Number 7 of 2018

DATA PROTECTION ACT 2018

CONTENTS

PART 1
Preliminary and General

1. Short title, citation and commencement
2. Interpretation
3. Designation by appropriate authority
4. Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances
5. Expenses
6. Regulations
7. Repeals and revocations
8. Application of Data Protection Act 1988

PART 2
Data Protection Commission

9. Establishment day
10. Establishment of Data Protection Commission
11. Supervisory authority for Data Protection Regulation and Directive
12. Functions of Commission
13. Performance of functions of Commission by Commissioner or member of staff
14. Transfer of functions of Data Protection Commissioner to Commission
15. Membership of Commission
16. Appointment of chairperson of Commission
17. Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner
18. Acting Commissioner
19. Accountability of Commissioner to Oireachtas Committees
20. Assignment and transfer of staff to Commission
21. Staff of Commission
22. Superannuation of Commissioners
23. Accounts of Commission
24. Annual report
25. Accountability for accounts of Commission
26. Prohibition on disclosure of confidential information
27. Civil proceedings for contravention of section 26

PART 3
Data Protection Regulation

Chapter 1
General

28. Fees
29. Child for purposes of application of Data Protection Regulation
30. Micro-targeting and profiling of children
31. Consent of child in relation to information society services
32. Codes of conduct: children
33. Right to be forgotten: children
34. Designation of data protection officer
35. Accreditation of certification bodies by Irish National Accreditation Board
36. Suitable and specific measures for processing
37. Limitation on transfers of personal data outside the European Union
38. Processing for a task carried out in the public interest or in the exercise of official authority
39. Communication with data subjects by political parties, candidates for and holders of certain elective political offices
40. Processing of personal data and special categories of personal data by elected representatives
41. Processing for purpose other than purpose for which data collected
42. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
43. Data processing and freedom of expression and information
44. Data processing and public access to official documents

Chapter 2
Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences

45. Processing of special categories of personal data
46. Processing of special categories of personal data for purposes of employment and social welfare law
47. Processing of special categories of personal data for purpose of legal advice and legal proceedings
48. Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission
49. Processing of special categories of personal data for purposes of administration of justice and performance of functions
50. Processing of special categories of personal data for insurance and pension purposes
51. Processing of special categories of personal data and Article 10 data for reasons of substantial public interest
52. Processing of special categories of personal data for purposes of Article 9(2)(h)
53. Processing of special categories of personal data for purposes of public interest in the area of public health
54. Processing of special categories of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
55. Processing of personal data relating to criminal convictions and offences

Chapter 3
Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers

56. Right of access to results and scripts of examination and results of appeal
57. Rights in relation to automated decision making
58. Direct marketing for purposes of Article 21
59. Restriction on right of data subject to object to processing for election purposes and processing by Referendum Commission
60. Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest
61. Restriction on exercise of data subjects’ rights: archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

PART 4
Provisions Consequent on Repeal of Certain Provisions of Data Protection Act 1988

62. Transfer of property of Data Protection Commissioner to Commission
63. Transfer of rights and liabilities of Data Protection Commissioner to Commission
64. Liability for loss occurring before establishment day
65. Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission
66. Final accounts and final annual report of Data Protection Commissioner
67. Saver for scheme relating to superannuation
68. Saver for regulations under Act of 1988

PART 5
Processing of Personal Data for Law Enforcement Purposes

Chapter 1
Preliminary and general (Part 5)

69. Interpretation (Part 5)
70. Application of Part 5

Chapter 2
General principles of data protection

71. Processing of personal data
72. Security measures for personal data
73. Processing of special categories of personal data (Part 5)
74. Data quality

Chapter 3
Obligations of controllers and processors

75. General obligations of controller with regard to technical and organisational measures
76. Data protection by design and by default
77. Security of automated processing
78. Technical and organisational measures
79. Joint controllers
80. Processors
81. Record of data processing activities
82. Data logging for automated processing system
83. Cooperation with Commission
84. Data protection impact assessment and prior consultation with Commission
85. Notification of personal data breach by processor
86. Notification of personal data breach to Commission, etc.
87. Communication of personal data breach to data subject
88. Data protection officer

Chapter 4
Rights, and restriction of rights, of data subject (Part 5)

89. Rights in relation to automated decision making (Part 5)
90. Right to information
91. Right of access
92. Right to rectification or erasure and restriction of processing
93. Communication with data subject
94. Restrictions on exercise of data subject rights (Part 5)
95. Indirect exercise of rights and verification by Commission

