GDPR Guide to National Implementation: Ireland
26 min read
In this chapter:
Q24/ Regulatory Guidance
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
New legislation has been passed.
(b) Relevant legislation includes:
- Data Protection Act 2018 (the “2018 Act”)
- Date in force: 25 May 2018
- Link: see here
- Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314 of 2018)
- Date in force: 8 August 2018
- Link: see here
- Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2018 (S.I. No. 188 of 2019) (together with the legislation directly above “Health Research Regulations”)
- Date in force: 29 April 2019
- Link: see here
- Data Sharing and Governance Act 2019
- Date in force: Part commenced 18 April 2019
- Link: see here
(c) What is the status of national pre-GDPR data protection law?
The pre-GDPR legislation, the Data Protection Acts 1988 and 2003 (as amended), have largely been disapplied by the 2018 Act. The pre-GDPR legislation continues to apply in limited circumstances including to the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or international relations, to complaints made by individuals prior to 25 May 2018, to contraventions of the pre-GDPR legislation and to investigations under the pre-GDPR legislation that had begun but were not completed before 25 May 2018.
Q2/ Personal data of deceased persons
Does national law make specific rules regarding the processing of personal data of deceased persons?
The 2018 Act amends the Health Identifiers Act 2014 (“2014 Act”) with the result that the appropriate technical and organisational measures are to be applied to a deceased person’s relevant information (as defined in the 2014 Act), which includes their health identifier.
Q3/ Legal bases for processing
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
There are no specific rules governing this issue.
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
The processing of personal data shall be lawful to the extent that it is necessary and proportionate for:
- the performance of a function of a controller conferred by or under an enactment or by the Constitution; or
- the administration by or on behalf of a controller of any non-statutory scheme programme or funds where the legal basis for such administration is a function of a controller conferred by or under an enactment or by the Constitution.
In addition, there is the possibility that ministerial regulations may be enacted in relation to the processing of personal data which is necessary for the performance of a task carried out in the public interest by a controller or which is necessary in the exercise of official authority vested in a controller.
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
See Q3(b) above.
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
The 2018 Act provides that the following processing of personal data and sensitive personal data, where necessary and proportionate, will not be considered to be incompatible with the initial purposes:
- preventing a threat to national security, defence or public security; or
- preventing, detecting, investigating or prosecuting criminal offences.
In respect of sensitive personal data only, the processing of such will not be considered to be incompatible where necessary and proportionate for the purposes of:
- providing or obtaining legal advice or for the purposes of, or in connection with, legal claims and proceedings (including prospective legal claims and proceedings); or
- establishing, exercising or defending legal rights.
Q4/ Consent of children
At what age can a child give their consent to processing in relation to ISS?
16 years of age for ISS purposes only. The 2018 Act provides that a child for the purposes of the GDPR is any person under 18 years of age. However, for non-information society services, whether a child can consent (rather than the consent of a parent or guardian) will depend on the maturity of the child and their level of understanding of the processing.
Q5/ Processing of sensitive personal data
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
All sensitive personal data can be processed if the data subject’s valid consent has been obtained.
b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
Suitable and specific measures must be taken to safeguard the fundamental rights and freedoms of data subjects (e.g., employees). Irish law is not prescriptive as to the form of these measures. It does, however, include non-exhaustive examples. Some of the measures relevant in an employment context include limiting access to personal data undergoing processing in a workplace and encrypting data.
(ii) Substantial public interest
There are no specific rules on processing this category of data. However, the 2018 Act provides that ministerial regulations may be enacted in the future in respect of authorising processing, where necessary for reasons of substantial public interest, in either or both of the following cases:
- sensitive personal data; and/or
- personal data relating to criminal convictions and offences (without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (“Spent Convictions Act”)).
No such ministerial regulations have so far been enacted.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
Suitable and specific measures must be taken to safeguard the fundamental rights and freedoms of data subjects.
