Table of Contents
Data Protection Act 2018 (No. 7)Introductory TextActs Referred toPart 1 Preliminary and general (ss. 1-8)1. Short title, citation and commencement2. Interpretation3. Designation by appropriate authority4. Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances5. Expenses6. Regulations7. Repeals and revocations8. Application of Data Protection Act 1988Part 2 Data protection commission (ss. 9-27)9. Establishment day10. Establishment of Data Protection Commission11. Supervisory authority for Data Protection Regulation and Directive12. Functions of Commission13. Performance of functions of Commission by Commissioner or member of staff14. Transfer of functions of Data Protection Commissioner to Commission15. Membership of Commission16. Appointment of chairperson of Commission17. Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner18. Acting Commissioner19. Accountability of Commissioner to Oireachtas Committees20. Assignment and transfer of staff to Commission21. Staff of Commission22. Superannuation of Commissioners23. Accounts of Commission24. Annual report25. Accountability for accounts of Commission26. Prohibition on disclosure of confidential information26A. Prohibition on disclosure of confidential information by persons engaging with Commission in connection with relevant function27. Civil proceedings for contravention of section 26Part 3 Data protection regulation (ss. 28-61)Chapter 1 General (ss. 28-44)28. Fees29. Child for purposes of application of Data Protection Regulation30. Micro-targeting and profiling of children31. Consent of child in relation to information society services32. Codes of conduct: children33. Right to be forgotten: children34. Designation of data protection officer35. Accreditation of certification bodies by Irish National Accreditation Board36. Suitable and specific measures for processing37. Limitation on transfers of personal data outside the European Union38. Processing for a task carried out in the public interest or in the exercise of official authority39. Communication with data subjects by political parties, candidates for and holders of certain elective political offices40. Processing of personal data and special categories of personal data by elected representatives41. Processing for purpose other than purpose for which data collected42. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes43. Data processing and freedom of expression and information44. Data processing and public access to official documentsChapter 2 Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences (ss. 45-55)45. Processing of special categories of personal data46. Processing of special categories of personal data for purposes of employment and social welfare law47. Processing of special categories of personal data for purpose of legal advice and legal proceedings48. Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission49. Processing of special categories of personal data for purposes of administration of justice and performance of functions50. Processing of special categories of personal data for insurance and pension purposes51. Processing of special categories of personal data and Article 10 data for reasons of substantial public interest52. Processing of special categories of personal data for purposes of Article 9(2)(h)53. Processing of special categories of personal data for purposes of public interest in the area of public health54. Processing of special categories of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes55. Processing of personal data relating to criminal convictions and offencesChapter 3 Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers (ss. 56-61)56. Right of access to results and scripts of examination and results of appeal57. Rights in relation to automated decision making58. Direct marketing for purposes of Article 2159. Restriction on right of data subject to object to processing for election purposes and processing by Referendum Commission60. Restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest61. Restriction on exercise of data subjects' rights: archiving purposes in the public interest, scientific or historical research purposes or statistical purposesPart 4 Provisions consequent on repeal of certain provisions of Data Protection Act 1988 (ss. 62-68)62. Transfer of property of Data Protection Commissioner to Commission63. Transfer of rights and liabilities of Data Protection Commissioner to Commission64. Liability for loss occurring before establishment day65. Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission66. Final accounts and final annual report of Data Protection Commissioner67. Saver for scheme relating to superannuation68. Saver for regulations under Act of 1988Part 5 Processing of personal data for law enforcement purposes (ss. 69-104)Chapter 1 Preliminary and general (Part 5) (ss. 69-70)69. Interpretation (Part 5)70. Application of Part 5Chapter 2 General principles of data protection (ss. 71-74)71. Processing of personal data72. Security measures for personal data73. Processing of special categories of personal data (Part 5)74. Data qualityChapter 3 Obligations of controllers and processors (ss. 75-88)75. General obligations of controller with regard to technical and organisational measures76. Data protection by design and by default77. Security of automated processing78. Technical and organisational measures79. Joint controllers80. Processors81. Record of data processing activities82. Data logging for automated processing system83. Cooperation with Commission84. Data protection impact assessment and prior consultation with Commission85. Notification of personal data breach by processor86. Notification of personal data breach to Commission, etc.87. Communication of personal data breach to data subject88. Data protection officerChapter 4 Rights, and restriction of rights, of data subject (Part 5) (ss. 89-95)89. Rights in relation to automated decision making (Part 5)90. Right to information91. Right of access92. Right to rectification or erasure and restriction of processing93. Communication with data subject94. Restrictions on exercise of data subject rights (Part 5)95. Indirect exercise of rights and verification by CommissionChapter 5 Transfers of personal data to third countries or international organisations (ss. 96-100)96.Transfer to third country or international organisation97. Adequacy decision98. Transfer subject to appropriate safeguards99. Derogations for specific situations100. Transfer to recipient in third countryChapter 6 Independent supervisory authority (ss. 101-104)101. Functions of Commission under Part 5102. Power of the Commission to advise and issue opinions103. Mutual assistance104. Requests by Commission for mutual assistancePart 6 Enforcement of data protection regulation and directive (ss. 105-156)Chapter 1 Preliminary (ss. 105-106)105. Interpretation (Part 6)106. Service of documents (Part 6)Chapter 2 Enforcement of Data Protection Regulation (ss. 107-117A)107. Interpretation (Chapter 2) (ss. 107-117)108. Complaints under Chapter 2: General109. Commission to handle complaint under Chapter 2110. Commission may conduct inquiry into suspected infringement of relevant enactment111. Decision of Commission where inquiry under Chapter 2 conducted of own volition112. Decision of Commission where inquiry conducted in respect of complaint to which Article 55 or 56(5) applies113. Complaint to which Article 60 applies114. Commission to adopt decision in certain circumstances115. Exercise by Commission of corrective power116. Notification of decision of Commission under Chapter 2117. Judicial remedy for infringement of relevant enactment117A. Judicial remedy for infringement of certain appropriate safeguards on transfers of personal data outside European UnionChapter 3 Enforcement of Directive (ss. 118-128)118. Interpretation (Chapter 3)119. Data subject may lodge complaint with Commission120. Representation of data subjects121. Complaints under Chapter 3: General122. Commission to handle complaint under Chapter 3123. Commission may conduct inquiry into suspected infringements of relevant provision124. Decision of Commission in respect of inquiry under Chapter 3 conducted of own volition125. Decision of Commission where inquiry conducted in respect of complaint under Chapter 3126. Notification of decision of Commission under Chapter 3127. Corrective powers of Commission (Chapter 3)128. Judicial remedy for infringement of relevant provisionChapter 4 Inspection, Audit and Enforcement (ss. 129-136)129. Authorised officers130. Powers of authorised officers131. Search warrants132. Information notice133. Enforcement notice134. Circumstances in which application may be made to the High Court for suspension or restriction of processing of data135. Power to require report136. Data Protection AuditChapter 5 Investigations (ss. 137-140)137. Investigations138. Conduct of investigation under section 137139. Investigation report140. Commission to consider investigation reportChapter 6 Administrative Fines (ss. 141-143)141. Power of Commission to decide to impose administrative fine: General142. Appeal against administrative fine143. Circuit Court to confirm decision to impose administrative fineChapter 7 Offences (ss. 144-147)144. Unauthorised disclosure by processor145. Disclosure of personal data obtained without authority146. Offences by directors, etc., of bodies corporate147. Prosecution of summary offences by CommissionChapter 8 Miscellaneous (ss. 148-156)148. General provisions relating to complaints149. Publication of convictions, sanctions, etc.150. Right to effective judicial remedy (Part 6)151. Privileged legal material152. Presumptions153. Expert evidence154. Immunity from suit155. Jurisdiction of Circuit Court156. Hearing of proceedingsPart 7 Miscellaneous provisions (ss. 157-164)157. Supervisory authority for courts acting in judicial capacity158. Restrictions on obligations of controllers and rights of data subjects for objective of safeguarding judicial independence and court proceedings159. Processing of personal data where court is controller160. Publication of judgment or decision of court or court list161. Rules of court for data protection actions162. Legal privilege163. Application to High Court concerning adequate level of protection or appropriate safeguards164. Court may order destruction, erasure of dataPart 8 Amendments of other Acts of oireachtas (ss. 165-232)165. Reference to personal data in enactment166. Reference to processing in enactment167. Amendment of Firearms