Number 25 of 1988
DATA PROTECTION ACT, 1988
Registration
The register.
16.(1) This section applies to the following persons, that is
to say:
(a) data controllers, being public authorities and
other bodies and persons referred to in the Third Schedule
to this Act,
(b) data controllers, being financial institutions,
persons holding authorisations under the European
Communities (Non-Life) Insurance Regulations, 1976 (S.I.
No. 115 of 1976), or the European Communities (Life
Assurance) Regulations, 1984 (S.I. No. 57 of 1984), or
persons whose business consists wholly or mainly in direct
marketing, providing credit references or collecting
debts,
(c) any other data controllers who keep personal data
relating to-
(i) racial origin
(ii) political opinions or religious or other beliefs,
(iii) physical or mental health (other than any such
data reasonably kept by them in relation to the physical
or mental health or their employees in the ordinary course
of personnel administration and not used or disclosed for
any other purpose),
(iv) sexual life; or
(v) criminal convictions,
(d) data processors whose business consists wholly or
partly in processing personal data on behalf of data
controllers, and
(e) such categories of data controllers and data
processors as may stand prescribed for the time being
(which categories may include data controllers and data
processors to whom this section would not otherwise apply
and on whom enforcement notices, prohibition notices or
information notices have been served if the notices are in
force and either the time for bringing an appeal against
them under section 26 of this Act has expired without such
an appeal having been brought or any such appeal has been
withdrawn).
(2) The Commissioner shall establish and maintain a
register (referred to in this Act as the register) of persons
to whom this section applies and shall make, as appropriate,
an entry or entries in the register in respect of each person
whose application for registration therein is accepted by the
Commissioner.
(3) (a) Members of the public may inspect the register
free of charge at all reasonable times and may take copies
of, or of extracts from, entries in the register.
(b) A member of the public may, on payment to the
Commissioner of such fee (if any) as may be prescribed,
obtain from the Commissioner a copy (certified by him or
by a member of his staff to be a true copy) of, or of an
extract from, any entry in the register.
(c) In any proceedings-
(i) a copy of, or of an extract from, an entry in
the register certified by the Commissioner or by a
member of his staff to be a true copy shall be
evidence of the entry or extract, and
(ii) a document purporting to be such a copy, and
to be certified, as aforesaid shall be deemed to be
such a copy and to be so certified unless the contrary
is proved.
(d) In any proceedings-
(i) a certificate signed by the Commissioner or by
a member of his staff and stating that there is not an
entry in the register in respect of a specified person
as a data controller or as a dataprocessor shall be
evidence of that fact, and
(ii) a document purporting to be such a
certificate, and to be signed, as aforesaid shall be
deemed to be such a certificate and to be so signed
unless the contrary is proved.
Applications for registration.
17.(1)(a) A person wishing to be registered in the
register or to have a registration continued under section
18 of this Act or to have the particulars in an entry in
the register altered shall make an application in writing
in that behalf to the Commissioner and shall furnish to
him such information as may be prescribed and any other
information that he may require.
(b) Where a data controller intends to keep personal
data for two or more purposes, he may make an application
for separate registration in respect of any of those
purposes and, subject to the provisions of this Act,
entries shall be made in the register in accordance with
any such applications.
(2) Subject to subsection (3) of this section, the
Commissioner shall accept an application for registration,
made in the prescribed manner an in respect of which such fee
as may be prescribed has been paid, from a person to whom
section 16 of this Act applies unless he is of opinion that-
(a) the particulars proposed for inclusion in an entry
in the register are insufficient or any other information
required by the Commissioner either has not been furnished
or is insufficient, or
(b) the person applying for registration is likely to
contravene any of the provisions of this Act.
(3) The Commissioner shall not accept such an application
for registration as aforesaid from a data controller who keeps
personal data specified in section 16(1)(c) of this Act unless
he is of opinion that appropriate safeguards for the
protection of the privacy of the data subjects concerned are
being, and will continue to be, provided by him.
(4) Where the Commissioner refuses an application for
registration, he shall, as soon as may be, notify in writing
the person applying for registration of the refusal and the
notification shall-
(a) specify the reasons for the refusal, and
(b) state that the person may appeal to the Court under
section 26 of this Act against the refusal within 21 days
from the receipt by him of the notification.
(5) If-
(a) the Commissioner, by reason of special
circumstances, is of opinion that a refusal of an
application for registration should take effect urgently,
and
(b) the notification of the refusal includes a
statement to that effect and a statement of the effect of
the provisions of section 26 (other than subsection (3))
of this Act.
paragraph (b) of subsection (4) of this section shall not
apply in relation to the notification and paragraph (b) of
subsection (6) of this section shall be construed and have
effect as if for the words from and including "21
days" to the end of the paragraph there were substituted
"7 days beginning on the date on which the notification
was received,".
