Data Protection Act 2018
Power to require report
135. (1) The Commission may, for the purposes of proper and effective monitoring of the application of a relevant enactment, and having regard to the matters set out in subsection (3), by notice in writing given to a controller or processor, require the controller or processor to provide to the Commission, in accordance with such notice, a report on any matter specified in the notice about which the Commission has required or could require the provision of information, or the production of any statement, record or document under any provision of a relevant enactment.
(2) A notice under subsection (1) shall be in writing and shall state—
(a) the date on which the notice is given,
(b) the period within which the controller or processor shall nominate a person to the Commission for approval under subsection (4),
(c) the purpose, scope and form of the report,
(d) the matters required to be reported on,
(e) the timetable for completion of the report,
(f) whether the report is to include recommendations in relation to the improved compliance by the controller or processor with a relevant enactment,
(g) where appropriate, the methodology to be used in preparation of the report, and
(h) such other matters relating to the report as the Commission considers appropriate.
(3) Before giving a notice under this section, the Commission, taking account of the purpose for which the report is required, shall have regard to at least the following matters—
(a) whether any other powers that may be exercised by the Commission may be more appropriate in the circumstances concerned,
(b) the relevant knowledge and expertise available to the controller or processor, and
(c) the level of resources available to the controller or processor and the likely benefit to the controller or processor of providing the report.
(4) A report required to be provided to the Commission under this section shall be prepared by a person (referred to as the “reviewer”)—
(a) nominated by the controller or processor, within such period as is specified in the notice given under subsection (1), and approved by the Commission, or
(b) nominated by the Commission, where—
(i) no person is nominated by the controller or processor within the period specified in the notice under subsection (1), or
(ii) the Commission is not satisfied with the person so nominated.
(5) When considering whether to approve a nomination under subsection (4)(a) or make a nomination under subsection (4)(b), the Commission shall have regard to the circumstances giving rise to the requirement for a report and whether the person it proposes to so approve or nominate as reviewer appears to have—
(a) the competence and expertise necessary to prepare the report,
(b) the ability to complete the report within the period specified by the Commission in the notice given under subsection (1),
(c) any relevant specialised knowledge, including specialised knowledge of the data processing activities carried on by the controller or processor and the matters to be reported on,
(d) any potential conflict of interest in reviewing the matters to be reported on,
(e) sufficient detachment, having regard to any existing professional or commercial relationship, to give an objective opinion, and
(f) any previous experience in preparing reports under this section or reports of a similar nature.
(6) Where the Commission approves a nomination under subsection (4)(a) or makes a nomination under subsection (4)(b), it shall notify the controller or processor, in writing, accordingly.
(7) Where the nomination of a reviewer is approved or made by the Commission under subsection (4), the controller or processor shall enter into a contract with the reviewer.
(8) It shall be a term of the contract referred to in subsection (7)—
(a) that the reviewer is required to prepare for the controller or processor a report in accordance with the notice given under subsection (1),
(b) that the reviewer is required and permitted to provide to the Commission the following where the Commission so requests:
(i) periodic updates on progress and issues arising;
(ii) interim reports; and
(iii) copies of any draft reports given to the controller or processor,
and
(c) that the contract is governed by the law of the State.
(9) If the Commission considers it appropriate, it may request the controller or processor to provide the Commission with a copy of the draft contract before it is made and the Commission may require such modifications to the draft contract as it considers appropriate.
(10) The costs of and incidental to the preparation of a report under this section shall be borne by the controller or processor.
(11) A controller or processor shall give all such assistance to a reviewer as he or she may reasonably require for the purposes of the preparation of a report under this section.
(12) A reviewer shall, where requested by the Commission, in such form and within such period as the Commission may specify, provide an explanation of all or any part of a report under this section or the recommendations, if any, made in the report, or of such other matters relating to the report as the Commission considers appropriate.
(13) The Commission shall not be bound by the content of a report under this section and such a report shall not be taken to be a decision or opinion of the Commission for any purpose.
(14) The Commission shall not be liable for any acts or omissions of a reviewer or controller or processor relating to a report under this section.
(15) A person who—
(a) obstructs or impedes a reviewer in the preparation of a report under this section,
(b) in relation to the preparation of a report under this section, gives information to a reviewer that the person knows to be false or misleading in a material respect, or
(c) is a reviewer and in relation to the preparation of a report under this section gives information to the Commission which the reviewer knows to be false or misleading in a material respect,
shall be guilty of an offence and shall be liable—
(i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
(ii) on conviction on indictment, to a fine not exceeding €250,000 or imprisonment for a term not exceeding 5 years or both.