This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that apply in Ireland.
This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
The collection and use of personal data is primarily governed by the General Data Protection Regulation (GDPR) and the Data Protection Act, 2018 (DPA 2018). The latter gives further effect to the GDPR (the GDPR and DPA 2018 together being the 'Legislation'). The Legislation is not sector specific and applies to anyone collecting and using personal data. Personal data is any information relating to an identifiable person who can be directly identified (such as by their name and contact details) or indirectly identified in particular by reference to an identifier (such as an IP address, cookie data or location data). If a person collects information about individuals for any reason other than its own personal, family or household purposes, they will need to comply with the Legislation. The law will catch most businesses and organisations, whatever their size. It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
The Data Protection Commission (DPC) regulates data protection, provides advice and promotes good practice. It also conducts audits, considers complaints and breach reports, monitors compliance and takes enforcement action where appropriate.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
No, there is no requirement for data controllers or data processors (each as defined in 3 below) to register with, or to obtain a licence from, the DPC.
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Ireland (along with the EU) uses the terms personal data and special category data. These concepts are not identical to the term personally identifiable information (PII).
Personal data is any information relating to an identified or identifiable natural person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data is treated as 'special category' personal data if the data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or if it is genetic data or biometric data that is processed for the purpose of uniquely identifying a natural person, or if it is data concerning health or data concerning a natural person’s sex life or sexual orientation ('special category data').
What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. If a business is considering whether an individual is identifiable, the business will need to take into account the information it is processing together with all the means reasonably likely to be used to identify that individual. Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ (or tells something about) an individual.
The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.
Other key definitions include:
- a 'controller', being the party that determines the purposes and the means by which the personal data is processed. For example, a business may determine what data it collects, and how it uses it in respect of its employees. It will be a controller in respect of that data; and
- a 'processor', being the party that processes personal data on behalf of a controller. For example, a service provider that provides payroll services for an employer will typically be a processor.
Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?
A controller will be responsible for, and must be able to demonstrate compliance with, the fundamental data protection principles, namely to:
- process personal data lawfully, fairly and transparently;
- ensure the purposes of processing are specified, explicit and legitimate;
- ensure the processing of personal data is adequate, relevant and not excessive;
- keep personal data accurate and up to date;
- not keep personal data longer than necessary; and
- process personal data in a secure manner.
There is also an overriding principle of accountability. A controller is responsible for and must be able to demonstrate compliance with the principles by having appropriate, documented records, processes, policies and training.
A controller must provide data subjects with a 'fair processing notice', setting out how relevant data will be used and disclosed, the lawful basis for the processing and the individual's rights, amongst other things. This information should be easily accessible, easy to understand, and in clear and plain language.
A controller must also establish a legal basis for processing personal data, and show that one of the following applies:
- the individual has given their consent to the processing;
- the processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for the compliance with a legal obligation;
- the processing is necessary to protect the vital interest of the data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
- the processing is necessary for the purpose of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights and freedoms of the data subject (particularly where the data subject is a child).
There are more limited lawful bases for processing special category data, one of which must apply in addition to one of the lawful bases above. These include (but are not limited to) processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defence of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, social security and social protection law.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
Consent is one of the lawful bases that controllers can rely on to process personal data. It tends to be used where no other lawful basis can be relied upon, as valid consent can be difficult to obtain and can be withdrawn by the data subject. It is used when required by law, for example for direct marketing by email or text (unless the soft opt-in applies).
In order for consent to be valid, it must meet certain requirements. Consent is defined as:
'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'.
Consent can be given electronically, in writing or orally. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement/conduct clearly indicating acceptance of the proposed processing. In each case some affirmative action should be given. Silence, pre-ticked boxes or inactivity do not constitute valid consent.
When special categories of data are being processed, there is also an additional requirement that the consent needs to be 'explicit'.
For consent to be informed, the data subject must be notified at least of the controller's identity and the purposes of processing. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, separate consents should be given for each of the purposes and should be clearly distinguishable.
The data subject will have, and must be informed of, the right to withdraw consent (in an easy way) at any time. This will not affect the lawfulness of the processing preceding the withdrawal.
Consent may not be considered to be "freely given" if:
- performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of the contract;
- there is a clear imbalance between the data subject and the controller (e.g. in an employment relationship); or
- the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Records of consents obtained should be kept to demonstrate compliance with the principles.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Sensitive personal data is now called "special categories" of personal data (see 3 above), and the processing of special category data is prohibited unless an exception applies.
The exceptions include (but are not limited to) processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defence of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, social security and social protection law.
