirement that suitable and specific measures be taken to safeguard the fundamental rights and freedoms of data subjects in processing personal data of those subjects is imposed by this Act or regulations made under this Act, those measures may include in particular the following—

(a) explicit consent of the data subject for the processing of his or her personal data for one or more specified purposes,

(b) limitations on access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data,

(c) strict time limits for the erasure of personal data and mechanisms to ensure that such limits are observed,

(d) specific targeted training for those involved in processing operations, and

(e) having regard to the state of the art, the context, nature, scope and purposes of data processing and the likelihood of risk to, and the severity of any risk to, the rights and freedoms of data subjects—

(i) logging mechanisms to permit verification of whether and by whom the personal data have been consulted, altered, disclosed or erased,

(ii) in cases in which it is not mandatory under the Data Protection Regulation, designation of a data protection officer,

(iii) where the processing involves data relating to the health of a data subject, a requirement that the processing is undertaken by a person referred to in section 52(2),

(iv) pseudonymisation of the personal data, and

(v) encryption of the personal data.

(2) Regulations may be made for either or both of the following purposes—

(a) to identify additional suitable and specific measures (to those referred to in paragraphs (a) to (e) of subsection (1)) that may be taken to safeguard the fundamental rights and freedoms of data subjects in the processing of personal data of those subjects for the purposes of the requirement referred to in subsection (1),

(b) to specify that a measure or measures referred to in paragraphs (a) to (e) of subsection (1) or an additional measure or measures identified under paragraph (a), or both, is or are mandatory in respect of the processing to which they are stated to apply.

(3) Without prejudice to the generality of subsection (2)(a), additional suitable and specific measures identified in regulations made under that subsection may relate to—

(a) governance structures,

(b) processes or procedures for risk assessment purposes,

(c) processes or procedures for the management and conduct of research projects, and

(d) other technical and organisational measures designed to ensure that the processing is carried out in accordance with the Data Protection Regulation and processes for testing and evaluating the effectiveness of such measures.

(4) Regulations under subsection (2) may—

(a) identify different measures for different categories of personal data, different categories of controllers, different types of processing or categories of processing, and

(b) specify that a measure or measures referred to in subsection (2)(b) is or are mandatory in respect of the processing of different categories of personal data, processing by different categories of controllers and in respect of different types of processing or categories of processing.

(5) Subject to subsection (6), regulations may be made under subsection (2)

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(6) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (2).

(7) The Commission may, on being consulted under subsection (6), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(8) In making regulations under subsection (2), the Minister or any other Minister of the Government, as the case may be, shall have regard to the public interest and the need for protection of individuals with regard to the processing of their personal data and, without prejudice to the generality of the foregoing shall have regard to—

(a) the nature, scope, context and purposes of the processing,

(b) risks arising for the rights and freedoms of individuals, and

(c) the likelihood and the severity of the risks for the individuals concerned.

Limitation on transfers of personal data outside the European Union

37. (1) The Minister may, in the absence of an adequacy decision under Article 45, following consultation with such other Minister of the Government as he or she considers appropriate and the Commission, make regulations restricting the transfer of categories of personal data to a third country or an international organisation for important reasons of public policy.

(2) Regulations under subsection (1) shall specify the important reasons of public policy for restricting the transfer concerned and may be expressed to apply by reference to one or more of the following—

(a) a category or categories of personal data,

(b) a third country or classes of third country, or

(c) an international organisation.

(3) In making regulations under subsection (1), the Minister shall have regard to the public interest and the need for protection of individuals with regard to the processing of their personal data and, without prejudice to the generality of the foregoing, shall in particular have regard to—

(a) the nature, scope, context and purposes of the processing,

(b) the desirability of facilitating international transfers of data,

(c) risks arising for the rights and freedoms of individuals, and

(d) the likelihood and the severity of such risks for individuals concerned.

Processing for a task carried out in the public interest or in the exercise of official authority

38. (1) The processing of personal data shall be lawful to the extent that such processing is necessary and proportionate for—

(a) the performance of a function of a controller conferred by or under an enactment or by the Constitution, or

(b) the administration by or on behalf of a controller of any non-statutory scheme, programme or funds where the legal basis for such administration is a function of a controller conferred by or under an enactment or by the Constitution.

(2) Subject to subsection (3), the processing of personal data and disclosure of that data to a person for the purposes of preserving the Common Travel Area, or any part of that Area, shall be lawful where the controller is an Irish air carrier, an air carrier or a sea carrier.

(3) The Minister shall, following consultation with such other Minister of the Government as he or she considers appropriate and the Commission, make regulations for the purposes of subsection (2) specifying—

(a) the part of the Common Travel Area to which the regulations apply,

(b) the personal data that may be processed,

(c) the circumstances in which the personal data may be disclosed, including specifying the person to whom the data may be disclosed, and

(d) such other conditions (if any) as the Minister considers appropriate to impose on such processing.

(4) Subject to subsection (5), the processing of personal data which is necessary for the performance of a task carried out in the public interest by a controller or which is necessary in the exercise of official authority vested in a controller may be specified in regulations made—

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(5) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (4).

(6) The Commission may, on being consulted under subsection (5), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(7) Regulations made under subsection (4) shall specify—

(a) the personal data that may be processed,

(b) the circumstances in which the personal data may be processed, including specifying the persons to whom the data may be disclosed, and

(c) such other conditions (if any) as the Minister or any other Minister of the Government, as the case may be, considers appropriate to impose on such processing.

(8) In this section—

“air carrier” means an undertaking established in the State that provides air services;

“air service” has the meaning it has in Regulation (EC) No. 1008/2008 of the European Parliament and of the Council of 24 September 2008 on common rules for the operation of air services in the Community (Recast);

“Common Travel Area” means the State, the United Kingdom of Great Britain and Northern Ireland, the Channel Islands and the Isle of Man;

“Irish air carrier” means an undertaking with a valid operating licence, within the meaning of Regulation (EC) No. 1008/2008 of the European Parliament and of the Council of 24 September 2008, granted by the Commission for Aviation Regulation;

“passenger” means a person carried by an air carrier on an aircraft, or as the case may be, a sea carrier in a passenger ship, other than a member of the crew of the aircraft or passenger ship concerned;

“passenger ship” means a sea-going ship that carries more than 12 passengers;

“sea carrier” means an undertaking established in the State that, for remuneration, carries passengers by sea in a passenger ship.

Communication with data subjects by political parties, candidates for and holders of certain elective political offices

39. (1) A specified person may, in the course of that person’s electoral activities in the State, use the personal data of a data subject for the purpose of communicating in writing (including by way of newsletter or circular) with the data subject.

(2) Communicating in accordance with subsection (1) shall, for the purposes of Article 6(1)(e), be considered to be the performance of a task carried out in the public interest.

(3) In this section, “specified person” means—

(a) a political party,

(b) a member of either House of the Oireachtas, the European Parliament or a local authority, or

(c) a candidate for election to the office of President of Ireland or for membership of either House of the Oireachtas, the European Parliament or a local authority.

(4) In this section and in sections 48, 58 and 59, “electoral activities” includes the dissemination of information, including information as to a person’s activities and policies, that might reasonably be of interest to electors.

Processing of personal data and special categories of personal data by elected representatives

40. (1) For the purpose of enabling an elected representative to perform his or her functions as such a representative, the processing of personal data and special categories of personal data of a data subject by or on behalf of that representative shall be lawful where he or she receives a request or representation from the data subject or where, in accordance with subsection (2), he or she receives a request or representation from another person on behalf of the data subject.

(2) A person may make a request or representation on behalf of a data subject where the data subject—

(a) has given his or her consent to the making of the request or representation, as the case may be, or

(b) is, by reason of his or her physical or mental incapacity or age, unable to make a request or representation on his or her own behalf.

(3) In processing special categories of personal data under subsection (1), an elected representative shall impose limitations on access to that data to prevent unauthorised consultation, alteration, disclosure or erasure of that data.

(4) For the purpose referred to in subsection (1) and to the extent that disclosure is necessary and proportionate to enable an elected representative to deal with a request or representation referred to in that subsection, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, it shall be lawful for a person to disclose to the representative or a person acting on his or her behalf personal data and special categories of personal data of a data subject who makes the request or representation, or on whose behalf the request or representation is made, as the case may be, to enable that representative respond to that request or representation.

(5) In this section, “elected representative” means—

(a) a member of either House of the Oireachtas,

(b) a member of the European Parliament,

(c) a member of a local authority.

Processing for purpose other than purpose for which data collected

41. Without prejudice to the processing of personal data for a purpose other than the purpose for which the data has been collected which is lawful under the Data Protection Regulation, the processing of personal data and special categories of personal data for a purpose other than the purpose for which the data has been collected shall be lawful to the extent that such processing is necessary and proportionate for the purposes—

(a) of preventing a threat to national security, defence or public security,

(b) of preventing, detecting, investigating or prosecuting criminal offences, or

(c) set out in paragraph (a) or (b) of section 47.

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

42. (1) Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, personal data may be processed, in accordance with Article 89, for—

(a) archiving purposes in the public interest,

(b) scientific or historical research purposes, or

(c) statistical purposes.

(2) Processing of personal data for the purposes referred to in subsection (1) shall respect the principle of data minimisation.

(3) Where the purposes referred to in paragraph (a), (b) or (c) of subsection (1) can be fulfilled by processing which does not permit, or no longer permits, identification of data subjects, the processing of information for such purposes shall be fulfilled in that manner.

Data processing and freedom of expression and information

43. (1) The processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, shall be exempt from compliance with a provision of the Data Protection Regulation specified in subsection (2) where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with the provision would be incompatible with such purposes.

(2) The provisions of the Data Protection Regulation specified for the purposes of subsection (1) are Chapter II (principles), other than Article 5(1)(f), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries and international organisations), Chapter VI (independent supervisory authorities) and Chapter VII (cooperation and consistency).

(3) The Commission may, on its own initiative, refer any question of law which involves consideration of whether processing of personal data is exempt in accordance with subsection (1) to the High Court for its determination.

(4) An appeal shall, by leave of the High Court, lie from a determination of that Court on a question of law under subsection (3) to the Court of Appeal.

(5) In order to take account of the importance of the right to freedom of expression and information in a democratic society that right shall be interpreted in a broad manner.

Data processing and public access to official documents

44. (1) For the purposes of Article 86, personal data contained in a record may be disclosed where a request for access to the record is granted under and in accordance with the Act of 2014 pursuant to an FOI request.

(2) For the purposes of Article 86, personal data contained in environmental information may be disclosed where the information is made available under and in accordance with the Access to Information on the Environment Regulations pursuant to a request within the meaning of those Regulations.

(3) In this section—

“Access to Information on the Environment Regulations” means the European Communities (Access to Information on the Environment) Regulations 2007 (S.I. No. 133 of 2007);

“Act of 2014” means the Freedom of Information Act 2014;

“environmental information” has the same meaning as it has in the Access to Information on the Environment Regulations;

“FOI request” has the same meaning as it has in the Act of 2014;

“record” has the same meaning as it has in the Act of 2014.

Chapter 2

Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences

Processing of special categories of personal data

45. Subject to compliance with the Data Protection Regulation and any other relevant enactment or rule of law, the processing of special categories of personal data shall be lawful to the extent the processing is—

(a) authorised by section 41 and sections 46 to 54, or

(b) otherwise authorised by Article 9.

Processing of special categories of personal data for purposes of employment and social welfare law

46. Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.

Processing of special categories of personal data for purpose of legal advice and legal proceedings

47. The processing of special categories of personal data shall be lawful where the processing—

(a) is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or

(b) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission

48. Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of personal data revealing political opinions shall be lawful where the processing is carried out—

(a) in the course of electoral activities in the State for the purpose of compiling data on peoples’ political opinions by—

(i) a political party, or

(ii) a candidate for election to, or a holder of, elective political office in the State,

and

(b) by the Referendum Commission in the performance of its functions.

Processing of special categories of personal data for purposes of administration of justice and performance of functions

49. Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where the processing respects the essence of the right to data protection and is necessary and proportionate for—

(a) the administration of justice, or

(b) the performance of a function conferred on a person by or under an enactment or by the Constitution.

Processing of special categories of personal data for insurance and pension purposes

50. Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of data concerning health shall be lawful where the processing is necessary and proportionate for the purposes of the following:

(a) a policy of insurance or life assurance,

(b) a policy of health insurance or health-related insurance,

(c) an occupational pension, a retirement annuity contract or any other pension arrangement, or

(d) the mortgaging of property.

Processing of special categories of personal data and Article 10 data for reasons of substantial public interest

51. (1) Processing of special categories of personal data shall be lawful where the processing is carried out in accordance with regulations made under subsection (3).

(2) Article 10 data may be processed where the processing is carried out in accordance with regulations made under subsection (3).

(3) Regulations may be made authorising the processing, where necessary for reasons of substantial public interest, of either or both of the following—

(a) special categories of personal data, and

(b) without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016, Article 10 data.

(4) Without prejudice to the generality of subsection (3), regulations made under that subsection shall identify—

(a) the substantial public interest concerned, and

(b) the suitable and specific measures to be taken to safeguard the fundamental rights and freedoms of data subjects in processing the personal data which is authorised by the regulations.

(5) For the purposes of subsection (4)(b), subsections (2) to (8) of section 36 shall apply in like manner to regulations made under subsection (3) as they apply to regulations made under section 36.

(6) Regulations may be made under subsection (3) by—

(a) the Minister, following consultation with such other Minister of the Government as he or she considers appropriate and the Commission, or

(b) any other Minister of the Government following consultation with the Minister, such other Minister of the Government as he or she considers appropriate and the Commission.

(7) The Minister or any other Minister of the Government, as the case may be, making regulations under subsection (3) shall have regard to the need for the protection of individuals with regard to the processing of their personal data, and without prejudice to the generality of that need, have regard to—

(a) the nature, scope and purposes of the processing,

(b) the nature of the substantial public interest concerned,

(c) any benefits likely to arise for the data subjects concerned,

(d) any risks arising for the rights and freedoms of such subjects, and

(e) the likelihood of any such risks arising and the severity of such risks.

(8) Regulations made under subsection (3) shall—

(a) respect the essence of the right to data protection, and

(b) enable processing of such data only in so far as is necessary and proportionate to the aim sought to be achieved.

(9) In this section, “Article 10 data” has the meaning assigned to it by section 55.

Processing of special categories of personal data for purposes of Article 9(2)(h)

52. (1) Subject to subsection (2) and to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary—

(a) for the purposes of preventative or occupational medicine,

(b) for the assessment of the working capacity of an employee,

(c) for medical diagnosis,

(d) for the provision of medical care, treatment or social care,

(e) for the management of health or social care systems and services, or

(f) pursuant to a contract with a health practitioner.

(2) Processing shall be lawful in accordance with subsection (1) where it is undertaken by or under the responsibility of—

(a) a health practitioner, or

(b) a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner.

(3) In this section, “health practitioner” has the same meaning as it has in the Health Identifiers Act 2014.

Processing of special categories of personal data for purposes of public interest in the area of public health

53. Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including—

(a) protecting against serious cross-border threats to health, and

(b) ensuring high standards of quality and safety of health care and of medicinal products and medical devices.

Processing of special categories of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

54. Subject to compliance with section 42, the processing of special categories of personal data is lawful where such processing is necessary and proportionate for—

(a) archiving purposes in the public interest,

(b) scientific or historical research purposes, or

(c) statistical purposes.

Processing of personal data relating to criminal convictions and offences

55. (1) Without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and subject to compliance with Article 6(1) and to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, personal data referred to in Article 10 (in this section referred to as “Article 10 data”) may be processed—

(a) under the control of official authority, or

(b) where—

(i) the data subject has given explicit consent to the processing for one or more specified purposes except where the law of the European Union or the law of the State prohibits such processing,

(ii) processing is necessary and proportionate for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,

(iii) processing is—

(I) necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or

(II) otherwise necessary for the purposes of establishing, exercising or defending legal rights,

(iv) processing is necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person, or

(v) processing is permitted in regulations made under subsection (3) or is otherwise authorised by the law of the State.

(2) Processing under the control of official authority referred to in subsection (1)(a) includes processing required for the following purposes:

(a) the administration of justice;

(b) the exercise of a regulatory, authorising or licensing function or determination of eligibility for benefits or services;

(c) protection of the public against harm arising from dishonesty, malpractice, breaches of ethics or other improper conduct by, or the unfitness or incompetence of, persons who are or were authorised to carry on a profession or other activity;

(d) enforcement actions aimed at preventing, detecting or investigating breaches of the law of the European Union or the law of the State that are subject to civil or administrative sanctions;

(e) archiving in the public interest, scientific or historical research purposes or statistical purposes where the processing is carried out in accordance with section 42 for those purposes by or on behalf of a public authority or public body.

(3) Without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject and subject to subsection (7), regulations may be made permitting the processing of Article 10 data where the processing is necessary and proportionate to—

(a) assess the risk of fraud or prevent fraud,

(b) assess the risk of bribery or corruption, or both, or to prevent bribery or corruption, or both, or

(c) ensure network and information systems security, and prevent attacks on and damage to computer and electronic communications systems.

(4) Subject to subsection (5), regulations may be made under subsection (3)

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(5) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (3).

(6) The Commission may, on being consulted under subsection (5), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(7) The Minister or any other Minister of the Government, as the case may be, making regulations under subsection (3) shall have regard to the need for the protection of individuals with regard to the processing of their personal data and without prejudice to the generality of that need, have regard to—

(a) the nature, scope and purposes of the processing,

(b) any risks arising for the rights and freedoms of individuals, and

(c) the likelihood of any such risks arising and the severity of such risks.

(8) A person who knowingly or recklessly contravenes this section or any regulations made under subsection (3) shall be guilty of an offence and shall be liable—

(a) on summary conviction to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

(9) In this section, “Article 10 data” shall include personal data relating to the alleged commission of an offence and any proceedings in relation to such an offence.

Chapter 3

Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers

Right of access to results and scripts of examination and results of appeal

56. (1) Subject to subsection (3), a request by a data subject under Article 15 in relation to the result of an examination at which he or she was a candidate, or in relation to a script completed by him or her in the course of such an examination shall, for the purposes of that Article, be taken to have been made on the later of—

(a) the date of the first publication of the results of the examination, or

(b) the date of the request.

(2) A request by a data subject under Article 15 in relation to the result of an appeal by the data subject against the result of an examination at which he or she was a candidate shall, for the purposes of that Article, be taken to have been made on the later of—

(a) the date of the first publication of the results of the appeal, or

(b) the date of the request.

(3) Where—

(a) a request by a data subject referred to in subsection (1) relates to a script completed by him or her in the course of an examination in the Leaving Certificate Examinations conducted by the State Examinations Commission, and

(b) the data subject, whether before or after the making of that request, appeals the result of the examination referred to in paragraph (a),

that request shall be taken to have been made on the date of the first publication of the results of the appeal referred to in paragraph (b).

(4) In this section—

“appeal” means any formal process to enable a candidate to request a recheck of an examination result which is specified by a person who operates the examination;

“examination” means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his or her performance in any test, work or other activity;

“script” means any work produced by a candidate as part of an examination including any examination answer-book (whether in written or digital form), journal, portfolio, audio and visual recording, practical piece or artefact and, for the purposes of this definition, shall be deemed to include—

(a) an audio or visual recording, produced in the course of an examination, of the performance of the candidate in the examination, and

(b) any marks or comments added to the script, or made in relation to the script, by an examiner in the course of his or her marking of the script.

Rights in relation to automated decision making

57. (1) Subject to Article 22(4) and to suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject, for the purposes of Article 22(2)(b), the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her shall, in addition to the grounds identified in Article 22(2)(a) and (c), not apply where—

(a) the decision is authorised or required by or under an enactment, and

(b) either—

(i) the effect of that decision is to grant a request of the data subject, or

(ii) in all other cases (where subparagraph (i) is not applicable), adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject which steps shall include the making of arrangements to enable him or her to—

(I) make representations to the controller in relation to the decision,

(II) request human intervention in the decision-making process,

(III) request to appeal the decision.

(2) In the case of requests made under subsection (1)(b)(ii)(II) or (III) the controller shall—

(a) comply with the request, and

(b) notify the data subject in writing of—

(i) the steps taken to comply with the request, and

(ii) in the case of an appeal under subsection (1)(b)(ii)(III), the outcome of the appeal.

Direct marketing for purposes of Article 21

58. For the purposes of the application of Article 21 in the State, the reference to “direct marketing” includes a reference to direct mailing other than direct mailing carried out—

(a) in the course of electoral activities in the State by—

(i) a political party or its members, or

(ii) a candidate for election to, or a holder of, elective political office in the State,

and

(b) by the Referendum Commission in the performance of its functions.

Restriction on right of data subject to object to processing for election purposes and processing by Referendum Commission

59. The right of a data subject to object at any time to the processing of personal data concerning him or her under Article 21 shall not apply to processing carried out—

(a) in the course of electoral activities in the State by—

(i) a political party, or

(ii) a candidate for election to, or a holder of, elective political office in the State,

and

(b) by the Referendum Commission in the performance of its functions.

Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest

60. (1) The rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22—

(a) are restricted to the extent specified in subsection (3), and

(b) may be restricted in regulations made under subsections (5) or (6).

(2) Subsection (1) is without prejudice to any other enactment or rule of law which restricts the rights and obligations referred to in that subsection.

(3) Subject to subsection (4), the rights and obligations referred to in subsection (1) are restricted to the extent that—

(a) the restrictions are necessary and proportionate—

(i) to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State,

(ii) for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties,

(iii) for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration,

(iv) in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure,

(v) for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim, or

(vi) for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim,

(b) the personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information, or

(c) the personal data concerned are kept—

(i) by the Commission for the performance of its functions,

(ii) by the Information Commissioner for the performance of his or her functions, or

(iii) by the Comptroller and Auditor General for the performance of his or her functions.

(4) The Minister may prescribe requirements to be complied with when the rights and obligations referred to in subsection (1) are restricted in accordance with subsection (3).

(5) Subject to subsection (9), regulations may be made by a Minister of the Government where he or she considers it necessary for the protection of a data subject or the rights and freedoms of others restricting the rights and obligations referred to in subsection (1)

(a) (i) if the application of those rights and obligations would be likely to cause serious harm to the physical or mental health of the data subject, and

(ii) to the extent to which, and for as long as, such application would be likely to cause such serious harm,

and

(b) in relation to personal data kept for, or obtained in the course of, the carrying out of social work by a public authority, public body, a voluntary organisation or other body.

(6) Subject to subsection (9), regulations may be made restricting the rights and obligations referred to in subsection (1) where such restrictions are necessary for the purposes of safeguarding important objectives of general public interest and such regulations shall include, where appropriate, specific provisions required by Article 23(2).

(7) Important objectives of general public interest referred to in subsection (6) include:

(a) preventing threats to public security and public safety;

(b) avoiding obstructions to any official or legal inquiry, investigation or process, including any out-of-court redress procedure, proceedings pending or due before a court, tribunal of inquiry or commission of investigation;

(c) preventing, detecting, investigating and prosecuting breaches of discipline by, or the unfitness or incompetence of, persons who are or were authorised by law to carry on a profession or any other regulated activity and the imposition of sanctions for same;

(d) preventing, detecting, investigating or prosecuting breaches of ethics for regulated professions;

(e) taking any action for the purposes of considering and investigating a complaint made to a regulatory body in respect of a person carrying out a profession or other regulated activity where the profession or activity is regulated by that body and the imposition of sanctions on foot of such a complaint;

(f) preventing, detecting, investigating or prosecuting, whether in the State or elsewhere, breaches of the law which are subject to civil or administrative sanctions and enforcing such sanctions;

(g) the identification of assets which are derived from, or are suspected to derive from, criminal conduct and the taking of appropriate action to deprive or deny persons of those assets or the benefits of those assets and any investigation or preparatory work in relation to any related proceedings;

(h) ensuring the effective operation of the immigration system, the system for granting persons international protection in the State and the system for the acquisition by persons of Irish citizenship, including by preventing, detecting and investigating abuses of those systems or breaches of the law relating to those systems;

(i) safeguarding the economic or financial interests of the European Union or the State, including on monetary, budgetary and taxation matters;

(j) safeguarding monetary policy, the smooth operation of payment systems, the resolution of regulated financial service providers (within the meaning of the Central Bank Act 1942), the operation of deposit-guarantee schemes, the protection of consumers and the effective regulation of financial service providers (within the meaning of the Central Bank Act 1942);

(k) protecting members of the public against—

(i) financial loss or detriment due to the dishonesty, malpractice or other improper conduct of, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate or other entities,

(ii) financial loss or detriment due to the conduct of individuals who have been adjudicated bankrupt, or

(iii) financial loss or detriment due to the conduct of individuals who have been involved in the management of a body corporate which has been the subject of a receivership, examinership or liquidation under the Act of 2014;

(l) protecting—

(i) the health, safety, dignity, well-being of individuals at work against risks arising out of or in connection with their employment, and

(ii) members of the public against discrimination or unfair treatment in the provision of goods or services to them;

(m) the keeping of public registers for reasons of general public interest, whether the registers are accessible to the public on a general or restricted basis;

(n) safeguarding the integrity and security of examinations systems;

(o) safeguarding public health, social security, social protection and humanitarian activities.

(8) Where the rights and obligations referred to in subsection (1) are restricted in regulations made under subsection (6) on the basis of important objectives of general public interest of the State, other than the objectives referred to in subsection (7), the important objective or objectives of general public interest shall be identified in those regulations.

(9) Subject to subsection (10), regulations may be made under subsection (5) or (6)

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(10) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (5) or (6).

(11) The Commission may, on being consulted under subsection (10), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(12) Regulations made under this section shall—

(a) respect the essence of the right to data protection and protect the interests of the data subject, and

(b) restrict the exercise of data subjects’ rights only in so far as is necessary and proportionate to the aim sought to be achieved.