Chapter 5
Transfers of personal data to third countries or international organisations

96. Transfer to third country or international organisation
97. Adequacy decision
98. Transfer subject to appropriate safeguards
99. Derogations for specific situations
100. Transfer to recipient in third country

Chapter 6
Independent supervisory authority

101. Functions of Commission under Part 5
102. Power of the Commission to advise and issue opinions
103. Mutual assistance
104. Requests by Commission for mutual assistance

PART 6
Enforcement of Data Protection Regulation and Directive

Chapter 1
Preliminary

105. Interpretation (Part 6)
106. Service of documents (Part 6)

Chapter 2
Enforcement of Data Protection Regulation

107. Interpretation (Chapter 2)
108. Complaints under Chapter 2: General
109. Commission to handle complaint under Chapter 2
110. Commission may conduct inquiry into suspected infringement of relevant enactment
111. Decision of Commission where inquiry under Chapter 2 conducted of own volition
112. Decision of Commission where inquiry conducted in respect of complaint to which Article 55 or 56(5) applies
113. Complaint to which Article 60 applies
114. Commission to adopt decision in certain circumstances
115. Exercise by Commission of corrective power
116. Notification of decision of Commission under Chapter 2
117. Judicial remedy for infringement of relevant enactment

Chapter 3
Enforcement of Directive

118. Interpretation (Chapter 3)
119. Data subject may lodge complaint with Commission
120. Representation of data subjects
121. Complaints under Chapter 3: General
122. Commission to handle complaint under Chapter 3
123. Commission may conduct inquiry into suspected infringements of relevant provision
124. Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition
125. Decision of Commission where inquiry conducted in respect of complaint under Chapter 3
126. Notification of decision of Commission under Chapter 3
127. Corrective powers of Commission (Chapter 3)
128. Judicial remedy for infringement of relevant provision

Chapter 4
Inspection, Audit and Enforcement

129. Authorised officers
130. Powers of authorised officers
131. Search warrants
132. Information notice
133. Enforcement notice
134. Circumstances in which application may be made to the High Court for suspension or restriction of processing of data
135. Power to require report
136. Data Protection Audit

Chapter 5
Investigations

137. Investigations
138. Conduct of investigation under section 137
139. Investigation report
140. Commission to consider investigation report

Chapter 6
Administrative Fines

141. Power of Commission to decide to impose administrative fine: General
142. Appeal against administrative fine
143. Circuit Court to confirm decision to impose administrative fine

Chapter 7
Offences

144. Unauthorised disclosure by processor
145. Disclosure of personal data obtained without authority
146. Offences by directors, etc., of bodies corporate
147. Prosecution of summary offences by Commission

Chapter 8
Miscellaneous

148. General provisions relating to complaints
149. Publication of convictions, sanctions, etc.
150. Right to effective judicial remedy (Part 6)
151. Privileged legal material
152. Presumptions
153. Expert evidence
154. Immunity from suit
155. Jurisdiction of Circuit Court
156. Hearing of proceedings

PART 7
Miscellaneous Provisions

157. Supervisory authority for courts acting in judicial capacity
158. Restrictions on obligations of controllers and rights of data subjects for objective of safeguarding judicial independence and court proceedings
159. Processing of personal data where court is controller
160. Publication of judgment or decision of court or court list
161. Rules of court for data protection actions
162. Legal privilege
163. Application to High Court concerning adequate level of protection or appropriate safeguards
164. Court may order destruction, erasure of data