"Special categories" of personal data has been expanded to include biometric data for the purpose of uniquely identifying a natural person, and genetic data. "Data concerning health" has also been specifically defined as "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status". 'Wellbeing' data could therefore be caught by the rules regarding the processing of special category data. Reference to sexual orientation has now also been expressly added to the definition.
Criminal convictions and offences are not included within the definition of special category data. However, the DPA 2018 deals with this type of data in a similar way. In order to process criminal conviction data, a controller must have a lawful basis, meet a condition set out in section 55 of the DPA 2018 and comply with the safeguards set out in that Act.
How do the laws in your jurisdiction address children’s PII?
Children need particular protection when their personal data is being collected and processed as they may be less aware of the risks involved or their rights. A controller will need to assess the safeguards that they need to put in place in order to make sure that the processing is fair and that a lawful basis is met.
In relation to the offer of online services directly to a child (information society services), if the data subject is a child of at least 16 years old and they have given consent to the processing of his/her personal data, the processing will be lawful (provided all other requirements of the GDPR and DPA 2018 are met). Where the child is below 16 years, such processing shall be lawful only if consent is given or authorised by the holder of parental responsibility over the child. This will not apply if the information society services offered to the child are preventative or counselling services.
The controller must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility.
Any information and communication where processing is addressed to a child should be in clear and plain language that the child can easily understand. Children have the same rights as adults in relation to the processing of their data, and the right to erasure of data is particularly relevant if they gave their consent to the processing when they were a child.
An issue may arise because a different age of consent will apply in different countries, so organisations with a European reach will have to know the location of the child to ensure the right rules can be applied.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Both controllers and processors must maintain a record of processing activities (ROPA) which must be made available to the DPC on request.
The ROPA should contain:
- the name and contact details of the organisation (and where applicable, of other controllers, the organisation representative and their data protection officer);
- the purposes of the processing;
- the lawful basis for the processing;
- a description of the categories of individuals and categories of personal data;
- the categories of recipients of personal data;
- details of any transfers to third countries including documenting the transfer mechanism safeguards in place;
- retention periods; and
- a description of any technical and organisational security measures.
This obligation does not apply to organisations with fewer than 250 employees unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special category data or data related to criminal convictions or offences.
To comply with the accountability principle and to meet its privacy by design obligations, a controller must document its processes and policies so that it can demonstrate how it has sought to comply with the data protection principles. It should have a range of policies tailored to its business such as a data protection policy, retention and disposal policy, data breach policy, marketing policy, consent records, data maps, training materials and processes to comply with the data protection principles and to enable individuals to exercise their rights.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
A controller must carry out a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to individuals.
If, in the DPIA, a controller identifies a high risk that they cannot sufficiently mitigate or reduce, they must consult with the DPC prior to commencing the processing. When consulting the DPC, a controller must provide details of:
- where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
- the purposes and means of the intended processing;
- the measures and safeguards provided to protect the rights and freedoms of data subjects;
- where applicable, the contact details of the data protection officer;
- the data protection impact assessment; and
- any other information requested by the DPC.
The DPC is required to respond within eight weeks of the request for consultation and provide written advice to the controller (the period may in certain circumstances be extended). Where appropriate, the DPC may exercise its powers in respect of the proposed processing (such as issuing a warning not to process the personal data).
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Yes, a DPIA should be carried out where the intended processing is "likely to result in high risks" to data subjects.
Some examples of processing where a DPIA is required are stated in the GDPR:
- the systematic or extensive evaluation of personal aspects identified through means of automated processing, and on which decisions are based that produce legal effects or significantly affect the person;
- processing special category data, such as health data, on a large scale or personal data relating to criminal convictions and offences; and
- the systematic monitoring of a publicly accessible area on a large scale.
The DPC's current guidance also indicates a DPIA is required for certain types of processing operations where a documented screening or preliminary risk assessment indicates that the processing operations are likely to result in a high risk to the rights and freedoms of individuals, and they include (but are not limited to):
- use of personal data on a large-scale for a purpose other than that for which it was initially collected;
- profiling vulnerable persons (including children) to target marketing or online services at such persons;
- use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects;
- systematically monitoring, tracking or observing individuals’ location or behaviour;
- profiling individuals on a large-scale;
- processing biometric data or genetic data in certain cases; and
- combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for different purposes or by different controllers.
The DPIA should be carried out prior to any processing and contain at least:
- a description of the proposed processing, its purposes and the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks.
The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. When appropriate, the controller should seek the views of the data subject (or their representatives) on the intended processing.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
A person must appoint a data protection officer (DPO) if:
- it is a public authority or body (except for courts acting in their judicial capacity);
- its core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. A group of undertakings can select a single DPO provided that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities.