Restriction on exercise of data subjects’ rights: archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

61. (1) Subject to subsection (3), where processing of data is for archiving purposes in the public interest, the rights of a data subject set out in Articles 15, 16, 18, 19, 20 and 21 are restricted to the extent that—

(a) the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes, and

(b) such restriction is necessary for the fulfilment of those purposes.

(2) Subject to subsection (4), where processing of data is for scientific or historical research purposes or statistical purposes, the rights of a data subject set out in Articles 15, 16, 18 and 21 are restricted to the extent that—

(a) the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes, and

(b) such restriction is necessary for the fulfilment of those purposes.

(3) Where data is being processed for purposes referred to in subsection (1) and the processing serves another purpose at the same time, that subsection applies only to the extent that the processing relates to the purposes referred to in that subsection.

(4) Where data is being processed for purposes referred to in subsection (2) and the processing serves another purpose at the same time, that subsection applies only to the extent that the processing relates to the purposes referred to in that subsection.

PART 4

Provisions Consequent on Repeal of Certain Provisions of Data Protection Act 1988

Transfer of property of Data Protection Commissioner to Commission

62. (1) On the establishment day, all property (other than land), including choses-in-action, that immediately before that day was vested in the Data Protection Commissioner shall stand vested in the Commission.

(2) Every chose-in-action vested in the Commission by virtue of subsection (1) may, on and from the establishment day, be sued on, recovered or enforced by the Commission in its own name, and it shall not be necessary for the Commission to give notice to any person bound by the chose-in-action of the vesting effected by that subsection.

(3) On the establishment day all records that, immediately before that day, were records of the Data Protection Commissioner shall be records of the Commission and shall, accordingly, be transferred to the Commission.

Transfer of rights and liabilities of Data Protection Commissioner to Commission

63. (1) All rights and liabilities of the Data Protection Commissioner subsisting immediately before the establishment day and arising by virtue of any contract or commitment (express or implied) shall on that day stand transferred to the Commission.

(2) Every right and liability transferred by subsection (1) to the Commission may, on and after the establishment day, be sued on, recovered or enforced by or against the Commission in its own name, and it shall not be necessary for the Commission to give notice to the person whose right or liability is transferred by that subsection of such transfer.

Liability for loss occurring before establishment day

64. (1) A claim in respect of any loss or injury alleged to have been suffered by any person arising out of the performance before the establishment day of any of the functions of the Data Protection Commissioner shall after that day, lie against the Commission and not against the Data Protection Commissioner.

(2) Any legal proceedings pending immediately before the establishment day to which the Data Protection Commissioner is a party, shall be continued, with the substitution in the proceedings of the Commission for the Data Protection Commissioner.

(3) Where, before the establishment day, agreement has been reached between the parties concerned in settlement of a claim to which subsection (1) relates, the terms of which have not been implemented, or judgment in such a claim has been given in favour of a person but has not been enforced, the terms of the agreement or judgment, as the case may be, shall, in so far as they are enforceable against the Data Protection Commissioner, be enforceable against the Commission and not the Data Protection Commissioner.

(4) Any claim made or proper to be made by the Data Protection Commissioner in respect of any loss or injury arising from the act or default of any person before the establishment day shall be regarded as having been made by or proper to be made by the Commission and may be pursued and sued for by the Commission as if the loss or injury had been suffered by the Commission.

Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission

65. (1) Anything commenced and not completed before the establishment day by or under the authority of the Data Protection Commissioner may, in so far as it relates to a function transferred to the Commission under section 14, be carried on or completed on or after the establishment day by the Commission.

(2) Every instrument made under an enactment and every document (including any certificate or notice) granted, made or issued, in the performance of a function transferred by section 14, shall, if and in so far as it was operative immediately before the establishment day, have effect on and after that day as if it had been granted, made or issued by the Commission.

(3) References to the Data Protection Commissioner in the memorandum or articles of association of any company shall, on and after the establishment day, be construed as references to the Commission.

(4) A certificate signed by the Minister that any property, right or liability has or, as the case may be, has not vested in the Commission under section 62 or 63 shall be sufficient evidence, unless the contrary is shown, of the fact so certified for all purposes.

Final accounts and final annual report of Data Protection Commissioner

66. (1) The Commission shall, in respect of the period specified under subsection (3), prepare final accounts of the Data Protection Commissioner.

(2) The Commission shall submit the final accounts to the Comptroller and Auditor General for audit not later than 3 months after the establishment day.

(3) For the purposes of subsection (1), the Minister may specify a period that is longer or shorter than a financial year of the Data Protection Commissioner.

(4) The Commission shall prepare the final annual report for the Data Protection Commissioner and cause a copy of the report to be laid before each House of the Oireachtas not later than 6 months after the establishment day.

Saver for scheme relating to superannuation

67. A scheme made under section 9 and paragraph 7(a) of the Second Schedule to the Act of 1988 that was in force immediately prior to coming into operation of section 7 in so far as it relates to the repeal of section 9 and paragraph 7(a) of the Second Schedule to the Act of 1988 shall continue in force on and after that coming into operation as if the scheme had been made under section 22 and—

(a) a person who was a member of the scheme on that coming into operation shall continue to be a member, and

(b) the provisions of that section shall apply accordingly.

Saver for regulations under Act of 1988

68. (1) Notwithstanding subsection (1) of section 8, the Data Protection Act 1988 (Section 2A) Regulations 2013 (S.I. No. 313 of 2013) and the Data Protection Act 1988 (Section 2A) Regulations 2016 (S.I. No. 220 of 2016) shall, in addition to applying for the purposes referred to in that subsection, apply for all other purposes for which they applied immediately before the commencement of that subsection and, in so far only as they apply for the second-mentioned purposes, they shall be deemed to have been made under section 38 and may be amended or revoked accordingly.

(2) (a) The Data Protection Health Regulations shall continue in force upon and after the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) until the first set of regulations are made under section 60(5)(a).

(b) The Data Protection Health Regulations are amended—

(i) in Regulation 3, by—

(I) the deletion of the definition of “the Act”,

(II) the deletion of the definition of “health professional”, and

(III) the insertion of the following definitions:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘health practitioner’ has the same meaning as it has in the Health Identifiers Act 2014.”,

(ii) in Regulation 4(1), by—

(I) the substitution of “a request under Article 15 of the Data Protection Regulation” for “a request under section 4(1)(a) of the Act”, and

(II) the substitution of “the physical or mental health of the data subject, but this restriction on providing information applies only to the extent to which, and for so long as, that likelihood pertains.” for “the physical or mental health of the data subject.”,

(iii) in Regulation 5, by—

(I) the substitution of “health practitioner” for “health professional” in each place it occurs,

(II) the substitution, in paragraph (1)(a), of “a request under the said Article 15 of the Data Protection Regulation” for “a request under the said section 4(1)(a)”, and

(III) the substitution, in paragraph (2)(a), of “within the meaning of section 2 of the Medical Practitioners Act 2007 or a medical practitioner practising medicine pursuant to section 50 of that Act” for “within the meaning of the Medical Practitioners Act 1978 (No. 4 of 1978), or registered dentist, within the meaning of the Dentists Act 1985 (No. 9 of 1985)”,

and

(iv) by the deletion of Regulation 6.

(c) A request referred to in Regulation 4(1) of the Data Protection Health Regulations which includes a request for health data (within the meaning of those Regulations) that was received but not responded to before the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) shall be treated as if it were a request under Article 15 of the Data Protection Regulation.

(3) (a) The Data Protection Social Work Regulations shall continue in force upon and after the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) until the first set of regulations are made under section 60(5)(b).

(b) The Data Protection Social Work Regulations are amended—

(i) in Regulation 3, by—

(I) the deletion of the definition of “the Act”,

(II) the insertion of the following definition:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,

and

(III) the substitution of the following definition for the definition of “social work data”:

“ ‘social work data’ means personal data kept for, or obtained in the course of, carrying out social work by a public authority, public body, voluntary organisation or other body but excludes any health data within the meaning of the Data Protection (Access Modification) (Health) (Regulations) 1989 (S.I. No. 82 of 1989) and ‘social work’ shall be construed accordingly.”,

(ii) in Regulation 4—

(I) in paragraph (1), by—

(A) the substitution of “a request under Article 15 of the Data Protection Regulation” for “a request under section 4(1)(a) of the Act”, and

(B) the substitution of “the physical or mental health or emotional condition of the data subject, but this restriction on providing information applies only to the extent to which, and for as long as, that likelihood pertains.” for “the physical or mental health or emotional condition of the data subject.”,

and

(II) in paragraph (3), by the substitution of “under Article 15 of the Data Protection Regulation” for “under section 4(1)(a) of the Act”,

and

(iii) the deletion of Regulation 5.

(c) A request referred to in Regulation 4(1) of the Data Protection Social Work Regulations which includes a request for social work data (within the meaning of those Regulations) that was received but not responded to before the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) shall be treated as if it were a request under Article 15 of the Data Protection Regulation.

(4) The Regulations of 2011 shall apply to—

(a) each special category of personal data that, immediately before the coming into operation of this section—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

and

(b) Article 10 data that, immediately before such coming into operation—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.

(5) The Regulations of 2011 are amended—

(a) in Regulation 3, by the substitution of “Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, processing” for “Processing”,

(b) in Regulation 4, by the substitution of “Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, processing” for “Processing”, and

(c) by the insertion of the following Regulation after Regulation 6:

“7. In these Regulations, “suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects” shall be construed in accordance with section 36 of the Data Protection Act 2018.”.

(6) The Regulations of 2015 shall, in addition to applying to sensitive personal data to which the Act of 1988 applies, apply to—

(a) each special category of personal data that, immediately before the coming into operation of this section—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

and

(b) Article 10 data that, immediately before such coming into operation—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.

(7) The Regulations of 2015 are amended—

(a) in Regulation 2, by the substitution of “Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing” for “The processing”, and

(b) by the insertion of the following Regulation after Regulation 2:

“3. In these Regulations, “suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects” shall be construed in accordance with section 36 of the Data Protection Act 2018.”.

(8) The Regulations of 2016 shall, in addition to applying to sensitive personal data to which the Act of 1988 applies, apply to—

(a) each special category of personal data that, immediately before the coming into operation of this section—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

and

(b) Article 10 data that, immediately before such coming into operation—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.

(9) The Regulations of 2016 are amended—

(a) in Regulation 2, by the substitution of “Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing” for “The processing”, and

(b) by the insertion of the following Regulation after Regulation 2:

“3. In these Regulations, “suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects” shall be construed in accordance with section 36 of the Data Protection Act 2018.”.

(10) In this section—

“Article 10 data” has the meaning assigned to it in section 55;

“Data Protection Health Regulations” means the Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989);

“Data Protection Social Work Regulations” means the Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989);

“Regulations of 2011” means the Data Protection Act 1988 (Section 2B) Regulations 2011 (S.I. No. 486 of 2011);

“Regulations of 2015” means the Data Protection Act 1988 (Section 2B) Regulations 2015 (S.I. No. 240 of 2015);

“Regulations of 2016” means the Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016 (S.I. No. 427 of 2016);

“sensitive personal data” has the meaning assigned to it by the Act of 1988.

PART 5

Processing of Personal Data for Law Enforcement Purposes

Chapter 1

Preliminary and general (Part 5)

Interpretation (Part 5)

69. (1) In this Part—

“biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual that allow or confirm the unique identification of the individual, including facial images or dactyloscopic data;

“competent authority”, subject to subsection (2), means—

(a) a public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security, or

(b) any other body or entity authorised by law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security;

“controller”, subject to subsection (2), means—

(a) a competent authority that, whether alone or jointly with others, determines the purposes and means of the processing of personal data, or

(b) where the purposes and means of the processing of personal data are determined by the law of the European Union or otherwise by the law of the State, a controller nominated—

(i) by that law, or

(ii) in accordance with criteria specified in that law;

“data concerning health” means personal data relating to the physical or mental health of an individual, including the provision of health care services to the individual, that reveal information about the status of his or her health;

“data protection impact assessment” has the meaning assigned to it by section 84 (1);

“data protection officer” has the meaning assigned to it by section 88 (1);

“data subject” means an individual to whom personal data relate;

“genetic data” means personal data relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of the individual and that result, in particular, from an analysis of a biological sample from the individual in question;

“international organisation” means—

(a) an organisation, and subordinate bodies of an organisation, governed by public international law, or

(b) any other body that is established by, or on the basis of, an agreement between two or more states;

“joint controller” has the meaning assigned to it by section 79 (1);

“online identifier” includes an internet protocol address, a cookie identifier or other identifier such as a radio frequency identification tag;

“personal data” means information relating to—

(a) an identified living individual, or

(b) a living individual who can be identified from the data, directly or indirectly, in particular by reference to—

(i) an identifier such as a name, an identification number, location data or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;

“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“processing”, of or in relation to personal data, means an operation or a set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, including—

(a) the collection, recording, organisation, structuring or storing of the data,

(b) the adaptation or alteration of the data,

(c) the retrieval, consultation or use of the data,

(d) the disclosure of the data by their transmission, dissemination or otherwise making the data available,

(e) the alignment or combination of the data, or

(f) the restriction, erasure or destruction of the data;

“processor” means an individual who, or a legal person, public authority, agency or other body that, processes personal data on behalf of a controller, but does not include an employee of a controller who processes such data in the course of his or her employment;

“profiling” means any form of automated processing of personal data consisting of the use of the data to evaluate certain personal aspects relating to an individual, including to analyse or predict aspects concerning the individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“pseudonymisation” means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that—

(a) such additional information is kept separately from the data, and

(b) is subject to technical and organisational measures to ensure that the data are not attributed to an identified or identifiable individual;

“rectification”, of or in relation to personal data, includes, where the data concerned are incomplete, the completion of the data, whether by means of a supplementary statement or otherwise;

“recipient”, of or in relation to personal data, means an individual to whom, or a legal person, public authority, agency or other body to which, the data are disclosed, and includes a third party;

“relevant filing system” means a set of personal data, whether centralised, decentralised or dispersed on a functional or geographical basis, where the set is structured according to specific criteria in such a way that the data are readily accessible according to those criteria;

“restrict”—

(a) in relation to the exercise of the right of a data subject—

(i) under section 87 (1) to be notified of a personal data breach,

(ii) under section 92 (10) to be notified of the restriction of the processing of personal data under subsection (9) of that section, or

(iii) under section 92 (11) to be notified of a decision not to rectify or erase data pursuant to a request under subsection (1) or (3) of that section, as the case may be,

means—

(I) to delay the notification concerned,

(II) to limit the information contained in the notification concerned, or

(III) not to make the notification concerned,

and

(b) in relation to the exercise of the right of a data subject—

(i) under section 90 (1) in so far as relates to the provision to the data subject of information specified in subsection (2)(f) of that section, or

(ii) under section 91 (1)(a) or (b),

means—

(I) to delay the provision of the information concerned,

(II) to limit the information concerned provided to the data subject, or

(III) not to provide the information concerned;

“restriction of processing” means the marking, by or on behalf of a controller, of personal data for which the controller is responsible for the purpose of limiting their processing in the future;

“special categories of personal data” means—

(a) personal data revealing—

(i) the racial or ethnic origin of the data subject,

(ii) the political opinions or the religious or philosophical beliefs of the data subject, or

(iii) whether the data subject is a member of a trade union,

(b) genetic data,

(c) biometric data for the purposes of uniquely identifying an individual,

(d) data concerning health, or

(e) personal data concerning an individual’s sex life or sexual orientation.

(2) Where a reference is made in this Part—

(a) to a controller in a Member State other than the State, for the purposes of that reference—

(i) in the definition of “competent authority” in subsection (1), the references to “in the State” shall be construed as meaning “in the Member State concerned”, and

(ii) in the definition of “controller” in subsection (1), the reference to “the law of the State” shall be construed as meaning “the law of the Member State concerned”,

or

(b) to a controller in a third country, for the purposes of that reference—

(i) in the definition of “competent authority” in subsection (1), the references to “in the State” shall be construed as meaning “in the state concerned”, and

(ii) in the definition of “controller” in subsection (1), the reference to “the law of the European Union or the law of the State” shall be construed as meaning “the law of the state concerned”.

(3) A word or expression that is used in this Part and is also used in the Directive has, unless the context otherwise requires, the same meaning in this Part as it has in the Directive.

Application of Part 5

70. (1) This Part applies, subject to subsection (2), to the processing of personal data by or on behalf of a controller where the processing is carried out—

(a) for the purposes of—

(i) the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security, or

(ii) the execution of criminal penalties,

and

(b) by means that—

(i) are wholly or partly automated, or

(ii) where the personal data form part of, or are intended to form part of, a relevant filing system, are not automated.

(2) This Part shall not apply to the processing of personal data—

(a) that occurs in the course of an activity falling outside the scope of the law of the European Union,

(b) by an institution, body, office or agency of the European Union, or

(c) to which section 8 (1)(b) applies.

Chapter 2

General principles of data protection

Processing of personal data

71. (1) A controller shall, as respects personal data for which it is responsible, comply with the following provisions:

(a) the data shall be processed lawfully and fairly;

(b) the data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes;

(c) the data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed;

(d) the data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) the data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed;

(f) the data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against—

(i) unauthorised or unlawful processing, and

(ii) accidental loss, destruction or damage.

(2) The processing of personal data shall be lawful where, and to the extent that—

(a) the processing is necessary for the performance of a function of a controller for a purpose specified in section 70 (1)(a) and the function has a legal basis in the law of the European Union or the law of the State, or

(b) the data subject has, subject to subsection (3), given his or her consent to the processing.

(3) Where the processing of personal data is to be carried out on the basis of the consent of the data subject referred to in subsection (2)(b), the processing shall be lawful only where, and to the extent that—

(a) having been informed of the intended purpose of the processing and the identity of the controller, the data subject gives his or her consent freely and explicitly,

(b) the request for consent is expressed in clear and plain language, and where such consent is given in the context of a written statement that also concerns other matters, the request for consent is presented to the data subject in a manner that is clearly distinguishable from those other matters, and

(c) the data subject may withdraw his or her consent at any time, and he or she shall be informed of this possibility prior to giving consent.

(4) Where a data subject withdraws his or her consent to the processing of personal data pursuant to subsection (3)(c), the withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to the consent being withdrawn.

(5) Where a controller collects personal data for a purpose specified in section 70 (1)(a), the controller or another controller may process the data for a purpose so specified other than the purpose for which the data were collected, in so far as—

(a) the controller is authorised to process such personal data for such a purpose in accordance with the law of the European Union or the law of the State, and

(b) the processing is necessary and proportionate to the purpose for which the data are being processed.

(6) A controller may process personal data, whether the data were collected by the controller or another controller, for—

(a) archiving purposes in the public interest,

(b) scientific or historical research purposes, or

(c) statistical purposes,

provided that the said processing—

(i) is for a purpose specified in section 70 (1)(a), and

(ii) is subject to appropriate safeguards for the rights and freedoms of data subjects.

(7) A controller shall ensure, in relation to personal data for which it is responsible, that an appropriate time limit is established for—

(a) the erasure of the data, or

(b) the carrying out of periodic reviews of the need for the retention of the data.

(8) Where a time limit is established in accordance with subsection (7), the controller shall ensure, by means of procedural measures, that the time limit is observed.

(9) A processor, or any person acting under the authority of the controller or of the processor who has access to personal data, shall not process the data unless the processor or person is—

(a) authorised to do so by the controller, or

(b) required to do so by the law of the European Union or the law of the State,

and then only to the extent so authorised or required, as the case may be.

(10) A controller shall ensure that it is in a position to demonstrate that the processing of personal data for which it is responsible is in compliance with subsections (1) to (8) of this section.

Security measures for personal data

72. (1) In determining appropriate technical or organisational measures for the purposes of section 71 (1)(f), a controller shall ensure that the measures provide a level of security appropriate to the harm that might result from accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, the data concerned.

(2) A controller or processor shall take all reasonable steps to ensure that—

(a) persons employed by the controller or the processor, as the case may be, and

(b) other persons at the place of work concerned,

are aware of and comply with the relevant technical or organisational measures referred to in subsection (1).

Processing of special categories of personal data (Part 5)

73. (1) The processing of a special category of personal data shall be lawful only where—

(a) section 71 is complied with, and

(b) at least one of the following conditions is met:

(i) where the processing is to be carried out on the basis of the consent of the data subject pursuant to section 71 (2)(b), the consent referred to in that paragraph explicitly refers to the special category of personal data concerned;

(ii) the processing is necessary—

(I) to prevent injury or other damage to the data subject or another individual,

(II) to prevent loss in respect of, or damage to, property, or

(III) otherwise to protect the vital interests of the data subject or another individual;

(iii) the personal data to which the processing relates have been made public as a result of steps deliberately taken by the data subject;

(iv) the processing is necessary for—

(I) the administration of justice,

(II) the performance of a function conferred on a person by or under an enactment, or

(III) the performance of a function of the Government or a Minister of the Government;

(v) the processing—

(I) is required for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or

(II) is otherwise required for the purposes of establishing, exercising or defending legal rights;

(vi) the processing is necessary for medical purposes and is carried out by, or under the responsibility of—

(I) a health practitioner, or

(II) a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner;

(vii) the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law;

(viii) the processing is carried out pursuant to section 71 (6);

(ix) the processing is authorised by regulations made under subsection (2).

(2) Regulations may be made permitting the processing of special categories of personal data for the purposes of subsection (1)(b)(ix) where the processing is necessary for reasons of substantial public interest, and without prejudice to the generality of the foregoing, such regulations shall identify the public interest concerned.

(3) Subject to subsection (4), regulations may be made under subsection (2)

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(4) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (2).

(5) The Commission may, on being consulted under subsection (4), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19 (1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(6) The Minister or any other Minister of the Government, as the case may be, making regulations under subsection (2) shall have regard to the need for the protection of individuals with regard to the processing of their personal data and without prejudice to the generality of that need, have regard to—

(a) the nature, scope and purposes of the processing,

(b) the nature of the substantial public interest concerned,

(c) any benefits likely to arise for the data subjects concerned,

(d) any risks arising for the rights and freedoms of such subjects, and

(e) the likelihood of any such risks arising and the severity of such risks.

(7) Where a special category of personal data is processed in accordance with this section, the controller shall ensure that the processing is carried out with appropriate safeguards for the rights and freedoms of the data subject.

(8) In this section—

“health practitioner” has the same meaning as it has in the Health Identifiers Act 2014;

“medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of medical care and treatment and the management of healthcare services.

Data quality

74. (1) A controller shall, where relevant and in so far as is possible, make a distinction between the personal data of different categories of data subject.

(2) A controller shall, in so far as is possible, ensure that personal data based on facts are distinguished from personal data based on personal assessments.

(3) A controller shall—

(a) take all reasonable steps to ensure that personal data that are inaccurate, incomplete or no longer up to date are not transmitted or otherwise made available,

(b) verify, in so far as is possible, the quality of personal data before they are transmitted or otherwise made available, and

(c) provide, in so far as is possible, in a transmission of personal data, the information necessary for the recipient to assess the accuracy, completeness and reliability of the data and the extent to which the data are up to date.

(4) Other than where section 92 applies, where a controller becomes aware that incorrect personal data have been transmitted or personal data have been unlawfully transmitted—

(a) the controller shall ensure that the recipient of the personal data is notified without delay of that fact, and

(b) the recipient shall ensure that the personal data are rectified or erased or the processing of the data is restricted, as may be appropriate.

Chapter 3

Obligations of controllers and processors

General obligations of controller with regard to technical and organisational measures

75. (1) A controller shall implement appropriate technical and organisational measures for the purposes of—

(a) ensuring that the processing of personal data for which it is responsible is performed in compliance with this Part, and

(b) demonstrating such compliance.

(2) A controller shall ensure that measures implemented in accordance with subsection (1) are reviewed at regular intervals and, where required, updated.

(3) The measures referred to in subsection (1) shall include the implementation of an appropriate data protection policy by the controller, where such implementation is proportionate in relation to the processing activities carried out by the controller.

Data protection by design and by default

76. (1) A controller shall, without prejudice to the generality of section 75 (1), for the purposes of meeting the requirements of this Part and protecting the rights of data subjects—

(a) when determining the means of processing personal data, and

(b) when carrying out the said processing,

implement appropriate technical and organisational measures that are designed—

(i) to implement the principles of the protection of personal data contained in this Part in an effective manner, and

(ii) to integrate the necessary safeguards into the said processing.

(2) Without prejudice to the generality of section 75 (1) and subsection (1), a controller shall, subject to subsection (3), when processing personal data implement appropriate technical and organisational measures to ensure that only personal data that are necessary for each specific purpose of the processing are processed.

(3) The requirement in subsection (2) applies in relation to—

(a) the amount of personal data collected for the processing concerned,

(b) the extent of the processing of the personal data concerned,

(c) the period for which the personal data concerned are stored, and

(d) the accessibility of the personal data concerned.

(4) Technical and organisational measures implemented in accordance with subsection (2) shall ensure that personal data are not made generally available unless, and only to the extent, authorised by the controller.

Security of automated processing

77. A controller or processor, prior to carrying out automated processing, shall—

(a) evaluate the risks to the rights and freedoms of individuals arising from the processing concerned, and

(b) implement measures designed to—

(i) deny access to the processing equipment used for the processing to any person other than the persons authorised in that regard by the controller or processor, as the case may be,

(ii) prevent the reading, copying, modification or removal of the data media concerned, other than in so far as is authorised by the controller or processor, as the case may be,

(iii) prevent the input of personal data other than in so far as is authorised by the controller or processor, as the case may be,

(iv) prevent the inspection, modification or deletion of the data other than in so far as is authorised by the controller or processor, as the case may be,

(v) prevent the use of the automated processing system by persons using data communication equipment who are not authorised to do so by the controller or processor, as the case may be,

(vi) ensure that where a person is authorised to use the automated processing system concerned, he or she has access to personal data on the system only in so far as he or she is so authorised by the controller or processor, as the case may be,

(vii) ensure that it is possible to verify or establish the persons to whom personal data have been or may be transmitted or made available using data communication equipment,

(viii) ensure that it is possible to verify or establish which personal data have been input into an automated processing system, and in relation to such data, to verify and establish the person who input the data and when the data were input,

(ix) prevent the reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media, other than in so far as is authorised by the controller or processor, as the case may be,

(x) ensure that an installed automated system may be restored in the event of an interruption in the service of the system,

(xi) ensure that the automated processing system properly performs its function and the appearance of a fault in the automated processing system is reported to the controller or processor, as the case may be, and

(xii) ensure that personal data that are stored on the automated processing system cannot be corrupted by means of a malfunctioning of the system.

