Data Protection Act 2018
PART 1 Preliminary and General
1. Short title, citation and commencement
1. (1) This Act may be cited as the Data Protection Act 2018.
(2) This Act and the Data Protection Acts 1988 and 2003 may be cited together as the Data Protection Acts 1988 to 2018.
(3) This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions, and for the repeal of different enactments or provisions of enactments effected by section 7.
2. Interpretation
2. (1) In this Act—
“Act of 1988” means the Data Protection Act 1988;
“Act of 2014” means the Companies Act 2014;
“authorised officer” means a person appointed, or deemed to be appointed, to be an authorised officer under section 129;
“chairperson” means the chairperson of the Commission;
“civil servant” has the meaning assigned to it by the Civil Service Regulation Act 1956;
“Commission” has the meaning assigned to it by section 10;
“Commissioner” has the meaning assigned to it by section 15 and includes a member of staff authorised to act in place of a Commissioner under section 18;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016^3 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016^4 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
“enactment” has the same meaning as it has in the Interpretation Act 2005;
“local authority” means a local authority within the meaning of section 2 of the Local Government Act 2001;
F1[“Mayor of Limerick” has the meaning assigned to it by section 9 of the Local Government (Mayor of Limerick) and Miscellaneous Provisions Act 2024;]
“Minister” means the Minister for Justice and Equality;
“political party” means a political party registered in the Register of Political Parties in accordance with section 25 of the Electoral Act 1992;
“prescribe” means prescribe by regulations;
“public authority” means—
(a) a Department of State,
(b) a regional assembly,
(c) a local authority,
(d) the office of the Director of Corporate Enforcement,
(e) the Irish Auditing and Accounting Supervisory Authority,
(f) any other person established by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act) other than—
(i) a recognised school or board within the meaning of section 2 of the Education Act 1998 but including a recognised school established and maintained by an education and training board and a board of a school so established and maintained, and
(ii) a management committee established under section 37(3) of the Education Act 1998,
(g) a person with whom the Health Service Executive has, under section 38(1) of the Health Act 2004, entered into an arrangement for the provision of a health or personal social service by that person on behalf of the Executive,
(h) the Garda Síochána;
“public body” means—
(a) a company (within the meaning of the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act) a majority of the shares in which are held by or on behalf of a Minister of the Government,
(b) a subsidiary (within the meaning of section 7 of the Act of 2014) of a company referred to in paragraph (a);
“special categories of personal data”, other than in Part 5, means—
(a) personal data revealing—
(i) the racial or ethnic origin of the data subject,
(ii) the political opinions or the religious or philosophical beliefs of the data subject, or
(iii) whether the data subject is a member of a trade union,
(b) genetic data,
(c) biometric data for the purposes of uniquely identifying an individual,
(d) data concerning health, or
(e) personal data concerning an individual’s sex life or sexual orientation.
(2) Subject to subsection (1), a word or expression used in this Act, other than in Part 5, that is also used in the Data Protection Regulation has, unless the context otherwise requires, the same meaning in this Act as it has in that Regulation.
(3) Unless the context otherwise requires, a reference in this Act (other than in Part 5) to a numbered Article is a reference to the Article so numbered of the Data Protection Regulation.
3. Designation by appropriate authority
3. (1) An appropriate authority (within the meaning of the Civil Service Regulation Act 1956) may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a controller and while the designation is in force the civil servant so designated shall, other than for the purposes of sections 105(3) and 141(2) and (3), be deemed, for the purposes of this Act and the Data Protection Regulation, to be the controller in respect of the data concerned.
(2) Without prejudice to subsection (1), the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a controller and while the designation is in force the officer so designated shall, other than for the purposes of sections 105(3) and 141(2) and (3), be deemed, for the purposes of this Act and the Data Protection Regulation, to be the controller in respect of the data concerned.
(3) For the purposes of this Act and the Data Protection Regulation—
(a) where a designation by the relevant appropriate authority under subsection (1) is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,
(b) where a designation under subsection (2) is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and
(c) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the Commissioner of the Garda Síochána.
4. Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances
4. (1) A person shall not, in connection with—
(a) the recruitment of an individual as an employee,
(b) the continued employment of the individual, or
(c) a contract for the provision of services to the person by an individual,
require that individual to—
(i) make a request under Article 15 or under section 91, or
(ii) supply the person with data relating to that individual obtained as a result of such a request.
(2) A person who contravenes subsection (1) shall be guilty of an offence and shall be liable—
(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.
5. Expenses
5. The expenses incurred by the Commission and any Minister of the Government in the administration of this Act shall, to such an extent as may be sanctioned by the Minister for Public Expenditure and Reform, be paid out of moneys provided by the Oireachtas.
6. Regulations
6. (1) Regulations made under this Act may contain such incidental, supplementary and consequential provisions as appear to the person making the regulations to be necessary or expedient for the purposes of the regulations.
(2) Every regulation made under this Act, other than under section 51, 60 or 73, shall be laid before each House of the Oireachtas as soon as may be after it is made.
(3) Either House of the Oireachtas may, by a resolution passed within 21 sitting days after the day on which a regulation is laid before it under subsection (2), annul the regulation.
(4) The annulment of a regulation under subsection (3) takes effect immediately on the passing of the resolution concerned but does not affect the validity of anything done under the regulation before the passing of the resolution.
(5) Regulations may be made under section 51, 60 or 73 only if—
(a) a draft of the proposed regulations has been laid before each House of the Oireachtas, and
(b) a resolution approving the draft has been passed by each House.
