Ireland


Status: Adopted

LAWFULNESS OF PROCESSING (ART 6)

SPECIFYING REQUIREMENT: Communication with data subjects by political parties and by candidates for and holders of certain elective offices is considered to be the performance of a task carried out in the public interest (Art 39 Irish Act) (Art 6(1)(e) GDPR).

CHILD’S CONSENT (ART 8)

SPECIFYING REQUIREMENT:

  1. Age: The age of a child is 16 years old (Art 31 Irish Act) (Art 8(1) GDPR).
  2. Scope: Information society services do not include preventative or counseling services (Art 31 Irish Act) (Art 8(1) GDPR).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

ADDITIONAL REQUIREMENT: 

  1. Processing for insurance and pension purposes: Data concerning health may be processed for the purposes of (1) a policy of insurance or life assurance; (2) a policy of health insurance or health-related insurance; (3) an occupational pension, a retirement annuity contract, or any other pension arrangement; or (4) the mortgaging of property (Art 50 Irish Act) (Art 9 GDPR).

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

ADDITIONAL REQUIREMENT: The Irish Act permits processing of personal data relating to criminal convictions and offenses where:

  1. Under the control of official authority: Processing is permitted under the control of the official authority (1) for the administration of justice; (2) in the exercise of a regulatory, authorizing, licensing function or in determining the eligibility for benefits or services; (3) to protect the public against harm arising from dishonesty, malpractice, breaches of ethics, or other improper conduct by, or the unfitness or incompetence of, persons who are or were authorized to carry on a profession or other activity; (4) for enforcement actions aimed at the prevention, detection, or investigation of national or EU law breaches subject to civil or administrative sanctions; (5) for archiving in the public interest, scientific or historical research purposes, or statistical purposes when carried out in accordance with Section 42 of the Irish Act.

  2. Consent: The data subject gives explicit consent for specific purposes, except where EU or national law prohibits the processing.

  3. Legal claims: Processing is necessary for providing or obtaining legal advice or in connection with actual or prospective legal claims and proceedings, or is otherwise necessary for the establishment, exercise, or defense of legal rights.

  4. Prevention of injury or damage: Processing is necessary to prevent injury or other damage to an individual or loss of, or damage to, property or otherwise to protect the vital interests or property of an individual.

  5. Pursuant to national regulations: Regulations may be made to permit processing if necessary for risk assessment of fraud or fraud prevention, risk assessment of bribery or corruption, or both; or to prevent bribery or corruption, or both; or to ensure network and information systems security and to prevent attacks on and damage to computer and electronic communications services (Art 55 Irish Act) (Art 10 GDPR).

AUTOMATED INDIVIDUAL DECISION MAKING (ART 22)

ADDITIONAL REQUIREMENT:
In addition to the exceptions in the GDPR, the right of the individual not to be subject to automated decision making shall not apply when the decision is authorized or required by an enactment and either (1) the effect of that decision is to grant a request of the individual; or (2) if (1) is not applicable, the controller ensures measures are taken to safeguard the individual’s legitimate interests (in some instances, the controller is under additional obligations to comply with a request and to notify the individual of certain information) (Art 57 Irish Act) (Art 22 GDPR).

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

ADDITIONAL REQUIREMENT:

