S.I. No. 320/2025 - Data Protection Act 2018 (Section 60(4)) (Information Commissioner) Regulations 2025


Notice of the making of this Statutory Instrument was published in “Iris Oifigiúil” of 18th July, 2025.

I, JIM O’CALLAGHAN, Minister for Justice, Home Affairs and Migration, in exercise of the powers conferred on me by section 60 (4) of the Data Protection Act 2018 (No. 7 of 2018) (as adapted by the Justice (Alteration of Name of Department and Title of Minister) Order 2025 (S.I. No. 242 of 2025)), hereby make the following regulations with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving the draft has been passed by each such House:

Citation

1. These Regulations may be cited as the Data Protection Act 2018 (Section 60(4)) (Information Commissioner) Regulations 2025.

Interpretation

2. (1) In these Regulations –

“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018);

“relevant right or obligation” has the meaning assigned to it by Regulation 3.

(2) Unless the context otherwise requires, a reference in these Regulations to a numbered Article is a reference to the Article so numbered of the Data Protection Regulation.

(3) A word or expression used in these Regulations shall, unless the context otherwise requires, have the same meaning in these Regulations as it has in the Data Protection Regulation.

Requirements where rights and obligations restricted in accordance with section 60(3)(c) of Act of 2018

3. The requirements set out in these Regulations are prescribed, for the purposes of section 60(4) of the Act of 2018, as the requirements to be complied with by the Information Commissioner when any of the rights and obligations referred to in Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22 (in these Regulations referred to as a “relevant right or obligation”), are restricted, in accordance with section 60(3)(c) of that Act, by the Information Commissioner for the purpose of the performance of his or her functions.

Scope of restriction: time

4. A relevant right or obligation may be restricted only for so long as is necessary and proportionate to safeguard the performance by the Information Commissioner of his or her functions.

Information to be provided to data subject where relevant right or obligation restricted

5. (1) Subject to paragraph (2), the Information Commissioner shall, by notice in writing given in a timely manner, provide the information set out in paragraph (3) to a data subject who requests to exercise a relevant right that is restricted or in respect of whom a relevant obligation is owed where that obligation is restricted.

(2) The Information Commissioner shall not give a notice under paragraph (1) to a data subject where, in the opinion of the Information Commissioner, the giving of the notice may prejudice the performance of a function by the Information Commissioner.

(3) A notice given under paragraph (1) to a data subject shall inform the data subject that a relevant right or obligation is restricted and shall include the following information:

(a) the relevant right or obligation that is restricted;

(b) whether the relevant right or obligation has been restricted in whole or in part;

(c) subject to paragraph (4), the reasons for the restriction;

(d) that the data subject may lodge a complaint with the Data Protection Commission pursuant to Article 77(1) in relation to the restriction.

(4) Paragraph (3)(c) shall not apply where, in the opinion of the Information Commissioner, informing the data subject concerned of the reasons may prejudice the performance of a function by the Information Commissioner.

(5) The Information Commissioner shall, where requested to do so by a data subject who receives a notice under paragraph (1), provide the data subject with a copy of the policies and procedures referred to in Regulation 6(1).

Policies and procedures for Article 23(2)(d) and (f)

6. (1) The Information Commissioner shall prepare and implement policies and procedures to provide for the matters referred to in Article 23(2)(d) and (f).

(2) Without prejudice to the generality of paragraph (1), the policies and procedures referred to in that paragraph shall provide for the following:

(a) the use of secure storage, passwords, encryption and other methods to ensure personal data can only be accessed by persons authorised by the Information Commissioner to do so;

(b) the use of controls to ensure that personal data is only disclosed to persons authorised by the Information Commissioner or entitled or permitted by law to receive that personal data;

(c) the determination of appropriate storage periods for personal data or classes of personal data, taking into account the nature, scope and purposes of the processing of the personal data;

(d) the treatment of personal data or classes of personal data at the expiry of the storage periods referred to in subparagraph (c);

(e) data minimisation, including the use of anonymisation and pseudonymisation.

(3) The policies and procedures referred to in paragraph (1) shall be reviewed by the Information Commissioner on a regular basis and updated where he or she considers it appropriate to do so.

(4) In this Regulation, “personal data” includes special categories of personal data and Article 10 data (within the meaning of section 55 of the Act of 2018).

Communication with data subject

7. The Information Commissioner shall ensure that all information provided to a data subject in relation to these Regulations is provided in a concise, intelligible and easily accessible form using clear and plain language.


GIVEN under my Official Seal,

14 July, 2025.

JIM O’CALLAGHAN,

Minister for Justice, Home Affairs and Migration.

EXPLANATORY NOTE

(This note is not part of the Instrument and does not purport to be a legal interpretation.)

These Regulations, which are made under section 60 (4) of the Data Protection Act 2018, set out requirements that the Information Commissioner must comply with when restricting the rights and obligations of data subjects under section 60 (3)(c) of the 2018 Act. They include requirements in line with Article 23 of the GDPR to provide certain information to the data subject and to publish policies and procedures. The rights and obligations concerned are those set out in Articles 12 to 22, 34 and Article 5 (in part), including the right to access personal information (Article 15), the right to rectification (Article 16) and the right to erasure (Article 17) in certain circumstances.

Where a right or obligation is restricted, the Regulations provide that the Information Commissioner is obliged to notify the data subject and provide the reasons for the restriction, unless to do so may prejudice the achievement of a relevant objective.

A notification must inform the data subject:

• of the right or obligation affected by the restriction;

• whether the restriction applies in whole or in part; and

• of the data subject’s statutory right to lodge a complaint with the Data Protection Commission.

The proposed measures also require the Information Commissioner to have in place certain policies and procedures. These safeguards and policies must be in relation to:

• prevention of abuse;

• unlawful access or transfer; and

• the storage periods.

The applicable safeguards must also take into account the nature, scope and purposes of the processing or categories of processing. The measures also require that the Information Commissioner ensures that all information provided in relation to these Regulations is provided in a clear, concise and accessible manner.