(6) Subject to subsection (5) of this section, a person who
has made an application for registration shall-
(a) until he is notified that it has been accepted or it is
withdrawn,
or
(b) if he is notified that the application has been
refused, until the end of the period of 21 days within
which an appeal may be brought under section 26 of this
Act against the refusal and, if such an appeal is brought,
until the determination or withdrawal of the appeal,
be treated for the purposes of section 19 of this Act as if
the application had been accepted and the particulars
contained in it had been included in an entry in the register
on the date on which the application was made.
(7) Subsection (2) to (6) of this section apply, with any
necessary modifications, to an application for continuance of
registration and an application for alteration of the
particulars in an entry in the register as they apply to an
application for registration.
Duration and continuance of registration.
18.(1) A registration (whether it is the first registration or
a registration continued under this section) shall be for the
prescribed period and on the expiry thereof the relevant entry
shall be removed from the register unless the registration is
continued as aforesaid.
(2) The prescribed period (which shall not be less than one
year) shall be calculated-
(a) in the case of a first registration, from the date
on which the relevant entry was made in the register, and
(b) in the case of a registration which has been
continued under this section, from the date from which it
was so continued.
(3) The Commissioner shall, subject to the provisions of
this Act, continue a registration, whether it has previously
been continued under this section or not.
(4) Notwithstanding the foregoing provisions of this
section, the Commissioner may at any time, at the request of
the person to whom an entry relates, remove it from the
register.
Effect of registration.
19.(1) A data controller to whom section 16 of this Act applies
shall not keep personal data unless there is for the time being an
entry in the register in respect of him.
(2) A data controller in respect of whom there is an entry
in the register shall not-
(a) keep personal data of any description other than
that specified in the entry,
(b) keep or use personal data for a purpose other than
the purpose or purposes described in the entry,
(c) if the source from which such data, and any
information intended for inclusion in such data, are
obtained is required to be described in the entry, obtain
such data or information from a source that is not so
described.
(d) disclose such data to a person who is not described
in the entry (other than a person to whom a disclosure of
such data may be made in the circumstances specified in
section 8 of this Act),
(e) directly or indirectly transfer such data to a
place outside the State other than one named or described
in the entry.
(3) An employee or agent (not being a data processor) of a
data controller mentioned in subsection (2) of this section
shall, as respects personal data kept or, as the case may be,
to be kept by the data controller, be subject to the same
restrictions in relation to the use, source, disclosure or
transfer of the data as those to which the data controller is
subject under that subsection.
(4) A data processor to whom section 16 applies shall not
process personal data unless there is for the time being an
entry in the register in respect of him.
(5) If and whenever a person in respect of whom there is an
entry in the register changes his address, he shall thereupon
notify the Commissioner of the change.
(6) A person who contravenes subsection (1), (4) and (5),
or knowingly contravenes any other provision, of this section
shall be guilty of an offence.
Regulations for registration.
20.(1) The following matters, and such other matters (if any)
as may be necessary or expedient for the purpose of enabling sections
16 to 19 of this Act to have full effect, may be prescribed:
(a) the procedure to be followed in relation to
applications by persons for registration, continuance of
registration or alteration of the particulars in an entry
in the register or for withdrawal of such applications,
(b) the information required to be furnished to the
Commissioner by such persons, and
(c) the particulars to be included in entries in the
register,
and different provision may be made in relation to the
matters aforesaid as respects different categories of persons.
(2) A person who in purported compliance with a requirement
prescribed under this section furnishes information to the
Commissioner that the person knows to be false or misleading
in a material respect shall be guilty of an offence.
Miscellaneous
Unauthorised disclosure by data processor.
21.(1) Personal data processed by a data processor shall not be
disclosed by him, or by an employee or agent of his, without the
prior authority of the data controller on behalf of whom the data
are processed.
(2) A person who knowingly contravenes subsection (1)
of this section shall be guilty of an offence.
Disclosure of personal data obtained without authority.
22.(1) A person who-
(a) obtains access to personal data, or obtains any
information constituting such data, without the prior
authority of the data controller or data processor by whom
the data are kept, and
(b) discloses the data or information to another
person,
shall be guilty of an offence.
(2) Subsection (1) of this section does not apply to a
person who is an employee or agent of the data controller or
data processor concerned.
Provisions in relation to certain non-residents and to data
kept or processed outside State.
23.(1)Subject to the provisions of this section, this Act does
not apply to a data controller in respect of data kept, or to a
data processor in respect of data processed, outside the State.
(2) For the purposes of this section, data shall be deemed
to be-
(a) kept by a data controller in the place where he
controls their contents and use, and
(b) processed by a data processor in the place where
the relevant data equipment is located.