7. Repeals and revocations
7. (1) Subject to subsection (4), the following provisions of the Act of 1988 are repealed:
(a) in section 1—
(i) subsection (1), the definition of “direct marketing”, “financial institution” and “the register”, and
(ii) subsection (5);
(b) section 2(7) and (8);
(c) section 4(2), (6), (8) and (13);
(d) section 5(1)(d);
(e) section 9 and the Second Schedule;
(f) section 11(3) and (4)(b);
(g) sections 13, 14, 16, 17, 18, 19, 20, 22A and 33.
(2) Subject to subsection (4), section 14(2) of the Data Protection (Amendment) Act 2003 is repealed.
(3) Subject to subsection (4), the enactments specified in column (3) of Schedule 1 are revoked to the extent specified in column (4) of that Schedule.
(4) The repeals and revocations effected by this section shall not apply for the purposes of subsections (1)(b), (2) and (3) of section 8.
8. Application of Data Protection Act 1988
8. (1) Subject to this section, the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data (within the meaning of that Act) other than—
(a) the processing of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, or
(b) the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 to the extent that the Act of 1988 is applied in those Acts.
(2) The Act of 1988 shall apply to—
(a) a complaint by an individual under section 10 of that Act made before the commencement of this section, and
(b) a contravention of that Act that occurred before such commencement.
(3) An investigation under section 10 of the Act of 1988 that was begun but not completed before the commencement of this section shall be completed in accordance with that Act and that Act shall apply to such an investigation.
PART 2 Data Protection Commission
9. Establishment day
9. The Minister shall, by order, appoint a day to be the establishment day for the purposes of this Act.
10. Establishment of Data Protection Commission
10. (1) On the establishment day there shall stand established a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission (in this Act referred to as the “Commission”).
(2) Schedule 2 shall have effect in relation to the Commission.
11. Supervisory authority for Data Protection Regulation and Directive
11. The Commission shall be the supervisory authority within the meaning of, and for the purposes specified in—
(a) the Data Protection Regulation, and
(b) the Directive.
12. Functions of Commission
12. (1) In addition to the functions assigned to the Commission by virtue of its being the supervisory authority for the purposes of the Data Protection Regulation and the Directive, the general functions of the Commission shall include—
(a) any functions assigned to it by or under this Act,
(b) functions transferred to the Commission under section 14, and
(c) such other functions as may be assigned to it from time to time by or under any other enactment.
(2) The Commission shall monitor the lawfulness of processing of personal data in accordance with—
(a) Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013^5 on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast), and
(b) Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013^6 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast).
(3) The Commission is designated for the purposes of Chapter IV (Mutual assistance) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981.
(4) The Minister may, following consultation with the Commission, make any regulations that he or she considers necessary or expedient for the purpose of enabling Chapter IV (as referred to in subsection (3)) to have full effect.
(5) The Commission shall have all such powers as are necessary or expedient for the performance of its functions.
(6) The Commission shall disseminate, to such extent and in such manner as it considers appropriate, information in relation to the functions performed by it.
(7) The Commission shall be independent in the performance of its functions.
(8) Subject to this Act, the Commission shall regulate its own procedures.
13. Performance of functions of Commission by Commissioner or member of staff
13. (1) Where more than one Commissioner stands appointed under section 15, the functions of the Commission, other than the functions specified in subsection (3), may be performed through or by a Commissioner where he or she is authorised in that behalf by the Commission.
(2) The functions of the Commission, other than the functions specified in subsection (3), may be performed through or by any member of staff of the Commission where he or she is authorised in that behalf by the Commission.
(3) The functions referred to in subsections (1) and (2) are the functions of the Commission under sections 12(8), 21, 28, 43, 84(9) and (10), 129, 134(1) and (4), 135(1), 149 (other than subsection (1)), paragraph 1 of Schedule 2 and its function, as supervisory authority, under Article 35(4) and (5) of the Data Protection Regulation.
(4) A Commissioner or member of staff of the Commission who performs any of the functions of the Commission is presumed in any proceedings to have been authorised to do so on its behalf unless the contrary is shown.
14. Transfer of functions of Data Protection Commissioner to Commission
14. (1) All functions that, immediately before the establishment day, were vested in the Data Protection Commissioner are transferred to the Commission.
(2) A reference in any enactment or instrument under an enactment to the Data Protection Commissioner or to the Office of the Data Protection Commissioner shall be construed as a reference to the Commission.
(3) A reference in the Act of 1988 (other than in section 1(3)(c)(iii) in so far as it refers to the Commissioner of the Garda Síochána) to the Commissioner shall be construed as a reference to the Commission.
(4) This section shall come into operation on the establishment day.
15. Membership of Commission
15. (1) The Commission shall consist of such and so many members (not being more than 3) as the Government determines.
(2) Each member of the Commission shall be known as a Commissioner for Data Protection (in this Act referred to as a “Commissioner”).
(3) Subject to subsections (4), (8) and (9) and section 18, a Commissioner shall be appointed by the Government on the recommendation of the Public Appointments Service and the appointment shall be for a period of not less than 4 and not more than 5 years from the date of his or her appointment.
(4) If, immediately before the establishment day, there is a person holding office as the Data Protection Commissioner, he or she shall, on the establishment day, be a Commissioner for the remainder of the term of office, and upon the same terms and conditions, for which he or she was appointed as the Data Protection Commissioner.
(5) Subject to subsection (7), the Public Appointments Service shall recommend a person for appointment as Commissioner following an open selection competition held by the Service for that purpose.
(6) The Public Appointments Service shall appoint a selection panel to assist it in holding an open selection competition.
(7) The Public Appointments Service shall ensure that a person is recommended under subsection (5) for appointment only if it is satisfied that the person has the qualifications, experience and skills necessary to enable the Commission to effectively perform its functions.
This document does not substitute the official text published in the Irish Statute Book. We accept no responsibility for any inaccuracies arising from the transcription of the original into this format.