Data Protection Act 2018
Restrictions on exercise of data subject rights (Part 5) | ||
94. (1) Subject to subsection (2), a controller, with respect to personal data for which it is responsible, may restrict, wholly or partly, the exercise of a right of a data subject specified in subsection (4). | ||
(2) Subsection (1) shall apply where the controller is satisfied that restricting the exercise of a right under that subsection constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject for the purposes of— | ||
(a) avoiding obstructing official or legal inquiries, investigations or procedures, | ||
(b) avoiding prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, | ||
(c) protecting public security, | ||
(d) protecting national security, or | ||
(e) protecting the rights and freedoms of other persons. | ||
(3) Without prejudice to the generality of subsection (2), the purposes specified in paragraphs (a) to (e) of subsection (2) include the following: | ||
(a) the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid; | ||
(b) the enforcement of, compliance with or administration of any enactment related to a purpose specified in section 70 (1)(a); | ||
(c) ensuring the safety of the public and the safety or security of individuals and property; | ||
(d) ensuring the fairness of criminal proceedings in a court or other tribunal; | ||
(e) ensuring the security of— | ||
(i) a penal institution, | ||
(ii) a children detention school within the meaning of section 3 of the Children Act 2001 , | ||
(iii) a remand centre designated under section 88 of the Children Act 2001 , | ||
(iv) the Central Mental Hospital, or | ||
(v) any system of communications, whether internal or external, of the Garda Síochána, the Defence Forces, the Revenue Commissioners or a penal institution; | ||
(f) protecting the life, safety or well-being of any person; | ||
(g) preventing the facilitation of the commission of an offence; | ||
(h) avoiding the prejudice or impairment of national security, defence or the international relations of the State; | ||
(i) avoiding the obstruction or impairment of official or legal inquiries, investigations or procedures or the operation of legal privilege; | ||
(j) the performance by the Commission of its functions. | ||
(4) The rights of a data subject to which subsection (1) applies are: | ||
(a) the right of the data subject under section 90 (1) in so far as relates to information specified in subsection (2)(f) of that section; | ||
(b) the rights of the data subject under paragraphs (a) and (b) of section 91 (1); | ||
(c) the right of the data subject to be notified— | ||
(i) under section 92 (10) of the restriction of the processing of personal data under subsection (9) of that section, or | ||
(ii) under section 92 (11) of a decision not to rectify or erase data pursuant to a request under subsection (1) or (3) of that section, as the case may be. | ||
(5) Subject to subsection (6), where a controller restricts, pursuant to subsection (1), the exercise of the right of a data subject specified in paragraph (b) or (c) of subsection (4), the controller shall notify the data subject in writing of— | ||
(a) the restriction of the exercise of the said right and the reasons for such restriction, and | ||
(b) the right of the data subject— | ||
(i) under section 95 to request the Commission to verify the lawfulness of the processing concerned, or | ||
(ii) under section 128 to seek a judicial remedy in relation to the said restriction. | ||
(6) Subsection (5) shall not apply where to notify the data subject in accordance with that subsection of the matters specified therein would be contrary to a purpose specified in subsection (2). | ||
(7) Where a controller restricts, pursuant to subsection (1), the exercise of the right of a data subject specified in paragraph (b) or (c) of subsection (4), the controller shall— | ||
(a) create and maintain a record in writing of the factual or legal basis for the decision to so restrict the right concerned, and | ||
(b) make such a record available to the Commission, if so requested by the Commission. | ||
(8) Regulations may be made specifying a category of processing to be a category of processing in respect of which the exercise of the rights specified in subsection (4) may, in accordance with subsection (2), be restricted under subsection (1). | ||
(9) Regulations under subsection (8) may be made by— | ||
(a) the Minister, following consultation with such other Minister of the Government as he or she considers appropriate and the Commission, or | ||
(b) any other Minister of the Government, following consultation with the Minister, such other Minister of the Government as he or she considers appropriate and the Commission. | ||
(10) The Minister of the Government making regulations under subsection (8) shall have regard to— | ||
(a) the nature, scope and purposes of the category of processing concerned, | ||
(b) whether, having regard to the matters referred to in paragraph (a), the restriction concerned is one to which subsection (2) would apply, and | ||
(c) any risks arising for the rights and freedoms of data subjects. | ||
(11) Regulations made under this section shall— | ||
(a) respect the essence of the right to data protection and protect the interests of the data subject, and | ||
(b) restrict the exercise of data subject rights only in so far as is necessary and proportionate to the aim sought to be achieved. | ||
(12) For the purposes of this section, “penal institution” means— | ||
(a) a place to which the Prisons Acts 1826 to 2015 apply, or | ||
(b) a military prison or detention barrack within the meaning, in each case, of the Defence Act 1954 . |