Data Protection Act, 1988
1. Interpretation and application of Act.
1.—(1)In this Act, unless the context otherwise requires—
F1["the Act of 2003" means the Data Protection (Amendment) Act 2003]
“appropriate authority” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;
F1["automated data" means information that—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) is recorded with the intention that it should be processed by means of such equipment;]
“back-up data” means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged;
F1["blocking", in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked;]
“civil servant” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;
“the Commissioner” has the meaning assigned to it by section 9 of this Act;
“company” has the meaning assigned to it by the Companies Act, 1963;
“the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981, the text of which is set out in the First Schedule to this Act;
“the Court” means the Circuit Court;
F2["data" means automated data and manual data;]
“data controller” means a person who, either alone or with others, controls the contents and use of personal data;
“data equipment” means equipment for processing data;
“data material” means any document or other material used in connection with, or produced by, data equipment;
“data processor” means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;
“data subject” means an individual who is the subject of personal data;
F1["the Directive" means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;]
F3[…]
“disclosure”, in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;
F1["the EEA Agreement" means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993;]
F1["enactment" means a statute or a statutory instrument (within the meaning of the Interpretation Act 1937);]
“enforcement notice” means a notice under section 10 of this Act;
F1["the European Economic Area" has the meaning assigned to it by the EEA Agreement;]
F3[…]
“information notice” means a notice under section 12 of this Act;
F4[“local authority” means a local authority for the purposes of the Local Government Act 2001 (as amended by the Local Government Reform Act 2014);]
F1["manual data" means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;]
“the Minister” means the Minister for Justice;
F2["personal data" means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;]
“prescribed”, in the case of fees, means prescribed by regulations made by the Minister with the consent of the Minister for Finance and, in any other case, means prescribed by regulations made by the Commissioner with the consent of the Minister;
F2["processing" of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including—
(a) obtaining, recording or keeping the information or data,
(b) collecting, organising, storing, altering or adapting the information or data,
(c) retrieving, consulting or using the information or data,
(d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or
(e) aligning, combining, blocking, erasing or destroying the information or data;]
“prohibition notice” means a notice under section 11 of this Act;
F3[…]
F5["relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;]
F1["sensitive personal data" means personal data as to—
(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
(b) whether the data subject is a member of a trade union,
(c) the physical or mental health or condition or sexual life of the data subject,
(d) the commission or alleged commission of any offence by the data subject, or
(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;]
and any cognate words shall be construed accordingly.
(2)For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.
(3)(a)An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force—
(i)the civil servant so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and
(ii)this Act shall not apply to the authority,
as respects the data concerned.
(b)Without prejudice to paragraph (a) of this subsection, the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a data controller or a data processor and, while the designation is in force—
(i)the officer so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and
(ii)this Act shall not apply to the Minister for Defence,
as respects the data concerned.
(c)For the purposes of this Act, as respects any personal data—
(i)where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,
(ii)where a designation under paragraph (b) of this subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and
(iii)a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the said Commissioner.
F1[(3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.
(3B) (a) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if—
(i) the data controller is established in the State and the data are processed in the context of that establishment, or
(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.
(b) For the purposes of paragraph (a) of this subsection, each of the following shall be treated as established in the State:
(i) an individual who is normally resident in the State,
(ii) a body incorporated under the law of the State,
(iii) a partnership or other unincorporated association formed under the law of the State, and
(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) of this paragraph, but maintains in the State—
(I) an office, branch or agency through which he or she carries on any activity, or
(II) a regular practice,
and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.
(c) A data controller to whom paragraph (a)(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.
(3C) Section 2 and sections 2A and 2B (which sections were inserted by the Act of 2003) of this Act shall not apply to—
(a) data kept solely for the purpose of historical research, or
(b) other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986),
and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects.]
(4)This Act does not apply to—
(a)personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,
(b)personal data consisting of information that the person keeping the data is required by law to make available to the public, or
(c)personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.
