Data protection act 2018

• Enactment Date: 24 May 2018
• Act Number: 7

Number 7 of 2018

DATA PROTECTION ACT 2018

CONTENTS

PART 1

Preliminary and General

1. Short title, citation and commencement

2. Interpretation

3. Designation by appropriate authority

4. Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances

5. Expenses

6. Regulations

7. Repeals and revocations

8. Application of Data Protection Act 1988

PART 2

Data Protection Commission

9. Establishment day

10. Establishment of Data Protection Commission

11. Supervisory authority for Data Protection Regulation and Directive

12. Functions of Commission

13. Performance of functions of Commission by Commissioner or member of staff

14. Transfer of functions of Data Protection Commissioner to Commission

15. Membership of Commission

16. Appointment of chairperson of Commission

17. Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner

18. Acting Commissioner

19. Accountability of Commissioner to Oireachtas Committees

20. Assignment and transfer of staff to Commission

21. Staff of Commission

22. Superannuation of Commissioners

23. Accounts of Commission

24. Annual report

25. Accountability for accounts of Commission

26. Prohibition on disclosure of confidential information

27. Civil proceedings for contravention of section 26

PART 3

Data Protection Regulation

Chapter 1

General

28. Fees

29. Child for purposes of application of Data Protection Regulation

30. Micro-targeting and profiling of children

31. Consent of child in relation to information society services

32. Codes of conduct: children

33. Right to be forgotten: children

34. Designation of data protection officer

35. Accreditation of certification bodies by Irish National Accreditation Board

36. Suitable and specific measures for processing

37. Limitation on transfers of personal data outside the European Union

38. Processing for a task carried out in the public interest or in the exercise of official authority

39. Communication with data subjects by political parties, candidates for and holders of certain elective political offices

40. Processing of personal data and special categories of personal data by elected representatives

41. Processing for purpose other than purpose for which data collected

42. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

43. Data processing and freedom of expression and information

44. Data processing and public access to official documents

Chapter 2

Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences

45. Processing of special categories of personal data

46. Processing of special categories of personal data for purposes of employment and social welfare law

47. Processing of special categories of personal data for purpose of legal advice and legal proceedings

48. Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission

49. Processing of special categories of personal data for purposes of administration of justice and performance of functions

50. Processing of special categories of personal data for insurance and pension purposes

51. Processing of special categories of personal data and Article 10 data for reasons of substantial public interest

52. Processing of special categories of personal data for purposes of Article 9(2)(h)

53. Processing of special categories of personal data for purposes of public interest in the area of public health

54. Processing of special categories of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

55. Processing of personal data relating to criminal convictions and offences

Chapter 3

Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers

56. Right of access to results and scripts of examination and results of appeal

57. Rights in relation to automated decision making

58. Direct marketing for purposes of Article 21

59. Restriction on right of data subject to object to processing for election purposes and processing by Referendum Commission

60. Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest

61. Restriction on exercise of data subjects’ rights: archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

PART 4

Provisions Consequent on Repeal of Certain Provisions of Data Protection Act 1988

62. Transfer of property of Data Protection Commissioner to Commission

63. Transfer of rights and liabilities of Data Protection Commissioner to Commission

64. Liability for loss occurring before establishment day

65. Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission

66. Final accounts and final annual report of Data Protection Commissioner

67. Saver for scheme relating to superannuation

68. Saver for regulations under Act of 1988

PART 5

Processing of Personal Data for Law Enforcement Purposes

Chapter 1

Preliminary and general (Part 5)

69. Interpretation (Part 5)

70. Application of Part 5

Chapter 2

General principles of data protection

71. Processing of personal data

72. Security measures for personal data

73. Processing of special categories of personal data (Part 5)

74. Data quality

Chapter 3

Obligations of controllers and processors

75. General obligations of controller with regard to technical and organisational measures

76. Data protection by design and by default

77. Security of automated processing

78. Technical and organisational measures

79. Joint controllers

80. Processors

81. Record of data processing activities

82. Data logging for automated processing system

83. Cooperation with Commission

84. Data protection impact assessment and prior consultation with Commission

85. Notification of personal data breach by processor

86. Notification of personal data breach to Commission, etc.

87. Communication of personal data breach to data subject

88. Data protection officer

Chapter 4

Rights, and restriction of rights, of data subject (Part 5)

89. Rights in relation to automated decision making (Part 5)

90. Right to information

91. Right of access

92. Right to rectification or erasure and restriction of processing

93. Communication with data subject

94. Restrictions on exercise of data subject rights (Part 5)

95. Indirect exercise of rights and verification by Commission

Chapter 5

Transfers of personal data to third countries or international organisations

96. Transfer to third country or international organisation

97. Adequacy decision

98. Transfer subject to appropriate safeguards

99. Derogations for specific situations

100. Transfer to recipient in third country

Chapter 6

Independent supervisory authority

101. Functions of Commission under Part 5

102. Power of the Commission to advise and issue opinions

103. Mutual assistance

104. Requests by Commission for mutual assistance

PART 6

Enforcement of Data Protection Regulation and Directive

Chapter 1

Preliminary

105. Interpretation (Part 6)

106. Service of documents (Part 6)

Chapter 2

Enforcement of Data Protection Regulation

107. Interpretation (Chapter 2)

108. Complaints under Chapter 2: General

109. Commission to handle complaint under Chapter 2

110. Commission may conduct inquiry into suspected infringement of relevant enactment

111. Decision of Commission where inquiry under Chapter 2 conducted of own volition

112. Decision of Commission where inquiry conducted in respect of complaint to which Article 55 or 56(5) applies

113. Complaint to which Article 60 applies

114. Commission to adopt decision in certain circumstances

115. Exercise by Commission of corrective power

116. Notification of decision of Commission under Chapter 2

117. Judicial remedy for infringement of relevant enactment

Chapter 3

Enforcement of Directive

118. Interpretation (Chapter 3)

119. Data subject may lodge complaint with Commission

120. Representation of data subjects

121. Complaints under Chapter 3: General

122. Commission to handle complaint under Chapter 3

123. Commission may conduct inquiry into suspected infringements of relevant provision

124. Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition

125. Decision of Commission where inquiry conducted in respect of complaint under Chapter 3

126. Notification of decision of Commission under Chapter 3

127. Corrective powers of Commission (Chapter 3)

128. Judicial remedy for infringement of relevant provision

Chapter 4

Inspection, Audit and Enforcement

129. Authorised officers

130. Powers of authorised officers

131. Search warrants

132. Information notice

133. Enforcement notice

134. Circumstances in which application may be made to the High Court for suspension or restriction of processing of data

135. Power to require report

136. Data Protection Audit

Chapter 5

Investigations

137. Investigations

138. Conduct of investigation under section 137

139. Investigation report

140. Commission to consider investigation report

Chapter 6

Administrative Fines

141. Power of Commission to decide to impose administrative fine: General

142. Appeal against administrative fine

143. Circuit Court to confirm decision to impose administrative fine

Chapter 7

Offences

144. Unauthorised...