DLA Piper Intelligence

Data Protection
Laws of the World

Law

Ireland

The core Irish data protection law is comprised in the Data Protection Act 1988 (‘1988 Act’) as amended by the Data Protection (Amendment) Act 2003 (‘2003 Act’) (together the Data Protection Acts ("DPA")). The 2003 Act implemented the EU Data Protection Directive (95/46/EC) ("Data Protection Directive"). In addition to the DPA, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (‘ePrivacy Regulations’) set out data protection rules in relation to direct marketing and electronic networks and services, including location data and cookies.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal data is defined as data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller.

Definition of sensitive personal data

Sensitive personal data means personal data as to:

  • the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject
     
  • whether the data subject is a member of a trade union
     
  • the physical or mental health or condition or sexual life of the data subject
     
  • the commission or alleged commission of any offence by the data subject, or
     
  • any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Authority

Office of the Data Protection Commissioner ('DPC')

Canal House, Station Road, Portarlington, Co. Laois
Ireland

LoCall 1890 25 22 31
T +353 57 868 4800
F +353 57 868 4757

info@dataprotection.ie
www.dataprotection.ie

Registration

All data controllers and data processors are required to register with the DPC unless exempt.

The Irish registration regime contains wide exemptions for certain categories of processing that do not trigger a registration obligation. There are also certain categories of data controller and data processor that are subject to an absolute obligation to register.

The DPA exempts:

  • not for profit organisations, provided they only process personal data relating to their activities
     
  • data controllers and data processors who process personal data kept in a public register, and
     
  • data controllers and data processors who only process manual data.

The Data Protection Act 1988 (Section 16(1)) Regulations 2007 (‘2007 Regulations’) also exempt from registration:

  • data controllers that only process employees’ human resources data in the normal course of personnel administration
     
  • candidates for political office and elected representatives
     
  • schools, colleges, universities and similar educational institutions
     
  • solicitors and barristers
     
  • data controllers who process customer and supplier data in the context of normal commercial activity
     
  • companies who process personal data of past and present shareholders, directors or other officers in complying with the Irish Companies Acts
     
  • data controllers who process personal data for the purpose of publishing journalistic, literary or artistic material, and
     
  • data controllers or data processors who operate under a statutory data protection code of practice.

Data processors that process personal data on behalf of any of the above categories of data controller are also not required to register.

The 2007 Regulations impose an absolute obligation to register on banks, insurance undertakings, direct marketing firms, debt collection agencies, credit reference agencies, health professionals, anyone processing genetic data, ISPs and telecoms companies. Any data processor that processes personal data on behalf of a data controller that falls into one of these categories is also obliged to register. A failure by a data controller or processor to register, when required to do so, is an offence punishable by fines of up to EUR 100,000.

Data controllers and/or data processors are obliged to renew their registration annually. The DPC may refuse an application for registration under certain conditions. There is a right of appeal against a refusal to the Circuit Court.

Data Protection Officers

There is no legal requirement to appoint a data protection officer but it would be best practice to do so. The DPC recommends that data controllers appoint a co-ordinator to deal with subject access requests. Where a data protection officer is appointed, this information should be supplied to the data subjects.

Collection & Processing

The DPA transposes the data protection principles from the Data Protection Directive, which need to be complied with in relation to the collection and processing of personal data.

In addition to complying with the data protection principles, all processing of personal data must comply with one of a number of legitimate processing conditions contained in the DPA.

These include that:

  • the data subject has given his or her consent to such processing
     
  • the processing is required for the performance of a contract to which the data subject is a party
     
  • the processing is necessary for compliance with a legal obligation to which the data controller is subject
     
  • the processing is to prevent an injury or other damage to the health of the data subject
     
  • the processing is to protect an individual’s vital interests
     
  • the processing is for the administration of justice, or
     
  • the processing is for the purposes of the legitimate interests pursued by a data controller.

If sensitive personal data is being processed, then an additional set of processing conditions need to be satisfied. These include the ‘explicit’ consent of the data subject. The grounds for processing sensitive data are quite restrictive and it can sometimes be difficult to legitimise the processing of sensitive personal data.

Transfer

The DPA contains a number of restrictions on the transfer of personal data by a data controller to a country or territory outside of the European Economic Area ('EEA'). Under the DPA, such transfers may not take place unless the receiving country ensures an adequate level of protection for the privacy of data subjects in relation to the processing of their personal data. A limited number of countries are recognised by the European Commission as having this level of protection.

