Data Protection Act 1988

Enforcement of data protection.

10

10. (1) ( a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened F33 [ ] in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.

( b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall—

(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and

F34 [ (ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the individual who made the complaint of his or her decision in relation to it and that the individual may, if aggrieved by the decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him or her of the notification. ]

F35 [ (1A) The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof. ]

(2) If the Commissioner is of opinion that a person F36 [ ] has contravened or is contravening a provision of this Act (other than a provision the contravention of which is an offence), the Commissioner may, by notice in writing (referred to in this Act as an enforcement notice) served on the person, require him to take such steps as are specified in the notice within such time as may be so specified to comply with the provision concerned.

(3) Without prejudice to the generality of subsection (2) of this section, if the Commissioner is of opinion that a data controller has contravened section 2 (1) of this Act, the relevant enforcement notice may require him—

F34 [ ( a ) to block, rectify, erase or destroy any of the data concerned, or ]

( b) to supplement the data with such statement relating to the matters dealt with by them as the Commissioner may approve of; and as respects data that are inaccurate or not kept up to date, if he supplements them as aforesaid, he shall be deemed not to be in contravention of paragraph (b) of the said section 2 (1) .

(4) An enforcement notice shall—

( a) specify any provision of this Act that, in the opinion of the Commissioner, has been or is being contravened and the reasons for his having formed that opinion, and

( b) subject to subsection (6) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him.

(5) Subject to subsection (6) of this section, the time specified in an enforcement notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (4) (b) of this section and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (9) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(6) If the Commissioner—

( a) by reason of special circumstances, is of opinion that a requirement specified in an enforcement notice should be complied with urgently, and

( b) includes a statement to that effect in the notice,

subsections (4) (b) and (5) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.

(7) On compliance by a data controller with a requirement under subsection (3) of this section, he shall, as soon as may be and in any event not more than 40 days after such compliance, notify—

( a) the data subject concerned, and

F34 [ ( b ) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period beginning 12 months before the date of the service of the enforcement notice concerned and ending immediately before such compliance unless such notification proves impossible or involves a disproportionate effort,

of the blocking, rectification, erasure, destruction or statement concerned. ]

(8) The Commissioner may cancel an enforcement notice and, if he does so, shall notify in writing the person on whom it was served accordingly.

(9) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence.

Annotations:

Amendments:

F33

Deleted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(a)(i), S.I. No. 207 of 2003.

F34

Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(a)(ii), (d) and (e), S.I. No. 207 of 2003; subs. (7)(b), substituted by s. 11(e), commenced (18.07.2014) by S.I. No. 337 of 2014.

F35

Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(b), S.I. No. 207 of 2003.

F36

Deleted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 11(c), S.I. No. 207 of 2003.

Modifications (not altering text):

C55

Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.

Data protection

19. ...

(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—

(a) references to personal data included relevant credit data, and

(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.

(3) ...

(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).

...

C56

Application of section extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).

Unsolicited commercial communications.

9. ...

(6) The following provisions of the Act, namely —

(a) sections 1, 10, 12, 24 and 25,

(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,

and

(c) sections 27 to 30,

apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.

(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.

...

(9) Section 10 of the Act applies as if —

(a) in subsection (1)(a), “in relation to a person either where the person complains” were substituted for “by a data controller or a data processor in relation to an individual either where the individual complains”,

(b) in subsection (1)(b), the following subparagraph were substituted for subparagraph (ii):

“(ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the person who made the complaint of his or her decision in relation to it and that the person may, if aggrieved by the decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by the person of the notification.”,

(c) the following subsection were inserted after subsection (1):

“(1A) The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with Regulation 9 of the Regulations of 2003 and to identify any contravention thereof.”,

(d) in subsection (2), there were deleted, “being a data controller or a data processor,”,

(e) in subsection (3), there were substituted the following paragraph for paragraph (a):

“(a) to block, rectify, erase or destroy any of the data concerned, or”, and ,

(f) in subsection (7), there were substituted the following for so much of the subsection as follows paragraph (a):

“(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the previous 12 months before the date of the service of the enforcement notice concerned and ending immediately before such compliance unless such notification proves impossible or involves a disproportionate effort,

of the blocking, rectification, erasure, destruction or statement concerned.”.

...

(11) In this Regulation —

“Act” means the Data Protection Act 1988 ( No. 25 of 1988);

Editorial Notes:

E28

Previous affecting provision: subs. 7(b) as enacted not commenced; substituted as per F-Note above.

E29

Previous affecting provision: application of section extended (from the date on which the declaration by the State under Article 32 (4) of the Customs Co-operation Convention took effect to 24 October 2007) by Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004 (S.I. No. 254 of 2004), reg. 10(2).

E30

Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35, subject to transitional provisions in reg. 34.

E31

Previous affecting provision: non-textual amendments identical to those made by Data Protection (Amendment) Act 2003 above were made by the European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(9).

E32

Previous affecting provision: application of ss. 10, 12, 24, 25, 26 (insofar as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Commissioner in relation to a complaint under section 10(1)(a) ) and ss. 27 to 31 extended with any necessary modifications (8.05.2002) by European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002), reg. 12; revoked (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003), reg. 24.