Data Protection Act 2018

Number 7 of 2018

DATA PROTECTION ACT 2018

REVISED

Updated to 30 April 2024

This Revised Act is an administrative consolidation of the Data Protection Act 2018. It is prepared by the Law Reform Commission in accordance with its function under the Law Reform Commission Act 1975 (3/1975) to keep the law under review and to undertake revision and consolidation of statute law.

All Acts up to and including the Gas (Amendment) and Miscellaneous Provisions Act 2024 (11/2024), enacted 1 May 2024, and all statutory instruments up to and including the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (Commencement) Order 2024 (S.I. No. 181 of 2024), made 30 April 2024, were considered in the preparation of this Revised Act.

Disclaimer: While every care has been taken in the preparation of this Revised Act, the Law Reform Commission can assume no responsibility for and give no guarantees, undertakings or warranties concerning the accuracy, completeness or up to date nature of the information provided and does not accept any liability whatsoever arising from any errors or omissions. Please notify any errors, omissions and comments by email to

revisedacts@lawreform.ie.


Number 7 of 2018


DATA PROTECTION ACT 2018

REVISED

Updated to 30 April 2024


CONTENTS

PART 1

Preliminary and General

1. Short title, citation and commencement

2. Interpretation

3. Designation by appropriate authority

4. Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances

5. Expenses

6. Regulations

7. Repeals and revocations

8. Application of Data Protection Act 1988

PART 2

Data Protection Commission

9. Establishment day

10. Establishment of Data Protection Commission

11. Supervisory authority for Data Protection Regulation and Directive

12. Functions of Commission

13. Performance of functions of Commission by Commissioner or member of staff

14. Transfer of functions of Data Protection Commissioner to Commission

15. Membership of Commission

16. Appointment of chairperson of Commission

17. Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner

18. Acting Commissioner

19. Accountability of Commissioner to Oireachtas Committees

20. Assignment and transfer of staff to Commission

21. Staff of Commission

22. Superannuation of Commissioners

23. Accounts of Commission

24. Annual report

25. Accountability for accounts of Commission

26. Prohibition on disclosure of confidential information

26A. Prohibition on disclosure of confidential information by persons engaging with Commission in connection with relevant function

27. Civil proceedings for contravention of section 26

PART 3

Data Protection Regulation

Chapter 1

General

28. Fees

29. Child for purposes of application of Data Protection Regulation

30. Micro-targeting and profiling of children

31. Consent of child in relation to information society services

32. Codes of conduct: children

33. Right to be forgotten: children

34. Designation of data protection officer

35. Accreditation of certification bodies by Irish National Accreditation Board

36. Suitable and specific measures for processing

37. Limitation on transfers of personal data outside the European Union

38. Processing for a task carried out in the public interest or in the exercise of official authority

39. Communication with data subjects by political parties, candidates for and holders of certain elective political offices

40. Processing of personal data and special categories of personal data by elected representatives

41. Processing for purpose other than purpose for which data collected

42. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

43. Data processing and freedom of expression and information

44. Data processing and public access to official documents

Chapter 2

Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences

45. Processing of special categories of personal data

46. Processing of special categories of personal data for purposes of employment and social welfare law

47. Processing of special categories of personal data for purpose of legal advice and legal proceedings

48. Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission

49. Processing of special categories of personal data for purposes of administration of justice and performance of functions

50. Processing of special categories of personal data for insurance and pension purposes

51. Processing of special categories of personal data and Article 10 data for reasons of substantial public interest

52. Processing of special categories of personal data for purposes of Article 9(2)(h)

53. Processing of special categories of personal data for purposes of public interest in the area of public health

54. Processing of special categories of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

55. Processing of personal data relating to criminal convictions and offences

Chapter 3

Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers

56. Right of access to results and scripts of examination and results of appeal

57. Rights in relation to automated decision making

58. Direct marketing for purposes of Article 21

59. Restriction on right of data subject to object to processing for election purposes and processing by Referendum Commission

60. Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest

61. Restriction on exercise of data subjects’ rights: archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

PART 4

Provisions Consequent on Repeal of Certain Provisions of Data Protection Act 1988