In addition, such processing is subject to the requirement that the processing is undertaken by or under the responsibility of:
- a health practitioner, which includes, among others, a registered medical practitioner; or
- a person who owes a duty of confidentiality to the data subject which is equivalent to the health practitioner/ patient relationship.
(iv) Public interest in the area of public health
Under the 2018 Act, such processing requires the implementation of suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects. The 2018 Act does not prescribe the specific measures to be undertaken but includes non-exhaustive examples such as ensuring strict time limits for the erasure of personal data and that the processing be undertaken by a health practitioner.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
Under the 2018 Act, such processing requires the implementation of suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects. Similarly to the above, the 2018 Act is not prescriptive as to the specific measures. The processing must also respect the data minimisation principle and where the purposes can be fulfilled by processing which does not permit, or no longer permits, identification of data subjects, the processing will be carried out in that manner.
(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?
Genetic data: The processing of genetic data for genetic testing purposes requires the consent of the individual under the Disability Act 2005 as amended (“2005 Act”) and must not otherwise be prohibited by law. Consent is interpreted by reference to the GDPR.
The 2005 Act also prohibits the processing of genetic data in certain circumstances including for the purposes of insurance or a life assurance policy. In addition, reasonable steps must be taken to provide the individual with appropriate information as to the purposes and possible outcomes of the proposed processing and any potential health implications for the individual which become known as a result of the processing.
Biometric data: Depending upon the legal basis relied upon for the processing of biometric data, the 2018 Act may impose additional requirements such as the requirement to have in place suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects where the processing of biometric data is for the purposes of carrying out its obligations under employment law.
Health data: Explicit consent must be obtained from data subjects whose personal data is processed for health research purposes, except in limited circumstances. The Health Research Regulations also require in certain circumstances that an Impact Assessment is carried out before the processing of personal data for health research purposes.
The processing of health data is lawful where it is necessary and proportionate for the purposes of:
- an insurance policy or life assurance;
- health insurance or health-related insurance policy;
- an occupational pension, retirement annuity contract or any other pension arrangement; or
- the mortgaging of a property. This is subject to the requirement that suitable and specific measures to safeguard the rights and freedoms of data subjects must be implemented.
Q6/ Data relating to criminal offences or convictions
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
Without prejudice to the Spent Convictions Act and subject to suitable and specific measures being taken, personal data relating to criminal convictions and offences may only be processed where:
- it is done under the control of official authority; or
- one or more of the following conditions have been met. Such conditions include:
- where the data subject has provided their explicit consent;
- the processing is necessary and proportionate for the performance of a contract to which the data subject is a party to;
- the processing is necessary for the purpose of obtaining or providing legal advice or establishing, exercising or defending legal rights;
- the processing is necessary to prevent injury or other damage to the data subject or another person or loss in respect of damage to, property or otherwise to protect the vital interests of the data subject or another person; or
- the processing is permitted by ministerial regulations or otherwise authorised by the law of the State. At this time, no such ministerial regulations have been enacted.
The above conditions are without prejudice to the Spent Convictions Act which provides that certain specified minor convictions that date back seven years are known as “spent” and the individual is not required by law or general agreement to disclose the conviction or circumstances relating to it except in certain circumstances. This often arises in the context of employment background checks, and organisations should bear in mind that they should not ask individuals to disclose any spent convictions.
(a) Does national law specify exemptions to a data subject’s right to erasure?
A data subject’s right to erasure may be restricted in certain circumstances, including:
- legal claims;
- civil law claims;
- prevention, detection or investigation of offences;
- estimating the liability of a controller;
- confidential expressions of opinions;
- legal privilege; and
- the exercise of the right to freedom of expression.
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
A data subject’s right to information may be restricted in certain circumstances, including:
- legal claims;
- civil law claims;
- prevention, detection or investigation of offences;
- estimating the liability of a controller;
- confidential expressions of opinions; and
- legal privilege.
