Data Protection Act 2018

Suitable and specific measures for processing

36. (1) Where a requirement that suitable and specific measures be taken to safeguard the fundamental rights and freedoms of data subjects in processing personal data of those subjects is imposed by this Act or regulations made under this Act, those measures may include in particular the following—

(a) explicit consent of the data subject for the processing of his or her personal data for one or more specified purposes,

(b) limitations on access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data,

(c) strict time limits for the erasure of personal data and mechanisms to ensure that such limits are observed,

(d) specific targeted training for those involved in processing operations, and

(e) having regard to the state of the art, the context, nature, scope and purposes of data processing and the likelihood of risk to, and the severity of any risk to, the rights and freedoms of data subjects—

(i) logging mechanisms to permit verification of whether and by whom the personal data have been consulted, altered, disclosed or erased,

(ii) in cases in which it is not mandatory under the Data Protection Regulation, designation of a data protection officer,

(iii) where the processing involves data relating to the health of a data subject, a requirement that the processing is undertaken by a person referred to in section 52(2),

(iv) pseudonymisation of the personal data, and

(v) encryption of the personal data.

(2) Regulations may be made for either or both of the following purposes—

(a) to identify additional suitable and specific measures (to those referred to in paragraphs (a) to (e) of subsection (1)) that may be taken to safeguard the fundamental rights and freedoms of data subjects in the processing of personal data of those subjects for the purposes of the requirement referred to in subsection (1),

(b) to specify that a measure or measures referred to in paragraphs (a) to (e) of subsection (1) or an additional measure or measures identified under paragraph (a), or both, is or are mandatory in respect of the processing to which they are stated to apply.

(3) Without prejudice to the generality of subsection (2)(a), additional suitable and specific measures identified in regulations made under that subsection may relate to—

(a) governance structures,

(b) processes or procedures for risk assessment purposes,

(c) processes or procedures for the management and conduct of research projects, and

(d) other technical and organisational measures designed to ensure that the processing is carried out in accordance with the Data Protection Regulation and processes for testing and evaluating the effectiveness of such measures.

(4) Regulations under subsection (2) may—

(a) identify different measures for different categories of personal data, different categories of controllers, different types of processing or categories of processing, and

(b) specify that a measure or measures referred to in subsection (2)(b) is or are mandatory in respect of the processing of different categories of personal data, processing by different categories of controllers and in respect of different types of processing or categories of processing.

(5) Subject to subsection (6), regulations may be made under subsection (2)—

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(6) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (2).

(7) The Commission may, on being consulted under subsection (6), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(8) In making regulations under subsection (2), the Minister or any other Minister of the Government, as the case may be, shall have regard to the public interest and the need for protection of individuals with regard to the processing of their personal data and, without prejudice to the generality of the foregoing shall have regard to—

(a) the nature, scope, context and purposes of the processing,

(b) risks arising for the rights and freedoms of individuals, and

(c) the likelihood and the severity of the risks for the individuals concerned.

Annotations

Editorial Notes:

E17 Power pursuant to subs. (2) exercised (21.01.2021) by Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021 (S.I. No. 18 of 2021).

E18 Power pursuant to subs. (2) exercised (29.04.2019) by Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2019 (S.I. No. 188 of 2019).

E19 Power pursuant to subs. (2) exercised (8.08.2018) by Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314 of 2018), in effect as per reg. 1(2).