Data Protection Act 2018
Number 7 of 2018
DATA PROTECTION ACT 2018
REVISED
Updated to 30 April 2024
This Revised Act is an administrative consolidation of the Data Protection Act 2018. It is prepared by the Law Reform Commission in accordance with its function under the Law Reform Commission Act 1975 (3/1975) to keep the law under review and to undertake revision and consolidation of statute law.
All Acts up to and including the Gas (Amendment) and Miscellaneous Provisions Act 2024 (11/2024), enacted 1 May 2024, and all statutory instruments up to and including the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (Commencement) Order 2024 (S.I. No. 181 of 2024), made 30 April 2024, were considered in the preparation of this Revised Act.
Disclaimer: While every care has been taken in the preparation of this Revised Act, the Law Reform Commission can assume no responsibility for and give no guarantees, undertakings or warranties concerning the accuracy, completeness or up to date nature of the information provided and does not accept any liability whatsoever arising from any errors or omissions. Please notify any errors, omissions and comments by email to
revisedacts@lawreform.ie.
Number 7 of 2018
DATA PROTECTION ACT 2018
REVISED
Updated to 30 April 2024
CONTENTS
Preliminary and General
1. Short title, citation and commencement
3. Designation by appropriate authority
8. Application of Data Protection Act 1988
Data Protection Commission
10. Establishment of Data Protection Commission
11. Supervisory authority for Data Protection Regulation and Directive
13. Performance of functions of Commission by Commissioner or member of staff
14. Transfer of functions of Data Protection Commissioner to Commission
16. Appointment of chairperson of Commission
17. Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner
19. Accountability of Commissioner to Oireachtas Committees
20. Assignment and transfer of staff to Commission
22. Superannuation of Commissioners
25. Accountability for accounts of Commission
26. Prohibition on disclosure of confidential information
27. Civil proceedings for contravention of section 26
Data Protection Regulation
General
29. Child for purposes of application of Data Protection Regulation
30. Micro-targeting and profiling of children
31. Consent of child in relation to information society services
32. Codes of conduct: children
33. Right to be forgotten: children
34. Designation of data protection officer
35. Accreditation of certification bodies by Irish National Accreditation Board
36. Suitable and specific measures for processing
37. Limitation on transfers of personal data outside the European Union
40. Processing of personal data and special categories of personal data by elected representatives
41. Processing for purpose other than purpose for which data collected
43. Data processing and freedom of expression and information
44. Data processing and public access to official documents
Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences
45. Processing of special categories of personal data
50. Processing of special categories of personal data for insurance and pension purposes
52. Processing of special categories of personal data for purposes of Article 9(2)(h)
55. Processing of personal data relating to criminal convictions and offences
Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers
56. Right of access to results and scripts of examination and results of appeal
57. Rights in relation to automated decision making
58. Direct marketing for purposes of Article 21
Provisions Consequent on Repeal of Certain Provisions of Data Protection Act 1988
62. Transfer of property of Data Protection Commissioner to Commission
63. Transfer of rights and liabilities of Data Protection Commissioner to Commission
64. Liability for loss occurring before establishment day
65. Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission
66. Final accounts and final annual report of Data Protection Commissioner
67. Saver for scheme relating to superannuation
68. Saver for regulations under Act of 1988
Processing of Personal Data for Law Enforcement Purposes
Preliminary and general (Part 5)