If a decision is made to voluntarily appoint a DPO, the organisation should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
The DPO’s tasks (at a minimum) are:
- to inform and advise on data protection laws;
- to monitor compliance with data protection laws, and with the business' data protection policies, including training staff and conducting internal audits;
- to advise on, and to monitor, data protection impact assessments;
- to cooperate with the DPC and other supervisory authorities; and
- to be the first point of contact for supervisory authorities and for data subjects whose data is processed.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Individuals have the right to be informed about the collection and use of their personal data. Transparency is a key requirement.
At the time personal data is obtained from a data subject, a controller must provide the data subject with the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party where the 'legitimate interests' lawful basis is being used;
- the recipients or categories of recipients of the personal data, if any;
- the source of the data;
- retention periods;
- details of the individual's rights, including the right to withdraw consent;
- the right to lodge a complaint with a supervisory authority;
- whether there is a statutory or contractual obligation to provide certain details, and the consequences of not providing these;
- whether automated decision making or profiling is being conducted, with meaningful information about the logic used and the intended consequences of the processing; and
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the mechanism that is being relied upon to legitimise the transfer (and where relevant how to obtain a copy).
When personal data is obtained from a source other than the individual that it relates to, the individual needs to be provided with the above privacy information:
- within a reasonable period of obtaining the personal data and no later than one month;
- if that data is used to communicate with the individual, at the latest, when the first communication takes place; or
- if disclosure of the data to another party is envisaged, at the latest, when the data is first disclosed.
The controller must actively provide the necessary information to individuals. The controller can meet this requirement by putting the information on its website, but the controller must make individuals aware of it and give them an easy way to access it. For all audiences, the information must be:
- easily accessible; and
- in clear and plain language.
When providing the information to individuals, a combination of techniques can be used such as a layered approach to presenting the information, privacy dashboards, just in time notices and icons. It is also good practice to carry out user testing on draft privacy information to get feedback on how easy it is to access and understand. After it is finalised, regular reviews should be carried out to check it remains accurate and up to date. If the controller plans to use personal data for any new purposes, they must update their privacy information and proactively bring any changes to the attention of relevant individuals.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
Processors do not have the same obligations as controllers, but they do have a number of direct obligations of their own.
New statutory obligations were imposed by the GDPR and DPA 2018 on processors in relation to processing contracts, security measures, security breach notifications, data protection officers and record-keeping.
Processors are also subject to the relevant investigative and corrective powers of the DPC, and may be subject to administrative fines or other penalties for breaches of their direct obligations under the DPA 2018. They may also be contractually liable to the controller for any failure to meet the terms of their agreed contract. This will of course depend on the exact terms of that contract.
A processor can be held liable to pay compensation for any damage caused by its processing (including non-material damage such as distress). The processor will only be liable for the damage if:
- it has failed to comply with the provisions specifically relating to processors; or
- it has acted without the controller’s lawful instructions or against those instructions.
Processors will not be liable if they can prove they are not in any way responsible for the event giving rise to the damage.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
Yes, there are minimum mandatory contractual provisions that data processing clauses/contracts with a processor must contain, which include an obligation to flow-down those obligations to sub-contractors. Failing to include these is itself a breach. If data is being shared between two independent controllers, an appropriate data sharing agreement should be entered into by the parties.
The new contractual commitments to be imposed on processors include assisting with many of the obligations imposed on controllers (such as controllers' obligations to respond to the exercise of data subject rights, data security and other governance obligations).
Processors also have a direct statutory 'policing' obligation, to "immediately inform" the controller if, in the processor's opinion, an instruction infringes the DPA 2018.
A restriction on appointing sub-processors must also be included whereby sub-processors cannot be engaged without the controller's prior consent, which may be given by way of a general written authorisation, but if general then proposed changes must be notified in advance to give controllers a chance to object. If a sub-processor fails to fulfil its data protection obligations, the initial processor must be fully liable to the controller for the performance of that sub-processor's obligations.
A controller will need to conduct due diligence on a proposed processor to enable it to show how it has sought to comply with the data protection principles. This will include the security measures that the processor has in place.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorisation from a regulator?)
Transfers of personal data to countries outside the European Economic Area are only permitted if certain conditions are satisfied. The restriction applies to all transfers, no matter the size of transfer or how often they are carried out.
To enable a transfer to take place, the transferring organisation must identify if the transfer is to a country which is covered by an EU Commission 'adequacy decision'. If there is no adequacy decision then the organisation must put in place an appropriate safeguard to enable the transfer to take place. Most organisations use the EU Commission model contracts, however there are other mechanisms such as binding corporate rules for internal group transfers that can be used.
