Data Protection (Registration) Regulations, 1988

• Jurisdiction: Ireland
• Citation: IR SI 351/1988

S.I. No. 351 of 1988.

DATA PROTECTION (REGISTRATION) REGULATIONS, 1988.

I, DONAL C. LINEHAN, Data Protection Commissioner, by virtue of the powers conferred on me by section 20 of the Data protection Act, 1988 (No. 25 of 1988), hereby, with the consent of the Minister for Justice, make the following regulations: 1. These Regulations may be cited as the Data Protection (Registration) Regulations, 1988. 2. These Regulations shall come into force on the 9th day of January, 1989. 3. In these Regulations "the Act" means the Data Protection Act, 1988 . 4. An application by a person wishing to be registered in the register established and maintained by the Data Protection Commissioner under section 16 (2) of the Act or to have a registration continued under section 18 of the Act or to have particulars in an entry in the register altered shall be made by completing the appropriate form specified in the Schedule to these Regulations or a form to the like effect. 5. The information required to be furnished to the Data Protection Commissioner by a person referred to in Regulation 4 shall be that specified in the appropriate form and any other information that the Commissioner may require to enable him to deal either with a particular application or with applications generally (in which case he may require the information to be furnished by way of an addition to the appropriate form). 6. The particulars to be included in an entry in the register in relation to a data controller to whom section 16 of the Act applies shall be:

(a) name and address;

(b) purpose or purposes for which he keeps or uses personal data;

(c) description of the data;

(d) persons or categories of persons (other than persons to whom data are disclosed pursuant to section 8 of the Act) to whom the data may be disclosed;

(e) countries or territories to which the data may be directly or indirectly transferred;

(f) if the source from which the data, and any information intended for inclusion in the data, are obtained is required by the Commissioner to be described in the entry, the persons or categories of persons from whom the data and information are obtained;

(g) if the data controller is not the person to whom requests for information under section 4 (1) (a) of the Act should be addressed, the name or job status and address of that person;

(h) date on which the entry was made or, as the case may be, from which the relevant registration was continued;

(i) a reference to any other entry in the register relating to the data controller. 7. In the case of a data processor whose business consists wholly or partly in processing personal data on behalf of data controllers and who is not himself a data controller to whom section 16 of the Act applies, the particulars to be included in the relevant entry in the register shall be his name and address. 8. (a) In the case of a partnership which has applied to be registered in the register, the name of the partnership and of each of the partners shall be included in the entry in the register.

(b) In the case of a company (within the meaning of the Companies Acts, 1963 to 1987) which has so applied, the address to be so included shall be that of its registered office.

(c) In the case of a person (other than such a company) carrying on a business who has so applied, the address shall be that of his principal place of business.

SCHEDULE.

DATA PROTECTION (REGISTRATION) REGULATIONS, 1988

FORM DPA1

APPLICATION FOR REGISTRATION AS A DATA CONTROLLER (OR AS BOTH A DATA CONTROLLER AND A DATA PROCESSOR)

1. Name and address:

(If a partnership, state its name and the name of each partner; if a company, give the address of the registered office; in the case of any other business, give the address of the principal place of business.)

2. Name or job status of person to whom applications for access to personal data should be sent:

(Give address also if different from above.)

Note: Paragraphs 3 to 7 do not apply to personal data processed on behalf of another.

3. Purpose(s) for which you keep or use personal data:

(If the personal data are kept for the purposes of a business, trade, profession or public service, state in general (but comprehensive) terms the purpose(s) for which it is carried on. In any other case, specify the purpose(s) for which the data are kept or used.)

4. Description of all personal data so kept or used:

(a) The personal data normally associated with each of the following applications, namely: (Describe briefly, but adequately, the various applications.)

(b) Personal data not normally associated with any of the applications specified at (a) above:(Give full details.)

5. Persons or bodies (or categories of them) to whom the persona] data may be disclosed (other than persons or bodies to whom a disclosure may be made in the circumstances specified in section 8 of the Act):

Note: A disclosure of any personal data to a person or body specified above must not be made in any manner incompatible with the purpose's) for which those data are kept. Otherwise the disclosure will be in contravention of section 2(1) (c) (ii) of the Act.

6. Countries or territories (if any) to which you transfer, or intend to transfer, personal data directly or indirectly:

(State countries or territories concerned, description of data to be transferred and purpose of transfer.)

Note: This paragraph relates only to personal information when transferred abroad in automated form.

7. If you keep personal data relating to (a) racial origin, (b) political opinions, (c) religious or (d)other beliefs, (e) physical or mental health (other than any such data reasonably kept by you in relation to the physical or mental health of your employees and not used or disclosed for any other purpose), (f) sexual life or (g) criminal convictions—

(a) state which of these kinds of personal data you keep;

(b) state for which of the applications specified at 4 above each of these kinds of data is kept;

(c) specify under the following headings the safeguards in operation for the protection of the privacy of the data subjects concerned:

1. physical safeguards,

2. technical safeguards.

8. (a) Does any of the personal data kept by you consist of information that you are required by law to make available to the public? *Yes/*No.

(b) If the answer is "Yes", give details:

9. (a) Are you a data processor who is required to register (i.e. are you a person whose business consists wholly or partly in processing personal data on behalf of others)? *Yes/*No.

(b) If the answer is "Yes", state the countries or territories (if any) to which you transfer, or intend to transfer, such data for processing directly or...