General principles of data protection
71. Processing of personal data
72. Security measures for personal data
73. Processing of special categories of personal data (Part 5)
Obligations of controllers and processors
75. General obligations of controller with regard to technical and organisational measures
76. Data protection by design and by default
77. Security of automated processing
78. Technical and organisational measures
81. Record of data processing activities
82. Data logging for automated processing system
83. Cooperation with Commission
84. Data protection impact assessment and prior consultation with Commission
85. Notification of personal data breach by processor
86. Notification of personal data breach to Commission, etc.
87. Communication of personal data breach to data subject
Rights, and restriction of rights, of data subject (Part 5)
89. Rights in relation to automated decision making (Part 5)
92. Right to rectification or erasure and restriction of processing
93. Communication with data subject
94. Restrictions on exercise of data subject rights (Part 5)
95. Indirect exercise of rights and verification by Commission
Transfers of personal data to third countries or international organisations
96. Transfer to third country or international organisation
98. Transfer subject to appropriate safeguards
99. Derogations for specific situations
100. Transfer to recipient in third country
Independent supervisory authority
101. Functions of Commission under Part 5
102. Power of the Commission to advise and issue opinions
104. Requests by Commission for mutual assistance
Enforcement of Data Protection Regulation and Directive
Preliminary
106. Service of documents (Part 6)
Enforcement of Data Protection Regulation
107. Interpretation (Chapter 2)
108. Complaints under Chapter 2: General
109. Commission to handle complaint under Chapter 2
110. Commission may conduct inquiry into suspected infringement of relevant enactment
111. Decision of Commission where inquiry under Chapter 2 conducted of own volition
113. Complaint to which Article 60 applies
114. Commission to adopt decision in certain circumstances
115. Exercise by Commission of corrective power
116. Notification of decision of Commission under Chapter 2
117. Judicial remedy for infringement of relevant enactment
Enforcement of Directive
118. Interpretation (Chapter 3)
119. Data subject may lodge complaint with Commission
120. Representation of data subjects
121. Complaints under Chapter 3: General
122. Commission to handle complaint under Chapter 3
123. Commission may conduct inquiry into suspected infringements of relevant provision
124. Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition
125. Decision of Commission where inquiry conducted in respect of complaint under Chapter 3
126. Notification of decision of Commission under Chapter 3
127. Corrective powers of Commission (Chapter 3)
128. Judicial remedy for infringement of relevant provision
Inspection, Audit and Enforcement
130. Powers of authorised officers
Investigations
138. Conduct of investigation under section 137
140. Commission to consider investigation report
Administrative Fines
141. Power of Commission to decide to impose administrative fine: General
142. Appeal against administrative fine
143. Circuit Court to confirm decision to impose administrative fine
Offences
144. Unauthorised disclosure by processor
145. Disclosure of personal data obtained without authority
146. Offences by directors, etc., of bodies corporate
147. Prosecution of summary offences by Commission
Miscellaneous
148. General provisions relating to complaints
149. Publication of convictions, sanctions, etc.
150. Right to effective judicial remedy (Part 6)
151. Privileged legal material
155. Jurisdiction of Circuit Court
Miscellaneous Provisions
157. Supervisory authority for courts acting in judicial capacity
159. Processing of personal data where court is controller
160. Publication of judgment or decision of court or court list
161. Rules of court for data protection actions
163. Application to High Court concerning adequate level of protection or appropriate safeguards
164. Court may order destruction, erasure of data
Amendments of other Acts of Oireachtas
165. Reference to personal data in enactment
166. Reference to processing in enactment
167. Amendment of Firearms Act 1925
168. Amendment of section 33AK of Central Bank Act 1942
169. Amendment of section 2 of Civil Service Regulation Act 1956
170. Amendment of section 24 of Misuse of Drugs Act 1977
171. Amendment of section 15A of Control of Clinical Trials Act 1987
172. Amendment of Data Protection Act 1988
173. Amendment of Bankruptcy Act 1988
174. Amendment of Firearms and Offensive Weapons Act 1990
175. Amendment of section 13A of Electoral Act 1992
176. Amendment of Comptroller and Auditor General (Amendment) Act 1993
178. Amendment of section 24 of Statistics Act 1993
179. Amendment of section 57B of Irish Aviation Authority Act 1993
180. Amendment of section 18F of Health Insurance Act 1994
