Data Protection Act 2018
Enforcement notice
133. (1) In this Part, “enforcement notice” means a notice in writing served in accordance with subsection (2), subsection (3) or section 109(5)(d), 115(2), 122(4)(d) or 127(2), on a controller or processor, requiring the controller or processor to take such steps as are specified in the notice, within such time as may be so specified.
(2) Notwithstanding anything contained in Chapter 2, the Commission or an authorised officer, where of the opinion that a controller or processor has contravened or is contravening a relevant enactment, may serve on the controller or processor an enforcement notice requiring the controller or processor to take one or more than one of the steps specified in section 109(5)(d).
(3) Notwithstanding anything contained in Chapter 3, the Commission or an authorised officer, where of the opinion that a controller or processor has contravened or is contravening a relevant provision, may serve on the controller or processor an enforcement notice requiring the controller or processor to take one or more than one of the steps specified in section 122(4)(d).
(4) An enforcement notice shall include a statement informing the controller or processor concerned of its entitlement under section 150(1) to appeal against a requirement specified in the notice.
(5) Where an enforcement notice is served under section 109(5)(d), 122(4)(d), subsection (2) or subsection (3)—
(a) the notice shall specify the relevant enactment or relevant provision, as applicable, that in the opinion of the Commission or, where applicable, authorised officer, has been or is being contravened and the reasons for having formed that opinion, and
(b) subject to subsection (6)—
(i) the period, referred to in subsection (1), specified in an enforcement notice shall be not less than 28 days from the date on which the notice is served, and
(ii) if an appeal is brought under section 150(1) against a requirement specified in the notice, the requirement need not be complied with and, pending the determination or withdrawal of the appeal, subsections (9) and (10) shall not apply in relation to the requirement.
(6) Where the Commission or authorised officer—
(a) by reason of special circumstances, is of the opinion that a requirement specified in an enforcement notice referred to in subsection (5) should be complied with urgently, and
(b) includes a statement to that effect in the enforcement notice,
subsection (5)(b) shall not apply in relation to the notice, but the notice—
(i) shall include a statement of the effect of subsections (3) and (4) of section 150, and
(ii) shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.
(7) (a) Subject to paragraph (b), a controller or processor, having complied with an enforcement notice, shall, as soon as may be and in any event not more than 28 days after such compliance, notify the following of the steps taken to comply with the enforcement notice:
(i) the Commission or the authorised officer concerned;
(ii) any data subject concerned.
(b) Where the compliance with an enforcement notice has involved the rectification or erasure of personal data or the restriction of processing, the controller and processor shall, in complying with paragraph (a), in addition—
(i) notify any recipient to whom the data have been disclosed, or
(ii) where compliance with subparagraph (i) proves impossible or involves a disproportionate effort, and where the data subject so requests, notify the data subject of the recipients or the categories of recipients.
(8) (a) An enforcement notice may be cancelled—
(i) where it has been issued by the Commission, by the Commission, and
(ii) where it has been issued by an authorised officer, by the Commission or that authorised officer.
(b) A person who cancels an enforcement notice under paragraph (a) shall notify in writing the controller or processor on which the notice was served.
(9) (a) The Commission may, subject to Chapter 6, decide to impose an administrative fine on a controller or processor that, without reasonable excuse, fails to comply with a requirement specified in an enforcement notice served on the controller or processor under section 109(5)(d), 115(2) or subsection (2).
(b) The Commission, as soon as practicable after making its decision under paragraph (a), shall give the controller or processor concerned a notice in writing informing it of the decision.
(10) A controller or processor that, without reasonable excuse, fails to comply with—
(a) a requirement specified in an enforcement notice, or
(b) subsection (7),
shall be guilty of an offence and shall be liable—
(i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.