Technical and organisational measures

78. For the purposes of determining the appropriate technical and organisational measures in relation to personal data that are required to be taken by a controller or processor in order to ensure compliance with this Part, and in particular sections 71 (1)(f), 75 (1), 76 and 80, the controller or processor, as the case may be, shall, where relevant, have regard to the following matters:

(a) the nature of the personal data concerned;

(b) the accessibility of the data;

(c) the nature, scope, context and purpose of the processing concerned;

(d) any risks to the rights and freedoms of individuals arising from the processing concerned;

(e) the likelihood of any such risks arising and the severity of such risks;

(f) the state of the art and the cost of implementation;

(g) guidelines, recommendations and descriptions of best practice issued by the Commission or the European Data Protection Board.

Joint controllers

79. (1) Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State.

(2) An agreement in writing referred to in subsection (1)

(a) shall include a determination of—

(i) the respective responsibilities of the joint controllers concerned as regards the exercise by data subjects of their rights under this Part, and

(ii) the respective duties of the joint controllers concerned as regards the provision to a data subject of the information specified in section 90 (2),

and

(b) may designate a single point of contact in respect of the processing concerned for the data subject to whom it relates, where such designation is not otherwise determined by the law of the State.

Processors

80. (1) A controller shall engage a processor to carry out processing on its behalf only where—

(a) the processing is carried out, subject to subsection (3), in pursuance of a contract in writing between the controller and the processor that provides for the matters specified in subsection (2), and

(b) the processor provides sufficient guarantees to implement appropriate technical and organisational measures to ensure that—

(i) the processing shall comply with the provisions of this Part, and

(ii) the rights and freedoms of the data subjects are protected.

(2) A contract entered into between a controller and a processor in accordance with subsection (1)(a) shall—

(a) specify the subject matter, duration, nature and purpose of the processing to be carried out thereunder,

(b) specify the type of personal data to be processed thereunder and the categories of data subjects to whom the personal data relate,

(c) specify the obligations and rights of the controller in relation to the processing, and

(d) provide that the processor shall—

(i) act only on instructions from the controller in relation to the processing, except in so far as the law of the European Union or the law of the State requires the processor to act otherwise,

(ii) procure the services of another processor (in this section referred to as a “secondary processor”) in relation to the processing only where authorised to do so in advance and in writing by the controller, which authorisation may be specific or general in nature,

(iii) ensure that any person authorised to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so,

(iv) assist the controller in ensuring compliance with this Part in so far as it relates to the exercise by a data subject of his or her rights,

(v) erase or return to the controller, at the election of the controller, all personal data upon completion of the processing services carried out by the processor on behalf of the controller and erase any copy of the data, unless the processor is required by the law of the European Union or the law of the State to retain the data, and

(vi) make available to the controller all information necessary to demonstrate compliance by the processor with this section.

(3) Subsection (1)(a) shall not apply in relation to processing where the form of the processing and the role of the controller and the processor concerned are otherwise specified in the law of the European Union or the law of the State.

(4) Where a controller gives an authorisation, whether specific or general in nature, to a processor, including a secondary processor (in this section referred to as “the procuring processor”) to procure the services of a secondary processor, the procuring processor shall inform—

(a) the controller, and

(b) where relevant, any processor who procured the services of the procuring processor in relation to the processing concerned,

in advance of any such procurement or of a change in the terms of such procurement.

(5) Where a procuring processor procures the services of a secondary processor to carry out processing on behalf of a controller, subsections (1) and (2) shall apply to the procuring processor and the secondary processor, subject to the following modifications and any other necessary modifications:

(a) a reference to a “controller”, other than in subparagraphs (ii), (iv), (v) and (vi) of subsection (2)(d), shall be construed as a reference to the procuring processor;

(b) a reference to a “controller” in subsection (2)(d)(iv) shall be construed as a reference to the controller and the procuring processor;

(c) a reference to a “controller” in subsection (2)(d)(v) shall be construed as a reference to the controller or the procuring processor, as appropriate; and

(d) a reference to a “processor” shall be construed as a reference to a secondary processor.

(6) Where a person, who by virtue of the operation of this Part is a processor of personal data, when purporting to act as such a processor, determines the purpose and means of the processing of the data, the obligations that are placed on a controller under this Part shall apply thereafter to the person as though the person were a controller of the data.

Record of data processing activities

81. (1) A controller shall create and maintain a record in writing containing the following information in relation to each category of processing activity for which it is responsible:

(a) the identity and contact details of the controller and, where applicable, the controller’s data protection officer or any joint controller;

(b) a description of—

(i) the purpose of the processing,

(ii) the categories of personal data concerned,

(iii) the categories of data subjects to which the personal data relate,

(iv) the categories of recipients to which the personal data have been or will be disclosed, including recipients in a third country or an international organisation, if any,

(v) the categories of transfer of personal data to a third country or an international organisation, if any,

(vi) the legal basis for the processing operation for which the personal data are intended, including the transfer of the data, where applicable, and

(vii) where possible, the proposed time limit within which each category of personal data shall be erased;

(c) whether the processing involves the use of profiling;

(d) where possible, a general description of the technical and organisational security measures implemented in respect of the processing activity in accordance with section 72 (1).

(2) A processor shall create and maintain a record in writing of each category of processing activity carried out by the processor on behalf of a controller containing the following information:

(a) the identity and contact details of—

(i) the processor,

(ii) each controller on behalf of which the processor is carrying out the processing, and

(iii) the processor’s data protection officer, where applicable;

(b) a description of each category of processing carried out on behalf of each controller;

(c) details of any transfer of personal data to a third country or an international organisation, if applicable, including the identification of the third country or international organisation to which the data are transferred;

(d) where possible, a general description of the technical and organisational security measures implemented in respect of the processing activity in accordance with section 72 (1).

(3) A controller or processor shall, where requested to do so, make a record created and maintained pursuant to subsection (1) or (2), as the case may be, available to the Commission for inspection and examination.

Data logging for automated processing system

82. (1) Subject to subsection (5), where a controller or processor carries out processing of personal data by automated means, the controller or processor, as the case may be, shall create and maintain a log (in this section referred to as a “data log”) of the following processing operations carried out in automated processing systems in respect of that processing:

(a) the collection of personal data for the purposes of such processing and the alteration of any such data;

(b) the consultation of the personal data by any person;

(c) the disclosure of the personal data, including the transfer of the data, to any other person;

(d) the combination of the personal data with other data;

(e) the erasure of the personal data, or some of the data.

(2) Where a data log contains information specified in paragraph (b) or (c) of subsection (1), the controller or processor, as the case may be, shall ensure that the data log contains sufficient information to establish the following:

(a) the date and time of the consultation or disclosure, as the case may be;

(b) the reason for the consultation or disclosure, as the case may be;

(c) in so far as is possible, the identification of the person who consulted or disclosed, as the case may be, the personal data;

(d) the identity of any recipient to whom the personal data were disclosed.

(3) A data log shall not be used by any person for any purpose other than—

(a) verifying the lawfulness of the processing,

(b) the monitoring by the controller of processing carried out by the controller,

(c) the monitoring by the processor of processing carried out by the processor,

(d) ensuring the integrity and security of the personal data concerned, or

(e) for the purposes of criminal proceedings.

(4) A controller or processor shall, where requested to do so, make a data log created and maintained by the controller or processor, as the case may be, available to the Commission for inspection and examination.

(5) This section shall not apply, in respect of an automated processing system established on or before 6 May 2016—

(a) prior to 6 May 2023, where compliance by a controller or processor, as the case may be, with this section prior to that date would involve disproportionate effort, or

(b) prior to 6 May 2026, where compliance by a controller or a processor, as the case may be, with this section prior to that date would cause serious difficulties for the operation of the automated processing system to which the data log relates.

(6) A controller or processor who intends to rely upon subsection (5)(b) in respect of an automated processing system operated by the controller or processor, as the case may be, shall notify the Minister in writing of the said intention on or before 31 December 2022.

(7) A notification referred to in subsection (6) shall include a description of the serious difficulties referred to in subsection (5)(b) in respect of the automated processing system concerned.

Cooperation with Commission

83. A controller or a processor shall, on request by the Commission, cooperate with and assist the Commission in the performance of its functions under this Part.

Data protection impact assessment and prior consultation with Commission

84. (1) Where having regard to its nature, scope, context and purposes, a type of processing, and in particular a type of processing using new technology, is likely to result in a high risk to the rights and freedoms of individuals, the controller that is proposing to carry out the processing shall conduct an assessment of the likely impact of the proposed processing operations on the protection of personal data (in this Part referred to as a “data protection impact assessment”) prior to carrying out the processing.

(2) A data protection impact assessment carried out in accordance with subsection (1) shall include:

(a) a general description of the proposed processing operations to which it relates;

(b) an assessment of the potential risks to the rights and freedoms of data subjects as a result of the proposed processing; and

(c) a description of any safeguards, security measures or mechanisms proposed to be implemented by the controller to mitigate any risk referred to in paragraph (b) and to ensure the protection of the personal data in compliance with this Part.

(3) Where—

(a) it appears to a controller, having conducted a data protection impact assessment, that the processing concerned would, despite the implementation of safeguards, security measures or mechanisms referred to in subsection (2)(c), result in a high risk to the rights and freedoms of individuals, or

(b) the controller proposes to carry out processing of a type prescribed by the Commission under subsection (9),

the controller shall, prior to commencing the processing, consult the Commission by request in that regard in writing.

(4) A controller shall, when making a request under subsection (3), provide the Commission with—

(a) the data protection impact assessment conducted in relation to the processing concerned, and

(b) any other information required by the Commission to enable it to assess—

(i) the potential risks to the rights and freedoms of individuals arising from the proposed processing, and

(ii) the compliance of the proposed processing with this Part.

(5) The Commission shall, where it is of the view that the proposed processing would not comply with this Part, in particular where it is of the view that the controller has insufficiently identified or mitigated the potential risks to the rights and freedoms of individuals arising from the proposed processing, issue written advice in relation to the processing to the controller and, where applicable, any proposed processor.

(6) Subject to subsection (8), where the Commission issues written advice pursuant to subsection (5), it shall do so within a period of 6 weeks from the date on which it receives the request under subsection (3).

(7) For the purposes of responding to a request under subsection (3), the Commission may use any of its powers referred to in Chapter 4 of Part 6.

(8) Where, taking into account the complexity of the proposed processing, the Commission is of the opinion that it requires additional time to consider a request made under subsection (3), it may, once only and within one month from the date of the receipt of the request, extend the time period referred to in subsection (6) by such further period not exceeding one month as it may specify by notice in writing to the controller concerned.

(9) The Commission may, following consultation with the Minister, make regulations prescribing a type of processing for the purposes of subsection (3)(b) as a type of processing in relation to which a controller shall consult the Commission prior to commencing the processing.

(10) The Commission shall, when prescribing a type of processing under subsection (9), have regard to—

(a) the nature, scope and purposes of the type of processing,

(b) the type of processing involved, in particular where the use of new technology is likely to result in a high risk to the rights and freedoms of individuals,

(c) the likelihood of any such risks arising and the severity of such risks, and

(d) any submissions received pursuant to subsection (11)(c) in relation to the proposed regulations.

(11) The Commission shall, prior to making regulations under subsection (9), publish a notice on the website of the Commission and in at least one daily newspaper circulating generally in the State—

(a) indicating that it proposes to make regulations under this section,

(b) indicating that a draft of the regulations is available for inspection on that website for a period specified in the notice, being not less than 28 days from the date of the publication of the notice in the newspaper, and

(c) stating that submissions in relation to the draft regulations may be made in writing to the Commission before a date specified in the notice, which shall be not less than 28 days after the end of the period referred to in paragraph (b).

(12) Where there is a proposal for a legislative measure for which a Minister of the Government is responsible that relates to the processing of personal data, the relevant Minister shall consult with the Commission during the process of the preparation of the legislative measure.

Notification of personal data breach by processor

85. Where a processor becomes aware of a personal data breach, the processor shall notify the controller on whose behalf the data are being processed of the breach—

(a) in writing, and

(b) without undue delay.

Notification of personal data breach to Commission, etc.

86. (1) Subject to subsection (3), where a personal data breach occurs, the controller shall, without undue delay and where feasible within 72 hours of becoming aware of the breach, notify the Commission of the breach.

(2) Where a controller does not notify the Commission under subsection (1) of a personal data breach within 72 hours of becoming aware of the breach, the controller shall include in the notification the reason for not so notifying.

(3) Subsection (1) shall not apply where, taking into account the nature of the personal data and the scope, context and purposes of the processing, the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

(4) A notification under subsection (1) shall include—

(a) a description of the personal data breach, including, where possible the categories and number, or approximate number, of—

(i) data subjects concerned, and

(ii) personal data records concerned,

(b) a description of the likely consequences of the personal data breach,

(c) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including any measures taken or proposed to be taken to mitigate its possible adverse effects, and

(d) the name and contact details of the controller’s data protection officer (if any) or other point of contact.

(5) Where, at the time of the making of a notification under subsection (1), it is not possible for a controller to include in the notification all the information specified in subsection (4) in relation to the personal data breach concerned, the controller shall—

(a) nevertheless make the notification including such information as is possible to include at that time, and

(b) supply the Commission with such information specified in subsection (4) as is outstanding without undue delay.

(6) A controller shall create and maintain a detailed record in writing of a personal data breach, including a description of—

(a) the breach,

(b) the effects of the breach, and

(c) the measures taken to address the breach, including any measures taken to mitigate its possible adverse effects.

(7) A controller shall, where so requested by the Commission, provide a copy of a record created and maintained under subsection (6) to the Commission.

(8) Where a personal data breach involves personal data that have been transmitted—

(a) by a controller in the State to a controller in another Member State, or

(b) by a controller in another Member State to a controller in the State,

the controller in the State shall provide the controller in the other Member State with the information specified in subsection (4) without undue delay.

Communication of personal data breach to data subject

87. (1) Subject to subsections (2), (4) and (7), where a personal data breach occurs that is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall, without undue delay, notify the data subject to whom the breach relates.

(2) Subsection (1) shall not apply where—

(a) the controller has implemented appropriate technological and organisational protection measures that were applied to the personal data affected by the personal data breach, in particular where the said measures, including encryption, render the personal data unintelligible to any person who is not authorised to access it, or

(b) the controller has taken measures in response to the personal data breach that ensure that the high risk to the rights and freedoms of a data subject from the breach is no longer likely to materialise.

(3) A notification under subsection (1) shall—

(a) describe, in clear and plain language, the nature of the personal data breach concerned, and

(b) contain at least the information specified in paragraphs (b) to (d) of section 86 (4).

(4) Where a notification under subsection (1) would involve a disproportionate effort, the controller shall notify the data subjects concerned of the personal data breach by way of public communication or other similar measure that ensures the data subjects are informed of the personal data breach in an equally effective manner.

(5) A notification under subsection (4) shall—

(a) describe, in clear and plain language, the nature of the personal data breach concerned, and

(b) contain such other information as is appropriate in all the circumstances.

(6) Where—

(a) a controller notifies the Commission under section 86 of a personal data breach, and

(b) the controller has not notified the data subject to whom the personal data relate under subsection (1) or (4), as the case may be, of the personal data breach,

the Commission may, having considered the likelihood of the data breach resulting in a high risk to the rights and freedoms of a data subject—

(i) require the controller to notify the data subject under subsection (1) or (4), as the case may be, or

(ii) determine that subsection (2) applies in relation to the personal data breach.

(7) A controller may, in relation to the exercise of the right of a data subject to be notified under subsection (1) of a personal data breach, restrict the exercise of the said right where to do so constitutes a necessary and proportionate measure in a democratic society, with due regard for the fundamental rights and legitimate interests of the data subject, for a purpose specified in section 94 (2).

(8) Where a controller restricts the exercise of the right of a data subject under subsection (7), subsections (5), (6) and (7) of section 94 shall apply in respect of the said restriction, with all necessary modifications.

Data protection officer

88. (1) A controller, other than—

(a) a court, or

(b) another independent judicial authority,

acting in its judicial capacity, shall, subject to subsections (2) and (3), appoint a person to carry out the functions specified in subsection (5) in respect of the controller (in this Part referred to as a “data protection officer”).

(2) Two or more controllers may, subject to subsection (3), having regard to their organisational structure and size, appoint a single data protection officer to carry out the functions specified in subsection (5) in respect of each of the controllers.

(3) A controller, when appointing a data protection officer, shall do so on the basis of—

(a) the person’s expert knowledge of the law and the practice relating to the protection of personal data, and

(b) his or her ability to carry out the functions specified in subsection (5).

(4) Where a controller appoints a data protection officer, the controller shall—

(a) publish or cause to be published the contact details of the data protection officer,

(b) inform the Commission of the appointment of the data protection officer and provide the Commission with his or her contact details,

(c) ensure that the data protection officer—

(i) reports directly, in relation to his or her functions under subsection (5), to the highest level of management of the controller,

(ii) does not receive any instructions regarding the exercise of such functions, and

(iii) is involved in an appropriate and timely manner in all matters relating to the protection of personal data, and

(d) support the data protection officer in performing his or her functions under subsection (5), including by—

(i) providing him or her with the resources that he or she requires to perform those functions,

(ii) ensuring that he or she has access to processing operations carried out by the controller, and

(iii) assisting him or her to maintain his or her expert knowledge in the law and practice relating to the protection of personal data.

(5) The functions of a data protection officer shall include the following:

(a) informing and advising the controller, and the employees of the controller who carry out processing, of their obligations under this Part and under any other law of the European Union or law of the State that relates to the protection of personal data;

(b) monitoring the compliance of the controller with—

(i) this Part,

(ii) any other law of the European Union or law of the State that relates to the protection of personal data, and

(iii) the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities in the controller in relation to the protection of personal data, the raising of awareness and the training of staff involved in processing operations in that regard, and any audit activity related to the protection of personal data;

(c) providing advice, where requested to do so, in relation to the carrying out of a data protection impact assessment in accordance with section 84 and monitoring any steps taken on foot of that assessment;

(d) acting as the contact point for data subjects with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Part;

(e) cooperating with the Commission and acting as a contact point for the Commission for issues related to processing carried out by the controller, including consultation by the controller with the Commission under section 84.

Chapter 4

Rights, and restriction of rights, of data subject (Part 5)

Rights in relation to automated decision making (Part 5)

89. (1) Subject to subsection (2), a decision that produces an adverse legal effect for a data subject or significantly affects a data subject shall not be based solely on automated processing, including profiling, of personal data that relate to him or her.

(2) Subsection (1) shall not apply where—

(a) the taking of a decision based solely on automated processing is authorised by the law of the European Union or the law of the State and the law so authorising contains appropriate safeguards for the rights and freedoms of the data subject, including the right of the data subject to make representations to the controller in relation to the decision, and

(b) the controller has taken adequate steps to safeguard the legitimate interests of the data subject.

(3) Profiling that results in discrimination against an individual on the basis of a special category of personal data shall be prohibited.

Right to information

90. (1) Subject to subsection (4) and section 94, a controller shall ensure that the data subject is provided with, or, as appropriate, has made available to him or her, the information specified in subsection (2) in relation to personal data relating to him or her within a reasonable period after the date on which the controller obtains the personal data concerned, having regard to the circumstances in which the data are or are to be processed.

(2) The information to which subsection (1) applies is:

(a) the identity and the contact details of the controller;

(b) the contact details of the data protection officer of the controller, where applicable;

(c) the purpose for which the personal data are intended to be processed or are being processed;

(d) information detailing the right of the data subject to request from the controller access to, and the rectification or erasure of, the personal data;

(e) information detailing the right of the data subject to lodge a complaint with the Commission and the contact details of the Commission;

(f) in individual cases where further information is necessary to enable the data subject to exercise his or her rights under this Part, having regard to the circumstances in which the personal data are or are to be processed, including the manner in which the data are or have been collected, any such information including:

(i) the legal basis for the processing of the data concerned, including the legal basis for any transfers of data;

(ii) the period for which the data concerned will be retained, or where it is not possible to determine the said period at the time of the giving of the information, the criteria used to determine the said period;

(iii) where applicable, each category of recipients of the data.

(3) The information referred to in paragraphs (a) to (e) of subsection (2) may be made available to the data subject by means of publication on the website of the controller.

(4) Without prejudice to section 94, subsection (1) shall not apply to information specified in subsection (2)

(a) where the information is already in the possession of the data subject, or

(b) where, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the provision of the information proves impossible or would involve a disproportionate effort.

Right of access

91. (1) Subject to subsections (7), (9) and (12) and sections 93 (4)(ii) and 94, an individual who believes that personal data relating to him or her have been or are being processed by or on behalf of a controller, if he or she so requests the controller by notice in writing shall—

(a) be informed by the controller whether personal data relating to him or her have been or are being processed by or on behalf of the controller, and

(b) where such data have been or are being so processed, be provided by the controller with the following information:

(i) a description of—

(I) the purpose of, and the legal basis for, the processing,

(II) the categories of personal data concerned,

(III) the recipients or categories of recipients to whom the personal data concerned have been disclosed, and

(IV) the period for which the personal data concerned will be retained, or where it is not possible to determine the said period at the time of the giving of the information, the criteria used to determine the said period;

(ii) information detailing the right of the data subject to request from the controller the rectification or erasure of the personal data concerned;

(iii) information detailing the right of the data subject to lodge a complaint with the Commission and the contact details of the Commission;

(iv) a communication of the personal data concerned;

(v) any available information as to the origin of the personal data concerned, unless the communication of that information is contrary to the public interest.

(2) A controller shall respond to a request made under subsection (1) and provide the information specified in paragraph (b) thereof to the data subject as soon as may be and, subject to subsections (4) and (5), in any event not later than one month after the date on which the request is made.

(3) When making a request under subsection (1), the individual making the request shall provide the controller with such information as the controller may reasonably require to satisfy itself of the identity of the individual and to locate any relevant personal data or information.

(4) Where a controller has reasonable doubts as to the identity of an individual making a request under subsection (1) or reasonably requires additional information to locate any relevant personal data, it may request such additional information from the data subject as may be necessary to confirm his or her identity or to enable it to locate such personal data or information, as the case may be, and the period of time from the making of such a request for additional information until the request is complied with shall not be reckonable for the purposes of subsection (2).

(5) Where, taking into account the complexity of a request made under subsection (1) and the number of such requests received by the controller, the controller is of the opinion that it requires additional time to consider the request, it may, once only and within one month from the date of the receipt of the request, extend the time period referred to in subsection (2) by such further period not exceeding 2 months as it may specify by notice in writing to the individual making the request.

(6) A notice in writing referred to in subsection (5) shall include the reason for which the controller is of the opinion that it requires additional time to consider the request made under subsection (1).

(7) Where information that a controller would otherwise be required to provide to a data subject pursuant to subsection (1) includes personal data relating to another individual that would reveal, or would be capable of revealing, the identity of the individual, the controller—

(a) shall not, subject to subsection (8), provide the data subject with the information that constitutes such personal data relating to the other individual, and

(b) shall provide the data subject with a summary of the personal data concerned that—

(i) in so far as is possible, permits the data subject to exercise his or her rights under this Part, and

(ii) does not reveal, or is not capable of revealing, the identity of the other individual.

(8) Subsection (7) shall not apply where the individual to whom the personal data that would reveal, or would be capable of revealing, his or her identity, relate consents to the provision of the information concerned to the data subject making a request pursuant to subsection (1).

(9) Subsection (1) shall not apply—

(a) in respect of personal data relating to the data subject that consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential, or

(b) to information specified in paragraph (b)(i)(III) of that subsection in so far as a recipient referred to therein is a public authority which may receive data in the context of a particular inquiry in accordance with the law of the State.

(10) Information provided pursuant to a request under subsection (1) may take account of any amendment of the personal data concerned made since the receipt of the request by the controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.

(11) The obligations imposed by subparagraphs (iv) and (v) of subsection (1)(b) shall be complied with by supplying the data subject with a copy of the information concerned in permanent form unless—

(a) the supply of such a copy is not possible or would involve disproportionate effort, or

(b) the data subject agrees otherwise.

(12) Where a controller has previously complied with a request under subsection (1), the controller is not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in the opinion of the controller, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(13) In determining for the purposes of subsection (12) whether the reasonable interval specified in that subsection has elapsed, regard shall be had to the nature of the personal data, the purpose for which the personal data are processed and the frequency with which the personal data are altered.

(14) Where a controller, pursuant to subsection (12) refuses to act upon a request under subsection (1), it shall, as soon as practicable, so notify the data subject in writing.

Right to rectification or erasure and restriction of processing

92. (1) Where a data subject is of the opinion that a controller is processing personal data relating to him or her that are inaccurate, the data subject may make a request in writing to the controller for the controller to rectify the data concerned.

(2) A controller that receives a request under subsection (1) shall, subject to subsections (6), (7) and (9) and section 93 (4)(ii), where it is satisfied that the personal data to which the request relates are inaccurate, rectify the data as soon as may be and in any event no later than one month after the date on which the request is made.

(3) Where a data subject is of the opinion that a controller is processing personal data relating to him or her—

(a) in a manner that contravenes subsections (1) to (6) of section 71 or section 73 (1), or

(b) that are required to be erased by the controller in accordance with a legal obligation to which the controller is subject,

the data subject may make a request in writing to the controller to erase the data concerned.