181. Amendment of section 142 of Consumer Credit Act 1995
182. Amendment of section 32B of Irish Medicines Board Act 1995
183. Amendment of section 77 of Central Bank Act 1997
184. Amendment of section 1 of Health (Provision of Information) Act 1997
185. Amendment of section 9M of Electricity Regulation Act 1999
186. Amendment of British-Irish Agreement Act 1999
187. Amendment of section 7D of Comhairle Act 2000
188. Amendment of section 33 of Commission To Inquire Into Child Abuse Act 2000
189. Amendment of section 2 of Merchant Shipping (Investigation of Marine Casualties) Act 2000
190. Amendment of section 28 of Education (Welfare) Act 2000
191. Amendment of section 38 of Planning and Development Act 2000
192. Amendment of section 14 of Dormant Accounts Act 2001
193. Amendment of section 30 of Residential Institutions Redress Act 2002
194. Amendment of section 2 of Official Languages Act 2003
195. Amendment of section 86 of Personal Injuries Assessment Board Act 2003
196. Amendment of section 12 of Unclaimed Life Assurance Policies Act 2003
197. Amendment of section 66 of Civil Registration Act 2004
198. Amendment of section 39 of Commissions of Investigation Act 2004
199. Amendment of section 55H of Health Act 2004
200. Amendment of section 2 of Safety, Health and Welfare at Work Act 2005
201. Amendment of section 265 of Social Welfare Consolidation Act 2005
202. Amendment of Disability Act 2005
203. Amendment of section 2 of Railway Safety Act 2005
204. Amendment of section 12 of Health (Repayment Scheme) Act 2006
205. Amendment of section 19 of Electoral (Amendment) Act 2006
206. Amendment of section 67 of Pharmacy Act 2007
207. Amendment of Passports Act 2008
208. Amendment of Criminal Justice (Mutual Assistance) Act 2008
209. Amendment of section 2 of Chemicals Act 2008
210. Amendment of Nursing Homes Support Scheme Act 2009
211. Amendment of section 23 of Criminal Justice (Miscellaneous Provisions) Act 2009
212. Amendment of section 201 of National Asset Management Agency Act 2009
213. Amendment of Criminal Justice (Money Laundering and Terrorist Financing) Act 2010
214. Amendment of section 12 of Communications (Retention of Data) Act 2011
215. Amendment of section 17A of Ministers and Secretaries (Amendment) Act 2011
216. Amendment of section 28 of Student Support Act 2011
217. Amendment of Communications Regulation (Postal Services) Act 2011
218. Amendment of Property Services (Regulation) Act 2011
219. Amendment of section 56 of Credit Union and Co-operation with Overseas Regulators Act 2012
220. Amendment of Europol Act 2012
221. Amendment of Personal Insolvency Act 2012
222. Amendment of section 2 of Animal Health and Welfare Act 2013
223. Amendment of section 8 of Health (Alteration of Criteria for Eligibility) Act 2013
224. Insertion of section 957A to Companies Act 2014
225. Amendment of Health Identifiers Act 2014
226. Amendment of section 15 of Freedom of Information Act 2014
227. Amendment of section 41 of Customs Act 2015
228. Amendment of section 7 of Regulation of Lobbying Act 2015
229. Amendment of Sport Ireland Act 2015
231. Amendment of section 62 of Financial Services and Pensions Ombudsman Act 2017
232. Amendment of National Shared Services Office Act 2017
Statutory Instruments Revoked
Data Protection Commission
Provisions Applicable to Oral Hearing Conducted by an Authorised Officer Under Section 138
Acts Referred to
Animal Health and Welfare Act 2013 (No. 15)
Bankruptcy Act 1988 (No. 27)
British-Irish Agreement Act 1999 (No. 1)
Central Bank Act 1942 (No. 22)
Central Bank Act 1997 (No. 8)
Chemicals Act 2008 (No. 13)
Children Act 2001 (No. 24)
Civil Registration Act 2004 (No. 3)
Civil Service Regulation Act 1956 (No. 46)
Comhairle Act 2000 (No. 1)
Commission To Inquire Into Child Abuse Act 2000 (No. 7)
Commissions of Investigation Act 2004 (No. 23)
Communications (Retention of Data) Act 2011 (No. 3)
Communications Regulation (Postal Services) Act 2011 (No. 21)
Companies Act 2014 (No. 38)
Competition Act 2002 (No. 14)
Comptroller and Auditor General (Amendment) Act 1993 (No. 8)
Consumer Credit Act 1995 (No. 24)
Control of Clinical Trials Act 1987 (No. 28)
Credit Union and Co-operation with Overseas Regulators Act 2012 (No. 40)
Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (No. 11)
Criminal Justice (Miscellaneous Provisions) Act 2009 (No. 28)
Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6)
Criminal Justice (Mutual Assistance) Act 2008 (No. 7)
Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (No. 4)
Customs Act 2015 (No. 18)
Data Protection (Amendment) Act 2003 (No. 6)
Data Protection Act 1988 (No. 25)
Data Protection Acts 1988 and 2003
Data Protection Acts 1988 to 2003
Defence Act 1954 (No. 18)
Dentists Act 1985 (No. 9)
Disability Act 2005 (No. 14)
Dormant Accounts Act 2001 (No. 32)
Education (Welfare) Act 2000 (No. 22)
Education Act 1998 (No. 51)
Electoral (Amendment) Act 2006 (No. 33)
Electoral Act 1992 (No. 23)
Electricity Regulation Act 1999 (No. 23)
European Parliament Elections Act 1997 (No. 2)
Europol Act 2012 (No. 53)