In the absence of an EU Commission adequacy decision, or of appropriate safeguards, a transfer may only take place if one of the specific derogations/conditions apply, such as the data subject has given their explicit consent, the transfer is necessary for performance of a contract, important reasons of public interest or the establishment, exercise or defence of legal claims, or is necessary to protect the vital interests of the data subject or other persons where the data subject is physically or legally unable to give consent.
It is also currently possible to rely on Privacy Shield for transfers to the USA, subject to any potential future case-law challenges that may arise.
A controller should consider the impact that Brexit will have on its processing arrangements. In particular, flows of data from the EU to the UK should be assessed and a decision made as to whether adequate safeguards need to be put in place post Brexit.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
Both the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. The parties should take into account factors such as the state of the art, implementation costs and the context of processing. Such measures could include pseudonymisation, encryption of personal data and a process for regularly testing the effectiveness of such measures.
Measures should be put in place following an evaluation of the risks in order to prevent unauthorised or accidental processing and to ensure it is possible to establish the precise details of any processing that takes place. The measures must ensure the confidentiality, integrity and availability of the systems and services that process personal data, and the data itself. Such measures should enable the controller to restore the personal data in a timely manner in the event of a physical or technical incident.
Does your jurisdiction impose requirements of data protection by design or default?
Yes, a business must put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is known as privacy by design. It means a controller should consider data protection in everything it does and in any new projects, systems and processes (or changes to existing ones).
In essence, this means a business has to integrate data protection into its processing activities and business practices, from the design stage right through the data lifecycle. This pro-privacy methodology includes appropriate measures in order to safeguard data subjects, both when determining the means for processing and when processing personal data. These measures can include the encryption and pseudonymisation of personal data.
It also means that controllers must implement measures to ensure that only personal data which is necessary for each specific purpose is processed. This applies to the amount of personal data, extent of processing and period of storage.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Yes. Under the Data Protection Act 2018, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
An organisation should ensure it has robust breach detection, investigation and internal reporting procedures in place to help it determine whether it needs to notify the DPC and the affected individuals of a personal data breach.
An organisation must keep a record of any personal data breaches, regardless of whether it is required to notify the breach.
An organisation may also be required to notify a security breach under sector specific laws, such as the ePrivacy Regulations 2011 for certain service providers.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
The DPA 2018 introduces a duty on a controller to report certain types of personal data breaches to the relevant supervisory authority.
When a personal data breach has occurred, an organisation will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk, then the organisation must notify the breach to the DPC. If it is unlikely to result in a risk, then the organisation does not have to report it. However, if the organisation decides that it does not need to report the breach, it will need to be able to justify this decision, and will need to keep a record of the breach, the analysis and the decision not to report.
In addition, if a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the organisation must inform the individuals concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the DPC. The business will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher. Similarly, if the likelihood of the consequences is greater, then again the risk is higher. In such cases, the organisation will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
The report to the DPC must be made within 72 hours of the controller becoming aware of the breach. If the organisation decides not to notify individuals, it will still need to notify the DPC unless it can demonstrate that the breach is unlikely to result in a risk to the affected individuals' rights and freedoms. The DPC has the power to compel an organisation to inform affected individuals if it considers there is a high risk.
An organisation must document the facts relating to the breach, its effects and the remedial action taken. This is part of its overall obligation to comply with the accountability principle, and allows the DPC to verify its compliance with its notification duties.
Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.
Individuals have a range of rights under the GDPR and DPA 2018. They have the right to be given a fair processing notice, access their personal data, have data rectified or erased (also known as the 'right to be forgotten'), or restrict its use or transfer to another party, in certain circumstances.
Where legitimate interests is the lawful basis for processing the data, a data subject can object to the processing in which case the controller must assess whether it can continue to process the data (this is called the legitimate interests balancing test/assessment). An individual has the right to object to receiving direct marketing and to withdraw any consent they have given for a processing activity – if they object or withdraw their consent this must be complied with.
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them unless certain conditions are met.
The right of access, commonly referred to as the data subject access right, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their data, and check they are doing it lawfully.
Data subject rights may not apply or may be restricted in certain circumstances (principally as set out in the DPA 2018). Restrictions on data subject rights tend to be narrowly construed by the DPC.
Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
A data subject can bring an action against a controller or processor where they consider their rights have been infringed. Proceedings can be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. An individual can complain to the DPC which can take enforcement action along with other relevant supervisory authorities.
Any person who has suffered material or non-material damage as a result of a breach by a controller or processor has the right to receive compensation from the controller or processor for the damage suffered (including for distress).