  1. Restrictions of data subject rights: An individual’s rights are restricted to the extent that:
    1. The restrictions are necessary for:
      1. Safeguarding cabinet confidentiality, parliamentary privilege, national security, defense, and international relations.
      2. Prevention, detection, investigation, and prosecution of criminal offenses and the execution of criminal penalties.
      3. Administration of taxes, duties, or other money due or owing to the state or other public authority or body.
      4. Establishment, exercise, or defense of an actual or prospective legal claim or proceeding.
      5. Administration of any tax, duty, or other money due or owed to the government in any case in which the non-application of the relevant restrictions would be likely to prejudice the aforementioned administration.
      6. Enforcement of civil law claims.
      7. Estimating the liability of a controller on foot of a claim where application of rights or obligations would likely prejudice the commercial interests of the controller.
    2. Personal data relating to the data subject is an expression of opinion given in confidence or on the understanding it would be treated as confidential.
    3. The personal data concerned is kept by the Data Protection Commission, Information Commissioner, or the Comptroller and Auditor General for performance of their functions.
  2. Potential regulatory restrictions for physical or mental health: An individual’s rights may be restricted by means of regulation by the minister when considered necessary for the protection of individuals’ rights and freedoms: (1) if the application of those rights would be likely to cause serious harm to the physical or mental health of the data subject and to the extent to which, and for as long as, such application would be likely to cause such harm; and (2) in relation to personal data kept for or related to the social work of a public authority or other body.
  3. Potential regulatory restrictions for the public interest: An individual’s rights may be restricted by means of regulations made by a relevant minister in order to safeguard important objectives of general public interest. Objectives of general public interest include: (1) prevention of threats to public security and safety; (2) avoiding obstructions to justice (legal proceedings and investigation); (3) preventing, detecting, investigating, and prosecuting breaches of discipline by, or the unfitness or incompetence of, regulated professionals and for imposing related sanctions; (4) preventing, detecting, investigating, and prosecuting breaches of ethics for regulated professions; (5) taking any action for considering and investigating complaints made to a regulatory body about a person engaged in a professional or other regulated activity; (6) preventing, detecting, investigating, and prosecuting civil or administrative infringements and executing related sanctions; (7) identifying assets obtained through criminal conduct and for investigating, taking appropriate action, or the like in any related proceedings; (8) ensuring the effective operations of immigration systems, international protection systems, and the systems for acquisition by persons of Irish citizenship, including by preventing, detecting, and investigating abuses of those systems or related infringements; (9) safeguarding the economic or financial interests of the EU or state; (10) safeguarding monetary policy, the smooth operation of payments systems and deposit-guarantee schemes, effective regulation of financial service providers, and consumer protection; (11) protecting the public against financial loss or detriment; (12) protecting public health and safety and protecting the public against discrimination or unfair treatment in the provision of goods and services; (13) maintaining registers in the public interest; (14) safeguarding the integrity and security of examination systems; and (15) safeguarding public health, social security, social protection, and humanitarian activities (Art 60 Irish Act) (Art 23 GDPR).
  4. Right of access: The right of access to a result or script of an examination or to the result of an appeal is considered to be made at the later of the date of first publication of the results of the examination or appeal, or the date of the request (Art 56 Irish Act) (Art 23 GDPR).
  5. Right to object: The right to object shall not apply to processing, including direct mailing, for election purposes and by the Referendum Commission (Arts 58, 59 Irish Act) (Art 23 GDPR).
  6. Legal proceedings: Individuals’ rights are restricted to the extent that the restrictions are necessary and proportionate to safeguard judicial independence and court proceedings (Art 158 Irish Act) (Art 23 GDPR). 
  7. Legal privilege: Individuals’ rights do not apply to personal data related to legal advice or legal privilege and when the exercise of such rights would constitute a contempt of court (Art 162 Irish Act) (Art 23 GDPR).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

SPECIFYING PROVISIONS:
Potential regulations: The minister may issue regulations for the designation of a data protection officer (Art 34 Irish Act) (Art 37(4) GDPR).

CERTIFICATION (ART 42)

SPECIFYING PROVISIONS:
The Irish National Accreditation Board is the accreditation body for the purposes of Art 43(1) GDPR (Art 35 Irish Act) (Art 42 & 43 GDPR).

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

ADDITIONAL REQUIREMENT:
The SA can appoint “authorized officers” at its own discretion who can exercise powers under Section 130 of the Irish Act. These powers are broadly similar to those of inspectors appointed under other legislation of this kind.
In cases of urgency to protect individuals’ rights and freedoms, the SA may apply in a summary manner, on notice to the controller or processor, to the High Court for an order suspending, restricting, or prohibiting data processing or transfer of data to a third country or international organization (Art 129, 130, 134 Irish Act) (Art 58 GDPR).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

ADDITIONAL REQUIREMENT:
Administrative fines apply to (1) offenses involving the processing of a child’s (here, age 18 or younger) data for direct marketing, profiling, or microtargeting; (2) the exercise of the SA’s corrective power; and (3) failures to comply with an enforcement notice (Art 30, 115, 133 Irish Act) (Art 83 GDPR).
When the DPA decides to impose fines on a public authority or body that is not considered an undertaking under the Irish Competition Act 2002, the maximum fine is €1 million (Art 141 Irish Act) (Art 83 GDPR). In addition, the DPA cannot impose administrative fines if the controller/processor has already had criminal law sanctions imposed upon it (Art 136 Irish Act).

PENALTIES (ART 84)

SPECIFYING REQUIREMENT:
Offenses related to the unauthorized disclosure by a processor or the disclosure of personal data obtained without authority are subject to a fine and/or imprisonment. The SA may bring and prosecute summary proceedings for any such offenses (Art 144–147 Irish Act) (Art 84 GDPR).

HR PROCESSING (ART 88)

ADDITIONAL REQUIREMENT:
The practice of “enforced data subject access” (requiring an individual to make a subject access request or to supply information obtained from a subject access request) is prohibited in the employment context (Art 4 Irish Act) (Art 88 GDPR).

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

ADDITIONAL REQUIREMENT:
The individual rights of access, correction, restriction, objection, and data portability are restricted when processing is carried out for archiving in the public interest, scientific or historical research, or statistical purposes insofar as: (1) the exercise of these rights would likely render impossible, or seriously impair, the achievement of those purposes; and (2) such restriction is necessary for the fulfillment of those purposes.
When data is processed for these purposes and another purpose at the same time, these restrictions apply only to the extent the processing relates to those purposes (Art 61 Irish Act) (Art 23 GDPR).

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

LOCAL DPA GUIDANCE & LEGAL SOURCES

REMARKS

The Irish Act restructured the Office of the Data Protection Commissioner as the Data Protection Commission, which will be headed by up to three commissioners appointed for terms of 4–5 years. When there is more than one commissioner, the Minister of Justice will appoint a chairperson, who shall have the tiebreaking vote among the commissioners.