(3) Where a person who is not resident in the State
controls the contents and use of personal data kept within the
State, or processes any such data, through an employee or
agent in the State, this Act shall apply as if that control
was exercised or, as the case may be, the data were processed
by the employee or agent acting on his own account.
(4) This Act does not apply to data processed wholly
outside the State unless the data are used or intended to be
used in the State.
(5) Section 19 (2) (e) of this Act does not apply to the
transfer of data that are already outside the State.
Powers of authorised officers.
24.(1) In this section "authorised officer" means a
person authorised in writing by the Commissioner to exercise, for
the purposes of this Act, the powers conferred by this section.
(2) An authorised officer may, for the purpose of obtaining
any information that is necessary or expedient for the
performance by the Commissioner of his functions, on production
of the officer's authorisation, if so required-
(a) at all reasonable times enter premises that he
reasonably believes to be occupied by a data controller or a
data processor, inspect the premises and any data therein
(other than data consisting of information specified in
section 12 (4) (b) of this Act) and inspect, examine,
operate and test any data equipment therein,
(b) require any person on the premises, being a data
controller, a data processor or an employee or either of
them, to disclose to the officer any such data and produce
to him any data material (other than data material
consisting of information so specified) that is in that
person's power or control and to give to
him such information as he may reasonably require in
regard to such data and material,
(c) either on the premises or elsewhere, inspect and copy
or extract information from such data, or inspect and copy
or take extracts from such material, and
(d) require any person mentioned in paragraph (b) of this
subsection to give to the officer such information as he may
reasonably require in regard to the procedures employed for
complying with the provisions of this Act, the sources from
which such data are obtained, the purposes for which they
are kept, the persons to whom they are disclosed and the
data equipment in the premises.
(3) Subject to subsection (5) of this section, subsection (2)
of this section shall not apply in relation to a financial
institution.
(4) Whenever the Commissioner considers it necessary or
expedient for the performance by him of his functions that an
authorised officer should exercise, in relation to a financial
institution, the powers conferred by subsection (2) of this
section, the Commissioner may apply to the High Court for an
order under this section.
(5) Whenever, on an application to it under subsection (4) of
this section, the High Court is satisfied that it is reasonable
to do so and is satisfied that the exigencies of the common good
so warrant, it may make an order authorising and authorised
officer to exercise the powers conferred by subsection (2) of
this section in relation to the financial institution concerned,
subject to such condition (if any) as it thinks proper and
specifies in the order.
(6) A person who obstructs or impedes an authorised office in
the exercise of a power, or, without reasonable excuse, does not
comply with a requirement, under this section or who in
purported compliance with such a requirement gives information
to an authorised officer that he knows to be false or misleading
in a material respect shall be guilty of an offence.
Service of notices.
25.- Any notice authorised by this Act to be served on a
person by the Commissioner may be served-
(a) if the person is an individual-
(i) by delivering it to him, or
(ii) by sending it to him by post addressed to him
at his usual or last-known place of residence or
business, or
(iii) by leaving it for him at that place,
(b) if the person is a body corporate or an
unincorporated body of persons, by sending it to the body
by post to, or addressing it to and leaving it at, in the
case of a company, its registered office (within the
meaning of the Companies Act, 1963) and, in any other
case, its principal place of business.
Appeals to Circuit Court.
26.(1) An appeal may be made to and heard and determined by the
Court against-
(a) a requirement specified in an enforcement notice or
an information notice,
(b) a prohibition specified in a prohibition notice,
(c) a refusal by the Commissioner under section 17 of
this Act, notified by him under that section, and
(d) a decision of the Commissioner in relation to a
complaint under section 10(1)(a) of this Act,
and such an appeal shall be brought within 21 days from the
service on the person concerned of the relevant notice or, as
the case may be, the receipt by such person of the
notification of the relevant refusal or decision.
(2) The jurisdiction conferred on the Court by this Act
shall be exercised by the judge for the time being assigned to
the circuit where the appellant ordinarily resides or carries
on any profession, business or occupation or, at the option of
the appellant, by a judge of the Court for the time being
assigned to the Dublin circuit.
(3) (a) Subject to paragraph (b) of this subsection, a
decision of the Court under this section be final.
(b) An appeal may be brought to the High Court on a
point of law against such a decision; and references in
this Act to the determination of an appeal shall be
construed as including references to the determination of
any such appeal to the High Court and of any appeal from
the decision of that Court.
(4) Where-
(a) a person appeals to the Court pursuant to paragraph
(a), (b) or (c) of subsection (1) of this section,
(b) the appeal is brought within the period specified
in the notice or notification mentioned in paragraph (c)
of this subsection, and
(c) the Commissioner has included a statement in the
relevant notice or notification to the effect that by
reason of special circumstances he is of opinion that the
requirement or prohibition specified in the notice should
be complied with, or the refusal specified in the
notification should take effect, urgently,
then, notwithstanding any provision of this Act, if the Court,
on application to it in that behalf, so determines, non-compliance
by the person with a requirement or prohibition specified in the
notice, or, as the case may be, a contravention by him of section
19 of this Act, during the period ending with the determination or
withdrawal of the appeal or during such other period as may be
determined as aforesaid shall not constitute an offence.