Otherwise under the DPA, it is only possible to transfer personal data outside the EEA if:

  • The data subject has consented to the transfer
     
  • The transfer is necessary for the performance of a contract between the data subject and the data controller

  • The transfer is necessary for the performance of a contract between the data controller and someone other than the data subject, and the contract is entered into at the request of the data subject, or the contract is in the interests of the data subject

  • The transfer is necessary for reasons of public interest
     
  • The transfer is necessary under some international obligation of the State
     
  • The transfer is required or authorised by law
     
  • The transfer is necessary for obtaining legal advice
     
  • The transfer is necessary in order to prevent personal injury or damage to the health of the data subject

  • The transfer is done under one of the EU Approved Model Clauses ("SCCs")

  • The transfer is necessary to protect the data subject’s vital interests

  • The personal data to be transferred are an extract from a statutory public register

  • The transfer is subject to standard contractual clauses approved by the EU Commission, or

  • The transfer of data is subject to binding corporate rules (“BCRs”)

The DPC recognises the use of BCRs, and the Irish DPC has agreed to abide by the mutual recognition procedure. Multinational companies must draft BCRs and submit them to the DPC for its approval. The Irish DPC acted as the lead authority for approval of the Intel Corporation’s BCRs in January 2012.

Formerly, transfers of data from the EEA to the US could take place (in the absence of fulfilling one of the exceptions above) where the recipient in the US had signed up to the Safe Harbor regime. This is no longer the case since the Court of Justice of the European Union held in Schrems v. Data Protection Commissioner (C-362/14) that the European Commission Decision underlying Safe Harbor (Decision 2000/520/EC) is invalid. The Irish High Court remitted the matter for consideration to the DPC, which commenced its investigation of the reformulated complaints submitted by Mr Schrems.

In May 2016, the DPC commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning the use of SCCs to authorise the transfer of personal data to the U.S. and a preliminary reference to the CJEU.

Security

Data controllers and data processors must take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, personal data, particularly where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

As to the level of security required, data controllers and data processors must put in place appropriate security provisions for the protection of personal data, having regard to:

  • the current state of technological development
     
  • the cost of implementing security measures
     
  • the nature of the personal data, and
     
  • the harm that might result from unauthorised processing or loss of the data concerned.

Data controllers and data processors are also obliged to take all reasonable steps to ensure that their employees and other persons at the place of work concerned are aware of and comply with the relevant security measures.

These requirements extend to both technical and organisational security measures. Data controllers should have appropriate access controls in place, and be able to monitor the access to their systems and records. Access should be limited according to sensitivity and on a “need to know” basis.

Breach Notification

The DPC has published a Personal Data Security Breach Code of Practice (‘Code’) which states that the DPC must be notified of any situation where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration. There is a limited exception to this requirement where:

  • the disclosure affects fewer than one hundred individuals
  • no loss of sensitive personal or financial data is involved, and
  • the affected individuals have been informed.

Under the ePrivacy Regulations, data breaches in relation to electronic communication networks or services must be notified to the Data Protection Commissioner. Where the breach is likely to affect the personal data or privacy of a subscriber, affected subscribers must also be notified.

In very limited circumstances, data controllers can take the view that affected data subjects do not need to be notified if measures have been taken which will make the data inaccessible or unintelligible to unauthorised users; such technical measures could include encryption.

Enforcement

The DPC is responsible for the enforcement of the DPA and the ePrivacy Regulations.

The DPC must investigate any complaints which she receives from individuals who consider that personal information about them is not being treated in accordance with the DPA, unless she is of the opinion that such complaints are "frivolous or vexatious". The DPC can also launch investigations on her own initiative, where she is of the opinion that there might be a breach of the DPA, or where she considers it appropriate in order to ensure compliance with the DPA. Authorised officials of the DPC have legislative powers of entry, inspection and interrogation to support these investigations. The DPC carried out 51 audits and inspections in 2015, prioritising multinational technology companies and major public-sector organisations.

A breach of specific provisions of the DPA can result in criminal liability. These include:

  • The failure of a data controller or data processor to register with the DPC

  • The disclosure of personal data which was obtained without authority 

  • The failure to comply with a DPA enforcement notice

  • Failure to comply with a DPC prohibition notice on transfer of personal data outside the State

  • Failure to comply with a DPC notice requiring information, or knowingly providing false or misleading information in response to such a notice

  • Knowingly supplying false or misleading information as part of a registration with the DPC, and

  • Failure to comply with an authorised officer of the DPC.

Persons found guilty of offences under the DPA may be liable:

  • On summary conviction (before a district judge sitting alone), to a fine not exceeding EUR 4,000, or

  • On conviction on indictment (before a judge and jury), to a fine not exceeding EUR 100,000.

It should also be noted that under the DPA personal criminal responsibility may be attached to a director or officer of a company which is found guilty of an offence “committed with the consent or connivance” of that director or officer.

Breaching other provisions of the DPA does not in itself give rise to criminal liability, but the DPC may investigate the incident and issue an ‘Enforcement Notice’ compelling a data controller to comply with the DPA. Failure to comply with an Enforcement Notice is an offence.

The ePrivacy Regulations prescribe fines for failure to report data breaches, inadequate security measures and sending of unsolicited communications (spam) with regard to electronic communication networks and services.

In addition to specific penalties arising out of enforcement actions, a breach of the DPA can also give rise to reputational damage, particularly if the DPC publishes details of the breach in her Annual Report or issues a press release (as she does from time to time).

In 2015 the DPC investigated 932 complaints. The majority of these complaints (578 or 62%) related to subject access requests. In addition, 104 complaints (or 11%) related to violations of the ePrivacy Regulations.

As a result of the ruling of the CJEU in Google Spain v AEPD and Mario Costeja (Case C-131/12) (commonly known as the “Google Spain” ruling), a new category of complaint, Internet Search Result Delisting, emerged in 2014. This ruling confirmed that users may request search engines, under certain conditions, to remove the links to information affecting their privacy, specifically where a search has been conducted on the name of that individual. The DPC received 23 such complaints against search engines in 2015. The first "right to be forgotten" case in the Irish courts was heard before the Dublin Circuit Court in May 2016. The case was a challenge to the DPC's decision that a politician's privacy was not breached by Google's refusal to remove a link that was listed in the search results when his name was entered into the Google search bar. The Circuit Court held that the balance of rights fell in favour of the appellant and upheld the appeal.

Electronic Marketing

The ePrivacy Regulations implement the anti-spam rules set out in Article 13 of the Privacy and Electronic Communications Directive 2002/58/EC (as amended by the Citizens’ Rights Directive). These regulations came into effect on 1 July 2011. Electronic mail includes text messages (SMS), voice messages, sound messages, image messages, multimedia messages (MMS) and email messages.

Direct marketing emails can generally only be sent to users with their prior consent. A limited exemption is available for direct marketing emails sent to existing customers promoting other products or services similar to those previously purchased by that consumer (such emails can only be sent for 12 months, the customer must have been given the opportunity to object when the details were collected and the product or service being marketed must be a product or service offered by the person with the existing relationship with the customer). B2B direct marketing emails can generally be sent unless the recipient has informed the sender that it does not consent to the receipt of such messages.

The identity of the sender must not be disguised or concealed and the recipient must be offered an opt-out.

Direct marketing calls (excluding automated calls) may be made to a landline provided the subscriber has not previously objected to receiving such calls or noted his or her preference not to receive direct marketing calls in the National Directory Database. Direct marketing calls cannot be made to a mobile phone without prior consent.

One cannot send a direct marketing fax to an individual subscriber in the absence of prior consent. One can send such a fax to a corporate subscriber unless that subscriber has previously instructed the sender that it does not wish to receive such communications or has recorded a general opt-out to receiving such direct marketing faxes in the National Directory Database.

Breach of these anti-spam rules is a criminal offence. On a summary prosecution (before a judge sitting alone) a maximum fine of EUR 5,000 per message sent can be handed down. On conviction on indictment (before a judge and jury) a company may be fined up to EUR 250,000 per message sent and an individual may be fined up to EUR 50,000 per message.

Online Privacy

Cookies

Consent is needed for the use of cookies unless the cookie is strictly necessary for the provision of a service to that subscriber or user. The ePrivacy Regulations (the 2011 Regulations) expressly refer to the use of browser settings as a means to obtain consent. There is no express requirement for consent to be ‘prior’ to the use of a cookie. A user must be provided with ‘clear and comprehensive information’ about the cookie (including, in particular, its purposes). This information must be prominently displayed and easily accessible. The methods adopted for giving information and obtaining consent should be as ‘user friendly’ as possible.

The DPC has provided regulatory guidance on the use of cookies which can be accessed at:
http://www.dataprotection.ie/documents/guidance/Electronic_Communications_Guidance.pdf.

Location Data

One cannot process location data unless either:

  • such data has been made anonymous, or
     
  • user consent has been obtained.

A provider of electronic communication networks or services or associated facilities (i.e. a telco) must inform its users of:

  • the type of location data (other than traffic data) that will be processed
     
  • the purpose and duration of the processing, and
     
  • whether the data will be transmitted to a third party to provide a value added service.

Users can withdraw their consent to the processing of location data.

Contacts
Philip Nolan
Partner and Head of Commercial Department
T +353 1 6145078