Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

IRELAND DATA PRIVACY REGULATIONS

EU GDPR

The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. Over the next year, watch for changes to Ireland's data protection laws as they are adjusted to meet the new regulation.

The GDPR carries over many of the principles of the Data Protection Directive, but adds a number of new requirements:

  • Data Subject Rights:  The right to erasure (right to be forgotten) and the right to data portability;
  • Mandatory DPO:  A Data Protection Officer is mandatory for both data controllers and data processors, depending on the scale and type of processing or monitoring;
  • Data Controllers:  Appropriate policies and procedures, employee training, records of processing activities, and privacy by design and by default;
  • Consent:  Affirmative opt-in consent only (pre-ticked boxes or inactivity do not count; explicit consent for sensitive categories), specific to each purpose and to any additional purpose, and as easy to withdraw as it was to give;
  • Data Breach Reporting:  Mandatory reporting to the DPA/Supervisory Authority within 72 hours of becoming aware of the breach; affected individuals must also be notified where the breach is likely to result in a high risk to them.
  • One Stop Shop:  Businesses established in multiple Member States deal with a single lead Supervisory Authority, that of their main establishment.

The Article 29 Working Party is issuing guidance on the new requirements one topic at a time.

Who Me?

Ireland's Data Protection Act 1988 (as amended; revised edition of 30 July 2016) applies to both data controllers and data processors.

Controller:

Those who, either alone or with others, control the contents and use of personal data.

Data Controllers can be, but are not limited to:

  • Established Irish companies;
  • Government Departments of Ireland;
  • Irish voluntary organisations;
  • Residents of Ireland who control or process data in the course of providing services (e.g. GPs, pharmacists or sole traders).

Processor:

A person who processes personal data on behalf of a data controller. At a minimum, data processors are expected to be contractually obliged to meet the standard the DPA requires of the data controller.

SENSITIVE DATA

In addition to personal data, Irish law defines certain personal information as sensitive personal data. Such data carries additional requirements for data protection, data subject access, and so on.

Sensitive personal data includes, but is not limited to:

  • The racial or ethnic origin, the political opinions or religious or philosophical beliefs of the data subject,
  • Trade union membership,
  • The physical or mental health or condition or sexual life of the data subject,
  • The commission or alleged commission of any offence by the data subject, or
  • Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

REGISTRATION

Registration with the Data Protection Commissioner (DPC) of Ireland differs from other Member States: the categories that must register, and those that are exempt, are not the same as in other EU countries.

  • The DPC considers registration best practice for businesses that include, but are not limited to:
    • Financial institutions (banks, credit institutions, etc.);
    • Insurance undertakings;
    • Businesses dealing mostly in direct marketing;
    • Processors of genetic data.

There are exemptions from DPC registration. For more information on registration requirements and exemptions, visit the Data Protection Commissioner's website.

Registration fees and processes differ in every EU country. For information on Irish data protection registration fees, visit the DPC website.

CODE

Codes of Practice

The Data Protection Commissioner has formally approved several Codes of Practice relating to personal data, a few of which are listed here:

  • Garda Síochána (police force);
  • Injuries Board;
  • Insurance Sector;
  • Department of Education and Skills;
  • Revenue Commissioners;
  • Vocational Education Committees;
  • The Probation Service;
  • Department of Health.

For more information or updates on Ireland's Data Protection Codes of Practice, visit the DPC website.

BREACH REPORTING

Breach Reporting & Notification

You must determine when to notify the Data Protection Commissioner's Office about a data breach, and whether the individuals whose data was breached need to be notified. In Ireland, notification to the Data Protection Commissioner may be omitted only where all of the following apply:

  • No more than 100 people were affected by the breach;
  • The data includes no sensitive personal data and no personal data of a financial nature; and
  • The affected individuals have already been notified.

Data controllers in Ireland must report a breach within two working days (commonly cited as 48 hours) of becoming aware of it. If you are a processor, you must notify the data controller of the breach immediately. The Data Protection Commissioner's Office indicates that, where the data concerned is protected by technological measures that make it unintelligible to anyone not authorised to access it, the data controller may conclude that there is no risk to the data and need not inform the individuals; such a conclusion is justified only where the technological measures (such as encryption) are of a high standard. In practice that means strong, properly keyed encryption whose keys were not exposed in the same incident; data that is merely obfuscated, or encrypted with a key the attacker also obtained, does not qualify.

For the Ireland Personal Data Security Breach Code of Practice visit the DPC Website.

SUBJECT RIGHTS

Data Subject Rights Requirements

Irish law (the Data Protection Act, supplemented by the GDPR from May 2018) establishes several requests that data subjects can make of data controllers/processors, with which those entities must comply. These rights include the right to:

  • Access and correct one's information;
  • Data portability;
  • Be forgotten (erasure); and
  • Request the reasoning behind automated decision-taking.

Irish data controllers have 40 days to comply with a data access request. Ireland also allows data controllers to charge data subjects a small fee (capped by statute) for each request, and requires that a copy of the information be provided to the data subject in permanent form, unless supplying such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise.