Evidence in proceedings.
27.(1) In any proceedings-
(a) a certificate signed by the Minister or the
Minister for Defence and stating that in his opinion
personal data are, or at any time were, kept for the
purpose of safeguarding the security of the State shall be
evidence of that opinion,
(b) a certificate-
(i) signed by a member of the Garda Siochana not
below the rank of chief superintendent or an officer
of the Permanent Defence Force who holds an army rank
not below that of colonel and is designated by the
Minister for Defence under section 8 (a) of this Act,
and
(ii) stating that in the opinion of the member or,
as the case may be, the officer a disclosure of
personal data is required for the purpose aforesaid,
shall be evidence of that opinion, and
(c) a document purporting to be a certificate under
paragraph (a) or (b) of this subsection and to be signed
by a person specified in the said paragraph (a) or (b), as
appropriate, shall be deemed to be such a certificate and
to be so signed unless the contrary is proved.
(2) Information supplied by a person in compliance with a
request under section 3 or 4 (1) of this Act, a requirement
under this Act or a direction of a court in proceedings under
this Act shall not be admissible in evidence against him or
his spouse in proceedings for an offence under this Act.
Hearing of proceedings.
28. The whole or any part of any proceedings under this Act
may, at the discretion of the court, be heard otherwise than in
public.
Offences by directors, etc., of bodies corporate.
29.(1)Where an offence under this Act has been committed by a
body corporate and is proved to have been committed with the
consent or connivance of or to be attributable to any neglect on
the part of a person, being a director, manager, secretary or
other office of that body corporate, or a person who was
purporting to act in any such capacity, that person, as well as
the body corporate, shall be guilty of that offence and be liable
to be proceeded against and punished accordingly.
(2) Where the affairs of a body corporate are managed by
its members, subsection (1) of this section shall apply in
relation to the acts and defaults of a member in connection
with his functions of management as if he was a director or
manager of the body corporate.
Prosecution of summary offences by Commissioner.
30.(1) Summary proceedings for an offence under this Act may be
brought and prosecuted by the Commissioner.
(2) Notwithstanding section 10 (4) of the Petty Sessions
(Ireland) Act, 1851, summary proceedings for an offence under
this Act may be instituted within one year from the date of
the offence.
Penalties.
31.(1) A person guilty of an offence under this Act shall be
liable-
(a) on summary conviction, to a fine not exceeding
£1,000, or
(b) on conviction on indictment, to a fine not
exceeding £50,000.
(2) Where a person is convicted of an offence under this
Act, the court may order any data material which appears to
the court to be connected with the commission of the offence
to be forfeited or destroyed and any relevant data to be
erased.
(3) The court shall not make an order under subsection (2)
of this section in relation to data material or data where it
considers that some person other than the person convicted of
the offence concerned may be the owner of, or otherwise
interested in, the data unless such steps as are reasonably
practicable have been taken for notifying that person and
giving him an opportunity to show cause why the order should
not be made.
(4) Section 13 of the Criminal Procedure Act, 1967, shall
apply in relation to an offence under this Act that is not
being prosecuted summarily as if, in lieu of the penalties
provided for in subsection (3) (a) of that section, there were
specified therein the fine provided for in subsection (1) (a)
of this section and the reference in subsection (2) (a) of the
said section 13 to the penalties provided for by subsection
(3) shall be construed and have effect accordingly.
Laying of regulations before Houses of Oireachtas.
32. Every regulation made under the Act (other than section 2)
shall be laid before each House of the Oireachtas as soon as may
be after it is made and, if a resolution annulling the regulation
is passed by either such House within the next 21 days on which
that House has sat after the regulation is laid before it, the
regulation shall be annulled accordingly, but without prejudice to
the validity of anything previously done thereunder.
Fees.
33.(1) Fees under this Act shall be paid into or disposed of
for the benefit of the Exchequer in accordance with the directions
of the Minister for Finance.
(2) The Public Offices Fees Act, 1879, shall not apply in
respect of any fees under this Act.
Expenses of Minister.
34. The expenses incurred by the Minister in the administration
of this Act shall, to such extent as may be sanctioned by the
Minister for Finance, be paid out of moneys provided by the
Oireachtas.
Short title and commencement.
35.(1) This Act may be cited as the Data Protection Act, 1988.
(2) This Act shall come into operation on such day or days
as, by order or orders made by the Minister under this
section, may be fixed therefore either generally or with
reference to any particular purpose or provision and
difference days may be so fixed for different purposes and
different provisions.
|