Data Protection Act 1988
Collection, processing, keeping, use and disclosure of personal data.
2.—F6[(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,
(b) the data shall be accurate and complete and, where necessary, kept up to date,
(c) the data—
(i) shall have been obtained only for one or more specified, explicit and legitimate purposes,
(ii) shall not be further processed in a manner incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
(iv) shall not be kept for longer than is necessary for that purpose or those purposes,
(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.]
(2) A data processor shall, as respects personal data processed by him, comply with paragraph (d) of subsection (1) of this section.
(3) Paragraph (a) of the said subsection (1) does not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in section 5 (1) (a) of this Act, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in the said section 5 (1) (a).
(4) Paragraph (b) of the said subsection (1) does not apply to backup data.
(5) F7[(a) Subparagraphs (ii) and (iv) of paragraph (c) of the said subsection (1) do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects, and,]
(b) the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained,
if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject.
(6) F8[…]
F9[(7) F10[…]
(8) F10[…]]
Annotations
Amendments:
F6
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(a), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
F7
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(b), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
F8
Deleted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(c), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
F9
Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 3(d), S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
F10
Repealed other than for certain excepted purposes (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(1)(b), (4), S.I. No. 174 of 2018. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b), (2), (3). See C-note below.
Modifications (not altering text):
C27
Subss. (7), (8) repealed, but retained (see below) for certain excepted purposes, (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(1)(b), (4), S.I. No. 174 of 2018. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b) (the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014) or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (5/2018) to the extent that the Act of 1988 is applied in those Acts) and s. 8(2), (3) (transitional provisions).
F9[(7) Where—
(a) personal data are kept for the purpose of direct marketing, and
(b) the data subject concerned requests the data controller in writing—
(i) not to process the data for that purpose, or
(ii) to cease processing the data for that purpose,
then—
(I) if the request is under paragraph (b)(i) of this subsection, the data controller—
(A) shall, where the data are kept only for the purpose aforesaid, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, erase the data, and
(B) shall not, where the data are kept for that purpose and other purposes, process the data for that purpose after the expiration of the period aforesaid,
(II) if the request is under paragraph (b)(ii) of this subsection, as soon as may be and in any event not more than 40 days after the request has been given or sent to the data controller, he or she—
(A) shall, where the data are kept only for the purpose aforesaid, erase the data, and
(B) shall, where the data are kept for that purpose and other purposes, cease processing the data for that purpose,
and
(III) the data controller shall notify the data subject in writing accordingly and, where appropriate, inform him or her of those other purposes.
(8) Where a data controller anticipates that personal data, including personal data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the data controller shall inform the persons to whom the data relates that they may object, by means of a request in writing to the data controller and free of charge, to such processing.]
C28
Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(b), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015, otherwise (3.12.2018) by S.I. No. 503 of 2018.
Application of Act of 1988
123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—
(a) Chapter 2,
(b) Chapter 3, or
(c) an Article 7 request,
and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—
(i) Chapter 2 or the provisions of that Chapter,
(ii) Chapter 3 or the provisions of that Chapter, and
(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.
(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— ...
(b) in section 2, the insertion of the following subsections after subsection (1):
“(1A) A data controller (including a national contact point) shall in order to comply with subsection (1) (b) as respects personal data kept by him or her also comply with section 125 of the Act of 2014 in respect of those data.
(1B) For the purposes of subparagraphs (i) and (ii) of subsection (1) (c), the processing of personal data supplied or received pursuant to—
(a) Chapter 2 of Part 12 of the Act of 2014, or
(b) Chapter 3 of that Part of that Act,
is deemed to be a purpose compatible with the purpose for which those data were obtained.”,
...
C29
Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.
Data protection
19. ...
(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—
(a) references to personal data included relevant credit data, and
(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.
(3) ...
(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).
...
Editorial Notes:
E15
Subs. (1)(d) applied to a deceased individual’s relevant information as it does to a living individual’s relevant information (13.07.2015) by Health Identifiers Act 2014 (15/2014), s. 27(3), S.I. No. 294 of 2015.