(4) A controller that receives a request under subsection (3) shall, subject to subsections (6), (7) and (9) and section 93 (4)(ii), where it is satisfied that paragraph (a) or (b) of subsection (3) applies to the personal data to which the request relates, erase the data as soon as may be and in any event no later than one month after the date on which the request is made.

(5) When making a request under subsection (1) or (3), the data subject shall provide such information as the controller may reasonably require to—

(a) satisfy itself as to the identity of the data subject,

(b) locate any relevant personal data, and

(c) satisfy itself as to whether the personal data concerned are inaccurate or as to the basis on which the data should be erased, as the case may be.

(6) Where a controller—

(a) has reasonable doubts as to the identity of an individual making a request under subsection (1) or (3), or

(b) reasonably requires additional information—

(i) to locate any relevant personal data, or

(ii) to satisfy itself as to whether the personal data concerned are inaccurate or as to the basis on which the data should be erased, as the case may be,

it may request such additional information from the data subject as may be necessary to confirm his or her identity or to so locate or satisfy itself, as the case may be, and the period of time from the making of such a request for additional information until the request is complied with shall not be reckonable for the purposes of subsection (2) or (4), as the case may be.

(7) Where, taking into account the complexity of a request made under subsection (1) or (3) and the number of such requests received by the controller, the controller is of the opinion that it requires additional time to consider the request, it may, once only and within one month from the date of the receipt of the request, extend the time period referred to in subsection (2) or (4), as the case may be, by such further period not exceeding 2 months as it may specify by notice in writing to the data subject making the request.

(8) A notice in writing referred to in subsection (7) shall include the reason for which the controller is of the opinion that it requires additional time to consider the request made under subsection (1) or (3), as the case may be.

(9) Where a data subject makes a request under subsection (1) or (3), and—

(a) the accuracy of the data is contested by the data subject and it is not possible to ascertain whether the data are so inaccurate, or

(b) the personal data are required for the purposes of evidence in proceedings before a court or tribunal or in another form of official inquiry,

the controller shall restrict the processing of the data and shall not rectify or erase the data, as the case may be.

(10) Where a controller—

(a) complies with a request under subsection (1) or (3), or

(b) restricts the processing of personal data under subsection (9),

the controller shall, as soon as practicable, notify in writing—

(i) subject to section 94, the data subject concerned,

(ii) each controller from which the personal data concerned were received, and

(iii) each person to whom the personal data concerned were disclosed,

of the rectification, erasure or restriction concerned, as the case may be.

(11) Where a controller receives a request under subsection (1) or (3), and—

(a) the controller is not satisfied that, as the case may be,—

(i) in relation to a request under subsection (1), the personal data to which the request relates should be rectified pursuant to subsection (2), or

(ii) in relation to a request under subsection (3), the personal data to which the request relates should be erased pursuant to subsection (4),

and

(b) subsection (9) does not apply to the data,

the controller shall, subject to section 94, as soon as practicable, so notify the data subject in writing.

(12) A notification under subsection (11) shall include—

(a) the reasons for the controller’s decision under that subsection, and

(b) information relating to the data subject’s right under section 95 to request the Commission to verify the lawfulness of the processing concerned.

(13) Where a person to whom personal data were disclosed is notified under subsection (10) of—

(a) the rectification or erasure of the data pursuant to a request under subsection (1) or (3), as the case may be, or

(b) the restriction of the processing of the data under subsection (9),

the person shall rectify or erase, or restrict the processing of, as the case may be, any of the data concerned that the person has under his or her control in the same manner, and to the same extent, as the controller making the notification has rectified or erased, or restricted the processing of, as the case may be, the data concerned.

(14) Where a controller has restricted the processing of personal data pursuant to subsection (9) and proposes to lift the said restriction, the controller shall inform the data subject prior to the lifting of the restriction.

(15) Where a controller that restricted the processing of personal data pursuant to subsection (9) lifts the said restriction—

(a) the controller shall notify any person who was notified under subsection (10) of the said restriction of the lifting of the restriction as soon as practicable, and

(b) the person so notified shall lift any restriction of the processing of the data concerned implemented under subsection (13) in the same manner, and to the same extent, as the controller making the notification has lifted the restriction on the processing of the data concerned.

(16) This section shall not apply to personal data that are contained in witness statements.

(17) For the purposes of this section, personal data are inaccurate if—

(a) they are incorrect or misleading as to any matter of fact, or

(b) they are incomplete in a material manner.

Communication with data subject

93. (1) Where a controller—

(a) provides or makes available information to a data subject under section 90,

(b) provides or makes available information to, or communicates with, a data subject pursuant to a request under section 91 or 92,

the controller shall take all reasonable steps to ensure the information is provided or made available, or the communication is made, as the case may be, in a concise, intelligible and easily accessible form using clear and plain language.

(2) The information or communication, as the case may be, referred to in subsection (1), shall—

(a) be provided to the data subject by appropriate means, including by electronic means, and

(b) in the case of a communication with a data subject pursuant to a request under section 91 or 92, in so far as is possible, be provided in the same form as that in which the request is made.

(3) A controller shall not impose a charge on a data subject for information provided to him or her under section 90 or, subject to subsection (4)(i), pursuant to a request under section 91 or 92.

(4) Where a data subject makes a request to a controller under section 91 or 92 that is—

(a) manifestly unfounded, or

(b) excessive in nature, having regard to the number of requests made by the data subject to the controller under those sections,

the controller may—

(i) charge a reasonable fee to the data subject in respect of the request, having regard to the administrative cost to the controller of complying with the request, or

(ii) refuse to act upon the request.

(5) Where a controller, pursuant to subsection (4)(ii), refuses to act upon a request under section 91 or 92 it shall, as soon as practicable, so notify the data subject in writing.

(6) A notification under subsection (5) shall include—

(a) the reasons for which the controller is refusing to act upon the request under section 91 or 92, as the case may be, pursuant to subsection (4)(ii), and

(b) information relating to the right of the data subject under Chapter 3 of Part 6 to lodge a complaint with the Commission and the contact details of the Commission.

(7) Where, pursuant to subsection (4)(ii), a controller refuses to act upon a request made to the controller by a data subject under section 91 or 92, it shall be for the controller to demonstrate that the request was manifestly unfounded or excessive in nature.

(8) In this section, a reference to a “data subject” shall be construed as including an individual who makes a request under section 91 (1), irrespective of whether the controller is processing personal data relating to the individual.

Restrictions on exercise of data subject rights (Part 5)

94. (1) Subject to subsection (2), a controller, with respect to personal data for which it is responsible, may restrict, wholly or partly, the exercise of a right of a data subject specified in subsection (4).

(2) Subsection (1) shall apply where the controller is satisfied that restricting the exercise of a right under that subsection constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject for the purposes of—

(a) avoiding obstructing official or legal inquiries, investigations or procedures,

(b) avoiding prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties,

(c) protecting public security,

(d) protecting national security, or

(e) protecting the rights and freedoms of other persons.

(3) Without prejudice to the generality of subsection (2), the purposes specified in paragraphs (a) to (e) of subsection (2) include the following:

(a) the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid;

(b) the enforcement of, compliance with or administration of any enactment related to a purpose specified in section 70 (1)(a);

(c) ensuring the safety of the public and the safety or security of individuals and property;

(d) ensuring the fairness of criminal proceedings in a court or other tribunal;

(e) ensuring the security of—

(i) a penal institution,

(ii) a children detention school within the meaning of section 3 of the Children Act 2001,

(iii) a remand centre designated under section 88 of the Children Act 2001,

(iv) the Central Mental Hospital, or

(v) any system of communications, whether internal or external, of the Garda Síochána, the Defence Forces, the Revenue Commissioners or a penal institution;

(f) protecting the life, safety or well-being of any person;

(g) preventing the facilitation of the commission of an offence;

(h) avoiding the prejudice or impairment of national security, defence or the international relations of the State;

(i) avoiding the obstruction or impairment of official or legal inquiries, investigations or procedures or the operation of legal privilege;

(j) the performance by the Commission of its functions.

(4) The rights of a data subject to which subsection (1) applies are:

(a) the right of the data subject under section 90 (1) in so far as relates to information specified in subsection (2)(f) of that section;

(b) the rights of the data subject under paragraphs (a) and (b) of section 91 (1);

(c) the right of the data subject to be notified—

(i) under section 92 (10) of the restriction of the processing of personal data under subsection (9) of that section, or

(ii) under section 92 (11) of a decision not to rectify or erase data pursuant to a request under subsection (1) or (3) of that section, as the case may be.

(5) Subject to subsection (6), where a controller restricts, pursuant to subsection (1), the exercise of the right of a data subject specified in paragraph (b) or (c) of subsection (4), the controller shall notify the data subject in writing of—

(a) the restriction of the exercise of the said right and the reasons for such restriction, and

(b) the right of the data subject—

(i) under section 95 to request the Commission to verify the lawfulness of the processing concerned, or

(ii) under section 128 to seek a judicial remedy in relation to the said restriction.

(6) Subsection (5) shall not apply where to notify the data subject in accordance with that subsection of the matters specified therein would be contrary to a purpose specified in subsection (2).

(7) Where a controller restricts, pursuant to subsection (1), the exercise of the right of a data subject specified in paragraph (b) or (c) of subsection (4), the controller shall—

(a) create and maintain a record in writing of the factual or legal basis for the decision to so restrict the right concerned, and

(b) make such a record available to the Commission, if so requested by the Commission.

(8) Regulations may be made specifying a category of processing to be a category of processing in respect of which the exercise of the rights specified in subsection (4) may, in accordance with subsection (2), be restricted under subsection (1).

(9) Regulations under subsection (8) may be made by—

(a) the Minister, following consultation with such other Minister of the Government as he or she considers appropriate and the Commission, or

(b) any other Minister of the Government, following consultation with the Minister, such other Minister of the Government as he or she considers appropriate and the Commission.

(10) The Minister of the Government making regulations under subsection (8) shall have regard to—

(a) the nature, scope and purposes of the category of processing concerned,

(b) whether, having regard to the matters referred to in paragraph (a), the restriction concerned is one to which subsection (2) would apply, and

(c) any risks arising for the rights and freedoms of data subjects.

(11) Regulations made under this section shall—

(a) respect the essence of the right to data protection and protect the interests of the data subject, and

(b) restrict the exercise of data subject rights only in so far as is necessary and proportionate to the aim sought to be achieved.

(12) For the purposes of this section, “penal institution” means—

(a) a place to which the Prisons Acts 1826 to 2015 apply, or

(b) a military prison or detention barrack within the meaning, in each case, of the Defence Act 1954.

Indirect exercise of rights and verification by Commission

95. (1) Where an individual—

(a) is aware, having been notified under section 94 (5), that the exercise of his or her rights have been restricted by a controller pursuant to section 94, or

(b) believes that the exercise of his or her rights have been so restricted and that he or she has not been notified of the said restriction by virtue of the operation of subsection (6) of that section,

the individual may make a request in writing to the Commission to verify whether the controller is processing personal data relating to him or her and if so, whether the processing is in compliance with this Part.

(2) Where the Commission receives a request under subsection (1), it may take such steps as appear to it to be appropriate, including the exercise of its powers under section 132.

(3) The Commission, having taken the steps referred to in subsection (2), shall inform the individual making the request under subsection (1)—

(a) that all necessary verifications or reviews have been carried out by the Commission, and

(b) of his or her right to seek a judicial remedy under section 128.

(4) Nothing in this section shall require the Commission to disclose to a data subject whether or not a controller has processed, or is processing, personal data relating to him or her.

Chapter 5

Transfers of personal data to third countries or international organisations

Transfer to third country or international organisation

96. (1) The transfer of personal data to a third country or an international organisation shall not take place, subject to section 100, unless—

(a) the transfer is necessary for a purpose specified in section 70 (1)(a),

(b) the personal data are to be transferred to a controller in a third country or an international organisation that is an authority competent for the purposes specified in section 70 (1)(a),

(c) where the personal data were transmitted or made available to the controller making the transfer from a controller in another Member State, subject to subsection (2), the controller in the other Member State or another relevant controller in that state has given its prior authorisation to the transfer,

(d) section 97, 98 or 99 applies, and

(e) the transfer is subject to a condition that a subsequent transfer to another third country or international organisation from the third country or international organisation to which the data are being transferred by the controller shall only occur where the controller authorises the subsequent transfer, having taken into due account all relevant factors, including—

(i) the seriousness of any criminal offence to which the data relate,

(ii) the purpose for which the data were originally transferred, and

(iii) the level of protection for personal data in the third country or the international organisation to which the data are to be transferred onwards.

(2) Subsection (1)(c) shall not apply where—

(a) the transfer of the personal data concerned is necessary for the prevention of an immediate and serious threat to—

(i) public security in a Member State or a third country, or

(ii) the essential interests of a Member State,

and

(b) an authorisation under the said subsection (1)(c) cannot be obtained in good time.

(3) Where subsection (2) applies and personal data are transferred to a third country or an international organisation without an authorisation from the controller in the other Member State that transmitted or made available the personal data, the controller making the transfer, or on whose behalf the transfer is being made, shall inform the controller in the other Member State of the transfer without delay.

(4) Without prejudice to the generality of section 71, a processor shall not transfer personal data to a third country or an international organisation, or to a recipient in a third country, under this Chapter unless explicitly instructed in writing to do so by the controller.

Adequacy decision

97. (1) Personal data may be transferred in accordance with section 96 (1), subject to subsection (2), to a third country or an international organisation where a decision has been taken by the European Commission under Article 36 of the Directive that the third country or the international organisation, as the case may be, ensures an adequate level of protection of personal data.

(2) Where the European Commission has taken a decision under Article 36 of the Directive that applies to a specified territory within a third country or a specified sector in a third country, personal data may be transferred under subsection (1) to a controller in the specified territory or sector only, as the case may be.

Transfer subject to appropriate safeguards

98. (1) Personal data may be transferred in accordance with section 96 (1) to a third country, a territory or sector thereof, or an international organisation, in respect of which a decision has not been taken by the European Commission under Article 36 of the Directive that the third country, territory or sector thereof, or the international organisation, as the case may be, ensures an adequate level of protection of personal data, where—

(a) there is a legally binding instrument that applies to the transfer and that ensures appropriate safeguards with regard to the processing of personal data, or

(b) the controller transferring the personal data, or on whose behalf the personal data are being transferred, has—

(i) assessed all the circumstances relating to the transfer, and

(ii) is satisfied that appropriate safeguards exist with regard to the protection of the personal data.

(2) Where personal data are transferred to a third country, a territory or sector thereof, or an international organisation pursuant to subsection (1)(b), the controller transferring the personal data, or on whose behalf the personal data are being transferred, shall—

(a) inform the Commission about each category of such transfers, and

(b) create and maintain a record in writing of each such transfer containing at least the following:

(i) details of the personal data transferred;

(ii) the date and time of the transfer;

(iii) information about the controller in the third country or the international organisation to which the data were transferred;

(iv) the reasons for the transfer.

(3) A controller shall make available a record created and maintained pursuant to subsection (2)(b) to the Commission for inspection upon a request in that regard by the Commission.

Derogations for specific situations

99. (1) Where section 97 or 98 does not apply in relation to a transfer of personal data to a third country or an international organisation, personal data may be transferred in accordance with section 96 (1) to the third country or the international organisation, where the transfer is necessary—

(a) to protect the vital interests of the data subject or another individual,

(b) to safeguard the legitimate interests of a data subject,

(c) for the prevention of an immediate and serious threat to public security in a Member State or a third country,

(d) subject to subsection (2), in an individual case, for a purpose specified in section 70 (1)(a), or

(e) subject to subsection (2), in an individual case, for the establishment, exercise or defence of legal claims relating to a purpose specified in section 70 (1)(a).

(2) Paragraphs (d) and (e) of subsection (1) shall not apply where the controller transferring the personal data, or on whose behalf the personal data are being transferred, is of the opinion that the rights and freedoms of the data subject override the public interest in the transfer concerned.

(3) Where personal data are transferred to a third country or an international organisation pursuant to subsection (1), the controller transferring the personal data, or on whose behalf the personal data are being transferred, shall create and maintain a record in writing of each such transfer containing at least the following:

(a) details of the personal data transferred;

(b) the date and the time of the transfer;

(c) information about the controller in the third country or the international organisation to which the data were transferred;

(d) the reasons for the transfer.

(4) A controller shall make available a record created and maintained pursuant to subsection (3) to the Commission for inspection upon a request in that regard by the Commission.

Transfer to recipient in third country

100. (1) Notwithstanding section 96 (1)(b) and the provisions of any relevant international agreement, a controller may, in an individual case, transfer personal data directly to a recipient located in a third country who is not a controller or organisation referred to in section 96 (1)(b) where the relevant provisions of this Part are complied with and each of the following conditions are fulfilled—

(a) the transfer is necessary for the performance of a function of the controller making the transfer under the law of the European Union or the law of the State for a purpose specified in section 70 (1)(a);

(b) the transfer is in the public interest;

(c) the controller is satisfied that the fundamental rights and freedoms of the data subject do not override the public interest necessitating the transfer in the particular instance;

(d) the controller is satisfied that the transfer of the data to an authority in the third country that is competent for the purposes specified in section 70 (1)(a) would be ineffective or inappropriate, having regard to the purpose for which the data are being transferred, in particular where the transfer could not be made to such an authority in time to achieve the purpose of the transfer.

(2) A controller, when transferring personal data to a recipient pursuant to subsection (1) shall—

(a) specify to the recipient the purpose for which the recipient may process the data, and

(b) inform the recipient that the data are to be processed by the recipient for the specified purpose only and then only to the extent that such processing is necessary for that purpose.

(3) Where a controller transfers personal data to a recipient pursuant to subsection (1), the controller shall—

(a) notify the relevant authority in the third country that is competent for the purpose for which the data are transferred of the transfer without undue delay, unless to do so would be ineffective or inappropriate, having regard to the purpose for which the data are being transferred,

(b) notify the Commission of the transfer, and

(c) create and maintain a record in writing of the transfer containing at least the following information:

(i) details of the personal data transferred;

(ii) the date and the time of the transfer;

(iii) the identity of the recipient;

(iv) the reason for which the data were transferred.

(4) A controller shall make available a record created and maintained pursuant to subsection (3)(c) to the Commission for inspection upon a request in that regard by the Commission.

(5) In this section—

“controller” means a controller that is a competent authority specified in paragraph (a) of the definition of “competent authority” in section 69;

“relevant international agreement” means an international agreement—

(a) to which the State and the third country in which the recipient is located are parties, and

(b) that relates to judicial cooperation in criminal matters or to police cooperation.

Chapter 6

Independent supervisory authority

Functions of Commission under Part 5

101. (1) Subject to subsection (2), the functions of the Commission under this Part shall be to—

(a) monitor and enforce application of this Part and regulations made under it,

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing,

(c) advise, on request by the body concerned, the Houses of the Oireachtas, Government and public authorities on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to processing,

(d) promote the awareness of controllers and processors of their obligations under this Part and the Directive,

(e) provide, on request by them, information to data subjects on the exercise of their rights under this Part and the Directive and, where appropriate, cooperate with the supervisory authorities of other Member States for that purpose,

(f) handle, in accordance with Part 6, complaints lodged by or on behalf of a data subject under Chapter 3 of that Part,

(g) examine the lawfulness of processing pursuant to section 95 and inform the data subject within a reasonable period of the outcome of the examination or of the reasons why the examination has not been carried out,

(h) cooperate with, and provide mutual assistance to, other supervisory authorities in accordance with section 103 and Chapter VII of the Directive with a view to ensuring consistent application and enforcement of the Directive,

(i) conduct, of its own volition or on the basis of information received from another supervisory authority or other public authority, investigations, in accordance with Part 6, on the application of this Part,

(j) monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies,

(k) provide advice to a controller or processor, as the case may be, pursuant to section 84, and

(l) contribute to the activities of the European Data Protection Board.

(2) The Commission shall not be competent for the supervision of data processing operations of the courts when acting in their judicial capacity.

(3) Subject to subsections (4) and (5), the Commission shall not charge a data subject or data protection officer a fee in respect of the performance by it of its functions under this section.

(4) Where a request referred to in Article 46(4) of the Directive is manifestly unfounded or excessive, the Commission may—

(a) charge the person who made the request a reasonable fee, based on its administrative costs, or

(b) refuse to act on the request.

(5) It shall be for the Commission to demonstrate that a request referred to in subsection (4) is manifestly unfounded or excessive.

(6) In this section, “excessive” includes, in particular, repetitive.

(7) For the purposes of this section, a request is repetitive where it is substantially the same as a request previously made by or on behalf of the same person and dealt with under this Part.

Power of the Commission to advise and issue opinions

102. The Commission shall have the power to issue opinions on matters related to the protection of personal data to—

(a) on its own initiative or on request by the body concerned, the Houses of the Oireachtas, Government, public authorities and bodies, and

(b) on its own initiative, the public.

Mutual assistance

103. (1) The Commission shall, for the purposes referred to in section 101 (1)(h)—

(a) in accordance with this Chapter, provide other supervisory authorities with mutual assistance, and

(b) put in place measures for effective cooperation with those authorities.

(2) The Commission, on receipt by it of a request of another supervisory authority (“requesting supervisory authority”) shall—

(a) without undue delay and no later than one month after receiving the request, take all appropriate measures required to reply to the request, and

(b) inform the requesting supervisory authority of the results of, or progress made in response to, the request.

(3) The measures referred to in subsection (2)(a) include the exercise by the Commission of its powers under Chapters 3, 4 and 5 of Part 6.

(4) (a) The Commission shall not refuse to comply with a request unless—

(i) it is not responsible under the Directive for the subject matter of the request or for the measures it is requested to carry out, or

(ii) compliance with the request would infringe the law of the State or European Union.

(b) The Commission shall provide the requesting supervisory authority concerned with the reasons for its refusal under paragraph (a) to comply with a request.

(5) The Commission, where providing information to a requesting supervisory authority in response to a request, shall, insofar as practicable, and in accordance with any implementing acts to which Article 50(8) of the Directive apply, do so—

(a) by electronic means, and

(b) using a standardised format, if any.

(6) Without prejudice to subsection (7), the Commission shall not charge a fee for any action taken in response to a request for mutual assistance.

(7) The Commission may enter into an agreement with other supervisory authorities on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

(8) In this section and section 104—

“mutual assistance” includes—

(a) responding to requests for information, and

(b) undertaking supervisory measures, such as the carrying out of inspections or investigations under Part 6 or consultations;

“request” means a request for mutual assistance referred to in Article 50 of the Directive.

Requests by Commission for mutual assistance

104. (1) A request by the Commission to another supervisory authority shall contain all the information necessary for the purpose of the request, which shall include the purpose of and reasons for the request.

(2) The Commission shall use information received by it from another supervisory authority in response to a request only for the purpose for which it was requested.

PART 6

Enforcement of Data Protection Regulation and Directive

Chapter 1

Preliminary

Interpretation (Part 6)

105. (1) In this Part—

“complaint” means a complaint within the meaning of Chapter 2 or 3;

“investigation” means an investigation under Chapter 5;

“investigation report” has the meaning assigned to it by section 139;

“relevant enactment” means—

(a) the Data Protection Regulation, or

(b) a provision of this Act, or a regulation under this Act, that gives further effect to the Data Protection Regulation;

“relevant provision” means a provision of this Act, or a regulation under this Act, that gives effect to the Directive.

(2) A reference in this Part (other than in Chapter 2) to a controller or a processor includes a reference to a controller or a processor, as the case may be, within the meaning of Part 5.

(3) Where a person is a controller by virtue of his or her being the subject of a designation under subsection (1) or (2) of section 3—

(a) a reference in sections 117, 128 and 135 (10) to a controller shall be deemed to be a reference to the appropriate authority that, or the Minister who, made the designation, and not to the person, and

(b) a reference in sections 132 (6) and 133 (10) to a controller shall be deemed not to include a reference to the person.

(4) A reference in this Part to information obtained in an inquiry (within the meaning of section 110 or 123) shall be construed as including, where applicable—

(a) an investigation report prepared in the course of the inquiry, and any submissions annexed to the report, and

(b) any additional information obtained, in the course of the inquiry, by the Commission under section 140 (2).

Service of documents (Part 6)

106. (1) Subject to section 116 (4)(a), a notice or other document that is required to be served on or given to a person under this Part shall be addressed to the person concerned by name and shall be so served on or given to the person in one of the following ways:

(a) by delivering it to the person;

(b) by leaving it at the address at which the person ordinarily resides or carries on business or, in a case in which an address for service has been furnished, at that address;

(c) by sending it by post in a prepaid registered letter or by any other form of recorded delivery service to the address referred to in paragraph (b); or

(d) by electronic means, in a case in which the person has given notice in writing to the person serving or giving the notice or document concerned of his or her consent to the notice or document (or notices or documents of a class to which the notice or document belongs) being served on, or given to, him or her in that manner.

(2) For the purposes of this section, a company within the meaning of the Act of 2014 is deemed to be ordinarily resident at its registered office, and every other body corporate and every unincorporated body of persons shall be deemed to be ordinarily resident at its principal office or place of business.

Chapter 2

Enforcement of Data Protection Regulation

Interpretation (Chapter 2)

107. In this Chapter—

“complainant” means a data subject who lodges a complaint or, as the case may be, a not-for-profit body, organisation or association that, in accordance with Article 80(1), lodges a complaint on behalf of a data subject;

“complaint” means a complaint lodged pursuant to Article 77(1) or in accordance with Article 80(1), and shall be deemed to include a complaint so lodged by or on behalf of a data subject where—

(a) the data subject considers that the processing of personal data relating to him or her infringes a relevant enactment, and

(b) the Commission is the competent supervisory authority in respect of the complaint;

“corrective power” means a power conferred by Article 58(2) of the Data Protection Regulation;

“infringement” means an infringement of a relevant enactment;

“inquiry” means an inquiry referred to in section 110 (1).