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
The 2018 Act provides additional exemptions to those set out in Art. 22(2)(a) & (c) GDPR. In particular, the data subject’s right does not apply where:
- the decision is authorised or required by or under an enactment; and
- the effect of that decision is to grant the data subject’s request; or
- adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject, including making arrangements to enable him or her to make representations regarding the decision, request human intervention in the decision-making process or request to appeal the decision.
The exemptions set out in Q7(a) & (b) above also apply.
Q8/ Restrictions on data subjects’ rights
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
The right of an individual to object to the processing of their personal data under Art. 21 GDPR does not apply to processing carried out:
- in the course of electoral activities in the State; or
- by the referendum commission in the performance of its functions.
Where personal data is processed for archiving purposes in the public interest, the rights of data subjects under Arts. 15 (access right), 16 (right to rectification), 18 (right to restriction), 19 (right to be notified of the rectification, erasure or restriction of personal data), 20 (right to data portability) & 21 (right to object) GDPR will be restricted to the extent that:
- the exercise of those rights would likely render impossible, or seriously impair the achievement of the purposes of archiving in the public interest; and
- the restriction is necessary for fulfilling the purposes of archiving in the public interest.
Where personal data is processed for scientific or historical research purposes or statistical purposes, the rights of data subjects under Arts. 15 (access right), 16 (right to rectification), 18 (right to restriction) & 21 (right to object) GDPR will be restricted to the extent that:
- the exercise of those rights would likely render impossible, or seriously impair the achievement of those purposes; and
- the restriction is necessary for fulfilling those purposes.
Q9/ Joint controllership
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
There are no additional rules on apportionment of liability between joint controllers.
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
There are no additional pieces of legislation.
Q11/ Impact Assessments
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
Pursuant to Art. 35(4) GDPR, the DPA has adopted a list (see here) specifying the circumstances in which an Impact Assessment is required. Such circumstances include the profiling of vulnerable persons (including children) to target marketing or online services at them and the profiling or use of algorithms or sensitive personal data to determine access to services.
The Health Research Regulations also require that an Impact Assessment be carried out in certain circumstances where personal data is processed for health research purposes.
Q12/ Prior authorisation and public interest
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
Prior consultation with the DPA in writing is required by the 2018 Act where the outcome of a data protection Impact Assessment indicates that, despite the implementation of safeguards such as mitigating measures, the processing would result in a high risk to the rights and freedoms of individuals. In addition, ministerial regulations may be enacted to provide for additional circumstances mandating consultation with the DPA.
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
Ministerial regulations may be enacted under the 2018 Act which would designate that certain classes of controllers, processors and associations or other bodies representing controllers and processors be mandatorily required to appoint a DPO. At the time of writing, no such ministerial regulations have been enacted.
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
DPOs are not subject to secrecy obligations under national law.
Q14/ International data transfers
(a) Does national law make specific rules about transfers of personal data from public registers?
Data transfers from public registers are not subject to specific rules.
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
Data transfers are not subject to restrictions beyond those set out in the GDPR. However, under the 2018 Act there is the potential for ministerial regulations to be enacted for reasons of important public policy. At the time of writing, no such ministerial regulations have been enacted.
(a) Details of the DPA(s).
- Name of DPA: Data Protection Commission
- Address: 21 Fitzwilliam Square South, Dublin 2, R02 RD28, Ireland
- Website: dataprotection.ie
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
Not applicable as there is only one DPA.
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
The law in Ireland does not grant the DPA any additional powers; however, it is more specific in terms of the form of those powers. For example, the DPA can require employees to produce to the DPA any records or documents within their possession or control or procurement that may be relevant to the DPA’s investigations; this is a form of investigatory power.
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
Where the DPA decides to issue an information notice, enforcement notice or to impose an administrative fine, the controller or processor has 28 days from the date on which it is notified of the decision to appeal to court.