Financial Services and Pensions Ombudsman Act 2017 (No. 22)
Firearms (Firearm Certificates For Non-Residents) Act 2000 (No. 20)
Firearms Act 1925 (No. 17)
Firearms and Offensive Weapons Act 1990 (No. 12)
Freedom of Information Act 2014 (No. 30)
Health (Alteration of Criteria for Eligibility) Act 2013 (No. 10)
Health (Corporate Bodies) Act 1961 (No. 27)
Health (Provision of Information) Act 1997 (No. 9)
Health (Repayment Scheme) Act 2006 (No. 17)
Health Act 2004 (No. 42)
Health Identifiers Act 2014 (No. 15)
Health Insurance Act 1994 (No. 16)
Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 (No. 10)
Interpretation Act 2005 (No. 23)
Irish Aviation Authority Act 1993 (No. 29)
Irish Medicines Board Act 1995 (No. 29)
Local Government Act 2001 (No. 37)
Medical Practitioners Act 1978 (No. 4)
Medical Practitioners Act 2007 (No. 25)
Merchant Shipping (Investigation of Marine Casualties) Act 2000 (No. 14)
Ministers and Secretaries (Amendment) Act 2011 (No. 10)
Misuse of Drugs Act 1977 (No. 12)
National Asset Management Agency Act 2009 (No. 34)
National Shared Services Office Act 2017 (No. 26)
Nursing Homes Support Scheme Act 2009 (No. 15)
Official Languages Act 2003 (No. 32)
Passports Act 2008 (No. 4)
Personal Injuries Assessment Board Act 2003 (No. 46)
Personal Insolvency Act 2012 (No. 44)
Petty Sessions (Ireland) Act 1851 (14 & 15 Vict., c.93)
Pharmacy Act 2007 (No. 20)
Planning and Development Act 2000 (No. 30)
Prisons Acts 1826 to 2015
Property Services (Regulation) Act 2011 (No. 40)
Public Service Superannuation (Miscellaneous Provisions) Act 2004 (No. 7)
Railway Safety Act 2005 (No. 31)
Regulation of Lobbying Act 2015 (No. 5)
Residential Institutions Redress Act 2002 (No. 13)
Safety, Health and Welfare at Work Act 2005 (No. 10)
Social Welfare Consolidation Act 2005 (No. 26)
Sport Ireland Act 2015 (No. 15)
Statistics Act 1993 (No. 21)
Student Support Act 2011 (No. 4)
Unclaimed Life Assurance Policies Act 2003 (No. 2)
Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (No. 5)
Number 7 of 2018
DATA PROTECTION ACT 2018
REVISED
Updated to 30 April 2024
An Act to establish a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission; to give further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); to give effect to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 20162 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; to give further effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981 and for those and other purposes to amend the Data Protection Act 1988; to provide for the consequential amendment of certain other enactments; and to provide for related matters.
[24th May , 2018]
Be it enacted by the Oireachtas as follows:
Annotations
Editorial Notes:
E1
Act is a relevant enactment for purposes of Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 as provided (30.04.2024) by Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (22/2023), s. 2 and sch. part 1, S.I. No. 181 of 2024.
E2
Personal data may be supplied in certain circumstances as provided (9.03.2022) by European Union (Good Agricultural Practice for Protection of Waters) Regulations 2022 (S.I. No. 113 of 2022), art. 2.
E3
Personal data may be exchanged in certain circumstances as provided (17.12.2020) by European Union (Imports of Animals and Animal Products from Third Countries) Regulations 2020 (S.I. No. 656 of 2020), reg. 38.
E4
Personal data may be exchanged in certain circumstances as provided (3.12.2020) by European Union (Official Controls in relation to Food Legislation) (Imports of Food of Non-Animal Origin) Regulations 2020 (S.I. No. 575 of 2020), reg. 4(3).
E5
Personal data may be exchanged in certain circumstances as provided (23.10.2020) by European Union (Plant Health) Regulations 2020 (S.I. No. 459 of 2020), reg. 73(1).
E6
Personal data may be exchanged in certain circumstances as provided (13.03.2020) by European Union (Official Controls in Relation to Food Legislation) Regulations 2020 (S.I. No. 79 of 2020), reg. 3(5).
E7
Personal data may be exchanged in certain circumstances as provided (1.10.2020) by Greyhound Racing Act 2019 (15/2019), s. 58, S.I. No. 399 of 2020.
E8
Personal data may be exchanged in certain circumstances as provided (27.01.2020) by European Union (Food and Feed Hygiene) Regulations 2020 (S.I. No. 22 of 2020), reg. 22.
E9
Personal data may be exchanged in certain circumstances as provided (14.01.2020) by European Union (Temporary Increase of Official Controls and Emergency Measures on Imports of Food and Feed of Non-Animal Origin) Regulations 2020 (S.I. No. 9 of 2020), reg. 20.
E10
Personal data may be exchanged in certain circumstances as provided by European Communities (Sustainable Use of Pesticides) Regulations 2012 (S.I. No. 155 of 2012), reg. 11(8) as substituted (29.08.2019) by European Communities (Sustainable Use of Pesticides) (Amendment) Regulations 2019 (S.I. No. 438 of 2019), reg. 2(e).
E11
Personal data be exchanged in certain circumstances as provided (19.12.2019) by European Union (Food and Feed Hygiene) Regulations 2019 (S.I. No. 674 of 2019), reg. 22.