Complaints under Chapter 2: General

108. (1) Where a complaint is lodged with the Commission, the Commission shall, as soon as practicable, give the complainant concerned a notice in writing acknowledging the lodging of the complaint, and informing the complainant of—

(a) where the Commission is the competent supervisory authority in respect of the complaint, the complainant’s right under section 150 (5) and (7), and

(b) where a supervisory authority other than the Commission is the competent supervisory authority in respect of the complaint, the complainant’s right to a judicial remedy against that competent supervisory authority where it does not—

(i) handle the complaint, or

(ii) inform the complainant within 3 months from the date on which the complaint is received by that authority on the progress or outcome of the complaint.

(2) Where the Commission is the competent supervisory authority in respect of a complaint, it shall—

(a) handle the complaint in accordance with this Part, and

(b) inform the complainant, within 3 months from the date on which the complaint is received by the Commission, on the progress or outcome of the complaint.

(3) For the purposes of subsection (2)(b), the Commission shall be taken to have informed a complainant of the outcome of the complaint concerned where it gives the complainant a notice under section 109 (6) or, as the case may be, section 116.

Commission to handle complaint under Chapter 2

109. (1) For the purposes of section 108 (2)(a), the Commission shall examine the complaint and shall, in accordance with this section, take such action in respect of it as the Commission, having regard to the nature and circumstances of the complaint, considers appropriate.

(2) The Commission, where it considers that there is a reasonable likelihood of the parties concerned reaching, within a reasonable time, an amicable resolution of the subject matter of the complaint, may take such steps as it considers appropriate to arrange or facilitate such an amicable resolution.

(3) Where the parties concerned reach an amicable resolution of the subject matter of the complaint, the complaint shall, from the date on which the amicable resolution is reached, be deemed to have been withdrawn by the complainant concerned.

(4) Where the Commission considers that an amicable resolution cannot be reached by the parties within a reasonable time, it shall proceed—

(a) in the case of a complaint to which section 113 applies, to comply with section 113 (2), or

(b) in the case of any other complaint, to take an action specified in subsection (5).

(5) The actions referred to in subsection (4)(b) include one or more than one of the following:

(a) rejection of the complaint;

(b) dismissal of the complaint;

(c) provision to the complainant of advice in relation to the subject matter of the complaint;

(d) serving on the controller or processor concerned of an enforcement notice, requiring it to do one or more than one of the following:

(i) comply with the data subject’s request to exercise his or her rights pursuant to a relevant enactment;

(ii) where the enforcement notice is given to the controller, communicate a personal data breach to the data subject;

(iii) rectify or erase personal data or restrict processing pursuant to Article 16, 17 or 18, and, in respect of that action, to comply with Article 19 and, where applicable, Article 17(2);

(e) causing of such inquiry as the Commission thinks fit to be conducted in respect of the complaint;

(f) taking of such other action in respect of the complaint as the Commission considers appropriate.

(6) The Commission shall, as soon as practicable after taking an action referred to in subsection (5) (other than paragraph (e) of that subsection), give the complainant a notice in writing informing the complainant of the action taken.

Commission may conduct inquiry into suspected infringement of relevant enactment

110. (1) The Commission, whether for the purpose of section 109 (5)(e), section 113 (2), or of its own volition, may, in order to ascertain whether an infringement has occurred or is occurring, cause such inquiry as it thinks fit to be conducted for that purpose.

(2) The Commission may, for the purposes of subsection (1), where it considers it appropriate to do so, in particular do either or both of the following:

(a) cause any of its powers under Chapter 4 (other than section 135) to be exercised;

(b) cause an investigation under Chapter 5 to be carried out.

Decision of Commission where inquiry under Chapter 2 conducted of own volition

111. (1) Where an inquiry has been conducted of the Commission’s own volition, the Commission, having considered the information obtained in the inquiry, shall—

(a) if satisfied that an infringement by the controller or processor to which the inquiry relates has occurred or is occurring, make a decision to that effect, and

(b) if not so satisfied, make a decision to that effect.

(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition, make a decision—

(a) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(b) where it decides to so exercise a corrective power, the corrective power that is to be exercised.

(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall exercise the corrective power concerned.

Decision of Commission where inquiry conducted in respect of complaint to which Article 55 or 56(5) applies

112. (1) Where an inquiry has been conducted in respect of a complaint in respect of which the Commission is the competent supervisory authority under Article 55 or 56(5), the Commission, having considered the information obtained in the examination, may—

(a) if satisfied that an infringement by the controller or processor to which the complaint relates has occurred or is occurring, make a decision to that effect, or

(b) if not so satisfied, make a decision to dismiss the complaint.

(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition, make a decision—

(a) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(b) where it decides to so exercise a corrective power, the corrective power that is to be exercised.

(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall exercise the corrective power concerned.

Complaint to which Article 60 applies

113. (1) This section applies to a complaint in respect of which the Commission is the lead supervisory authority.

(2) Where section 109 (4)(a) applies, the Commission shall—

(a) in accordance with subsection (3), make a draft decision in respect of the complaint (or, as the case may be, part of the complaint) and, where applicable, as to the envisaged action to be taken in relation to the controller or processor concerned, and

(b) in accordance with Article 60 and, where appropriate, Article 65, adopt its decision in respect of the complaint or, as the case may be, part of the complaint.

(3) In making a draft decision under subsection (2)(a), the Commission shall, where applicable, have regard to—

(a) the information obtained by the Commission in its examination of the complaint, including, where an inquiry has been conducted in respect of the complaint, the information obtained in the inquiry, and

(b) any draft for a decision that is submitted to the Commission by a supervisory authority in accordance with Article 56(4).

(4) Where the Commission adopts a decision under subsection (2)(b) to the effect that an infringement by the controller or processor concerned has occurred or is occurring, it shall, in addition, make a decision—

(a) where an inquiry has been conducted in respect of the complaint—

(i) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(ii) where it decides to so exercise a corrective power, the corrective power that is to be exercised,

or

(b) where an inquiry has not been conducted in respect of the complaint—

(i) as to whether an action specified in subsection (6) should be taken in respect of the controller or processor concerned, and

(ii) where it decides to take such an action, the action that is to be taken.

(5) The Commission, in making its decision under subsection (4), shall have due regard to the decision as to the envisaged action to be taken in relation to the controller or processor included in the Commission’s draft decision under subsection (2)(a) or, as the case may be, its revised draft decision under Article 60.

(6) The actions referred to in subsection (4)(b) include either or both of the following:

(a) the serving on the controller or processor concerned of an enforcement notice, requiring it to do one or more than one of the following:

(i) comply with the data subject’s request to exercise his or her rights pursuant to a relevant enactment;

(ii) where the enforcement notice is given to the controller, communicate a personal data breach to the data subject;

(iii) rectify or erase personal data or restrict processing pursuant to Article 16, 17 or 18, and, in respect of that action, to comply with Article 19 and, where applicable, Article 17(2);

(b) the taking of such other action in respect of the complaint as the Commission considers appropriate.

(7) The Commission—

(a) where it makes a decision referred to in subsection (4)(a)(ii), shall exercise the corrective power concerned, and

(b) where it makes a decision referred to in subsection (4)(b)(ii), shall take the action concerned.

Commission to adopt decision in certain circumstances

114. Where—

(a) a complaint is lodged with the Commission, or a complaint is lodged with another supervisory authority and the Commission is the supervisory authority in respect of the complainant concerned,

(b) another supervisory authority is the lead supervisory authority in respect of the complaint, and

(c) a decision is made, in accordance with Article 60, to dismiss or reject the complaint or, where Article 60(9) applies, part of the complaint,

the Commission shall adopt the decision referred to in paragraph (c) in respect of the complaint or, as the case may be, part of the complaint.

Exercise by Commission of corrective power

115. (1) For the purposes of exercising a corrective power under section 111, 112 or 113, the Commission may do either or both of the following:

(a) subject to Chapter 6, decide to impose an administrative fine on the controller or processor concerned;

(b) exercise any other corrective power specified in Article 58(2).

(2) Without prejudice to the generality of subsection (1)(b), the Commission may, for the purposes of exercising a power referred to in that provision, serve on the controller or processor concerned an enforcement notice requiring it to take such steps as the Commission considers necessary for those purposes.

Notification of decision of Commission under Chapter 2

116. (1) The Commission shall—

(a) as soon as practicable after it makes a decision under section 111 or 112, give the controller or processor concerned a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has decided to exercise in respect of the controller or processor,

and

(b) in the case of a decision under section 112, and as soon as practicable after the giving of the notice under paragraph (a), give the complainant concerned a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has decided to exercise in respect of the controller or processor.

(2) Subject to subsection (4), the Commission shall—

(a) as soon as practicable after it adopts a decision under section 113 (2)(b), give the controller or processor concerned a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has decided to exercise or, as the case may be, the action that it has decided to take, in respect of the controller or processor,

and

(b) in the case of a complaint lodged with the Commission, and as soon as practicable after the giving of the notice under paragraph (a), give the complainant concerned a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has decided to exercise or, as the case may be, the action that it has decided to take, in respect of the controller or processor.

(3) The Commission shall, as soon as practicable after it adopts a decision under section 114, give—

(a) the complainant concerned, and

(b) the controller or processor concerned,

a notice in writing informing them of the rejection or dismissal of the complaint or, as the case may be, the part of the complaint.

(4) Where the Commission is the lead supervisory authority in relation to a complaint to which Article 60(9) applies, the Commission shall, as soon as practicable after it adopts its decision under Article 60(9)—

(a) give the controller or processor concerned, at its main establishment or single establishment, a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has decided to exercise or, as the case may be, the action that it has decided to take in respect of the controller or processor,

and

(b) give the complainant concerned a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has decided to exercise or, as the case may be, the action that it has decided to take in respect of the controller or processor.

Judicial remedy for infringement of relevant enactment

117. (1) Subject to subsection (9), and without prejudice to any other remedy available to him or her, including his or her right to lodge a complaint, a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action (in this section referred to as a “data protection action”) against the controller or processor concerned.

(2) A data protection action shall be deemed, for the purposes of every enactment and rule of law, to be an action founded on tort.

(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High Court, have jurisdiction to hear and determine data protection actions.

(4) The court hearing a data protection action shall have the power to grant to the plaintiff one or more than one of the following reliefs:

(a) relief by way of injunction or declaration; or

(b) compensation for damage suffered by the plaintiff as a result of the infringement of a relevant enactment.

(5) The compensation recoverable in a data protection action in the Circuit Court shall not exceed the amount standing prescribed, for the time being by law, as the limit of that court’s jurisdiction in tort.

(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by the judge of any circuit in which—

(a) the controller or processor against whom the data protection action is taken has an establishment, or

(b) the data subject has his or her habitual residence.

(7) A data protection action may be brought on behalf of a data subject by a not-for-profit body, organisation or association to which Article 80(1) applies that has been mandated by the data subject to do so.

(8) The court hearing a data protection action brought by a not-for-profit body, organisation or association under subsection (7) shall have the power to grant to the data subject on whose behalf the action is being brought one or more of the following reliefs:

(a) relief by way of injunction or declaration; or

(b) compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment.

(9) A data subject may not bring a data protection action against a controller or processor that is a public authority of another Member State acting in the exercise of its public powers.

(10) In this section—

“damage” includes material and non-material damage;

“injunction” means—

(a) an interim injunction,

(b) an interlocutory injunction, or

(c) an injunction of indefinite duration.

Chapter 3

Enforcement of Directive

Interpretation (Chapter 3)

118. In this Chapter—

“competent supervisory authority” shall be construed in accordance with the Directive;

“complainant” means a data subject who or, as the case may be, a body mandated in accordance with section 120 that, lodges a complaint;

“complaint” means a complaint lodged in accordance with section 119;

“controller” and “processor” have the meanings they have in Part 5;

“corrective power” means a power conferred on the Commission by section 127;

“inquiry” means an inquiry referred to in section 123;

“infringement” means an infringement of a relevant provision.

Data subject may lodge complaint with Commission

119. (1) Without prejudice to any other remedy available to him or her, and subject to section 120, a data subject who considers that processing of his or her personal data infringes a relevant provision, or provisions adopted by another Member State giving effect to a right to the data subject under the Directive, may lodge a complaint with the Commission.

(2) (a) Without prejudice to the right of a data subject under subsection (1), the Commission may specify the form of a complaint lodged under that subsection.

(b) When specifying a form under paragraph (a), the Commission shall, without excluding other means of communication, ensure that the form is capable of being completed electronically.

(3) The Commission, where it is not the competent supervisory authority in respect of a complaint lodged with it under subsection (1), shall—

(a) without undue delay, transmit the complaint to the competent supervisory authority, and

(b) inform the data subject of the transmission of the complaint.

(4) Where a complaint is transmitted to the Commission in accordance with the law of a Member State giving effect to Article 52(2) of the Directive, the complaint shall, for the purposes of this Part, be deemed to be a complaint lodged, on the date on which the complaint is received by the Commission, with the Commission in accordance with subsection (1).

Representation of data subjects

120. (1) A data subject may mandate a body, organisation or association to which subsection (2) applies to do either or both of the following on his or her behalf:

(a) lodge a complaint under section 119;

(b) exercise the rights referred to in section 128 and section 150.

(2) This subsection applies to a body, organisation or association—

(a) that provides its services on a not-for-profit basis,

(b) that has been properly constituted in accordance with the law of the State or another Member State,

(c) whose objectives, as specified in the documents establishing the body, organisation or association concerned, are in the public interest, and

(d) that is active with regard to the protection of data subject rights and freedoms, including protection of their personal data.

(3) Where the Commission or a court, in performing its functions under this Act, has reasonable doubts as to whether a particular body, organisation or association is one to which subsection (2) applies, it may request the provision by the body, organisation or association concerned of such additional information as is necessary in order to confirm that it is such a body, organisation or association.

Complaints under Chapter 3: General

121. (1) Where a complaint is lodged, or deemed to be lodged, with the Commission under section 119 (1), and section 119 (3) does not apply to the complaint, the Commission shall as soon as practicable give the complainant concerned a notice—

(a) acknowledging the lodging of the complaint or, as the case may be, its receipt by the Commission referred to in section 119 (4), and

(b) informing the complainant of the complainant’s rights under section 128.

(2) Where subsection (1) applies, the Commission shall—

(a) handle the complaint in accordance with this Part, and

(b) inform the complainant within 3 months from the date on which the complaint is lodged, of the progress or outcome of the complaint.

(3) For the purposes of subsection (2)(b), the Commission shall be taken to have informed a complainant of the outcome of the complaint concerned where it gives the complainant a notice under section 122 (5) or, as the case may be, section 126.

Commission to handle complaint under Chapter 3

122. (1) For the purposes of section 121 (2)(a), the Commission shall examine the complaint and shall, in accordance with this section, take such action in respect of it as the Commission, having regard to the nature and circumstances of the complaint, considers appropriate.

(2) The Commission, where it considers that there is a reasonable likelihood of the parties concerned reaching, within a reasonable time, an amicable resolution of the subject matter of the complaint, may take such steps as it considers appropriate to arrange or facilitate such an amicable resolution.

(3) Where the parties concerned reach an amicable resolution of the subject matter of the complaint, the complaint shall, from the date on which the amicable resolution is reached, be deemed to have been withdrawn by the complainant concerned.

(4) Where the Commission considers that an amicable resolution cannot be reached by the parties within a reasonable time, it shall proceed to take one or more than one of the following actions:

(a) rejection of the complaint;

(b) dismissal of the complaint;

(c) provision to the complainant of advice in relation to the subject matter of the complaint;

(d) serving on the controller or processor concerned of an enforcement notice, requiring it to do one or more than one of the following:

(i) comply with the data subject’s request to exercise his or her rights under a relevant provision;

(ii) bring processing into compliance with a relevant provision, in a specified manner and within a specified period;

(iii) where the enforcement notice is given to the controller, communicate a personal data breach to data subjects;

(e) causing of such inquiry as the Commission thinks fit to be conducted in respect of the complaint;

(f) taking of such other action in respect of the complaint as the Commission considers appropriate.

(5) The Commission shall, as soon as practicable after taking an action referred to in subsection (4) (other than paragraph (e) of that subsection), give the complainant a notice in writing informing the complainant of the action taken.

Commission may conduct inquiry into suspected infringements of relevant provision

123. (1) The Commission, whether for the purpose of section 122 (4)(e) or of its own volition, may, in order to ascertain whether an infringement has occurred or is occurring, cause such inquiry as it thinks fit to be conducted for that purpose.

(2) The Commission may, for the purposes of subsection (1), where it considers it appropriate to do so, in particular do either or both of the following:

(a) cause any of its powers under Chapter 4 (other than sections 134 and 135) to be exercised;

(b) cause an investigation under Chapter 5 to be carried out.

Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition

124. (1) Where an inquiry has been conducted of the Commission’s own volition, the Commission, having considered the information obtained in the inquiry, shall—

(a) if satisfied that an infringement by the controller or processor to which the inquiry relates has occurred or is occurring, make a decision to that effect, or

(b) if not so satisfied, make a decision to that effect.

(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition, make a decision—

(a) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(b) where it decides to so exercise a corrective power, the corrective power that is to be exercised.

(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall exercise the corrective power concerned.

Decision of Commission where inquiry conducted in respect of complaint under Chapter 3

125. (1) Where an inquiry has been conducted in respect of a complaint, the Commission, having considered the information obtained in the inquiry, may—

(a) if satisfied that an infringement by the controller or processor to which the complaint relates has occurred or is occurring, make a decision to that effect, or

(b) if not so satisfied, make a decision to dismiss the complaint.

(2) Where the Commission makes a decision under subsection (1)(a), it shall, in addition, make a decision—

(a) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(b) where it decides to so exercise a corrective power, the corrective power that is to be exercised.

(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall exercise the corrective power concerned.

Notification of decision of Commission under Chapter 3

126. The Commission shall—

(a) as soon as practicable after the decision under section 124 or 125 is made by it, give the controller or processor concerned a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has exercised in respect of the controller or processor,

and

(b) in the case of a decision under section 125, give, as soon as practicable after the notice under paragraph (a) is given, the complainant a notice in writing setting out—

(i) the decision and the reasons for it, and

(ii) where applicable, the corrective power that the Commission has exercised in respect of the controller or processor.

Corrective powers of Commission (Chapter 3)

127. (1) The Commission may, for the purposes of sections 124 (3) and 125 (3), do one or more than one of the following:

(a) issue a warning to the controller or processor that intended data processing is likely to infringe a relevant provision;

(b) issue a reprimand to the controller or processor where data processing by the controller or processor has infringed a relevant provision;

(c) order the controller or processor to comply with a data subject’s request to exercise his or her rights under a relevant provision;

(d) order the controller or processor to bring processing into compliance with a relevant provision, in a specified manner and within a specified period;

(e) order the controller to communicate a personal data breach to data subjects;

(f) impose a temporary or definitive limitation, including a ban on processing;

(g) impose a restriction on processing by the controller or processor;

(h) order the suspension of data transfers to a recipient in a third country or to an international organisation.

(2) Without prejudice to the generality of sections 124 (2)(b) and 125 (2)(b), the Commission may, for the purposes of exercising a power specified in subsection (1), serve on the controller or processor concerned an enforcement notice requiring it to take such steps as the Commission considers necessary for those purposes.

Judicial remedy for infringement of relevant provision

128. (1) Subject to subsection (8), and without prejudice to any other remedy available to him or her, including his or her right under section 119 to lodge a complaint, a data subject may, where he or she considers that his or her rights under a relevant provision have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant provision, bring an action (in this section referred to as a “data protection action”) against the controller or processor concerned.

(2) A data protection action shall be deemed, for the purposes of every enactment and rule of law, to be an action founded on tort.

(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High Court, have jurisdiction to hear and determine data protection actions.

(4) The court hearing a data protection action shall have the power to grant to the plaintiff one or more than one of the following reliefs:

(a) relief by way of injunction or declaration; or

(b) compensation for damage suffered by the plaintiff as a result of the infringement of a relevant provision.

(5) The compensation recoverable in a data protection action in the Circuit Court shall not exceed the amount standing prescribed, for the time being by law, as the limit of that court’s jurisdiction in tort.

(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by the judge of any circuit in which—

(a) the controller or processor against whom the data protection action is taken has an establishment, or

(b) the data subject has his or her habitual residence.

(7) The court hearing a data protection action that has been brought, in accordance with section 120 (1)(b), on behalf of a data subject by a body, organisation or association to which subsection (2) of that section applies shall have the power to grant to the data subject on whose behalf the action is being brought one or more of the following reliefs:

(a) relief by way of injunction or declaration; or

(b) compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment.

(8) A data subject may not bring a data protection action against a controller or processor that is a public authority of another Member State acting in the exercise of its public powers.

(9) In this section—

“damage” includes material and non-material damage;

“injunction” means—

(a) an interim injunction,

(b) an interlocutory injunction, or

(c) an injunction of indefinite duration.

Chapter 4

Inspection, Audit and Enforcement

Authorised officers

129. (1) The Commission may appoint such and so many members of its staff, and such and so many other suitably qualified persons, as it considers appropriate to be authorised officers for the purposes of this Act.

(2) A person appointed under subsection (1) shall, on his or her appointment, be furnished by the Commission with a certificate of his or her appointment and, when exercising a power conferred by this Act shall, on request by any person thereby affected, produce such certificate together with a form of personal identification to that person for inspection.

(3) A person who, immediately before the commencement of this section, was an authorised officer under section 24 of the Act of 1988 shall—

(a) for the unexpired period of his or her term of appointment under that section, and

(b) subject to the same terms and conditions as applied to that appointment,

be deemed to be an authorised officer appointed under subsection (1), and accordingly paragraph (a) of subsection (4) shall apply in respect of that authorised officer.

(4) An appointment shall cease—

(a) if the Commission revokes, in writing, the appointment,

(b) in the case of a person who at the time of his or her appointment was a member of staff of the Commission, upon the person ceasing to be such a member of staff, or

(c) in the case of an appointment for a fixed period, upon the expiry of that period.

(5) In this section, “suitably qualified person” means a person other than a member of staff of the Commission who, in the opinion of the Commission, has the expertise and experience necessary to perform the functions conferred on an authorised officer by this Act.

Powers of authorised officers

130. (1) For the purposes of this Act, a relevant enactment or a relevant provision, an authorised officer may—

(a) subject to subsection (6), enter, at any reasonable time, any place—

(i) where any activity connected with the processing of personal data takes place,

(ii) where the authorised officer has reasonable grounds for believing any activity connected with the processing of personal data takes place, or

(iii) at which the authorised officer has reasonable grounds for believing documents, records, statements or other information relating to the processing of personal data is being kept,

(b) search and inspect the place and any documents, records, statements or other information found there,

(c) require any person at the place, being a controller or processor, or an employee or agent of either of them, to produce to him or her any documents or records relating to the processing of personal data which are in that person’s power or control and, in the case of information in a non-legible form, to reproduce it in a legible form, and to give to the authorised officer such information as he or she may reasonably require in relation to any entries in such documents or records,

(d) secure for later inspection—

(i) any documents or records so provided or found and any data equipment, including any computer, in which those records may be held, or

(ii) any such place, or part thereof, in which—

(I) documents, records, statements or data equipment are kept, or

(II) there are reasonable grounds for believing that such documents, records, statements or data equipment are kept,

for such period as the authorised officer may reasonably consider necessary for the purposes of the performance of his or her functions or the functions of the Commission under this Act, a relevant enactment or a relevant provision,

(e) inspect and take extracts from or make copies of any such documents or records (including, in the case of information in a non-legible form, a copy of or extract from such information in a permanent legible form),

(f) remove and retain such documents or records for such period as the authorised officer reasonably considers necessary for the purposes of the performance of his or her functions or the functions of the Commission under this Act, a relevant enactment or a relevant provision, or require any person referred to in paragraph (c) to retain and maintain such documents or records for such period of time, as the authorised officer reasonably considers necessary for those purposes,

(g) if a person who is required under paragraph (c) to provide a particular record is unable to provide it, require the person to state, to the best of that person’s knowledge and belief, where the record is located or from whom it may be obtained, and

(h) require any person referred to in paragraph (c) to give to the authorised officer any information relating to the processing of personal data that the officer may reasonably require for the purposes of the performance of his or her functions or the functions of the Commission under this Act, a relevant enactment or a relevant provision and to afford the officer all reasonable assistance in relation thereto.

(2) An authorised officer may, in the performance of his or her functions under this Act, a relevant enactment or a relevant provision—

(a) operate any data equipment, including any computer, or cause any such data equipment or computer to be operated by a person accompanying the authorised officer, and

(b) require any person who appears to the authorised officer to be in a position to facilitate access to the documents or records stored in any data equipment or computer or which can be accessed by the use of that data equipment or computer to give the authorised officer all reasonable assistance in relation to the operation of the data equipment or computer or access to the records stored in it, including by—

(i) providing the documents or records to the authorised officer in a form in which they can be taken and in which they are, or can be made, legible and comprehensible,

(ii) giving to the authorised officer any password necessary to make the documents or records concerned legible and comprehensible, or

(iii) otherwise enabling the authorised officer to examine the documents or records in a form in which they are legible and comprehensible.

(3) When performing a function under this Act, a relevant enactment or a relevant provision, an authorised officer may, subject to any warrant under section 131, be accompanied by such and so many other authorised officers or members of the Garda Síochána as he or she considers appropriate.

(4) An authorised officer may require a person to provide him or her with his or her name and address where the authorised officer has reasonable grounds for requiring such information for the purpose of applying for a warrant under section 131.

(5) Where an authorised officer in the performance of his or her functions or the functions of the Commission under this Act, a relevant enactment or a relevant provision is prevented from entering any place, he or she may make an application under section 131 for a warrant to authorise such entry.

(6) An authorised officer shall not enter a dwelling, other than—

(a) with the consent of the occupier, or

(b) in accordance with a warrant under section 131.