PART 8
Amendments of other Acts of Oireachtas

165. Reference to personal data in enactment
166. Reference to processing in enactment
167. Amendment of Firearms Act 1925
168. Amendment of section 33AK of Central Bank Act 1942
169. Amendment of section 2 of Civil Service Regulation Act 1956
170. Amendment of section 24 of Misuse of Drugs Act 1977
171. Amendment of section 15A of Control of Clinical Trials Act 1987
172. Amendment of Data Protection Act 1988
173. Amendment of Bankruptcy Act 1988
174. Amendment of Firearms and Offensive Weapons Act 1990
175. Amendment of section 13A of Electoral Act 1992
176. Amendment of Comptroller and Auditor General (Amendment) Act 1993
177. Amendment of section 8 of Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
178. Amendment of section 24 of Statistics Act 1993
179. Amendment of section 57B of Irish Aviation Authority Act 1993
180. Amendment of section 18F of Health Insurance Act 1994
181. Amendment of section 142 of Consumer Credit Act 1995
182. Amendment of section 32B of Irish Medicines Board Act 1995
183. Amendment of section 77 of Central Bank Act 1997
184. Amendment of section 1 of Health (Provision of Information) Act 1997
185. Amendment of section 9M of Electricity Regulation Act 1999
186. Amendment of British-Irish Agreement Act 1999
187. Amendment of section 7D of Comhairle Act 2000
188. Amendment of section 33 of Commission To Inquire Into Child Abuse Act 2000
189. Amendment of section 2 of Merchant Shipping (Investigation of Marine Casualties) Act 2000
190. Amendment of section 28 of Education (Welfare) Act 2000
191. Amendment of section 38 of Planning and Development Act 2000
192. Amendment of section 14 of Dormant Accounts Act 2001
193. Amendment of section 30 of Residential Institutions Redress Act 2002
194. Amendment of section 2 of Official Languages Act 2003
195. Amendment of section 86 of Personal Injuries Assessment Board Act 2003
196. Amendment of section 12 of Unclaimed Life Assurance Policies Act 2003
197. Amendment of section 66 of Civil Registration Act 2004
198. Amendment of section 39 of Commissions of Investigation Act 2004
199. Amendment of section 55H of Health Act 2004
200. Amendment of section 2 of Safety, Health and Welfare at Work Act 2005
201. Amendment of section 265 of Social Welfare Consolidation Act 2005
202. Amendment of Disability Act 2005
203. Amendment of section 2 of Railway Safety Act 2005
204. Amendment of section 12 of Health (Repayment Scheme) Act 2006
205. Amendment of section 19 of Electoral (Amendment) Act 2006
206. Amendment of section 67 of Pharmacy Act 2007
207. Amendment of Passports Act 2008
208. Amendment of Criminal Justice (Mutual Assistance) Act 2008
209. Amendment of section 2 of Chemicals Act 2008
210. Amendment of Nursing Homes Support Scheme Act 2009
211. Amendment of section 23 of Criminal Justice (Miscellaneous Provisions) Act 2009
212. Amendment of section 201 of National Asset Management Agency Act 2009
213. Amendment of Criminal Justice (Money Laundering and Terrorist Financing) Act 2010
214. Amendment of section 12 of Communications (Retention of Data) Act 2011
215. Amendment of section 17A of Ministers and Secretaries (Amendment) Act 2011
216. Amendment of section 28 of Student Support Act 2011
217. Amendment of Communications Regulation (Postal Services) Act 2011
218. Amendment of Property Services (Regulation) Act 2011
219. Amendment of section 56 of Credit Union and Co-operation with Overseas Regulators Act 2012
220. Amendment of Europol Act 2012
221. Amendment of Personal Insolvency Act 2012
222. Amendment of section 2 of Animal Health and Welfare Act 2013
223. Amendment of section 8 of Health (Alteration of Criteria for Eligibility) Act 2013
224. Insertion of section 957A to Companies Act 2014
225. Amendment of Health Identifiers Act 2014
226. Amendment of section 15 of Freedom of Information Act 2014
227. Amendment of section 41 of Customs Act 2015
228. Amendment of section 7 of Regulation of Lobbying Act 2015
229. Amendment of Sport Ireland Act 2015
230. Amendment of section 12 of Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016
231. Amendment of section 62 of Financial Services and Pensions Ombudsman Act 2017
232. Amendment of National Shared Services Office Act 2017

SCHEDULE 1
Statutory Instruments Revoked

SCHEDULE 2
Data Protection Commission

SCHEDULE 3
Provisions Applicable to Oral Hearing Conducted by an Authorised Officer Under Section 138

