Data Protection Act 2018
Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest
60. (1) The rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22—
(a) are restricted to the extent specified in subsection (3), and
(b) may be restricted in regulations made under subsections (5) or (6).
(2) Subsection (1) is without prejudice to any other enactment or rule of law which restricts the rights and obligations referred to in that subsection.
(3) Subject to subsection (4), the rights and obligations referred to in subsection (1) are restricted to the extent that—
(a) the restrictions are necessary and proportionate—
(i) to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State,
(ii) for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties,
(iii) for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration,
(iv) in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure,
(v) for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim, or
(vi) for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim,
(b) the personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information, or
(c) the personal data concerned are kept—
(i) by the Commission for the performance of its functions,
(ii) by the Information Commissioner for the performance of his or her functions, or
(iii) by the Comptroller and Auditor General for the performance of his or her functions.
(4) The Minister may prescribe requirements to be complied with when the rights and obligations referred to in subsection (1) are restricted in accordance with subsection (3).
(5) Subject to subsection (9), regulations may be made by a Minister of the Government where he or she considers it necessary for the protection of a data subject or the rights and freedoms of others restricting the rights and obligations referred to in subsection (1)—
(a) (i) if the application of those rights and obligations would be likely to cause serious harm to the physical or mental health of the data subject, and
(ii) to the extent to which, and for as long as, such application would be likely to cause such serious harm,
and
(b) in relation to personal data kept for, or obtained in the course of, the carrying out of social work by a public authority, public body, a voluntary organisation or other body.
(6) Subject to subsection (9), regulations may be made restricting the rights and obligations referred to in subsection (1) where such restrictions are necessary for the purposes of safeguarding important objectives of general public interest and such regulations shall include, where appropriate, specific provisions required by Article 23(2).
(7) Important objectives of general public interest referred to in subsection (6) include:
(a) preventing threats to public security and public safety;
(b) avoiding obstructions to any official or legal inquiry, investigation or process, including any out-of-court redress procedure, proceedings pending or due before a court, tribunal of inquiry or commission of investigation;
(c) preventing, detecting, investigating and prosecuting breaches of discipline by, or the unfitness or incompetence of, persons who are or were authorised by law to carry on a profession or any other regulated activity and the imposition of sanctions for same;
(d) preventing, detecting, investigating or prosecuting breaches of ethics for regulated professions;
(e) taking any action for the purposes of considering and investigating a complaint made to a regulatory body in respect of a person carrying out a profession or other regulated activity where the profession or activity is regulated by that body and the imposition of sanctions on foot of such a complaint;
(f) preventing, detecting, investigating or prosecuting, whether in the State or elsewhere, breaches of the law which are subject to civil or administrative sanctions and enforcing such sanctions;
(g) the identification of assets which are derived from, or are suspected to derive from, criminal conduct and the taking of appropriate action to deprive or deny persons of those assets or the benefits of those assets and any investigation or preparatory work in relation to any related proceedings;
(h) ensuring the effective operation of the immigration system, the system for granting persons international protection in the State and the system for the acquisition by persons of Irish citizenship, including by preventing, detecting and investigating abuses of those systems or breaches of the law relating to those systems;
(i) safeguarding the economic or financial interests of the European Union or the State, including on monetary, budgetary and taxation matters;
(j) safeguarding monetary policy, the smooth operation of payment systems, the resolution of regulated financial service providers (within the meaning of the Central Bank Act 1942), the operation of deposit-guarantee schemes, the protection of consumers and the effective regulation of financial service providers (within the meaning of the Central Bank Act 1942);
(k) protecting members of the public against—
(i) financial loss or detriment due to the dishonesty, malpractice or other improper conduct of, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate or other entities,
(ii) financial loss or detriment due to the conduct of individuals who have been adjudicated bankrupt, or
(iii) financial loss or detriment due to the conduct of individuals who have been involved in the management of a body corporate which has been the subject of a receivership, examinership or liquidation under the Act of 2014;
(l) protecting—
(i) the health, safety, dignity, well-being of individuals at work against risks arising out of or in connection with their employment, and
(ii) members of the public against discrimination or unfair treatment in the provision of goods or services to them;
(m) the keeping of public registers for reasons of general public interest, whether the registers are accessible to the public on a general or restricted basis;
(n) safeguarding the integrity and security of examinations systems;
(o) safeguarding public health, social security, social protection and humanitarian activities.
(8) Where the rights and obligations referred to in subsection (1) are restricted in regulations made under subsection (6) on the basis of important objectives of general public interest of the State, other than the objectives referred to in subsection (7), the important objective or objectives of general public interest shall be identified in those regulations.
(9) Subject to subsection (10), regulations may be made under subsection (5) or (6)—
(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or
(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.
(10) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (5) or (6).
(11) The Commission may, on being consulted under subsection (10), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—
(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and
(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.
(12) Regulations made under this section shall—
(a) respect the essence of the right to data protection and protect the interests of the data subject, and
(b) restrict the exercise of data subjects’ rights only in so far as is necessary and proportionate to the aim sought to be achieved.
Annotations
Editorial Notes:
E20
Power pursuant to subs. (6) exercised (28.11.2022) by Data Protection Act 2018 (Section 60(6)) (Competition and Consumer Protection Commission) Regulations 2022 (S.I. No. 603 of 2022).
E21
Power pursuant to subs. (6) exercised (28.11.2022) by Data Protection Act 2018 (Section 60(6)) (Corporate Enforcement Authority) Regulations 2022 (S.I. No. 602 of 2022).
E22
Power pursuant to subs. (6) exercised (28.11.2022) by Data Protection Act 2018 (Section 60(6)) (Irish Auditing and Accounting Supervisory Authority) Regulations 2022 (S.I. No. 601 of 2022).
E23
Power pursuant to subs. (6) exercised (4.05.2022) by Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022 (S.I. No. 221 of 2022).
E24
Power pursuant to subs. (5)(a) exercised (10.03.2022) by Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (S.I. No. 121 of 2022).
E25
Power pursuant to subs. (6) exercised (20.11.2020) by Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2020 (S.I. No. 534 of 2020).
E26
Previous affecting provision: power pursuant to subs. (6) exercised (30.10.2019) by Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019 (S.I. No. 537 of 2019), in effect as per reg. 1(2); revoked (20.11.2020) by Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2020 (S.I. No. 534 of 2020), reg. 12.