Criminal Justice (Forensic Evidence and DNA Database System) Act 2014

123.

Application of Act of 1988

123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—

(a) Chapter 2,

(b) Chapter 3, or

(c) an Article 7 request,

and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—

(i) Chapter 2 or the provisions of that Chapter,

(ii) Chapter 3or the provisions of that Chapter, and

(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.

(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely—

(a) in section 1(1), the insertion of the following definitions:

“ ‘Act of 2008’ means the Criminal Justice (Mutual Assistance) Act 2008;

Act of 2014 ’ means the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014;

‘Agreement with Iceland and Norway’, ‘Council Decision’, ‘dactyloscopic data’, ‘designated state’, ‘European Union or international instrument’, ‘Member State’ and ‘relevant European Union or international instrument’ have the meanings they have in section 109 of the Act of 2014;

‘Article 7 request’ means a request made or received under Chapter 3 of Part 5 of the Act of 2008 pursuant to Article 7 of the Council Decision or that Article insofar as it is applied by Article 1 of the Agreement with Iceland and Norway;

‘Central Authority’ has the meaning it has in section 2(1) of the Act of 2008;

‘data protection authority’, in relation to a designated state, means the authority in that designated state that is designated by that designated state to be the independent data protection authority of that designated state for the purposes of a European Union or international instrument;

‘DNA’ means deoxyribonucleic acid;

‘national contact point’, in relation to a relevant European Union or international instrument, has the meaning it has in section 109 of the Act of 2014;

‘processing’ has the meaning it has in this Act and shall include the sending or receipt, as the case may be, of a notification under section 113(2), 114(3), 115(2), 116(3), 119(2) or 120(2) of the Act of 2014.”,

(b) in section 2, the insertion of the following subsections after subsection (1):

“(1A) A data controller (including a national contact point) shall in order to comply with subsection (1) (b) as respects personal data kept by him or her also comply with section 125 of the Act of 2014 in respect of those data.

(1B) For the purposes of subparagraphs (i) and (ii) of subsection (1) (c), the processing of personal data supplied or received pursuant to—

(a) Chapter 2 of Part 12 of the Act of 2014, or

(b) Chapter 3 of that Part of that Act,

is deemed to be a purpose compatible with the purpose for which those data were obtained.”,

(c) in section 2C, the substitution of the following subsection for subsection (1):

“(1) In determining appropriate security measures for the purposes of section 2(1)(d) (but without prejudice to the generality of that provision), a data controller—

(a) shall, in relation to the processing of personal data supplied or received pursuant to—

(i) Chapter 2 of Part 12 of the Act of 2014, or

(ii) Chapter 3 of that Part of that Act,

comply with the technical specifications of the automated search and comparison procedure required by the relevant European Union or international instrument, and

(b) shall ensure that the measures provide a level of security appropriate to—

(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, or accidental alteration of, the data concerned, and

(ii) the nature of the data concerned.”,

(d) in section 4, the addition of the following subsection:

“(14) Notwithstanding section 5, this section applies to the processing of personal data supplied or received pursuant to—

(a) Chapter 2 of Part 12 of the Act of 2014,

(b) Chapter 3 of that Part of that Act, or

(c) an Article 7 request.”,

(e) in section 7—

(i) the proviso shall not apply to a data controller in respect of personal data received or obtained by him or her from a body in a designated state pursuant to a European Union or international instrument,

(ii) the designation of the section (as modified by subparagraph (i)) as subsection (1) of that section, and

(iii) the addition of the following subsections:

“(2) A data controller shall not use the inaccuracy of personal data received by him or her from a body in a designated state pursuant to a European Union or international instrument as a ground to avoid or reduce his or her liability to the data subject concerned under subsection (1).