62. Transfer of property of Data Protection Commissioner to Commission

63. Transfer of rights and liabilities of Data Protection Commissioner to Commission

64. Liability for loss occurring before establishment day

65. Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission

66. Final accounts and final annual report of Data Protection Commissioner

67. Saver for scheme relating to superannuation

68. Saver for regulations under Act of 1988

PART 5

Processing of Personal Data for Law Enforcement Purposes

Chapter 1

Preliminary and general (Part 5)

69. Interpretation (Part 5)

70. Application of Part 5

Chapter 2

General principles of data protection

71. Processing of personal data

72. Security measures for personal data

73. Processing of special categories of personal data (Part 5)

74. Data quality

Chapter 3

Obligations of controllers and processors

75. General obligations of controller with regard to technical and organisational measures

76. Data protection by design and by default

77. Security of automated processing

78. Technical and organisational measures

79. Joint controllers

80. Processors

81. Record of data processing activities

82. Data logging for automated processing system

83. Cooperation with Commission

84. Data protection impact assessment and prior consultation with Commission

85. Notification of personal data breach by processor

86. Notification of personal data breach to Commission, etc.

87. Communication of personal data breach to data subject

88. Data protection officer

Chapter 4

Rights, and restriction of rights, of data subject (Part 5)

89. Rights in relation to automated decision making (Part 5)

90. Right to information

91. Right of access

92. Right to rectification or erasure and restriction of processing

93. Communication with data subject

94. Restrictions on exercise of data subject rights (Part 5)

95. Indirect exercise of rights and verification by Commission

Chapter 5

Transfers of personal data to third countries or international organisations

96. Transfer to third country or international organisation

97. Adequacy decision

98. Transfer subject to appropriate safeguards

99. Derogations for specific situations

100. Transfer to recipient in third country

Chapter 6

Independent supervisory authority

101. Functions of Commission under Part 5

102. Power of the Commission to advise and issue opinions

103. Mutual assistance

104. Requests by Commission for mutual assistance

PART 6

Enforcement of Data Protection Regulation and Directive

Chapter 1

Preliminary

105. Interpretation (Part 6)

106. Service of documents (Part 6)

Chapter 2

Enforcement of Data Protection Regulation

107. Interpretation (Chapter 2)

108. Complaints under Chapter 2: General

109. Commission to handle complaint under Chapter 2

110. Commission may conduct inquiry into suspected infringement of relevant enactment

111. Decision of Commission where inquiry under Chapter 2 conducted of own volition

112. Decision of Commission where inquiry conducted in respect of complaint to which Article 55 or 56(5) applies

113. Complaint to which Article 60 applies

114. Commission to adopt decision in certain circumstances

115. Exercise by Commission of corrective power

116. Notification of decision of Commission under Chapter 2

117. Judicial remedy for infringement of relevant enactment

117A. Judicial remedy for infringement of certain appropriate safeguards on transfers of personal data outside European Union

Chapter 3

Enforcement of Directive

118. Interpretation (Chapter 3)

119. Data subject may lodge complaint with Commission

120. Representation of data subjects

121. Complaints under Chapter 3: General

122. Commission to handle complaint under Chapter 3

123. Commission may conduct inquiry into suspected infringements of relevant provision

124. Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition

125. Decision of Commission where inquiry conducted in respect of complaint under Chapter 3

126. Notification of decision of Commission under Chapter 3

127. Corrective powers of Commission (Chapter 3)

128. Judicial remedy for infringement of relevant provision

Chapter 4

Inspection, Audit and Enforcement

129. Authorised officers

130. Powers of authorised officers

131. Search warrants

132. Information notice

133. Enforcement notice

134. Circumstances in which application may be made to the High Court for suspension or restriction of processing of data

135. Power to require report

136. Data Protection Audit

Chapter 5

Investigations

137. Investigations

138. Conduct of investigation under section 137

139. Investigation report

140. Commission to consider investigation report

Chapter 6

Administrative Fines

141. Power of Commission to decide to impose administrative fine: General

142. Appeal against administrative fine

143. Circuit Court to confirm decision to impose administrative fine

Chapter 7

Offences

144. Unauthorised disclosure by processor

145. Disclosure of personal data obtained without authority

146. Offences by directors, etc., of bodies corporate

147. Prosecution of summary offences by Commission

Chapter 8

Miscellaneous

148. General provisions relating to complaints

149. Publication of convictions, sanctions, etc.

150. Right to effective judicial remedy (Part 6)

151. Privileged legal material

152. Presumptions

153. Expert evidence

154. Immunity from suit

155. Jurisdiction of Circuit Court

156. Hearing of proceedings

PART 7

Miscellaneous Provisions

157. Supervisory authority for courts acting in judicial capacity

158. Restrictions on obligations of controllers and rights of data subjects for objective of safeguarding judicial independence and court proceedings