(7) A person shall be guilty of an offence if he or she—

(a) obstructs, impedes or assaults an authorised officer in the performance of his or her functions under this Act, a relevant enactment or a relevant provision,

(b) fails or refuses to comply with a requirement of an authorised officer under this section,

(c) alters, suppresses or destroys any documents, records, statements or other information which the person concerned has been required by an authorised officer to produce, or may reasonably expect to be so required to produce,

(d) in purported compliance with a requirement under this section, gives to an authorised officer information, documents or records which the person knows to be false or misleading in a material respect,

(e) falsely represents himself or herself to be an authorised officer, or

(f) procures or attempts to procure any action referred to in paragraphs (a) to (e).

(8) A person guilty of an offence under subsection (7) shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.

(9) A statement or admission made by a person pursuant to a requirement under subsection (1) or (2) shall not be admissible in evidence in proceedings for an offence (other than an offence under paragraph (b) of subsection (7)) brought against the person.

(10) In this section and section 131, “place” includes—

(a) a dwelling or a part thereof,

(b) a building or a part thereof,

(c) any other premises or part thereof, and

(d) a vehicle, vessel, aircraft or any other means of transport.

Search warrants

131. (1) If a judge of the District Court is satisfied on the sworn information of an authorised officer that there are reasonable grounds for suspecting that information required by an authorised officer for the purpose of performing his or her functions under this Part is held at any place, the judge may issue a warrant authorising him or her, accompanied if the officer considers it necessary by such other person or a member of the Garda Síochána, at any time or times from the date of issue of the warrant, on production, if so required, of the warrant, to enter, if need be by reasonable force, the place and exercise all or any of the powers conferred on an authorised officer under section 130.

(2) The period of validity of a warrant shall be 28 days from its date of issue, but that period of validity may be extended in accordance with subsections (3) and (4).

(3) The authorised officer may, during the period of validity of a warrant (including such period as previously extended under subsection (4)), apply to a judge of the District Court for an order extending the period of validity of the warrant and such an application shall be grounded upon information on oath laid by the authorised officer stating, by reference to the purpose or purposes for which the warrant was issued, the reasons why the authorised officer considers the extension to be necessary.

(4) If, on the making of an application under subsection (3), the judge of the District Court is satisfied that there are reasonable grounds for believing, having regard to that information so laid, that further time is needed so that the purpose or purposes for which the warrant was issued can be fulfilled, the judge may make an order extending the period of validity of the warrant by such period as, in the opinion of the judge, is appropriate and just; and where such an order is made, the judge shall cause the warrant to be suitably endorsed to indicate its extended period of validity.

(5) Nothing in subsections (1) to (4) prevents a judge of the District Court from issuing, on the making of a new application under subsection (1), a further search warrant under this section in relation to the same place.

Information notice

132. (1) The Commission or an authorised officer may, by notice in writing (referred to in this Act as an “information notice”) served on a controller or processor, require the controller or processor to furnish, in writing, within such period as may be specified in the notice and, if applicable, in the format or manner specified in the notice, such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commission of its, or by the authorised officer of his or her, functions under this Part.

(2) Subject to subsection (3)—

(a) an information notice shall include a statement informing the controller or processor concerned of his entitlement under section 150(1) to appeal against the requirement specified in the notice,

(b) the period, referred to in subsection (1), specified in an information notice shall not be less than 28 days from the date on which the notice is served, and

(c) if an appeal is brought under section 150(1) against a requirement specified in an information notice, the requirement need not be complied with and subsection (6) shall not apply in relation to the requirement, pending the determination or withdrawal of the appeal.

(3) Where the Commission or authorised officer—

(a) by reason of special circumstances, is of the opinion that a requirement specified in an information notice should be complied with urgently, and

(b) includes a statement to that effect in the information notice,

subsection (2) shall not apply in relation to the notice, but the notice—

(i) shall include a statement of the effect of subsections (3) and (4) of section 150, and

(ii) shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.

(4) (a) Nothing in this section shall be taken to compel a controller or processor, in complying with an information notice, to furnish information that would be exempt from production in proceedings in a court on the ground of legal professional privilege.

(b) A document furnished in compliance with an information notice shall not be admissible in evidence in proceedings for an offence (other than an offence under this section) brought against any person who furnishes or concurs in the furnishing of the document.

(5) The controller or processor concerned shall inform the Commission of any documents, records, statements or other information withheld by it under subsection (4)(a).

(6) A controller or processor that without reasonable excuse fails to comply with a requirement specified in an information notice or that, in purported compliance with such a requirement, gives to the Commission or an authorised officer information which the controller or processor knows to be false or misleading in a material respect, shall be guilty of an offence and shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.

(7) (a) An information notice may be cancelled—

(i) where it has been issued by the Commission, by the Commission, and

(ii) where it has been issued by an authorised officer, by the Commission or that authorised officer.

(b) A person who cancels an information notice under paragraph (a) shall notify in writing the controller or processor on which the notice was served.

Enforcement notice

133. (1) In this Part, “enforcement notice” means a notice in writing served in accordance with subsection (2), subsection (3) or section 109(5)(d), 115(2), 122(4)(d) or 127(2), on a controller or processor, requiring the controller or processor to take such steps as are specified in the notice, within such time as may be so specified.

(2) Notwithstanding anything contained in Chapter 2, the Commission or an authorised officer, where of the opinion that a controller or processor has contravened or is contravening a relevant enactment, may serve on the controller or processor an enforcement notice requiring the controller or processor to take one or more than one of the steps specified in section 109(5)(d).

(3) Notwithstanding anything contained in Chapter 3, the Commission or an authorised officer, where of the opinion that a controller or processor has contravened or is contravening a relevant provision, may serve on the controller or processor an enforcement notice requiring the controller or processor to take one or more than one of the steps specified in section 122(4)(d).

(4) An enforcement notice shall include a statement informing the controller or processor concerned of its entitlement under section 150(1) to appeal against a requirement specified in the notice.

(5) Where an enforcement notice is served under section 109(5)(d), 122(4)(d), subsection (2) or subsection (3)—

(a) the notice shall specify the relevant enactment or relevant provision, as applicable, that in the opinion of the Commission or, where applicable, authorised officer, has been or is being contravened and the reasons for having formed that opinion, and

(b) subject to subsection (6)—

(i) the period, referred to in subsection (1), specified in an enforcement notice shall be not less than 28 days from the date on which the notice is served, and

(ii) if an appeal is brought under section 150(1) against a requirement specified in the notice, the requirement need not be complied with and, pending the determination or withdrawal of the appeal, subsections (9) and (10) shall not apply in relation to the requirement.

(6) Where the Commission or authorised officer—

(a) by reason of special circumstances, is of the opinion that a requirement specified in an enforcement notice referred to in subsection (5) should be complied with urgently, and

(b) includes a statement to that effect in the enforcement notice,

subsection (5)(b) shall not apply in relation to the notice, but the notice—

(i) shall include a statement of the effect of subsections (3) and (4) of section 150, and

(ii) shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.

(7) (a) Subject to paragraph (b), a controller or processor, having complied with an enforcement notice, shall, as soon as may be and in any event not more than 28 days after such compliance, notify the following of the steps taken to comply with the enforcement notice:

(i) the Commission or the authorised officer concerned;

(ii) any data subject concerned.

(b) Where the compliance with an enforcement notice has involved the rectification or erasure of personal data or the restriction of processing, the controller and processor shall, in complying with paragraph (a), in addition—

(i) notify any recipient to whom the data have been disclosed, or

(ii) where compliance with subparagraph (i) proves impossible or involves a disproportionate effort, and where the data subject so requests, notify the data subject of the recipients or the categories of recipients.

(8) (a) An enforcement notice may be cancelled—

(i) where it has been issued by the Commission, by the Commission, and

(ii) where it has been issued by an authorised officer, by the Commission or that authorised officer.

(b) A person who cancels an enforcement notice under paragraph (a) shall notify in writing the controller or processor on which the notice was served.

(9) (a) The Commission may, subject to Chapter 6, decide to impose an administrative fine on a controller or processor that, without reasonable excuse, fails to comply with a requirement specified in an enforcement notice served on the controller or processor under section 109(5)(d), 115(2) or subsection (2).

(b) The Commission, as soon as practicable after making its decision under paragraph (a), shall give the controller or processor concerned a notice in writing informing it of the decision.

(10) A controller or processor that, without reasonable excuse, fails to comply with—

(a) a requirement specified in an enforcement notice, or

(b) subsection (7),

shall be guilty of an offence and shall be liable—

(i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.

Circumstances in which application may be made to the High Court for suspension or restriction of processing of data

134. (1) Without prejudice to Articles 58(2) and 66 of the Data Protection Regulation and subsection (4), the Commission, where it considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects under a relevant enactment, until steps or further steps are taken under the relevant enactment, may, on notice to the controller or processor concerned, make an application in a summary manner to the High Court for an order under subsection (2).

(2) The High Court may determine an application under subsection (1) by—

(a) making any order that it considers appropriate, including an order suspending, restricting or prohibiting—

(i) the processing by the controller or processor of the personal data concerned, or

(ii) the transfer by the controller or processor of such data to a recipient in a third country or to an international organisation,

for such period, or until the occurrence of such event, as is specified in the order, and

(b) giving to the Commission any other direction that the High Court considers appropriate.

(3) The Commission shall, on complying with a direction of the High Court under subsection (2)(b), give notice in writing to the controller or processor concerned of the Commission’s compliance with the direction.

(4) Where the Commission considers that the immediate suspension, restriction or prohibition of the processing of personal data or the transfer of such data to a recipient in a third country or to an international organisation is necessary in order to protect the rights and freedoms of data subjects under a relevant enactment, it may apply in a summary manner ex parte to the High Court for an interim order under subsection (6).

(5) An application under subsection (4) shall be grounded on an affidavit sworn by or on behalf of the Commission.

(6) (a) The High Court may, on an application under subsection (4), where, having regard to the circumstances of the case, the Court considers it necessary to do so for the protection of the rights and freedoms of data subjects, make an interim order suspending, restricting or prohibiting—

(i) the processing by the controller or processor of the personal data concerned, or

(ii) the transfer by the controller or processor of such data to a recipient in a third country or to an international organisation.

(b) Without prejudice to subsection (7), where an interim order is made under this subsection, the Commission shall, as soon as is practicable, serve a copy of the order and of the affidavit referred to in subsection (5) on the controller or processor concerned.

(c) An interim order under this subsection shall have effect for such period, not exceeding 7 working days, as is specified in the order, and shall cease to have effect on the determination by the High Court of an application under subsection (1).

(7) (a) An interim order under subsection (6) shall take effect on notification of its making being given to the controller or processor.

(b) Oral communication to the controller or processor by or on behalf of the Commission of the fact that an interim order has been made, together with production of a copy of such order, shall, without prejudice to any other form of notification, be taken to be sufficient notification to the controller or processor concerned of the making of the order.

(8) The Commission shall communicate the details of an order made by the High Court under this section to the—

(a) European Commission,

(b) European Data Protection Board, and

(c) other supervisory authorities concerned.

Power to require report

135. (1) The Commission may, for the purposes of proper and effective monitoring of the application of a relevant enactment, and having regard to the matters set out in subsection (3), by notice in writing given to a controller or processor, require the controller or processor to provide to the Commission, in accordance with such notice, a report on any matter specified in the notice about which the Commission has required or could require the provision of information, or the production of any statement, record or document under any provision of a relevant enactment.

(2) A notice under subsection (1) shall be in writing and shall state—

(a) the date on which the notice is given,

(b) the period within which the controller or processor shall nominate a person to the Commission for approval under subsection (4),

(c) the purpose, scope and form of the report,

(d) the matters required to be reported on,

(e) the timetable for completion of the report,

(f) whether the report is to include recommendations in relation to the improved compliance by the controller or processor with a relevant enactment,

(g) where appropriate, the methodology to be used in preparation of the report, and

(h) such other matters relating to the report as the Commission considers appropriate.

(3) Before giving a notice under this section, the Commission, taking account of the purpose for which the report is required, shall have regard to at least the following matters—

(a) whether any other powers that may be exercised by the Commission may be more appropriate in the circumstances concerned,

(b) the relevant knowledge and expertise available to the controller or processor, and

(c) the level of resources available to the controller or processor and the likely benefit to the controller or processor of providing the report.

(4) A report required to be provided to the Commission under this section shall be prepared by a person (referred to as the “reviewer”)—

(a) nominated by the controller or processor, within such period as is specified in the notice given under subsection (1), and approved by the Commission, or

(b) nominated by the Commission, where—

(i) no person is nominated by the controller or processor within the period specified in the notice under subsection (1), or

(ii) the Commission is not satisfied with the person so nominated.

(5) When considering whether to approve a nomination under subsection (4)(a) or make a nomination under subsection (4)(b), the Commission shall have regard to the circumstances giving rise to the requirement for a report and whether the person it proposes to so approve or nominate as reviewer appears to have—

(a) the competence and expertise necessary to prepare the report,

(b) the ability to complete the report within the period specified by the Commission in the notice given under subsection (1),

(c) any relevant specialised knowledge, including specialised knowledge of the data processing activities carried on by the controller or processor and the matters to be reported on,

(d) any potential conflict of interest in reviewing the matters to be reported on,

(e) sufficient detachment, having regard to any existing professional or commercial relationship, to give an objective opinion, and

(f) any previous experience in preparing reports under this section or reports of a similar nature.

(6) Where the Commission approves a nomination under subsection (4)(a) or makes a nomination under subsection (4)(b), it shall notify the controller or processor, in writing, accordingly.

(7) Where the nomination of a reviewer is approved or made by the Commission under subsection (4), the controller or processor shall enter into a contract with the reviewer.

(8) It shall be a term of the contract referred to in subsection (7)—

(a) that the reviewer is required to prepare for the controller or processor a report in accordance with the notice given under subsection (1),

(b) that the reviewer is required and permitted to provide to the Commission the following where the Commission so requests:

(i) periodic updates on progress and issues arising;

(ii) interim reports; and

(iii) copies of any draft reports given to the controller or processor,

and

(c) that the contract is governed by the law of the State.

(9) If the Commission considers it appropriate, it may request the controller or processor to provide the Commission with a copy of the draft contract before it is made and the Commission may require such modifications to the draft contract as it considers appropriate.

(10) The costs of and incidental to the preparation of a report under this section shall be borne by the controller or processor.

(11) A controller or processor shall give all such assistance to a reviewer as he or she may reasonably require for the purposes of the preparation of a report under this section.

(12) A reviewer shall, where requested by the Commission, in such form and within such period as the Commission may specify, provide an explanation of all or any part of a report under this section or the recommendations, if any, made in the report, or of such other matters relating to the report as the Commission considers appropriate.

(13) The Commission shall not be bound by the content of a report under this section and such a report shall not be taken to be a decision or opinion of the Commission for any purpose.

(14) The Commission shall not be liable for any acts or omissions of a reviewer or controller or processor relating to a report under this section.

(15) A person who—

(a) obstructs or impedes a reviewer in the preparation of a report under this section,

(b) in relation to the preparation of a report under this section, gives information to a reviewer that the person knows to be false or misleading in a material respect, or

(c) is a reviewer and in relation to the preparation of a report under this section gives information to the Commission which the reviewer knows to be false or misleading in a material respect,

shall be guilty of an offence and shall be liable—

(i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.

Data Protection Audit

136. (1) Where Part 5 applies to a controller or processor, the Commission may carry out or cause to be carried out such examination in the form of an audit as it considers appropriate in order to determine whether the practices and procedures of the controller or processor are in compliance with that Part and regulations made under it.

(2) The Commission may, for the purposes of an audit under subsection (1) or a data protection audit, require the controller or processor concerned to produce any documents, records, statements or other information within that person’s possession or control, or within that person’s procurement, that are relevant to or required for the conduct of the audit.

(3) Before commencing an audit under subsection (1), or a data protection audit, the Commission shall give the controller or processor concerned notice of its proposal to conduct such an audit, which notice shall—

(a) specify the matters to which the proposed audit will relate, and

(b) specify the date, which shall be not earlier than 7 days from the date on which the notice is given on which the audit will be commenced.

(4) In this section, “data protection audit” means a data protection audit conducted for the purpose of Article 58(1)(b) of the Data Protection Regulation.

Chapter 5

Investigations

Investigations

137. (1) The Commission may, for the purposes of an inquiry referred to in section 110(1) or 123(1), cause such investigation as it thinks fit to be carried out.

(2) The Commission may, for the purposes of subsection (1), direct one or more authorised officers—

(a) to carry out the investigation, and

(b) to submit to the Commission an investigation report following the completion of the investigation.

(3) The Commission may define the scope and terms of the investigation to be carried out, whether as respects the matters or the period to which it is to extend or otherwise, and may, in particular, limit the investigation to matters connected with particular circumstances.

(4) Where more than one authorised officer has been directed to carry out an investigation, the investigation report shall be prepared jointly by the authorised officers so directed and this section and sections 138 to 140 shall, with all necessary modifications, be construed accordingly.

(5) As soon as is practicable after being appointed to carry out an investigation, the authorised officer shall—

(a) give the controller or processor concerned notice in writing—

(i) where the examination concerned is being carried out in respect of a complaint within the meaning of Chapter 2 or 3, setting out the particulars of the complaint concerned, or

(ii) where the examination is being carried out of the Commission’s own volition, setting out the matters to which the investigation relates,

and

(b) afford to the controller or processor an opportunity to respond to the notice under paragraph (a) within 7 days from the date on which the notice was given (or such further period not exceeding 28 days as the authorised officer allows).

Conduct of investigation under section 137

138. (1) An authorised officer who has been directed under section 137 (2) to carry out an investigation may, for the purposes of the investigation—

(a) require a person, being a controller or processor, or an employee or agent of such controller or processor, who, in the authorised officer’s opinion—

(i) possesses information that is relevant to the investigation, or

(ii) has any record or document within the person’s possession or control or within the person’s procurement that are relevant to the investigation,

to provide that record or document, as the case may be, to the authorised officer, and

(b) where the authorised officer thinks fit, require that person to attend before him or her for the purpose of so providing that information, record or document, as the case may be,

and the person shall comply with the requirement.

(2) A requirement under subsection (1) shall specify—

(a) a period within which, or a date and time on which, the person the subject of the requirement is to comply with the requirement, and

(b) as the authorised officer concerned thinks fit—

(i) the place at which the person shall attend to give the information concerned or to which the person shall deliver the record or document concerned, or

(ii) the place to which the person shall send the information, record or document concerned.

(3) A person required to attend before an authorised officer under subsection (2)—

(a) is also required to answer fully and truthfully any question put by the authorised officer, and

(b) if so required by the authorised officer, shall answer any such question under oath.

(4) Where it appears to an authorised officer that a person has failed or is failing to comply or fully comply with a requirement under subsection (2) or (3), the authorised officer may, on notice to the person and with the consent of the Commission, apply in a summary manner to the Circuit Court for an order under subsection (5).

(5) The Circuit Court, on hearing an application under subsection (4), where satisfied that the person concerned has failed or is failing to comply or fully comply with the requirement concerned, may—

(a) make an order requiring the person, within such period as the Court may specify, to comply or fully comply, as the case may be, with the requirement, or

(b) substitute a different requirement for the requirement concerned.

(6) The administration of an oath referred to in subsection (3)(b) by an authorised officer is hereby authorised.

(7) A person the subject of a requirement under subsection (1) or (3) shall be entitled to the same immunities and privileges in respect of compliance with such requirement as if the person were a witness before the High Court.

(8) Any statement or admission made by a person pursuant to a requirement under subsection (1) or (3) shall not be admissible in evidence in proceedings for an offence (other than an offence under subsection (12)) brought against the person, and this shall be explained to the person in ordinary language by the authorised officer concerned.

(9) Nothing in this section shall be taken to compel the production by any person of statements, records or other documents or other information which would be exempt from production in proceedings in a court on the ground of legal professional privilege.

(10) For the purposes of an investigation, an authorised officer may, if he or she thinks it proper to do so, of his or her own volition conduct an oral hearing.

(11) Schedule 3 shall have effect for the purposes of an oral hearing referred to in subsection (10).

(12) Subject to subsection (9), a person who—

(a) withholds, destroys, conceals or refuses to provide any information or statements, records or other documents required for the purposes of an investigation,

(b) fails or refuses to comply with any requirement of an authorised officer under this section,

(c) in purported compliance with a requirement under this section, gives to an authorised officer information, documents or records which the person knows to be false or misleading in a material respect, or

(d) otherwise obstructs or hinders an authorised officer in the performance of functions under this Act,

shall be guilty of an offence and shall be liable—

(i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.

(13) In this section, a reference to a document or record includes a reference to copies of such document or record.

(14) The powers conferred under this section on an authorised officer to whom subsection (1) applies are in addition to the powers conferred on such an authorised officer under Chapter 4.

Investigation report

139. (1) Where an authorised officer has completed an investigation, he or she shall, as soon as is practicable after having considered, in so far as they are relevant to the investigation—

(a) any information, records or other documents provided to him or her,

(b) any statement or admission made by any person,

(c) any submissions made, and

(d) any evidence presented (whether at an oral hearing or otherwise),

prepare a draft, in writing, of the investigation report (“draft investigation report”) and give, or cause to be given, to the controller or processor to which the investigation relates—

(i) a copy of the draft investigation report, and

(ii) a notice in writing stating that the controller or processor concerned may, not later than 28 days from the date on which the notice was served on it (or such further period not exceeding 28 days as the authorised officer allows), make submissions in writing to the authorised officer on the content of the draft investigation report.

(2) An authorised officer shall—

(a) as soon as is practicable after the expiration of the period referred to in subsection (1)(ii), and

(b) having—

(i) considered the submissions (if any) made in accordance with subsection (1)(ii), and

(ii) made any revisions to the draft investigation report which, in the opinion of the authorised officer, are warranted following such consideration,

prepare the investigation report and submit it to the Commission with any such submissions annexed to it.

(3) An investigation report and a draft investigation report under this section shall be in writing and shall state—

(a) whether the authorised officer—

(i) is satisfied that an infringement of a relevant provision or, as the case may be, a relevant enactment by the controller or processor to which the investigation relates has occurred or is occurring, or

(ii) is not so satisfied,

(b) where paragraph (a)(i) applies, the grounds on which the authorised officer is so satisfied, and

(c) where paragraph (a)(ii) applies—

(i) the basis on which the authorised officer is not so satisfied, and

(ii) the authorised officer’s opinion, in view of such basis, on whether or not a further investigation of the controller or processor is warranted and, if warranted, the authorised officer’s opinion on the principal matters to which the further investigation should relate.

(4) Where an investigation report or a draft investigation report contains a statement referred to in subsection (3)(a)(i), the authorised officer shall not make any recommendation, or express any opinion, in such report as to the corrective power under Chapter 2 or 3, as applicable, that he or she considers ought to be exercised in respect of the controller or processor in respect of such infringement in the event that the Commission is also satisfied that an infringement has occurred or is occurring.

Commission to consider investigation report

140. (1) The Commission, on receipt under section 139 (2) of an investigation report, shall, for the purposes of the inquiry concerned, consider the report and any submissions annexed to it.

(2) Where the Commission, in considering the documents referred to in subsection (1), forms the view that further information is required for the purpose of enabling it to make a decision under section 111, 112, 124 or 125, or a draft decision under section 113, as the case may be, it may, as it considers appropriate, do one or more than one of the following:

(a) conduct an oral hearing;

(b) give the controller or processor to which the investigation concerned relates—

(i) a copy of the investigation report, and

(ii) a notice in writing stating that the controller or processor concerned may, within 21 days from the date on which the notice was served on it (or such further period not exceeding 21 days as the Commission allows), make submissions in writing to the Commission in relation to such matters as the Commission may specify in the notice;

or

(c) direct an authorised officer to conduct such further investigation into such matters as the Commission considers necessary having regard to the investigation report and submissions (if any) annexed to it.

(3) Schedule 3 shall, with any necessary modification, have effect for the purposes of an oral hearing referred to in subsection (2)(a).

(4) Sections 138 and 139 and this section shall apply to a further investigation conducted in compliance with a direction under subsection (2)(c), as if the reference to an authorised officer in those sections was a reference to an authorised officer directed under subsection (2)(c) to conduct the further investigation.

Chapter 6

Administrative Fines

Power of Commission to decide to impose administrative fine: General

141. (1) The Commission, in considering—

(a) whether to make a decision to impose an administrative fine, and

(b) where applicable, the amount of such a fine,

shall act in accordance with this section and Article 83.

(2) Where a controller to whom section 111 (2)(b), 112 (2)(b) or 133 (9) applies is a controller by virtue of his or her being the subject of a designation under subsection (1) or (2) of section 3, a decision by the Commission to impose an administrative fine in respect of the infringement or failure concerned shall be a decision to impose an administrative fine on the appropriate authority that, or, as the case may be, the Minister who, made the designation, and not on the controller.

(3) Where subsection (2) applies, a reference in sections 115 (1)(a), 133 (9)(b) and this Chapter to a controller shall be construed as a reference to the appropriate authority or Minister concerned.

(4) Where the Commission decides to impose an administrative fine on a controller or processor that—

(a) is a public authority or a public body, but

(b) is not a public authority or a public body that acts as an undertaking within the meaning of the Competition Act 2002,

the amount of the administrative fine concerned shall not exceed €1,000,000.

(5) The Commission, as soon as practicable after—

(a) a decision to impose an administrative fine is confirmed under section 142 (3)(a) or 143 (2), or

(b) the court decides, under section 142 (3)(b), to impose a different fine,

shall give the controller or processor concerned a notice in writing, requiring the controller or processor to pay the amount of the fine concerned to the Commission within the period of 28 days commencing on the date of the notice.

(6) A controller or processor shall comply with a requirement referred to in subsection (5).

(7) All payments received by the Commission under this section shall be paid into or disposed of for the benefit of the Exchequer in such manner as the Minister for Finance may direct.

