Communications (Retention of Data) Act 2011


Data security.

4.— (1) A service provider who F11[retains or preserves] data under F12[section 3(1), 3A(5), 3B(1), 7A(11) or 7B(10)] shall take the following security measures in relation to the retained data:

(a) the data shall be of the same quality and subject to the same security and protection as those data relating to the publicly available electronic communications service or to the public communications network, as the case may be;

(b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

(c) the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by authorised personnel only;

F12[(d) the data, except those that have been accessed and preserved, shall be destroyed by the service provider in such manner, and within such period (which shall not exceed 2 years and one month) as may be prescribed.]

(2) The Data Protection Commissioner is hereby designated as the national supervisory authority for the purposes of this Act and Directive No. 2006/24/EC of the European Parliament and of the Council.




Substituted (1.08.2023) by Criminal Justice (Miscellaneous Provisions) Act 2023 (24/2023), s. 78(c), S.I. No. 391 of 2023.


Substituted (26.06.2023) by Communications (Retention of Data) (Amendment) Act 2022 (25/2022), s. 10(1)(a), (b), S.I. No. 287 of 2023, art. 3(h).

Modifications (not altering text):


Functions transferred and references to “Data Protection Commissioner” and “Office of the Data Protection Commission” construed (25.05.2018) by Data Protection Act 2018 (7/2018), s. 14(1), (2), (4), in effect as per ss. 9, 14(4).

Note establishment of the Data Protection Commission (25.05.2018) by Data Protection Act 2018 (7/2018), s. 10(1), in effect as per s. 9.

Transfer of functions of Data Protection Commissioner to Commission

14. (1) All functions that, immediately before the establishment day, were vested in the Data Protection Commissioner are transferred to the Commission.

(2) A reference in any enactment or instrument under an enactment to the Data Protection Commissioner or to the Office of the Data Protection Commissioner shall be construed as a reference to the Commission.


(4) This section shall come into operation on the establishment day.


Reference to "processing" construed (25.05.2018) by Data Protection Act 2018 (7/2018), s. 166, S.I. No. 174 of 2018.

Reference to processing in enactment

166. Subject to this Act, a reference in any enactment to processing within the meaning of the Act of 1988 shall be construed as including a reference to processing within the meaning of—

(a) the Data Protection Regulation, and

(b) Part 5.