Act 1925168. Amendment of section 33AK of Central Bank Act 1942169. Amendment of section 2 of Civil Service Regulation Act 1956170. Amendment of section 24 of Misuse of Drugs Act 1977171. Amendment of section 15A of Control of Clinical Trials Act 1987172. Amendment of Data Protection Act 1988173. Amendment of Bankruptcy Act 1988174. Amendment of Firearms and Offensive Weapons Act 1990175. Amendment of section 13A of Electoral Act 1992176. Amendment of Comptroller and Auditor General (Amendment) Act 1993177. Amendment of section 8 of Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993178. Amendment of section 24 of Statistics Act 1993179. Amendment of section 57B of Irish Aviation Authority Act 1993180. Amendment of section 18F of Health Insurance Act 1994181. Amendment of section 142 of Consumer Credit Act 1995182. Amendment of section 32B of Irish Medicines Board Act 1995183. Amendment of section 77 of Central Bank Act 1997184. Amendment of section 1 of Health (Provision of Information) Act 1997185. Amendment of section 9M of Electricity Regulation Act 1999186. Amendment of British-Irish Agreement Act 1999187. Amendment of section 7D of Comhairle Act 2000188. Amendment of section 33 of Commission To Inquire Into Child Abuse Act 2000189. Amendment of section 2 of Merchant Shipping (Investigation of Marine Casualties) Act 2000190. Amendment of section 28 of Education (Welfare) Act 2000191. Amendment of section 38 of Planning and Development Act 2000192. Amendment of section 14 of Dormant Accounts Act 2001193. Amendment of section 30 of Residential Institutions Redress Act 2002194. Amendment of section 2 of Official Languages Act 2003195. Amendment of section 86 of Personal Injuries Assessment Board Act 2003196. Amendment of section 12 of Unclaimed Life Assurance Policies Act 2003197. Amendment of section 66 of Civil Registration Act 2004198. Amendment of section 39 of Commissions of Investigation Act 2004199. Amendment of section 55H of Health Act 2004200. Amendment of section 2 of Safety, Health and Welfare at Work Act 2005201. Amendment of section 265 of Social Welfare Consolidation Act 2005202. Amendment of Disability Act 2005203. Amendment of section 2 of Railway Safety Act 2005204. Amendment of section 12 of Health (Repayment Scheme) Act 2006205. Amendment of section 19 of Electoral (Amendment) Act 2006206. Amendment of section 67 of Pharmacy Act 2007207. Amendment of Passports Act 2008208. Amendment of Criminal Justice (Mutual Assistance) Act 2008209. Amendment of section 2 of Chemicals Act 2008210. Amendment of Nursing Homes Support Scheme Act 2009211. Amendment of section 23 of Criminal Justice (Miscellaneous Provisions) Act 2009212. Amendment of section 201 of National Asset Management Agency Act 2009213. Amendment of Criminal Justice (Money Laundering and Terrorist Financing) Act 2010214. Amendment of section 12 of Communications (Retention of Data) Act 2011215. Amendment of section 17A of Ministers and Secretaries (Amendment) Act 2011216. Amendment of section 28 of Student Support Act 2011217. Amendment of Communications Regulation (Postal Services) Act 2011218. Amendment of Property Services (Regulation) Act 2011219. Amendment of section 56 of Credit Union and Co-operation with Overseas Regulators Act 2012220. Amendment of Europol Act 2012221. Amendment of Personal Insolvency Act 2012222. Amendment of section 2 of Animal Health and Welfare Act 2013223. Amendment of section 8 of Health (Alteration of Criteria for Eligibility) Act 2013224. Insertion of section 957A to Companies Act 2014225. Amendment of Health Identifiers Act 2014226. Amendment of section 15 of Freedom of Information Act 2014227. Amendment of section 41 of Customs Act 2015228. Amendment of section 7 of Regulation of Lobbying Act 2015229. Amendment of Sport Ireland Act 2015230. Amendment of section 12 of Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016231. Amendment of section 62 of Financial Services and Pensions Ombudsman Act 2017232. Amendment of National Shared Services Office Act 2017Schedule 1 Statutory instruments revokedSchedule 2 Data protection commissionSchedule 3 Provisions applicable to oral hearing conducted by an authorised officer under section
Page Overview
Document Overview
Tools
Print / Export
Notification
Bookmark
Share / Source link
76. Data protection by design and by default
(1) A controller shall, without prejudice to the generality of section 75(1), for the purposes of meeting the requirements of this Part and protecting the rights of data subjects -
(a) when determining the means of processing personal data, and
(b) when carrying out the said processing,
implement appropriate technical and organisational measures that are designed -
(i) to implement the principles of the protection of personal data contained in this Part in an effective manner, and
(ii) to integrate the necessary safeguards into the said processing.
(2) Without prejudice to the generality of section 75(1) and subsection (1), a controller shall, subject to subsection (3), when processing personal data implement appropriate technical and organisational measures to ensure that only personal data that are necessary for each specific purpose of the processing are processed.
(3) The requirement in subsection (2) applies in relation to -