(8) In this section and section 142, a reference to a decision to impose an administrative fine shall be construed as a reference to a decision by the Commission, under section 111, 112, 113 or 133 (9), to impose such a fine.

Appeal against administrative fine

142. (1) Without prejudice to section 150, a controller or processor that is the subject of a decision under section 111, 112, 113 or 133 (9) to impose an administrative fine may, within 28 days from the date on which notice of the decision concerned was given to it under section 116 or, as the case may be, section 133 (9)(b) appeal to the court against the decision.

(2) The court, on hearing an appeal under subsection (1), may consider any evidence adduced or argument made by the controller or processor concerned, whether or not already adduced or made to an authorised officer or the Commission.

(3) Subject to subsections (4) and (5), the court may, on the hearing of an appeal under subsection (1)—

(a) confirm the decision the subject of the appeal,

(b) replace the decision with such other decision as the court considers just and appropriate, including a decision to impose a different fine or no fine, or

(c) annul the decision.

(4) The court shall, for the purposes of subsection (3), act in accordance with Article 83.

(5) Where the decision the subject of the appeal is one to which section 141 (4) applies, and the court decides under subsection (3)(b) to impose a different fine, the amount of the fine imposed by the court shall not exceed €1,000,000.

(6) In this section, “court” means—

(a) the Circuit Court, where the amount of the administrative fine the subject of the appeal does not exceed €75,000, or

(b) in any other case, the High Court.

Circuit Court to confirm decision to impose administrative fine

143. (1) Where a controller or processor does not appeal in accordance with section 142 (1) against a decision by the Commission to impose an administrative fine on the controller or processor, the Commission shall, as soon as is practicable after the expiration of the period referred to in that subsection, and on notice to the controller or processor concerned, make an application in a summary manner to the Circuit Court for confirmation of the decision.

(2) The Circuit Court shall, on the hearing of an application under subsection (1), confirm the decision the subject of the application unless the Court sees good reason not to do so.

Chapter 7

Offences

Unauthorised disclosure by processor

144. (1) Personal data processed by a processor shall not be disclosed by the processor or by an employee or agent of the processor, without the prior authority of the controller on behalf of whom the data are processed.

(2) A person who knowingly or recklessly contravenes subsection (1) shall be guilty of an offence and shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

(3) Subsection (1) does not apply to a person who shows that the disclosing concerned was required or authorised by or under any enactment, rule of law or order of a court.

Disclosure of personal data obtained without authority

145. (1) A person who, without the prior authority of the controller or processor—

(a) obtains personal data, and

(b) discloses the data or information to another person,

shall be guilty of an offence and shall be liable—

(i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(ii) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

(2) Subsection (1) does not apply to a person who shows that the disclosing was required or authorised by or under any enactment, rule of law or order of a court.

(3) A person who sells personal data that were disclosed to the person in contravention of subsection (1) shall be guilty of an offence and shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

(4) A person who offers to sell personal data obtained without the prior authority of the controller or processor shall be guilty of an offence and shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

Offences by directors, etc., of bodies corporate

146. Where an offence under this Act is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, a person being a director, manager, secretary or other officer of the body corporate or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and shall be liable to be proceeded against and punished as if he or she were guilty of the first-mentioned offence.

Prosecution of summary offences by Commission

147. (1) Summary proceedings for an offence under this Act may be brought and prosecuted by the Commission.

(2) Notwithstanding section 10 (4) of the Petty Sessions (Ireland) Act 1851, summary proceedings for an offence under this Act may be brought—

(a) at any time within 3 years from the date on which the offence was alleged to have been committed, or

(b) if, at the expiry of that period, the person against whom the proceedings are to be brought is outside the State, within 6 months of the date on which he or she next enters the State,

whichever is the later, provided that no such proceedings shall be commenced later than 5 years from the date on which the offence concerned was alleged to have been committed.

(3) Where a person is convicted of an offence under this Act, the court may, where it is satisfied that there are good reasons for so doing, order the person to pay the costs and expenses, measured by the court, incurred by the Commission in relation to the investigation, detection and prosecution of the offence, including the expenses of and incidental to an examination of any information provided to the Commission or an authorised officer.

(4) An order for costs and expenses under subsection (3) is in addition to and not instead of any fine or other penalty the court may impose.

Chapter 8

Miscellaneous

General provisions relating to complaints

148. (1) Subject to subsection (2), sections 108 and 121 shall cease to apply where the complaint concerned is withdrawn, or deemed to have been withdrawn, by the data subject concerned, or on behalf of the data subject by a body mandated by the data subject in accordance with Article 80(1) of the Data Protection Regulation or section 120, as the case may be.

(2) Where subsection (1) applies, nothing in that subsection shall be construed as preventing the Commission, where it is satisfied that there is good and sufficient reason for so doing, from proceeding or, as the case may be, continuing to examine, in accordance with Chapter 2 or 3, as applicable, the subject matter of the complaint.

(3) Where it has reasonable doubts concerning the identity of a complainant, the Commission may request from the complainant or, where applicable, the supervisory authority with which the complaint was lodged, such additional information as is necessary to confirm such identity.

Publication of convictions, sanctions, etc.

149. (1) The Commission shall publish particulars of any—

(a) conviction of a person for a contravention of this Act,

(b) exercise by it of its power—

(i) to impose an administrative fine, or

(ii) to order the suspension of data transfers to a recipient in a third country or to an international organisation, under Article 58(2)(j),

or

(c) order of the Court under section 134.

(2) The publication under subsection (1) of the particulars referred to in that subsection shall be in such form and manner and in respect of such period as the Commission thinks fit.

(3) The Commission may publish particulars, in such form and manner and in respect of such period as it thinks fit, of the exercise by it of its corrective powers under Article 58(2) (other than those referred to in subsection (1)) or section 127.

(4) Subject to subsection (5), the Commission may, if it considers it in the public interest to do so, publish particulars of any report under section 135, report by the Commission of any investigation or audit carried out, or other function performed, by it under the Data Protection Regulation or this Act, or any matter relating to or arising in the course of such an investigation, audit or performance.

(5) The Commission shall ensure that the publication under subsection (4) of information referred to in that subsection is done in such a manner that commercially sensitive information relating to a person is not disclosed.

(6) The publication by the Commission of particulars of any report or matters referred to in subsection (3) or (4) and any other report of the Commission shall, for the purposes of the law of defamation, be absolutely privileged.

(7) In this section, “commercially sensitive information” means—

(a) financial, commercial, scientific, technical or other information the disclosure of which could reasonably be expected to result in a material financial loss or gain to the person to whom it relates, or could prejudice the competitive position of that person in the conduct of his or her business or otherwise in his or her occupation, or

(b) information the disclosure of which could prejudice the conduct or outcome of contractual or other negotiations of the person to whom it relates.

Right to effective judicial remedy (Part 6)

150. (1) A controller or processor on which an information notice or enforcement notice or a notice under section 135 (1) is served may, within 28 days from the date on which the notice is served, appeal against a requirement specified in the notice.

(2) The court, on hearing an appeal under subsection (1), shall—

(a) annul the requirement concerned,

(b) substitute a different requirement for the requirement concerned, or

(c) dismiss the appeal.

(3) This subsection applies to an appeal brought under subsection (1)—

(a) against a requirement specified in an information notice to which section 132 (3) applies, or an enforcement notice to which section 133 (6) applies, and

(b) that is brought within the period specified in the notice concerned.

(4) Notwithstanding any provision of this Act, the court, on hearing an appeal to which subsection (3) applies, may on application to it in that behalf, determine that non-compliance by the controller or processor concerned with a requirement specified in the notice, during the period ending with the determination or withdrawal of the appeal or during such other period as the court may determine, shall not constitute an offence.

(5) A data subject or other person affected by a legally binding decision of the Commission under Chapter 2 or 3 may, within 28 days from the date on which notice of the decision is received by him or her, appeal against the decision.

(6) The court, on hearing an appeal under subsection (5), shall—

(a) annul the decision concerned,

(b) substitute its own determination for the decision, or

(c) dismiss the appeal.

(7) Where the Commission, being the competent supervisory authority in respect of a complaint within the meaning of Chapter 2 or 3, does not comply with section 108 (2) or, as the case may be, section 121 (2), the complainant concerned may apply to the court for an order under subsection (8)(a).

(8) The court, on hearing an application under subsection (7), shall—

(a) order the Commission to comply with the provision concerned, or

(b) dismiss the application.

(9) The Circuit Court shall, concurrently with the High Court, have jurisdiction to hear and determine proceedings under this section.

(10) The jurisdiction conferred on the Circuit Court by this section shall be exercised by the judge for the time being assigned to the circuit where—

(a) in the case of an appeal under subsection (1), the controller or processor is established,

(b) in the case of an appeal under subsection (5), the data subject or other person resides or is established, or

(c) in the case of an application under subsection (7), the data subject resides,

or, at the option of the controller, processor, data subject or person concerned, by a judge of the Circuit Court for the time being assigned to the Dublin circuit.

(11) A decision of the Circuit Court or High Court, as the case may be, under this section shall be final save that an appeal shall lie to the High Court or Court of Appeal, as the case may be, on a point of law.

(12) For the purposes of this section, a “legally binding decision” means a decision—

(a) under paragraph (a) or (b) of section 109 (5) or paragraph (a) or (b) of section 122 (4),

(b) under section 111 (1)(a), 112 (1), 113 (2)(b), 114, 124 (1)(a) or 125 (1), or

(c) to exercise a corrective power under Chapter 2 or 3.

Privileged legal material

151. (1) Where a controller or processor, when requested under this Part to produce information, or provide access to it, refuses to do so on the grounds that the information contains privileged legal material, the Commission or an authorised officer may, at any time within 28 days or such longer period as the High Court may allow of the date of such refusal, apply to the High Court for a determination as to whether the information, or any part of the information, is privileged legal material where—

(a) in relation to the information concerned—

(i) the Commission or authorised officer has reasonable grounds for believing that it is not privileged legal material, or

(ii) due to the manner or extent to which such information is presented together with any other information, it is impossible or impractical to extract only such information,

and

(b) the Commission or authorised officer has reasonable grounds to suspect that the information contains evidence relating to an infringement of a relevant enactment or a relevant provision.

(2) A controller or processor referred to in subsection (1) who refuses to produce information or provide access to it on the grounds that the information contains privileged legal material shall preserve the information and keep it in a safe and secure place and manner pending the determination of an application under subsection (1) and shall, if the information is so determined not to be privileged legal material, produce it in accordance with such order as the High Court considers appropriate.

(3) A person shall be considered to have complied with the requirement under subsection (2) to preserve information where the person has complied with such requirements as may be imposed by an authorised officer under paragraph (d) of section 130 (1).

(4) Where an application is made by the Commission or an authorised officer under subsection (1), the High Court may give such interim or interlocutory directions as it considers appropriate including, without prejudice to the generality of the foregoing, directions as to the appointment of a person with suitable legal qualifications possessing the level of experience and independence from any interest falling to be determined between the parties concerned, that the Court considers to be appropriate for the purpose of—

(a) examining the information, and

(b) preparing a report for the Court with a view to assisting or facilitating the Court in the making of its determination as to whether the information is privileged legal material.

(5) An application under subsection (1) shall be by motion and may, if so directed, be heard otherwise than in public.

Presumptions

152. (1) The presumptions specified in this section shall apply in any proceedings under the Data Protection Regulation or this Act.

(2) Where a document purports to have been created by a person it shall be presumed, unless the contrary is shown, that the document was created by that person and that any statement or record contained in it, unless the document expressly attributes its making to some other person, was made by that person.

(3) Where a document purports to have been created by a person and addressed and sent to a second person, it shall be presumed, unless the contrary is shown, that the document or record was created and sent by the first person and received by the second person, and that any statement or record contained in it—

(a) unless the document or record expressly attributes its making to some other person, was made by the first person, and

(b) came to the notice of the second person.

(4) Where a document or record is retrieved from an electronic storage and retrieval system, it shall be presumed, unless the contrary is shown, that the author of the document is the person who ordinarily uses that electronic storage and retrieval system in the course of his or her business.

(5) Where an authorised officer who, in the exercise of his or her powers, has removed one or more documents or records from any premises or place, gives evidence in any proceedings that, to the best of his or her knowledge and belief, the material is the property of any person, then the material shall be presumed, unless the contrary is shown, to be the property of that person.

(6) Where, in accordance with subsection (5), material is presumed in proceedings to be the property of a person and the authorised officer concerned gives evidence that, to the best of his or her knowledge and belief, the material is material which relates to any trade, profession, or, as the case may be, other activity, carried on by that person, the material shall be presumed, unless the contrary is proved, to be material which relates to that trade, profession, or, as the case may be, other activity, carried on by that person.

(7) References in this section to a document or record are references to a document or record in written or electronic form and, for this purpose “written” includes any form of notation or code whether by hand or otherwise and regardless of the method by which, or medium in or on which, the document or record concerned is recorded.

Expert evidence

153. (1) In any proceedings under the Data Protection Regulation or this Act, the opinion of any witness who appears to possess the appropriate qualifications or experience as respects the matter to which his or her evidence relates shall, subject to subsection (2), be admissible in evidence as regards any matter calling for expertise or special knowledge that is relevant to the proceedings and, in particular and without prejudice to the generality of the foregoing, the following matters, namely—

(a) the effects that types of data processing such as profiling may have, or have had, on the protection of personal data, and

(b) an explanation of any relevant practices or the application of such practice, where such an explanation would assist the proceedings.

(2) Notwithstanding subsection (1), a court may, where in its opinion the interests of justice require it to so direct in the proceedings concerned, direct that evidence of a general or specific kind referred to in that subsection shall not be admissible in proceedings or shall be admissible in such proceedings for specified purposes only.

Immunity from suit

154. Civil or criminal proceedings shall not lie in any court against the Commission, a Commissioner, an authorised officer or a member of the staff of the Commission in respect of anything said or done in good faith by the Commission, Commissioner, authorised officer or member of staff in the course of the performance or purported performance of a function of the Commission, Commissioner, authorised officer or member of staff.

Jurisdiction of Circuit Court

155. An application under section 138 (4), 142 (1), 143 (1) or paragraph 5 of Schedule 3 shall be made to a judge of that Court for the circuit in which the person to whom the application relates ordinarily resides or, if a controller or processor, has an establishment or, at the option of the person, by a judge of the Circuit Court for the time being assigned to the Dublin circuit.

Hearing of proceedings

156. The whole or any part of any proceedings under this Part may, at the discretion of the court, be heard otherwise than in public.

PART 7

Miscellaneous Provisions

Supervisory authority for courts acting in judicial capacity

157. (1) The judge (“assigned judge”) for the time being assigned for that purpose by the Chief Justice shall be competent for supervision of data processing operations of the courts when acting in their judicial capacity.

(2) The assigned judge shall, in particular—

(a) promote awareness among judges of the provisions of the Data Protection Regulation, the Directive and any enactment, rule made under section 158 (3) or other rule of law that gives further effect to the Data Protection Regulation or effect to the Directive, and ensure compliance with those provisions, and

(b) handle, and investigate to the extent appropriate, complaints in relation to data processing operations of the courts when acting in their judicial capacity.

Restrictions on obligations of controllers and rights of data subjects for objective of safeguarding judicial independence and court proceedings

158. (1) The rights and obligations provided for in—

(a) Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, and

(b) sections 87, 90, 91, 92 and 93, and section 71 in so far as it relates to those sections,

are restricted to the extent that the restrictions are necessary and proportionate to safeguard judicial independence and court proceedings.

(2) Subsection (1) is without prejudice to any other enactment or rule of law which restricts the rights and obligations referred to in that subsection.

(3) Without prejudice to the generality of subsection (1), a panel may make such rules as it considers necessary for the purpose of ensuring the effective application of a restriction under that subsection.

(4) Rules made under subsection (3) may relate to such matters as the panel considers appropriate for the purpose referred to in that subsection and, without prejudice to the generality of that subsection, may—

(a) relate to one or more than one of the following:

(i) a class or classes of data subject;

(ii) a category or categories of personal data;

(iii) civil or criminal proceedings, or both;

(iv) a class or classes of civil or criminal proceedings, or both;

(v) the circumstances in which, or the conditions under which, a restriction under subsection (1) shall apply,

(b) include, where relevant, specific provisions as to the matters referred to in Article 23(2), and

(c) make provision for such incidental, supplementary and consequential matters as appear to the panel to be necessary or expedient for the purposes of the rule.

(5) Rules under subsection (3) shall be published in such manner (which may include publication on the website of the Courts Service) as the panel considers appropriate.

(6) In this section, “panel” means a panel of three judges nominated by the Chief Justice for the purposes of this section.

Processing of personal data where court is controller

159. (1) The Superior Courts Rules Committee may make processing rules in respect of personal data that are contained in a record of a superior court of record.

(2) The Circuit Court Rules Committee may make processing rules in respect of personal data that are contained in a record of the Circuit Court.

(3) The District Court Rules Committee may make processing rules in respect of personal data that are contained in a record of the District Court.

(4) The panel referred to in section 158 (6) may make processing rules in respect of personal data—

(a) that are not personal data to which subsection (1), (2) or (3) applies, and

(b) in respect of which a court, when acting in its judicial capacity, is a controller.

(5) Processing rules made under this section shall be binding on a processor of personal data in respect of which the rules are made.

(6) Processing rules made under subsection (4) shall be published in such manner (which may include publication on the website of the Courts Service) as the panel referred to in that subsection considers appropriate.

(7) Subject to subsection (8), a Committee referred to in subsection (1), (2) or (3) may make rules—

(a) authorising the disclosure, for the purpose of facilitating the fair and accurate reporting of the proceedings, to a bona fide member of the Press or broadcast media and at the member’s request, of information contained in a record of proceedings before a court for which the Committee is the rule-making authority, and

(b) prescribing any conditions subject to which such disclosure is to be made.

(8) Rules made under subsection (7)

(a) shall not apply to proceedings required by law to be held otherwise than in public, and

(b) shall apply subject to any order made or direction given by a court in the proceedings concerned.

(9) In this section, “processing rules”, in relation to personal data, means rules made for the purposes of Article 28(3) of the Data Protection Regulation and Article 22(3) of the Directive, governing the processing by a processor of the personal data.

Publication of judgment or decision of court or court list

160. The processing of personal data shall be lawful where that processing—

(a) consists of the publication of—

(i) a judgment or decision of a court, or

(ii) a list or schedule of court proceedings or hearings in court proceedings,

or

(b) is necessary for the purposes of such publication.

Rules of court for data protection actions

161. (1) It shall be the function of the courts in data protection actions to ensure that parties to such actions comply with such rules of court as apply in relation to such actions so that the trial of data protection actions within a reasonable period of their having been commenced is secured.

(2) Where rules of court prescribe a period of time for the service of a document, or the doing of any other thing, in relation to a data protection action, the period within which that document may be served or thing may be done, shall not be extended beyond the period so prescribed unless—

(a) the parties to the action agree to the period being extended, or

(b) the court considers that—

(i) in all the circumstances the extension of the period by such further period as it may direct is necessary or expedient to enable the action to be properly prosecuted or defended, and

(ii) the interests of justice require the extension of the period by that further period.

(3) For the purposes of ensuring compliance by a party to a data protection action with rules of court, a court may make such orders as to the payment of costs as it considers appropriate.

(4) Nothing in this section shall be construed as limiting or reducing the power of an authority, having (for the time being) power to make rules regulating the practice and procedure of a court, to—

(a) make such rules in relation to data protection actions provided such rules do not derogate from, and are not inconsistent with, any provision of the Data Protection Regulation or this Act, or

(b) make such rules in relation to proceedings or actions other than data protection actions.

(5) In this section, “data protection action” means a data protection action under section 117 or section 128.

(6) In subsections (1) and (2), a reference to the courts or the court includes a reference to the Master of the High Court and a county registrar.

Legal privilege

162. The rights and obligations provided for in—

(a) Articles 12 to 22 and 34 of the Data Protection Regulation (as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22), and

(b) sections 87, 90, 91, 92 and 93 and section 71, insofar as it relates to those sections,

do not apply—

(i) to personal data processed for the purpose of seeking, receiving or giving legal advice,

(ii) to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers, or

(iii) where the exercise of such rights or performance of such obligations would constitute a contempt of court.

Application to High Court concerning adequate level of protection or appropriate safeguards

163. (1) The Commission, where it considers that a place to which personal data are to be transferred does not ensure an adequate level of protection, may apply to the High Court for a determination as to whether the level of protection ensured by the place is adequate.

(2) An application under subsection (1) may be made notwithstanding that the place concerned is the subject of an implementing act pursuant to Article 45(3) of the Data Protection Regulation or, as the case may be, Article 36(3) of the Directive.

(3) The Commission, where it considers that a standard data protection clause does not provide for appropriate safeguards, may apply to the High Court for a determination as to whether the standard data protection clause provides for appropriate safeguards.

(4) For the purposes of this section, the adequacy of the level of protection referred to in subsection (1) shall be assessed in accordance with, as the case may be, Article 45(2) of the Regulation or Article 36(2) of the Directive.

(5) In this section—

“place” means a third country, a territory or one or more specified sectors within a third country, or an international organisation;

“standard data protection clause” means a standard data protection clause to which point (c) or (d) of Article 46(2) of the Data Protection Regulation applies.

Court may order destruction, erasure of data

164. (1) Where a person is convicted of an offence under this Act, the court may order any personal data that appears to the court to be connected with the commission of the offence to be destroyed or erased.

(2) The court shall not make an order under subsection (1) where it considers that a person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data concerned, unless such steps as are reasonably practicable have been taken for notifying that person and giving him or her an opportunity to show cause why the order should not be made.

PART 8

Amendments of other Acts of Oireachtas

Reference to personal data in enactment

165. Subject to this Act, a reference in any enactment to personal data within the meaning of the Act of 1988 shall be construed as including a reference to personal data within the meaning of—

(a) the Data Protection Regulation, and

(b) Part 5.

Reference to processing in enactment

166. Subject to this Act, a reference in any enactment to processing within the meaning of the Act of 1988 shall be construed as including a reference to processing within the meaning of—

(a) the Data Protection Regulation, and

(b) Part 5.

Amendment of Firearms Act 1925

167. The Firearms Act 1925 is amended by the insertion of the following section after section 27A:

“Provision of information by Commissioner to Minister for purposes of Act and Firearms (Firearm Certificates For Non-Residents) Act 2000

27B. (1) The Minister may request the Commissioner to provide any information necessary for the performance of the Minister’s functions under sections 9, 10, 11 and 17 and under section 2 of the Firearms (Firearm Certificates For Non-Residents) Act 2000, and the Commissioner shall, notwithstanding anything contained in any other enactment or rule of law, but subject to the Data Protection Regulation and the Data Protection Act 2018, comply with that request.

(2) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹¹ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 33AK of Central Bank Act 1942

168. Section 33AK(5) of the Central Bank Act 1942 is amended—

(a) in paragraph (az), by the substitution of “(S.I. No. 349 of 2016), or” for “(S.I. No. 349 of 2016).”,

(b) by the insertion of the following paragraph:

“(ba) to the Data Protection Commission that is required for the performance of that Commission's functions under the Data Protection Regulation or the Data Protection Acts 1988 to 2018.”,

and

(c) by the insertion in subsection (10) of the following definition:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹² on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”.

Amendment of section 2 of Civil Service Regulation Act 1956

169. Section 2 (2) of the Civil Service Regulation Act 1956 is amended—

(a) in paragraph (h), by the deletion of “and”,

(b) in paragraph (i), by the substitution of “Síochána, and” for “Síochána.”, and

(c) by the insertion of the following paragraph after paragraph (i):

“(j) in relation to a member of staff of the Data Protection Commission, the Commissioner for Data Protection or, where more than one Commissioner for Data Protection stands appointed, the chairperson (within the meaning of the Data Protection Act 2018).”.

Amendment of section 24 of Misuse of Drugs Act 1977

170. Section 24 of the Misuse of Drugs Act 1977 is amended—

(a) in subsection (1)(c), by the substitution of “(including those containing any data that constitutes personal data)” for “(including any data within the meaning of the Data Protection Acts 1988 and 2003)”,

(b) in subsection (2)(c), by the substitution of “(including those containing any data that constitutes personal data)” for “(including any data within the meaning of the Data Protection Acts 1988 and 2003)”, and

(c) by the insertion of the following subsection after subsection (7):

“(8) In this section—

‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹³ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘personal data’ means personal data within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Data Protection Act 2018.”.

Amendment of section 15A of Control of Clinical Trials Act 1987

171. Section 15A of the Control of Clinical Trials Act 1987 is amended—

(a) by the substitution of the following paragraph for paragraph (d):

“(d) inspect and copy or extract information from any data including data that constitutes personal data within the meaning of—

(i) the Data Protection Regulation, or

(ii) Part 5 of the Data Protection Act 2018.”,

and

(b) the insertion of the following subsection after subsection (10):

“(11) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹⁴ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of Data Protection Act 1988

172. (1) The Act of 1988 is amended—

(a) in section 24, by the substitution of the following subsection for subsection (1):

“(1) In this section ‘authorised officer’ has the same meaning that it has in section 2 (1) of the Data Protection Act 2018.”,

and

(b) in section 26—

(i) in subsection (1)—

(I) in paragraph (b), by the substitution of “notice, and” for “notice”, and

(II) by the deletion of paragraph (c),

and

(ii) in subsection (4)—

(I) in paragraph (a), by the substitution of “paragraph (a) or (b) of subsection (1) of this section” for “paragraph (a), (b) or (c) of subsection (1) of this section”, and

(II) by the substitution of “with a requirement or prohibition specified in the notice” for “with a requirement or prohibition specified in the notice, or, as the case may be, a contravention by him of section 19 of this Act,”.

(2) The amendments effected by subsection (1) shall not apply for the purposes of subsections (1)(b), (2) and (3) of section 8.