159. Processing of personal data where court is controller

160. Publication of judgment or decision of court or court list

161. Rules of court for data protection actions

162. Legal privilege

163. Application to High Court concerning adequate level of protection or appropriate safeguards

164. Court may order destruction, erasure of data

PART 8

Amendments of other Acts of Oireachtas

165. Reference to personal data in enactment

166. Reference to processing in enactment

167. Amendment of Firearms Act 1925

168. Amendment of section 33AK of Central Bank Act 1942

169. Amendment of section 2 of Civil Service Regulation Act 1956

170. Amendment of section 24 of Misuse of Drugs Act 1977

171. Amendment of section 15A of Control of Clinical Trials Act 1987

172. Amendment of Data Protection Act 1988

173. Amendment of Bankruptcy Act 1988

174. Amendment of Firearms and Offensive Weapons Act 1990

175. Amendment of section 13A of Electoral Act 1992

176. Amendment of Comptroller and Auditor General (Amendment) Act 1993

177. Amendment of section 8 of Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993

178. Amendment of section 24 of Statistics Act 1993

179. Amendment of section 57B of Irish Aviation Authority Act 1993

180. Amendment of section 18F of Health Insurance Act 1994

181. Amendment of section 142 of Consumer Credit Act 1995

182. Amendment of section 32B of Irish Medicines Board Act 1995

183. Amendment of section 77 of Central Bank Act 1997

184. Amendment of section 1 of Health (Provision of Information) Act 1997

185. Amendment of section 9M of Electricity Regulation Act 1999

186. Amendment of British-Irish Agreement Act 1999

187. Amendment of section 7D of Comhairle Act 2000

188. Amendment of section 33 of Commission To Inquire Into Child Abuse Act 2000

189. Amendment of section 2 of Merchant Shipping (Investigation of Marine Casualties) Act 2000

190. Amendment of section 28 of Education (Welfare) Act 2000

191. Amendment of section 38 of Planning and Development Act 2000

192. Amendment of section 14 of Dormant Accounts Act 2001

193. Amendment of section 30 of Residential Institutions Redress Act 2002

194. Amendment of section 2 of Official Languages Act 2003

195. Amendment of section 86 of Personal Injuries Assessment Board Act 2003

196. Amendment of section 12 of Unclaimed Life Assurance Policies Act 2003

197. Amendment of section 66 of Civil Registration Act 2004

198. Amendment of section 39 of Commissions of Investigation Act 2004

199. Amendment of section 55H of Health Act 2004

200. Amendment of section 2 of Safety, Health and Welfare at Work Act 2005

201. Amendment of section 265 of Social Welfare Consolidation Act 2005

202. Amendment of Disability Act 2005

203. Amendment of section 2 of Railway Safety Act 2005

204. Amendment of section 12 of Health (Repayment Scheme) Act 2006

205. Amendment of section 19 of Electoral (Amendment) Act 2006

206. Amendment of section 67 of Pharmacy Act 2007

207. Amendment of Passports Act 2008

208. Amendment of Criminal Justice (Mutual Assistance) Act 2008

209. Amendment of section 2 of Chemicals Act 2008

210. Amendment of Nursing Homes Support Scheme Act 2009

211. Amendment of section 23 of Criminal Justice (Miscellaneous Provisions) Act 2009

212. Amendment of section 201 of National Asset Management Agency Act 2009

213. Amendment of Criminal Justice (Money Laundering and Terrorist Financing) Act 2010

214. Amendment of section 12 of Communications (Retention of Data) Act 2011

215. Amendment of section 17A of Ministers and Secretaries (Amendment) Act 2011

216. Amendment of section 28 of Student Support Act 2011

217. Amendment of Communications Regulation (Postal Services) Act 2011