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
The DPC has a range of powers it can exercise, including carrying out investigations and audits, imposing a fine and restricting or stopping the processing of personal data.
The DPC can make a decision to impose a fine on a controller or a processor for a breach of the obligations that apply to it. There is a two tier system of fines reflecting the seriousness with which a breach of specified obligations is viewed. For example, breaches of the principles, conditions applicable to consent, lawful basis, individuals' rights and restricted transfers provisions are subject to the higher tier of up to €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a data protection impact assessment, a processor's obligations, privacy by design and appointing a data protection officer (amongst others) are subject to a lower standard tier where the maximum fine is €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The GDPR sets out various factors that the DPC will take into account when making a decision as to whether to impose a fine and the amount of the fine. Those factors include the nature, gravity and duration of the infringement, any mitigating action taken, previous infringements and the intentional or negligent character of the infringement.
If the DPC makes a decision to impose a fine, the relevant controller or processor can appeal the DPC's decision to the Irish courts. The courts have authority to approve the decision, vary the decision (including to impose a different or no fine), or annul the decision.
If the controller or processor does not appeal the DPC's decision to impose a fine, the DPC is required to apply to the Irish courts for confirmation of the decision. The courts will confirm the decision unless they determine that there is good reason not to do so.
Other enforcement actions the DPC can take include:
- issuing an information notice to require any person to provide information as is necessary or expedient for the performance by the DPC of its functions; and
- issuing an enforcement notice which requires a person to take steps specified in the notice, or refrain from taking steps specified in the notice, or both.
A failure to comply with either such notice is an offence under the DPA 2018, but the issuing of either notice can be appealed to the Irish courts.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The DPA 2018 sets out exemptions from some of the rights individuals have under the GDPR and the obligations the GDPR imposes on a controller. How the exemptions are applied and the extent of the exemption will differ depending on the circumstances and they tend to be narrowly construed by the DPC. The exemptions are intended to be considered on a case by case basis and if a controller relies on an exemption it should be in a position to justify and document its reasons for doing so. This is part of the accountability obligation that applies to a controller.
Exemptions to the usual rules on processing include situations where personal data is processed for:
- preventing and detecting crime, prosecuting offenders and assessing or collecting a tax or duty;
- compliance with a legal obligation or in connection with legal proceedings;
- discharging functions designed to protect the public;
- discharging a regulatory function conferred under specific legislation;
- journalistic, academic, artistic or literary purposes; and
- scientific or historical research purposes or for statistical purposes.
There are also a number of exemptions that relate to the processing of health data in certain circumstances.
Some types of processing of personal data are not covered by the GDPR. Examples are:
- personal data that is processed for purely personal or household activity with no connection to a professional or commercial activity; and
- processing of personal data by competent authorities for law enforcement purposes, eg police investigating a crime. This processing is covered by the DPA 2018.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them. This applies where there is no human involvement in the decision-making process. Such a process can only be carried out by an organisation if the decision is:
- necessary for entering into or performance of a contract between the organisation and the individual;
- authorised by law; or
- based on the individual’s explicit consent.
If special category personal data is involved, the organisation can only carry out such processing:
- if it has the individual’s explicit consent; or
- if the processing is necessary for reasons of substantial public interest.
The controller must inform the data subject of the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Please describe any laws addressing email communication or direct marketing?
Marketing activities using personal data have to comply with the GDPR and ePrivacy Regulations 2011.
Where personal data is processed for the purposes of direct marketing, the data subject has a right to object to the processing. This right should be explicitly brought to the attention of the data subject at the time their data is collected and presented clearly and separately from any other information.
Where the data subject objects to processing for direct marketing purposes, the business should not continue to process the data for such purposes (including any profiling relating to such direct marketing).
In addition, under the ePrivacy Regulations 2011 there are rules governing marketing by certain methods. For example, electronic marketing messages (such as email) and text marketing can only be sent to customers with their consent unless the soft opt-in applies. There are also rules relating to telephone marketing which require the number to be screened against the National Directory Database.
The soft opt-in applies where the details are collected in the context of a sale of a product or service and (a) the marketing relates to the same or similar goods/services as those purchased; (b) the customer is given the opportunity to opt out at the time of the purchase and in every communication thereafter; and (c) the marketing comes directly from the contracting entity that sold the goods or services.
When relying on consent to direct market, an organisation should specify the different methods they want to use (eg by email or text). In addition, the organisation must ask for specific consent if it wants to pass details to other companies, and it must name or describe those companies in detail.
A business should also keep clear records of consent, and keep a ‘do not contact’ list of anyone who objects, opts out or withdraws their consent.
At the time of writing, a new European E-Privacy Regulation is currently being prepared which will impact the above.