With respect to a decision to impose an administrative fine, the appropriate court is the Circuit Court for fines that are €75,000 or less. Otherwise, such appeals will be heard in the High Court.
With respect to a decision to issue an information notice or an enforcement notice, the Circuit Court, concurrently with the High Court, has jurisdiction to hear and determine the appeal.
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
While a controller or a processor can refuse to provide information on the basis that it is subject to legal privilege, it is open to the DPA (or its authorised officers) to apply to the High Court for a determination as to whether the information, or any part of it, is a privileged legal material.
There are certain conditions that the DPA (or its authorised officers, as applicable) must satisfy to bring such an application, in particular:
- it has reasonable grounds for believing it is not so privileged;
- due to the manner or extent to which the information is presented with other information, it is impossible or impracticable to extract only such information; and
- it has reasonable grounds to suspect that the information contains evidence relating to an infringement of a relevant enactment or provision.
Q16/ Claims by not-for-profit bodies
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
National law does not specify any particular not-for-profit bodies that are mandated to bring such claims.
Q17/ Administrative fines, penalties and sanctions
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
Where the DPA decides to impose an administrative fine on a processor or a controller that is a public authority or a public body, but is not a public authority or public body that acts as an undertaking within the meaning of the Competition Act 2002, the administrative fine will not exceed €1 million.
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
A range of penalties can be imposed under the 2018 Act, including:
- Failure to comply with an information notice: Failure to comply with an information notice, without reasonable excuse, or the provision of false or misleading information in a material respect constitutes an offence. On summary conviction, a class A fine (i.e., up to €5,000) and/or imprisonment for a maximum term of 12 months may be imposed. A conviction on indictment may be subject to a fine of up to €250,000 and/or imprisonment for a maximum term of five years;
- Failure to comply with an enforcement notice: Failure to comply with an enforcement notice, without reasonable excuse, or failure to notify the DPA or the data subject of the steps taken to comply with the enforcement notice within 28 days will constitute an offence. On summary conviction, a class A fine and/ or imprisonment for a maximum term of 12 months may be imposed. A conviction on indictment may be subject to a fine of up to €250,000 and/or imprisonment for a maximum term of five years;
- Obstructing or impeding a reviewer: The DPA can require a controller or a processor by written notice to provide it with a report on any matter specified in the notice. In accordance with the provisions of the 2018 Act, a person referred to as a “reviewer” must be nominated either by the relevant controller or processor or by the DPA to prepare the report. Any person who obstructs or impedes a reviewer in the preparation of the report, or knowingly gives false or misleading information in a material respect, is guilty of an offence. Similarly, a reviewer who in the preparation of the report provides knowingly false or misleading information in a material respect is guilty of an offence. On summary conviction, a class A fine and/ or imprisonment for a maximum term of 12 months may be imposed. A conviction on indictment may be subject to a fine of up to €250,000 and/or imprisonment for a maximum term of five years;
- Disclosure without the controller’s prior authority: A processor who knowingly or recklessly discloses personal data without the controller’s prior authority commits an offence. On summary conviction, a class A fine and/or imprisonment for a maximum term of 12 months may be imposed. A conviction on indictment may be subject to a fine of up to €50,000 and/or imprisonment for a maximum term of five years;
- Unauthorised disclosure and sale: A person who discloses personal data without the controller or processor’s prior authority commits an offence. A person who sells personal data that was disclosed to them in an unauthorised manner commits an offence. On summary conviction, a class A fine and/ or imprisonment for a maximum term of 12 months may be imposed. A conviction on indictment may be subject to a fine of up to €50,000 and/or imprisonment for a maximum term of five years; and
- Personal liability for officers: Personal liability can be imposed on directors or other officers of a company where it is proven that an offence committed under the 2018 Act has been committed with their consent or connivance or is attributable to their neglect.