218. Amendment of Property Services (Regulation) Act 2011

219. Amendment of section 56 of Credit Union and Co-operation with Overseas Regulators Act 2012

220. Amendment of Europol Act 2012

221. Amendment of Personal Insolvency Act 2012

222. Amendment of section 2 of Animal Health and Welfare Act 2013

223. Amendment of section 8 of Health (Alteration of Criteria for Eligibility) Act 2013

224. Insertion of section 957A to Companies Act 2014

225. Amendment of Health Identifiers Act 2014

226. Amendment of section 15 of Freedom of Information Act 2014

227. Amendment of section 41 of Customs Act 2015

228. Amendment of section 7 of Regulation of Lobbying Act 2015

229. Amendment of Sport Ireland Act 2015

230. Amendment of section 12 of Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016

231. Amendment of section 62 of Financial Services and Pensions Ombudsman Act 2017

232. Amendment of National Shared Services Office Act 2017

SCHEDULE 1

Statutory Instruments Revoked

SCHEDULE 2

Data Protection Commission

SCHEDULE 3

Provisions Applicable to Oral Hearing Conducted by an Authorised Officer Under Section 138


Acts Referred to

Animal Health and Welfare Act 2013 (No. 15)

Bankruptcy Act 1988 (No. 27)

British-Irish Agreement Act 1999 (No. 1)

Central Bank Act 1942 (No. 22)

Central Bank Act 1997 (No. 8)

Chemicals Act 2008 (No. 13)

Children Act 2001 (No. 24)

Civil Registration Act 2004 (No. 3)

Civil Service Regulation Act 1956 (No. 46)

Comhairle Act 2000 (No. 1)

Commission To Inquire Into Child Abuse Act 2000 (No. 7)

Commissions of Investigation Act 2004 (No. 23)

Communications (Retention of Data) Act 2011 (No. 3)

Communications Regulation (Postal Services) Act 2011 (No. 21)

Companies Act 2014 (No. 38)

Competition Act 2002 (No. 14)

Comptroller and Auditor General (Amendment) Act 1993 (No. 8)

Consumer Credit Act 1995 (No. 24)

Control of Clinical Trials Act 1987 (No. 28)

Credit Union and Co-operation with Overseas Regulators Act 2012 (No. 40)

Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (No. 11)

Criminal Justice (Miscellaneous Provisions) Act 2009 (No. 28)

Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6)

Criminal Justice (Mutual Assistance) Act 2008 (No. 7)

Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (No. 4)

Customs Act 2015 (No. 18)

Data Protection (Amendment) Act 2003 (No. 6)

Data Protection Act 1988 (No. 25)

Data Protection Acts 1988 and 2003

Data Protection Acts 1988 to 2003

Defence Act 1954 (No. 18)

Dentists Act 1985 (No. 9)

Disability Act 2005 (No. 14)

Dormant Accounts Act 2001 (No. 32)

Education (Welfare) Act 2000 (No. 22)

Education Act 1998 (No. 51)

Electoral (Amendment) Act 2006 (No. 33)

Electoral Act 1992 (No. 23)

Electricity Regulation Act 1999 (No. 23)

European Parliament Elections Act 1997 (No. 2)

Europol Act 2012 (No. 53)

Financial Services and Pensions Ombudsman Act 2017 (No. 22)

Firearms (Firearm Certificates For Non-Residents) Act 2000 (No. 20)

Firearms Act 1925 (No. 17)

Firearms and Offensive Weapons Act 1990 (No. 12)

Freedom of Information Act 2014 (No. 30)

Health (Alteration of Criteria for Eligibility) Act 2013 (No. 10)

Health (Corporate Bodies) Act 1961 (No. 27)

Health (Provision of Information) Act 1997 (No. 9)

Health (Repayment Scheme) Act 2006 (No. 17)

Health Act 2004 (No. 42)

Health Identifiers Act 2014 (No. 15)

Health Insurance Act 1994 (No. 16)

Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 (No. 10)

Interpretation Act 2005 (No. 23)

Irish Aviation Authority Act 1993 (No. 29)

Irish Medicines Board Act 1995 (No. 29)

Local Government Act 2001 (No. 37)

Medical Practitioners Act 1978 (No. 4)

Medical Practitioners Act 2007 (No. 25)

Merchant Shipping (Investigation of Marine Casualties) Act 2000 (No. 14)

