European Communities (Data Protection) Regulations, 2001

Jurisdiction: Ireland

I, John O'Donoghue, Minister for Justice, Equality and Law Reform, in exercise of the powers conferred on me by section 3 of the European Communities Act, 1972 (No. 27 of 1972), and for the purpose of giving effect to Articles 4, 17, 25 and 26 of Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereby make the following regulations:

1. (1) These Regulations may be cited as the European Communities (Data Protection) Regulations, 2001.

(2) These Regulations shall come into operation on 1 April, 2002.

(3) In these Regulations, “the Principal Act” means the Data Protection Act, 1988.

2. Section 1 of the Principal Act is amended—

(a) in subsection (1), by the insertion of the following definitions:

“ ‘the Directive’ means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

‘the EEA Agreement’ means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993;

‘enactment’ means a statute or a statutory instrument (within the meaning of the Interpretation Act, 1937);

‘the European Economic Area’ has the meaning assigned to it by the EEA Agreement;”,

and

(b) by the insertion of the following subsection after subsection (4):

“(5)(a) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if—

(i) the data controller is established in the State and the data are processed in the context of that establishment, or

(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.

(b) For the purposes of paragraph (a) of this subsection, each of the following shall be treated as established in the State:

(i) an individual who is normally resident in the State,

(ii) a body incorporated under the law of the State,

(iii) a partnership or other unincorporated association formed under the law of the State, and

(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) but maintains in the State—

(I) an office, branch or agency through which he or she carries on any activity, or

(II) a regular practice,

and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.

(c) A data controller to whom paragraph (a)(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.”.

3. The following section is inserted in the Principal Act after section 2:

“Security measures for personal data.

2A.—(1) In determining appropriate security measures for the purposes of section 2(1)(d) of this Act, in particular (but without prejudice to the generality of that provision), where the processing involves the transmission of data over a network, a data controller—

(a) may have regard to the state of technological development and the cost of implementing the measures, and

(b) shall ensure that the measures provide a level of security appropriate to—

(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and

(ii) the nature of the data concerned.

(2) A data controller or data processor shall take all reasonable steps to ensure that—

(a) persons employed by him or her, and

(b) other persons at the place of work concerned,

are aware of and comply with the relevant security measures aforesaid.

(3) Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall—

(a) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor carries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent to those imposed on the data controller by section 2(1)(d) of this Act,

(b) ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and

(c) take reasonable steps to ensure compliance with those measures.”.

4. Section 9 of the Principal Act is amended by the insertion of the following subsection after subsection (2):

“(3) The Commissioner shall be the supervisory authority in the State for the purposes of Articles 4, 17, 25 and 26 of the Directive.”.

5. The following section is substituted...