(3) Where—

(a) the Minister or the Commissioner of the Garda Síochána pays damages to a data subject under this section for damage caused to the data subject by reason of inaccurate data received by the national contact point in relation to DNA data or the national contact point in relation to dactyloscopic data, as may be appropriate, from a body in a designated state pursuant to Chapter 2 or 3 of Part 12of the Act of 2014, or

(b) the Minister, the Commissioner of the Garda Síochána or the Director of Public Prosecutions pays damages to a data subject under this section for damage caused to the data subject by reason of inaccurate data received by the Central Authority, the Garda Síochána or the Director of Public Prosecutions, as may be appropriate, from a body in a Member State or Iceland or Norway pursuant to an Article 7 request,

the Minister, the Commissioner of the Garda Síochána or the Director of Public Prosecutions, as the case may be, may seek a refund of the amount that he or she paid in damages to the data subject concerned from the body in the designated state concerned.

(4) Where—

(a) a body in a designated state applies to the national contact point in relation to DNA data or the national contact point in relation to dactyloscopic data for a refund of damages paid by it, or on its behalf, on foot of a decision or finding of a court or other tribunal or the data protection authority in that designated state for damage caused to a data subject by reason of inaccurate data sent by the national contact point concerned to that body pursuant to Chapter 2or 3 of Part 12 of the Act of 2014, or

(b) a body in a Member State or Iceland or Norway applies to the Minister or the Director of Public Prosecutions for a refund of damages paid by it, or on its behalf, on foot of a decision or finding of a court or other tribunal or the data protection authority in that Member State or Iceland or Norway, as the case may be, for damage caused to a data subject by reason of inaccurate data sent by the Minister or the Director of Public Prosecutions, as the case may be, to that body pursuant to an Article 7 request,

the Minister or the Commissioner of the Garda Síochána, as may be appropriate, in the circumstances referred to in paragraph (a), or the Minister or the Director of Public Prosecutions, as may be appropriate, in the circumstances referred to in paragraph (b), shall refund to the body in the designated state concerned the amount paid in damages by it, or on its behalf, to the data subject concerned.”,

(f) section 8(b) —

(i) insofar as it relates to the purpose of detecting or investigating offences, shall not apply to the processing of data pursuant to Chapter 2,

(ii) insofar as it relates to the purpose of preventing, detecting or investigating offences, shall not apply to the processing of personal data pursuant to Chapter 3, or

(iii) insofar as it relates to the purpose of detecting or investigating offences or apprehending or prosecuting offenders, shall not apply to the processing of personal data pursuant to an Article 7 request,

which are or have been supplied by or to a data controller in the State pursuant to a European Union or international instrument, and

(g) in section 9, the insertion of the following subsection after subsection (1D):

“(1E) (a) The Commissioner shall be the competent data protection authority in the State for the purposes of a European Union or international instrument.

(b) The lawfulness of the processing of personal data supplied or received pursuant to—

(i) Chapter 2 of Part 12 of the Act of 2014,

(ii) Chapter 3of that Part of that Act, and

(iii) an Article 7 request,

shall be monitored by the Commissioner.

(c) The performance by the Commissioner of his or her function under paragraph (b) shall include the carrying out of random checks on the processing of personal data referred to in that paragraph.

(d) The Commissioner may request the data protection authority of a designated state to perform its functions under the law of that designated state with regard to checking the lawfulness of the processing of personal data supplied by the State to that designated state pursuant to the relevant European Union or international instrument.

(e) The Commissioner may receive information from the data protection authority of a designated state arising from the performance by it of the functions referred to in paragraph (d) with regard to the processing of the personal data concerned.

(f) The Commissioner shall, at the request of the data protection authority of a designated state, perform his or her functions under paragraphs (a) to (c) of this subsection and he or she shall furnish information to that authority with regard to the processing of the personal data the subject of the request.”.

Annotations:

Modifications (not altering text):

C18

References to "personal data" and "processing" construed (25.05.2018) by Data Protection Act 2018 (7/2018), ss. 165 and 166, S.I. No. 174 of 2018.

Reference to personal data in enactment

165. Subject to this Act, a reference in any enactment to personal data within the meaning of the Act of 1988 shall be construed as including a reference to personal data within the meaning of—

(a) the Data Protection Regulation, and

(b) Part 5.

Reference to processing in enactment

166. Subject to this Act, a reference in any enactment to processing within the meaning of the Act of 1988 shall be construed as including a reference to processing within the meaning of—

(a) the Data Protection Regulation, and

(b) Part 5.