Ministers and Secretaries (Amendment) Act 2011 (No. 10)

Misuse of Drugs Act 1977 (No. 12)

National Asset Management Agency Act 2009 (No. 34)

National Shared Services Office Act 2017 (No. 26)

Nursing Homes Support Scheme Act 2009 (No. 15)

Official Languages Act 2003 (No. 32)

Passports Act 2008 (No. 4)

Personal Injuries Assessment Board Act 2003 (No. 46)

Personal Insolvency Act 2012 (No. 44)

Petty Sessions (Ireland) Act 1851 (14 & 15 Vict., c.93)

Pharmacy Act 2007 (No. 20)

Planning and Development Act 2000 (No. 30)

Prisons Acts 1826 to 2015

Property Services (Regulation) Act 2011 (No. 40)

Public Service Superannuation (Miscellaneous Provisions) Act 2004 (No. 7)

Railway Safety Act 2005 (No. 31)

Regulation of Lobbying Act 2015 (No. 5)

Residential Institutions Redress Act 2002 (No. 13)

Safety, Health and Welfare at Work Act 2005 (No. 10)

Social Welfare Consolidation Act 2005 (No. 26)

Sport Ireland Act 2015 (No. 15)

Statistics Act 1993 (No. 21)

Student Support Act 2011 (No. 4)

Unclaimed Life Assurance Policies Act 2003 (No. 2)

Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (No. 5)


Number 7 of 2018


DATA PROTECTION ACT 2018

REVISED

Updated to 30 April 2024


An Act to establish a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission; to give further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); to give effect to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 20162 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; to give further effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981 and for those and other purposes to amend the Data Protection Act 1988; to provide for the consequential amendment of certain other enactments; and to provide for related matters.

[24th May , 2018]

Be it enacted by the Oireachtas as follows:

Annotations

Editorial Notes:

E1

Act is a relevant enactment for purposes of Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 as provided (30.04.2024) by Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (22/2023), s. 2 and sch. part 1, S.I. No. 181 of 2024.

E2

Personal data may be supplied in certain circumstances as provided (9.03.2022) by European Union (Good Agricultural Practice for Protection of Waters) Regulations 2022 (S.I. No. 113 of 2022), art. 2.

E3

Personal data may be exchanged in certain circumstances as provided (17.12.2020) by European Union (Imports of Animals and Animal Products from Third Countries) Regulations 2020 (S.I. No. 656 of 2020), reg. 38.

E4

Personal data may be exchanged in certain circumstances as provided (3.12.2020) by European Union (Official Controls in relation to Food Legislation) (Imports of Food of Non-Animal Origin) Regulations 2020 (S.I. No. 575 of 2020), reg. 4(3).

E5

Personal data may be exchanged in certain circumstances as provided (23.10.2020) by European Union (Plant Health) Regulations 2020 (S.I. No. 459 of 2020), reg. 73(1).

E6

Personal data may be exchanged in certain circumstances as provided (13.03.2020) by European Union (Official Controls in Relation to Food Legislation) Regulations 2020 (S.I. No. 79 of 2020), reg. 3(5).

E7

Personal data may be exchanged in certain circumstances as provided (1.10.2020) by Greyhound Racing Act 2019 (15/2019), s. 58, S.I. No. 399 of 2020.

E8

Personal data may be exchanged in certain circumstances as provided (27.01.2020) by European Union (Food and Feed Hygiene) Regulations 2020 (S.I. No. 22 of 2020), reg. 22.

E9

Personal data may be exchanged in certain circumstances as provided (14.01.2020) by European Union (Temporary Increase of Official Controls and Emergency Measures on Imports of Food and Feed of Non-Animal Origin) Regulations 2020 (S.I. No. 9 of 2020), reg. 20.

E10

Personal data may be exchanged in certain circumstances as provided by European Communities (Sustainable Use of Pesticides) Regulations 2012 (S.I. No. 155 of 2012), reg. 11(8) as substituted (29.08.2019) by European Communities (Sustainable Use of Pesticides) (Amendment) Regulations 2019 (S.I. No. 438 of 2019), reg. 2(e).

E11

Personal data be exchanged in certain circumstances as provided (19.12.2019) by European Union (Food and Feed Hygiene) Regulations 2019 (S.I. No. 674 of 2019), reg. 22.