Acts Referred to

Animal Health and Welfare Act 2013 (No. 15)
Bankruptcy Act 1988 (No. 27)
British-Irish Agreement Act 1999 (No. 1)
Central Bank Act 1942 (No. 22)
Central Bank Act 1997 (No. 8)
Chemicals Act 2008 (No. 13)
Children Act 2001 (No. 24)
Civil Registration Act 2004 (No. 3)
Civil Service Regulation Act 1956 (No. 46)
Comhairle Act 2000 (No. 1)
Commission To Inquire Into Child Abuse Act 2000 (No. 7)
Commissions of Investigation Act 2004 (No. 23)
Communications (Retention of Data) Act 2011 (No. 3)
Communications Regulation (Postal Services) Act 2011 (No. 21)
Companies Act 2014 (No. 38)
Competition Act 2002 (No. 14)
Comptroller and Auditor General (Amendment) Act 1993 (No. 8)
Consumer Credit Act 1995 (No. 24)
Control of Clinical Trials Act 1987 (No. 28)
Credit Union and Co-operation with Overseas Regulators Act 2012 (No. 40)
Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (No. 11)
Criminal Justice (Miscellaneous Provisions) Act 2009 (No. 28)
Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6)
Criminal Justice (Mutual Assistance) Act 2008 (No. 7)
Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (No. 4)
Customs Act 2015 (No. 18)
Data Protection (Amendment) Act 2003 (No. 6)
Data Protection Act 1988 (No. 25)
Data Protection Acts 1988 and 2003
Data Protection Acts 1988 to 2003
Defence Act 1954 (No. 18)
Dentists Act 1985 (No. 9)
Disability Act 2005 (No. 14)
Dormant Accounts Act 2001 (No. 32)
Education (Welfare) Act 2000 (No. 22)
Education Act 1998 (No. 51)
Electoral (Amendment) Act 2006 (No. 33)
Electoral Act 1992 (No. 23)
Electricity Regulation Act 1999 (No. 23)
European Parliament Elections Act 1997 (No. 2)
Europol Act 2012 (No. 53)
Financial Services and Pensions Ombudsman Act 2017 (No. 22)
Firearms (Firearm Certificates For Non-Residents) Act 2000 (No. 20)
Firearms Act 1925 (No. 17)
Firearms and Offensive Weapons Act 1990 (No. 12)
Freedom of Information Act 2014 (No. 30)
Health (Alteration of Criteria for Eligibility) Act 2013 (No. 10)
Health (Corporate Bodies) Act 1961 (No. 27)
Health (Provision of Information) Act 1997 (No. 9)
Health (Repayment Scheme) Act 2006 (No. 17)
Health Act 2004 (No. 42)
Health Identifiers Act 2014 (No. 15)
Health Insurance Act 1994 (No. 16)
Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 (No. 10)
Interpretation Act 2005 (No. 23)
Irish Aviation Authority Act 1993 (No. 29)
Irish Medicines Board Act 1995 (No. 29)
Local Government Act 2001 (No. 37)
Medical Practitioners Act 1978 (No. 4)
Medical Practitioners Act 2007 (No. 25)
Merchant Shipping (Investigation of Marine Casualties) Act 2000 (No. 14)
Ministers and Secretaries (Amendment) Act 2011 (No. 10)
Misuse of Drugs Act 1977 (No. 12)
National Asset Management Agency Act 2009 (No. 34)
National Shared Services Office Act 2017 (No. 26)
Nursing Homes Support Scheme Act 2009 (No. 15)
Official Languages Act 2003 (No. 32)
Passports Act 2008 (No. 4)
Personal Injuries Assessment Board Act 2003 (No. 46)
Personal Insolvency Act 2012 (No. 44)
Petty Sessions (Ireland) Act 1851 (14 & 15 Vict., c.93)
Pharmacy Act 2007 (No. 20)
Planning and Development Act 2000 (No. 30)
Prisons Acts 1826 to 2015
Property Services (Regulation) Act 2011 (No. 40)
Public Service Superannuation (Miscellaneous Provisions) Act 2004 (No. 7)
Railway Safety Act 2005 (No. 31)
Regulation of Lobbying Act 2015 (No. 5)
Residential Institutions Redress Act 2002 (No. 13)
Safety, Health and Welfare at Work Act 2005 (No. 10)
Social Welfare Consolidation Act 2005 (No. 26)
Sport Ireland Act 2015 (No. 15)
Statistics Act 1993 (No. 21)
Student Support Act 2011 (No. 4)
Unclaimed Life Assurance Policies Act 2003 (No. 2)
Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (No. 5)

Number 7 of 2018

DATA PROTECTION ACT 2018

An Act to establish a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission; to give further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016¹ on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); to give effect to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016² on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; to give further effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981 and for those and other purposes to amend the Data Protection Act 1988; to provide for the consequential amendment of certain other enactments; and to provide for related matters.

[24th May, 2018]

Be it enacted by the Oireachtas as follows:

¹ OJ No. L 119, 4.5.2016, p.1
² OJ No. L 119, 4.5.2016, p.89