F1[(5)F3[…]]
2. Collection, processing, keeping, use and disclosure of personal data.
2.—F6[(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,
(b) the data shall be accurate and complete and, where necessary, kept up to date,
(c) the data—
(i) shall have been obtained only for one or more specified, explicit and legitimate purposes,
(ii) shall not be further processed in a manner incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
(iv) shall not be kept for longer than is necessary for that purpose or those purposes,
(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.]
(2)A data processor shall, as respects personal data processed by him, comply with paragraph (d) of subsection (1) of this section.
(3)Paragraph (a) of the said subsection (1) does not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in section 5 (1) (a) of this Act, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in the said section 5 (1) (a).
(4)Paragraph (b) of the said subsection (1) does not apply to backup data.
(5)F7[(a) Subparagraphs (ii) and (iv) of paragraph (c) of the said subsection (1) do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects, and,]
(b)the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained,
if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject.
(6) F8[…]
F9[(7)F10[…]
(8)F10[…]]
2A. F11[Processing of personal data.
2A.—(1) Personal data shall not be processed by a data controller unless section 2 of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the following conditions is met:
(a) the data subject has given his or her consent to the processing or, if the data subject, by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the data subject and the giving of such consent is not prohibited by law,
(b) the processing is necessary—
(i) for the performance of a contract to which the data subject is a party,
(ii) in order to take steps at the request of the data subject prior to entering into a contract,
(iii) for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract, or
(iv) to prevent—
(I) injury or other damage to the health of the data subject, or
(II) serious loss of or damage to property of the data subject,
or otherwise to protect his or her vital interests where the seeking of the consent of the data subject or another person referred to in paragraph (a) of this subsection is likely to result in those interests being damaged,
(c) the processing is necessary—
(i) for the administration of justice,
(ii) for the performance of a function conferred on a person by or under an enactment,
(iii) for the performance of a function of the Government or a Minister of the Government, or
(iv) for the performance of any other function of a public nature performed in the public interest by a person,
(d) the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
(2) The Minister may, after consultation with the Commissioner, by regulations specify particular circumstances in which subsection (1)(d) of this section is, or is not, to be taken as satisfied.]
2B. F12[Processing of sensitive personal data.
2B.—(1) Sensitive personal data shall not be processed by a data controller unless:
(a) sections 2 and 2A (as amended and inserted, respectively, by the Act of 2003) are complied with, and
(b) in addition, at least one of the following conditions is met:
(i) the consent referred to in paragraph (a) of subsection (1) of section 2A (as inserted by the Act of 2003) of this Act is explicitly given,
(ii) the processing is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment,
(iii) the processing is necessary to prevent injury or other damage to the health of the data subject or another person or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where—
(I) consent to the processing cannot be given by or on behalf of the data subject in accordance with section 2A(1)(a) (inserted by the Act of 2003) of this Act, or
(II) the data controller cannot reasonably be expected to obtain such consent,
or the processing is necessary to prevent injury to, or damage to the health of, another person, or serious loss in respect of, or damage to, the property of another person, in a case where such consent has been unreasonably withheld,
(iv) the processing—
(I) is carried out in the course of its legitimate activities by any body corporate, or any unincorporated body of persons, that—
(A) is not established, and whose activities are not carried on, for profit, and
(B) exists for political, philosophical, religious or trade union purposes,
(II) is carried out with appropriate safeguards for the fundamental rights and freedoms of data subjects,
(III) relates only to individuals who either are members of the body or have regular contact with it in connection with its purposes, and
(IV) does not involve disclosure of the data to a third party without the consent of the data subject,
(v) the information contained in the data has been made public as a result of steps deliberately taken by the data subject,
(vi) the processing is necessary—
(I) for the administration of justice,
(II) for the performance of a function conferred on a person by or under an enactment, or
(III) for the performance of a function of the Government or a Minister of the Government,
(vii) the processing—
(I) is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings, or
(II) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
(viii) the processing is necessary for medical purposes and is undertaken by—
(I) a health professional, or
This document does not substitute the official text published in the Irish Statute Book. We accept no responsibility for any inaccuracies arising from the transcription of the original into this format.