1.—(1) In this Act, unless the context otherwise requires—

F1["the Act of 2003" means the Data Protection (Amendment) Act 2003]

“appropriate authority” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

F1[ "automated data" means information that—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) is recorded with the intention that it should be processed by means of such equipment;]

“back-up data” means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged;

F1["blocking", in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked;]

“civil servant” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

“the Commissioner” has the meaning assigned to it by section 9 of this Act;

“company” has the meaning assigned to it by the Companies Act, 1963

“the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981, the text of which is set out in the First Schedule to this Act;

“the Court” means the Circuit Court

F2["data" means automated data and manual data;]

“data controller” means a person who, either alone or with others, controls the contents and use of personal data;

“data equipment” means equipment for processing data;

“data material” means any document or other material used in connection with, or produced by, data equipment;

“data processor” means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;

“data subject” means an individual who is the subject of personal data;

F1["the Directive" means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data⁽¹⁾;]

F3[…]

“disclosure”, in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;

F1["the EEA Agreement"means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993;]

F1["enactment" means a statute or a statutory instrument (within the meaning of the Interpretation Act 1937);]

“enforcement notice” means a notice under section 10 of this Act;

F1["the European Economic Area" has the meaning assigned to it by the EEA Agreement;]

F3[…]

“information notice” means a notice under section 12 of this Act;

F4[“local authority” means a local authority for the purposes of the Local Government Act 2001 (as amended by the Local Government Reform Act 2014);]

F1["manual data" means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;]

“the Minister” means the Minister for Justice;

F2["personal data" means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;]

“prescribed”, in the case of fees, means prescribed by regulations made by the Minister with the consent of the Minister for Finance and, in any other case, means prescribed by regulations made by the Commissioner with the consent of the Minister;

F2["processing" of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including—

(a) obtaining, recording or keeping the information or data,

(b) collecting, organising, storing, altering or adapting the information or data,

(c) retrieving, consulting or using the information or data,

(d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or

(e) aligning, combining, blocking, erasing or destroying the information or data;]

“prohibition notice” means a notice under section 11 of this Act;

F3[…]

F5["relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;]

F1["sensitive personal data" means personal data as to—

(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,

(b) whether the data subject is a member of a trade union,

(c) the physical or mental health or condition or sexual life of the data subject,

(d) the commission or alleged commission of any offence by the data subject, or

(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;]

and any cognate words shall be construed accordingly.

(2) For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.

(3) (a) An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force—

(i) the civil servant so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the authority,

as respects the data concerned.

(b) Without prejudice to paragraph (a) of this subsection, the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a data controller or a data processor and, while the designation is in force—

(i) the officer so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the Minister for Defence,

as respects the data concerned.

(c) For the purposes of this Act, as respects any personal data—

(i) where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

(ii) where a designation under paragraph (b) of this subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

(iii) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the said Commissioner.

F1[(3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.

(3B) (a) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if—

(i) the data controller is established in the State and the data are processed in the context of that establishment, or

(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.

(b) For the purposes of paragraph (a) of this subsection, each of the following shall be treated as established in the State:

(i) an individual who is normally resident in the State,

(ii) a body incorporated under the law of the State,

(iii) a partnership or other unincorporated association formed under the law of the State, and

(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) of this paragraph, but maintains in the State—

(I) an office, branch or agency through which he or she carries on any activity, or

(II) a regular practice,

and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.

(c) A data controller to whom paragraph (a)(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.

(3C) Section 2 and sections 2A and 2B (which sections were inserted by the Act of 2003) of this Act shall not apply to—

(a) data kept solely for the purpose of historical research, or

(b other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986),

and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects.]

(4) This Act does not apply to—

(a) personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,

(b) personal data consisting of information that the person keeping the data is required by law to make available to the public, or

(c) personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.

F1[(5) F3[…]]