Q18/ Freedom of expression and information
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
The 2018 Act provides that the processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes and for the purposes of academic, artistic or literary expression, will be exempt from compliance with certain provisions of the GDPR where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with the provisions would be incompatible with such purposes.
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
See Q18(a) above.
Q19/ National identification numbers
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
The closest equivalent to a national identification number in Ireland is a personal public services number (PPSN). The use of a PPSN is governed by the Social Welfare Consolidation Act 2005. Subject to certain limited exceptions, a person who uses a PPSN or seeks to have a PPSN disclosed to him is guilty of an offence. An employer may use a PPSN for limited purposes, e.g., corresponding with the Revenue Commissioners in connection with the payment of an employee. The exceptions include a “specified body”, which are largely public bodies such as the Revenue Commissioners and the Health Services Executive and for persons who have a transaction with a “specified body” where the PPSN is relevant to the transaction.
Q20/ Processing in the context of employment
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
The 2018 Act permits the processing of sensitive personal data for the purposes of exercising rights and obligations under employment law which is based on Art. 9(2)(b) GDPR. However, it includes an additional requirement that suitable and specific measures be taken to safeguard the rights and freedoms of data subjects.
The 2018 Act also permits the processing of sensitive personal data as necessary, and subject to specific measures being taken to safeguard the employee’s rights and freedoms, for the purposes of preventative or occupational medicine or for the assessment of the working capacity of an employee, which is based on Art. 9(2)(h) GDPR. In addition, the processing must be carried out by or under the responsibility of a health practitioner or a person who in the circumstances owes confidentiality obligations to the data subject which are equivalent to those of a health practitioner.
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
There are no specific safeguards of this nature.
Q21/ Other material derogations
Are there any other material derogations from, or additions to, the GDPR under national law?
There are no other material derogations.
Q22/ Current legal challenges
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
There are no current legal challenges ongoing.
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
The DPA has yet to take enforcement action for breaches of the GDPR. However, it appears from the DPA’s most recent annual report and press releases that the DPA has 20 open statutory inquiries in relation to multinational technology companies’ compliance with the GDPR. The DPA special investigations unit has opened 31 inquiries into surveillance by the state for law enforcement purposes, including in respect of the use of technologies such as CCTV, body cameras, automatic number plate recognition and drones.
Q24/ Regulatory Guidance
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
The DPA has issued high-level guidance on various topics, including:
- guidance on limiting data subject rights and the application of Art. 23 GDPR (see here);
- data processing operations that require an Impact Assessment; (see here)
- a practical guide to controller and processor contracts (see here);
- guidance on appropriate qualifications for a DPO (see here); and
- guidance on CCTV for controllers (see here: dataprotection.ie/en/guidance-landing/guidance-use-cctv-data-controllers).
McCann FitzGerald contributors
Paul is head of the Technology and Innovation Group at McCann FitzGerald and advises on a wide range of data protection, information technology, outsourcing, e-commerce, confidentiality and intellectual property issues. He writes and lectures widely on these and other topics.
Paul has provided specialist advice in the complex and evolving area of data protection law for over 22 years and is an expert in the field. He advises clients on all aspects of data protection/ GDPR compliance, including fair and transparent processing obligations, data protection policies and procedures, records of processing activities, subject access requests, international data transfers, data security, data retention and marketing obligations.
Paul writes and lectures widely on data protection and related issues. Paul’s articles have been included in various journals including the firm’s Technology and Innovation e-zine and external journals such as E-Commerce Law and Policy, Data Protection Ireland and the Sunday Business Post.
Catherine practises in McCann FitzGerald’s Technology and Innovation Group where she works closely with Paul Lavery and Adam Finlay advising on data protection, information technology, intellectual property and commercial contractual matters.
Catherine has advised clients in the public and private sector on compliance with the GDPR and the legal mechanisms for international data transfers, and has experience in liaising with the Data Protection Commission.
- Foreword and issue-by-issue comparison
- Country-by-country guides:
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP