Data Protection Act 1988

Duty of care owed by data controllers and data processors.

7

7.For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned:

Provided that, for the purposes only of this section, a data controller shall be deemed to have complied with the provisions of section 2 (1) (b) of this Act if and so long as the personal data concerned accurately record data or other information received or obtained by him from the data subject or a third party and include (and, if the data are disclosed, the disclosure is accompanied by)—

(a) an indication that the information constituting the data was received or obtained as aforesaid,

(b) if appropriate, an indication that the data subject has informed the data controller that he regards the information as inaccurate or not kept up to date, and

(c) any statement with which, pursuant to this Act, the data are supplemented.

Annotations

Modifications (not altering text):

C46

Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(e), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015, otherwise (3.12.2018) by S.I. No. 503 of 2018.

Application of Act of 1988

123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—

(a) Chapter 2,

(b) Chapter 3, or

(c) an Article 7 request,

and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—

(i) Chapter 2 or the provisions of that Chapter,

(ii) Chapter 3 or the provisions of that Chapter, and

(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.

(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— ...

(e) in section 7

(i) the proviso shall not apply to a data controller in respect of personal data received or obtained by him or her from a body in a designated state pursuant to a European Union or international instrument,

(ii) the designation of the section (as modified by subparagraph (i)) as subsection (1) of that section, and

(iii) the addition of the following subsections:

“(2) A data controller shall not use the inaccuracy of personal data received by him or her from a body in a designated state pursuant to a European Union or international instrument as a ground to avoid or reduce his or her liability to the data subject concerned under subsection (1).

(3) Where—

(a) the Minister or the Commissioner of the Garda Síochána pays damages to a data subject under this section for damage caused to the data subject by reason of inaccurate data received by the national contact point in relation to DNA data or the national contact point in relation to dactyloscopic data, as may be appropriate, from a body in a designated state pursuant to Chapter 2 or 3 of Part 12 of the Act of 2014, or

(b) the Minister, the Commissioner of the Garda Síochána or the Director of Public Prosecutions pays damages to a data subject under this section for damage caused to the data subject by reason of inaccurate data received by the Central Authority, the Garda Síochána or the Director of Public Prosecutions, as may be appropriate, from a body in a Member State or Iceland or Norway pursuant to an Article 7 request,

the Minister, the Commissioner of the Garda Síochána or the Director of Public Prosecutions, as the case may be, may seek a refund of the amount that he or she paid in damages to the data subject concerned from the body in the designated state concerned.

(4) Where—

(a) a body in a designated state applies to the national contact point in relation to DNA data or the national contact point in relation to dactyloscopic data for a refund of damages paid by it, or on its behalf, on foot of a decision or finding of a court or other tribunal or the data protection authority in that designated state for damage caused to a data subject by reason of inaccurate data sent by the national contact point concerned to that body pursuant to Chapter 2 or 3 of Part 12 of the Act of 2014, or

(b) a body in a Member State or Iceland or Norway applies to the Minister or the Director of Public Prosecutions for a refund of damages paid by it, or on its behalf, on foot of a decision or finding of a court or other tribunal or the data protection authority in that Member State or Iceland or Norway, as the case may be, for damage caused to a data subject by reason of inaccurate data sent by the Minister or the Director of Public Prosecutions, as the case may be, to that body pursuant to an Article 7 request,

the Minister or the Commissioner of the Garda Síochána, as may be appropriate, in the circumstances referred to in paragraph (a), or the Minister or the Director of Public Prosecutions, as may be appropriate, in the circumstances referred to in paragraph (b), shall refund to the body in the designated state concerned the amount paid in damages by it, or on its behalf, to the data subject concerned.”,

...