Amendment of Bankruptcy Act 1988

173. The Bankruptcy Act 1988 is amended by the insertion of the following section:

“Restriction of right of access to personal data in certain circumstances

140D. (1) Article 15 (Right of access) of the Data Protection Regulation is restricted to the extent necessary and proportionate to safeguard the effective performance by the Official Assignee of his or her functions under section 61, where the performance of those functions gives rise to the processing of personal data to which the Data Protection Regulation applies.

(2) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹⁵ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of Firearms and Offensive Weapons Act 1990

174. The Firearms and Offensive Weapons Act 1990 is amended by the insertion of the following section after section 16:

“Provision of information by Commissioner to Minister

16A. (1) The Minister may request the Commissioner of the Garda Síochána to provide any information necessary for the performance of the Minister’s functions under sections 9C and 9E and the Commissioner shall, notwithstanding anything contained in any other enactment or rule of law, but subject to the Data Protection Regulation and the Data Protection Act 2018, comply with that request.

(2) In this section ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹⁶ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 13A of Electoral Act 1992

175. Section 13A of the Electoral Act 1992 is amended by the insertion of the following subsection after subsection (3B):

“(3C) In addition to any other electoral purpose for which the information contained in the register prepared under section 13, including a draft register or the supplement to the register prepared under section 15 or an electors list published under section 16, being information which is excluded from the edited register, may be used, that information may be used—

(a) by a specified person (within the meaning of section 39 of the Data Protection Act 2018), for the purpose of communicating with a data subject in accordance with section 39 of that Act, or

(b) by an elected representative (within the meaning of section 40 of the Data Protection Act 2018) for the purposes of section 40 of that Act.”.

Amendment of Comptroller and Auditor General (Amendment) Act 1993

176. The Comptroller and Auditor General (Amendment) Act 1993 is amended—

(a) in section 10, by the substitution of the following subsection for subsection (3):

“(3) In this section—

‘automated data’ means information that—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) is recorded with the intention that it should be processed by means of such equipment;

‘data’ means automated data and manual data;

‘data equipment’ means equipment for processing data;

‘data material’ means any document or other material used in connection with, or produced by, data equipment;

‘manual data’ means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;

‘relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;”,

and

(b) by the insertion of the following section after section 18B:

“Application of this Act to the Data Protection Commission

18C. This Act applies to the Data Protection Commission as if it were a Department.”.

Amendment of section 8 of Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993

177. Section 8 of the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 is amended in subsection (1A) by the substitution of “the functions of the Data Protection Commission under section 10 of the Data Protection Act 1988 and Part 6 of the Data Protection Act 2018” for “the functions of the Data Protection Commissioner under section 10 of the Data Protection Act 1988”.

Amendment of section 24 of Statistics Act 1993

178. Section 24 of the Statistics Act 1993 is amended—

(a) by the substitution of the following subsection for subsection (2):

“(2) Without prejudice to the Data Protection Regulation and the Data Protection Act 2018, persons and undertakings may provide information and records, or copies thereof, which they may possess to the Director General or officers of statistics on invitation under the provisions of this Act.”,

and

(b) by the insertion of the following subsection:

“(3) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹⁷ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 57B of Irish Aviation Authority Act 1993

179. Section 57B(1) of the Irish Aviation Authority Act 1993 is amended by the substitution of the following paragraph for paragraph (d):

“(d) inspect, copy or extract information from any material (including information in any form) or thing found or produced to the authorised person.”.

Amendment of section 18F of Health Insurance Act 1994

180. Section 18F of the Health Insurance Act 1994 is amended—

(a) in subsection (2)(d), by the substitution of “data (including data that constitutes personal data)” for “data (within the meaning of the Data Protection Acts 1988 and 2003)”, and

(b) in subsection (12), by the insertion of the following definitions:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹⁸ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘personal data’ means personal data within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Data Protection Act 2018.”.

Amendment of section 142 of Consumer Credit Act 1995

181. Section 142 of the Consumer Credit Act 1995 is amended—

(a) in subsection (2), by the substitution of the following paragraph for paragraph (b):

“(b) which relates to information that constitutes personal data to which the Data Protection Regulation applies.”,

(b) in subsection (4), by the substitution of the following paragraph for paragraph (b):

“(b) which relates to information that constitutes personal data to which the Data Protection Regulation applies.”,

and

(c) by the insertion of the following subsection after subsection (4):

“(5) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹⁹ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 32B of Irish Medicines Board Act 1995

182. Section 32B of the Irish Medicines Board Act 1995 is amended—

(a) in subsection (3), by the substitution of the following paragraph for paragraph (l):

“(l) inspect and copy or extract information from any data, including data that constitutes personal data within the meaning of—

(i) the Data Protection Regulation, or

(ii) Part 5 of the Data Protection Act 2018.”,

and

(b) by the insertion of the following subsection after subsection (11):

“(12) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016²⁰ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 77 of Central Bank Act 1997

183. Section 77 of the Central Bank Act 1997 is amended by the substitution of the following subsection for subsection (12):

“(12) In this section—

‘automated data’ means information that—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) is recorded with the intention that it should be processed by means of such equipment;

‘data’ means automated data and manual data;

‘data equipment’ means equipment for processing data;

‘data material’ means any document or other material used in connection with, or produced by data equipment;

‘manual data’ means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;

‘relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.”.

Amendment of section 1 of Health (Provision of Information) Act 1997

184. The Health (Provision of Information) Act 1997 is amended by the substitution of the following section for section 1:

“Requests for and provision of information

1. (1) The National Cancer Registry Board (established under the Health (Corporate Bodies) Act 1961) may request from any person personal data (including data concerning health and genetic data within the meaning of the Data Protection Regulation) held by, or in the possession of, that person for the purposes of the performance of that Board of its functions.

(2) Without prejudice to his or her obligations under the Data Protection Regulation and the Act of 2018, the person to whom a request is made under subsection (1) shall provide the personal data requested to the extent it is held by, or in the possession of, that person.

(3) The Health Service Executive may, for the purposes of compiling and maintaining a record of the names, addresses, telephone numbers, e-mail addresses and dates of birth of persons who, for public health reasons, may be invited to participate in any cancer screening (including any breast, cervical or bowel cancer screening) programme operated by the Executive, request from any person the names, addresses, telephone numbers, e-mail addresses and dates of birth of persons held by, or in the possession of, that person.

(4) Without prejudice to his or her obligations under the Data Protection Regulation and the Act of 2018, the person to whom a request is made under subsection (3) may provide that information to the extent it is held by, or in the possession of, that person.

(5) In this section—

‘Act of 2018’ means the Data Protection Act 2018;

‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016²¹ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘personal data’ means personal data within the meaning of the Data Protection Regulation.”.

Amendment of section 9M of Electricity Regulation Act 1999

185. Section 9M of the Electricity Regulation Act 1999 is amended—

(a) in subsection (4), by the substitution of “the Data Protection Regulation or the Data Protection Act 2018” for “the Data Protection Acts 1988 and 2003”, and

(b) by the insertion of the following subsection after subsection (10):

“(11) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016²² on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of British-Irish Agreement Act 1999

186. Section 51 of the British-Irish Agreement Act 1999 is amended—

(a) in subsection (1) by—

(i) the substitution of the following definition for the definition of “Act of 1988”:

“ ‘Act of 1988’ means the Data Protection Act 1988, as amended by the Data Protection Act 2018;”,

and

(ii) the substitution of the following definition for the definition of “established”:

“ ‘established’, in relation to a data controller or a data processor, shall be construed in accordance with section 1(3B)(b) of the Act of 1988;”,

and

(b) by the deletion of subsection (6).

Amendment of section 7D of Comhairle Act 2000

187. Section 7D of the Comhairle Act 2000 is amended—

(a) in subsection (3), by the substitution of “Subject to the Data Protection Regulation and the Data Protection Act 2018” for “Subject to the Data Protection Acts 1988 and 2003”, and

(b) by the substitution of the following subsection for subsection (8):

“(8) In this section—

‘application’, ‘assessment’ and ‘service statement’ have the meanings assigned to them respectively by Part 2 of the Disability Act 2005;

‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016²³ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 33 of Commission To Inquire Into Child Abuse Act 2000

188. The Commission To Inquire Into Child Abuse Act 2000 is amended by the substitution of the following section for section 33:

“33. (1) Article 15 (Right of access) of the Data Protection Regulation is restricted, to the extent necessary and proportionate to safeguard the effective performance by the Commission of its functions or a Committee of its functions, in so far as it relates to personal data (within the meaning of that Regulation) provided to the Commission or a Committee while the data is in the custody of the Commission or a Committee, or in the case of such data provided to the Confidential Committee, of a body to which it is transferred by the Commission upon the dissolution of the Commission.

(2) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 2 of Merchant Shipping (Investigation of Marine Casualties) Act 2000

189. Section 2(1) of the Merchant Shipping (Investigation of Marine Casualties) Act 2000 is amended in the definition of “record” by the deletion of the words “any form in which data (within the meaning of the Data Protection Act 1988) are held,”.

Amendment of section 28 of Education (Welfare) Act 2000

190. Section 28 of the Education (Welfare) Act 2000 is amended—

(a) by the substitution of “controller” for “data controller” in each place it occurs, and

(b) in subsection (3), by the deletion of “ ‘data controller’ and ‘personal data’ have the meanings assigned to them by the Data Protection Act 1988” and the insertion of the following:

“ ‘controller’ means a controller within the meaning of the Data Protection Regulation;

‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘personal data’ means personal data within the meaning of the Data Protection Regulation;”.

Amendment of section 38 of Planning and Development Act 2000

191. Section 38 of the Planning and Development Act 2000 is amended in subsection (2) by the deletion of “and the Data Protection Acts 1988 and 2003”.

Amendment of section 14 of Dormant Accounts Act 2001

192. Section 14(5) of the Dormant Accounts Act 2001 is amended by the substitution of the following paragraph for paragraph (b):

“(b) Nothing in paragraph (a) shall be construed as restricting the right of a person to inspect the register, in relation to an account, where the person—

(i) proves to the satisfaction of an institution that he or she is, or may be, the account holder,

(ii) proves to the satisfaction of an institution that he or she is authorised by the account holder to so inspect, or

(iii) may act on behalf of the account holder in relation to that account pursuant to regulations made under section 9.”.

Amendment of section 30 of Residential Institutions Redress Act 2002

193. The Residential Institutions Redress Act 2002 is amended by the substitution of the following section for section 30:

“30. (1) Article 15 (Right of access) of the Data Protection Regulation is restricted, to the extent necessary and proportionate to safeguard the effective performance by the Board of its functions and the Review Committee of its functions, in so far as it relates to personal data (within the meaning of that Regulation) provided to the Board while the data is in the custody of the Board or the Review Committee.

(2) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 2 of Official Languages Act 2003

194. Section 2(1) of the Official Languages Act 2003 is amended—

(a) in the Irish text, in the definition of “taifead”, by the substitution of “aon fhoirm ina gcoimeádtar sonraí (lena n-áirítear foirm mheaisín-inléite) nó rud” for “aon fhoirm ina gcoimeádtar sonraí (de réir bhrí an Achta um Chosaint Sonraí 1988), aon fhoirm eile (lena n-áirítear foirm mheaisín-inléite) nó rud eile” and

(b) in the English text, in the definition of “record”, by the substitution of “any form in which data are held (including machine-readable form)” for “any form in which data (within the meaning of the Data Protection Act 1988) are held, any other form (including machine-readable form)”.

Amendment of section 86 of Personal Injuries Assessment Board Act 2003

195. Section 86 of the Personal Injuries Assessment Board Act 2003 is amended—

(a) in subsection (1), by the substitution of “but only if the processing (within the meaning of the Data Protection Regulation) of any particulars constituting personal data (within the meaning of that Regulation) in the database is in accordance with the Data Protection Regulation and the Data Protection Act 2018.” for “but only if the database is, for the time being, maintained in accordance with the Data Protection Act 1988”, and

(b) by the insertion of the following subsection after subsection (4):

“(5) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 12 of Unclaimed Life Assurance Policies Act 2003

196. Section 12(5) of the Unclaimed Life Assurance Policies Act 2003 is amended by the substitution of the following paragraph for paragraph (b):

“(b) Nothing in paragraph (a) shall be construed as restricting the right of a person to inspect the register in relation to a policy where the person—

(i) proves to the satisfaction of an insurance undertaking that he or she is, or may be, the policy holder,

(ii) proves to the satisfaction of an insurance undertaking that he or she is authorised by the policy holder to so inspect, or

(iii) may act on behalf of the policy holder in relation to that policy pursuant to regulations made under section 7.”.

Amendment of section 66 of Civil Registration Act 2004

197. Section 66 of the Civil Registration Act 2004 is amended—

(a) in subsection (1), by the substitution of “Notwithstanding anything contained in any other enactment, but subject to the Data Protection Regulation and the Data Protection Act 2018, an tArd-Chláraitheoir may” for “Notwithstanding anything contained in the Data Protection Acts 1988 to 2003 or any other enactment, an tArd-Chláraitheoir may”, and

(b) by the substitution of the following subsection for subsection (2):

“(2) In this section—

‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘information’ includes personal data;

‘personal data’ means personal data within the meaning of—

(a) the Data Protection Act 1988,

(b) the Data Protection Regulation, or

(c) Part 5 of the Data Protection Act 2018.”.

Amendment of section 39 of Commissions of Investigation Act 2004

198. Section 39 of the Commissions of Investigation Act 2004 is amended—

(a) by designating the section as subsection (1),

(b) in that designated subsection (1), by the substitution of “Article 15 (Right of access) of the Data Protection Regulation is restricted, to the extent necessary and proportionate to safeguard the effective operation of commissions and the future cooperation of witnesses, in so far as it relates to personal data (within the meaning of that Regulation) provided to a commission” for “Section 4 of the Data Protection Act 1988 does not apply to personal data provided to a commission”, and

(c) by the insertion of the following subsection after subsection (1):

“(2) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 55H of Health Act 2004

199. Section 55H of the Health Act 2004 is amended—

(a) in subsection (8), by the substitution of the following paragraph for paragraph (a):

“(a) submit a draft of the proposed procedures to the Data Protection Commission for its opinion as to whether any provision of the procedures would, if given effect, be likely to result in a contravention of the Data Protection Regulation or the Data Protection Act 2018, and”,

(b) in subsection (9), by the substitution of “the Data Protection Commission” for “the Data Protection Commissioner”, and

(c) by the insertion of the following subsection after subsection (9):

“(10) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 2 of Safety, Health and Welfare at Work Act 2005

200. Section 2(1) of the Safety, Health and Welfare at Work Act 2005 is amended—

(a) by the substitution of the following definition for the definition of “record”:

“ ‘record’ includes any memorandum, book, report, statement, register, plan, chart, map, drawing, specification, diagram, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form in which data (including data that constitute personal data within the meaning of the Data Protection Regulation or Part 5 of the Data Protection Act 2018) are held, any form (including machine-readable form) or thing in which information is held or stored manually, mechanically or electronically, and anything that is a part or copy, in any form, of any of, or any combination of, the foregoing;”,

and

(b) by the insertion of the following definition:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”.

Amendment of section 265 of Social Welfare Consolidation Act 2005

201. Section 265 of the Social Welfare Consolidation Act 2005 is amended—

(a) in subsection (1)—

(i) by the substitution of the following definitions for the definitions of “data controller” and “personal data”:

“ ‘controller’ means a controller within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Act of 2018;

‘personal data’ means personal data within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Act of 2018;”,

and

(ii) by the insertion of the following definitions:

“ ‘Act of 2018’ means the Data Protection Act 2018;

‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,

and

(b) in subsection (2), by the substitution of “controller” for “data controller”.

Amendment of Disability Act 2005

202. The Disability Act 2005 is amended—

(a) in section 12, by the deletion of subsection (3),

(b) in section 13, by the deletion of subsection (4),

(c) in section 41—

(i) by the deletion of the definition of “the Acts”,

(ii) by the substitution of the following definition for the definition of “processing”:

“ ‘processing’ means processing within the meaning of the Data Protection Regulation;”,

and

(iii) by the insertion of the following definition:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,

(d) in section 42—

(i) by the substitution, in subsection (1)(b), of “the Data Protection Regulation”, for “the Acts”,

(ii) by the deletion, in subsection (2)(a), of “save in accordance with the provisions of section 12A of the Data Protection Act 1988 (as inserted by the Data Protection (Amendment) Act 2003”,

(iii) by the substitution of the following subsection for subsection (4):

“(4) A person who contravenes subsection (2) or (3) shall be guilty of an offence and shall be liable—

(a) on summary conviction, to a class A fine, or

(b) on conviction on indictment, to a fine not exceeding €100,000.”,

and

(iv) by the insertion of the following subsections:

“(5) Where a person is convicted of an offence under subsection (4), the court may order any personal data that appears to the court to be connected with the commission of the offence to be destroyed or erased.

(6) The court shall not make an order under subsection (5) where it considers that a person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data concerned, unless such steps as are reasonably practicable have been taken for notifying that person and giving him or her an opportunity to show cause why the order should not be made.”,

(e) by the deletion of section 43, and

(f) in section 45, by the deletion of subsection (1).

Amendment of section 2 of Railway Safety Act 2005

203. Section 2(1) of the Railway Safety Act 2005 is amended in the definition of “record” by the deletion of the words “in which data (within the meaning of the Data Protection Act 1988) are held, any other form”.

Amendment of section 12 of Health (Repayment Scheme) Act 2006

204. Section 12(3) of the Health (Repayment Scheme) Act 2006 is amended by the substitution of “except after consultation with the Data Protection Commission” for “except after consultation with the Data Protection Commissioner within the meaning of the Data Protection Acts 1988 and 2003”.

Amendment of section 19 of Electoral (Amendment) Act 2006

205. Section 19 of the Electoral (Amendment) Act 2006 is amended by the substitution of “A registration authority may,” for “Notwithstanding anything in the Data Protection Acts 1988 and 2003, a registration authority may,”.

Amendment of section 67 of Pharmacy Act 2007

206. Section 67 of the Pharmacy Act 2007 is amended—

(a) in subsection (3), by the substitution of the following paragraph for paragraph (l):

“(l) inspect and copy or extract information from any data, including data that constitutes personal data within the meaning of—

(i) the Data Protection Regulation, or

(ii) Part 5 of the Data Protection Act 2018.”,

and

(b) by the insertion of the following subsection after subsection (12):

“(13) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of Passports Act 2008

207. The Passports Act 2008 is amended—

(a) in section 2, by—

(i) the deletion of the definitions of “Act of 1988”, “automated data” and “data”,

(ii) the insertion of the following definition:

“ ‘Act of 2018’ means the Data Protection Act 2018;”,

(iii) the substitution of the following definition for the definition of “biometric data”:

“ ‘biometric data’ means biometric data within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Act of 2018;”,

(iv) the insertion of the following definition:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,

(v) the substitution of the following definition for the definition of “personal data”:

“ ‘personal data’ means personal data within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Act of 2018;”,

and

(vi) the substitution of the following definition for the definition of “processing”:

“ ‘processing’ means processing within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Act of 2018.”,

(b) in section 8, by the substitution in subsection (1) of “Subject to the Data Protection Regulation and the Act of 2018” for “Subject to the Data Protection Acts 1988 and 2003”, and

(c) in section 21(1)(b), by the substitution of “personal data” for “data” in each place it occurs.

Amendment of Criminal Justice (Mutual Assistance) Act 2008

208. The Criminal Justice (Mutual Assistance) Act 2008 is amended—

(a) in section 76(1), by the insertion of the following definition:

“ ‘controller’ means a controller within the meaning of Part 5 of the Data Protection Act 2018;”,

(b) in section 79C(7), by the insertion of “or, as the case may be, controller” after “data controller” in each place it occurs,

(c) in section 94, by—

(i) the substitution of the following subsections for subsections (5) and (6):

“(5) Article 7, in its application in relation to the use of personal data contained in evidence or information obtained under the Treaty by a person in the State, is without prejudice to the application of—

(a) subject to section 8 of the Act of 2018, section 7 (duty of care owed by data controllers and data processors) of the Act of 1988 in respect of the use of such data (within the meaning of the Act of 1988), and

(b) Part 5 of the Act of 2018, in respect of the use of such data (within the meaning of that Part).

(6) (a) Subject to section 8 of the Act of 2018, the Data Protection Acts 1988 and 2003 apply in relation to personal data referred to in subsection (5)(a), in respects other than those related to their use.

(b) Part 5 of the Act of 2018 applies in relation to personal data referred to in subsection (5)(b), in respects other than those related to their use.”,

and

(ii) the insertion of the following subsection:

“(8) In this section—

‘Act of 1988’ means the Data Protection Act 1988;

‘Act of 2018’ means the Data Protection Act 2018.”,

and

(d) in section 107, by—

(i) the substitution of the following subsections for subsections (2) and (3):

“(2) Subsection (1) is without prejudice to the application of—

(a) subject to section 8 of the Act of 2018, section 7 (duty of care owed by data controllers and data processors) of the Act of 1988 in respect of the use of such data (within the meaning of the Act of 1988), and

(b) Part 5 of the Act of 2018, in respect of the use of such data (within the meaning of that Part).

(3) (a) Subject to section 8 of the Act of 2018, the Data Protection Acts 1988 and 2003 apply in relation to personal data referred to in subsection (2)(a), in respects other than those related to their use.

(b) Part 5 of the Act of 2018 applies in relation to personal data referred to in subsection (5)(b), in respects other than those related to their use.”,

and

(ii) by the insertion of the following subsection after subsection (4):

“(5) In this section—

‘Act of 1988’ means the Data Protection Act 1988;

‘Act of 2018’ means the Data Protection Act 2018.”.

Amendment of section 2 of Chemicals Act 2008

209. Section 2(1) of the Chemicals Act 2008 is amended by—

(a) the substitution of the following definition for the definition of “record”—

“ ‘record’ includes any memorandum, book, report, statement, register, plan, chart, map, drawing, specification, diagram, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form in which data (including data that constitute personal data within the meaning of the Data Protection Regulation or Part 5 of the Data Protection Act 2018) are held, any form (including machine-readable form) or thing in which information is held or stored manually, mechanically or electronically, and anything that is a part or copy, in any form, of any of, or any combination of, the foregoing;”,

and

(b) the insertion of the following definition:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”.

Amendment of Nursing Homes Support Scheme Act 2009

210. The Nursing Homes Support Scheme Act 2009 is amended—

(a) in section 26, by the deletion of subsection (12), and

(b) in section 45(1), by the substitution of “Subject to the Data Protection Regulation and the Data Protection Act 2018” for “Notwithstanding any provision of the Data Protection Acts 1988 to 2003”.

Amendment of section 23 of Criminal Justice (Miscellaneous Provisions) Act 2009

211. Section 23 of the Criminal Justice (Miscellaneous Provisions) Act 2009 is amended by the substitution of the following subsections for subsection (2):

“(2) The Data Protection Act 1988 shall, subject to any necessary modifications, apply and have effect in relation to the processing (within the meaning of that Act) of personal data (within the meaning of that Act) for the purposes of the operation of the Council Decision and the Schengen Convention.

(3) The Data Protection Act 2018 shall, subject to any necessary modifications, apply and have effect to the processing (within the meaning of Part 5 of that Act) of personal data (within the meaning of that Part) for the purposes of the operation of the Council Decision and the Schengen Convention.”.

Amendment of section 201 of National Asset Management Agency Act 2009

212. The National Asset Management Agency Act 2009 is amended by the substitution of the following section for section 201:

“201. (1) For the avoidance of doubt, an obligation on a credit institution or any other person under this Act to disclose information to NAMA, a NAMA group entity or the NTMA extends to personal data within the meaning of the Data Protection Regulation.

(2) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of Criminal Justice (Money Laundering and Terrorist Financing) Act 2010

213. The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 is amended—

(a) in section 2(1), by the insertion of the following definitions:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘personal data’ means personal data within the meaning of—

(i) the Data Protection Act 1988,

(ii) the Data Protection Regulation, or

(iii) Part 5 of the Data Protection Act 2018;”,

(b) in section 52(2), by the deletion of “(within the meaning of the Data Protection Acts 1988 and 2003)”, and

(c) in section 88(2), by the deletion of “(within the meaning of the Data Protection Acts 1988 and 2003)”.

Amendment of section 12 of Communications (Retention of Data) Act 2011

214. Section 12 of the Communications (Retention of Data) Act 2011 is amended by the substitution of the following subsections for subsection (4):

“(4) The designated judge may, if he or she considers it desirable to do so, communicate with the Taoiseach or the Minister concerning disclosure requests and with the Data Protection Commission in connection with its functions under the Data Protection Regulation and the Data Protection Acts 1988 to 2018.

(5) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 17A of Ministers and Secretaries (Amendment) Act 2011

215. Section 17A of the Ministers and Secretaries (Amendment) Act 2011 is amended—

(a) in subsection (2), by the substitution of “Data Protection Regulation” for “Data Protection Acts 1988 and 2003”, and

(b) by the insertion of the following subsection after subsection (3):

“(4) In this section, ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.

Amendment of section 28 of Student Support Act 2011

216. Section 28 of the Student Support Act 2011 is amended—

(a) by the substitution of “controller” for “data controller” in each place it occurs,

(b) in subsection (1), by the substitution of “Notwithstanding anything contained in any enactment (other than the Act of 2018)” for “Notwithstanding anything contained in the Data Protection Acts 1988 and 2003 or any other enactment”, and

(c) in subsection (5), by—

(i) the substitution of the following definitions for the definition of “data controller”:

“ ‘Act of 2018’ means the Data Protection Act 2018;

‘controller’ means a controller within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Act of 2018;

‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,

(ii) the substitution of the following definition for the definition of “personal data”:

“ ‘personal data’ means personal data within the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5 of the Act of 2018;”,

and

(iii) the substitution of the following definition for the definition of “processing”:

“ ‘processing’ means processing with the meaning of—

(a) the Data Protection Regulation, or

(b) Part 5