Return to the Home PageData Protection Commissoner
Block 4, Irish Life Centre, Talbot St., Dublin 1 About Us Your Rights Your Responsibilities Contact Us Reference
 
-
 REFERENCE 
Legal Texts
Key Definitions
Publications
Forms
Case Studies
Links

 

 

 
Number 25 of 1988
DATA PROTECTION ACT, 1988


Registration


The register.

16.(1) This section applies to the following persons, that is to say:

(a) data controllers, being public authorities and other bodies and persons referred to in the Third Schedule to this Act,

(b) data controllers, being financial institutions, persons holding authorisations under the European Communities (Non-Life) Insurance Regulations, 1976 (S.I. No. 115 of 1976), or the European Communities (Life Assurance) Regulations, 1984 (S.I. No. 57 of 1984), or persons whose business consists wholly or mainly in direct marketing, providing credit references or collecting debts,

(c) any other data controllers who keep personal data relating to-

(i) racial origin

(ii) political opinions or religious or other beliefs,

(iii) physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health or their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose),

(iv) sexual life; or

(v) criminal convictions,

(d) data processors whose business consists wholly or partly in processing personal data on behalf of data controllers, and

(e) such categories of data controllers and data processors as may stand prescribed for the time being (which categories may include data controllers and data processors to whom this section would not otherwise apply and on whom enforcement notices, prohibition notices or information notices have been served if the notices are in force and either the time for bringing an appeal against them under section 26 of this Act has expired without such an appeal having been brought or any such appeal has been withdrawn).

(2) The Commissioner shall establish and maintain a register (referred to in this Act as the register) of persons to whom this section applies and shall make, as appropriate, an entry or entries in the register in respect of each person whose application for registration therein is accepted by the Commissioner.

(3) (a) Members of the public may inspect the register free of charge at all reasonable times and may take copies of, or of extracts from, entries in the register.

(b) A member of the public may, on payment to the Commissioner of such fee (if any) as may be prescribed, obtain from the Commissioner a copy (certified by him or by a member of his staff to be a true copy) of, or of an extract from, any entry in the register.

(c) In any proceedings-

(i) a copy of, or of an extract from, an entry in the register certified by the Commissioner or by a member of his staff to be a true copy shall be evidence of the entry or extract, and

(ii) a document purporting to be such a copy, and to be certified, as aforesaid shall be deemed to be such a copy and to be so certified unless the contrary is proved.

(d) In any proceedings-

(i) a certificate signed by the Commissioner or by a member of his staff and stating that there is not an entry in the register in respect of a specified person as a data controller or as a dataprocessor shall be evidence of that fact, and

(ii) a document purporting to be such a certificate, and to be signed, as aforesaid shall be deemed to be such a certificate and to be so signed unless the contrary is proved.


Applications for registration.

17.(1)(a) A person wishing to be registered in the register or to have a registration continued under section 18 of this Act or to have the particulars in an entry in the register altered shall make an application in writing in that behalf to the Commissioner and shall furnish to him such information as may be prescribed and any other information that he may require.

(b) Where a data controller intends to keep personal data for two or more purposes, he may make an application for separate registration in respect of any of those purposes and, subject to the provisions of this Act, entries shall be made in the register in accordance with any such applications.

(2) Subject to subsection (3) of this section, the Commissioner shall accept an application for registration, made in the prescribed manner an in respect of which such fee as may be prescribed has been paid, from a person to whom section 16 of this Act applies unless he is of opinion that-

(a) the particulars proposed for inclusion in an entry in the register are insufficient or any other information required by the Commissioner either has not been furnished or is insufficient, or

(b) the person applying for registration is likely to contravene any of the provisions of this Act.

(3) The Commissioner shall not accept such an application for registration as aforesaid from a data controller who keeps personal data specified in section 16(1)(c) of this Act unless he is of opinion that appropriate safeguards for the protection of the privacy of the data subjects concerned are being, and will continue to be, provided by him.

(4) Where the Commissioner refuses an application for registration, he shall, as soon as may be, notify in writing the person applying for registration of the refusal and the notification shall-

(a) specify the reasons for the refusal, and

(b) state that the person may appeal to the Court under section 26 of this Act against the refusal within 21 days from the receipt by him of the notification.

(5) If-

(a) the Commissioner, by reason of special circumstances, is of opinion that a refusal of an application for registration should take effect urgently, and

(b) the notification of the refusal includes a statement to that effect and a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act.

paragraph (b) of subsection (4) of this section shall not apply in relation to the notification and paragraph (b) of subsection (6) of this section shall be construed and have effect as if for the words from and including "21 days" to the end of the paragraph there were substituted "7 days beginning on the date on which the notification was received,".

(6) Subject to subsection (5) of this section, a person who has made an application for registration shall-

(a) until he is notified that it has been accepted or it is withdrawn,

or

(b) if he is notified that the application has been refused, until the end of the period of 21 days within which an appeal may be brought under section 26 of this Act against the refusal and, if such an appeal is brought, until the determination or withdrawal of the appeal,

be treated for the purposes of section 19 of this Act as if the application had been accepted and the particulars contained in it had been included in an entry in the register on the date on which the application was made.

(7) Subsection (2) to (6) of this section apply, with any necessary modifications, to an application for continuance of registration and an application for alteration of the particulars in an entry in the register as they apply to an application for registration.


Duration and continuance of registration.

18.(1) A registration (whether it is the first registration or a registration continued under this section) shall be for the prescribed period and on the expiry thereof the relevant entry shall be removed from the register unless the registration is continued as aforesaid.

(2) The prescribed period (which shall not be less than one year) shall be calculated-

(a) in the case of a first registration, from the date on which the relevant entry was made in the register, and

(b) in the case of a registration which has been continued under this section, from the date from which it was so continued.

(3) The Commissioner shall, subject to the provisions of this Act, continue a registration, whether it has previously been continued under this section or not.

(4) Notwithstanding the foregoing provisions of this section, the Commissioner may at any time, at the request of the person to whom an entry relates, remove it from the register.


Effect of registration.

19.(1) A data controller to whom section 16 of this Act applies shall not keep personal data unless there is for the time being an entry in the register in respect of him.

(2) A data controller in respect of whom there is an entry in the register shall not-

(a) keep personal data of any description other than that specified in the entry,

(b) keep or use personal data for a purpose other than the purpose or purposes described in the entry,

(c) if the source from which such data, and any information intended for inclusion in such data, are obtained is required to be described in the entry, obtain such data or information from a source that is not so described.

(d) disclose such data to a person who is not described in the entry (other than a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of this Act),

(e) directly or indirectly transfer such data to a place outside the State other than one named or described in the entry.

(3) An employee or agent (not being a data processor) of a data controller mentioned in subsection (2) of this section shall, as respects personal data kept or, as the case may be, to be kept by the data controller, be subject to the same restrictions in relation to the use, source, disclosure or transfer of the data as those to which the data controller is subject under that subsection.

(4) A data processor to whom section 16 applies shall not process personal data unless there is for the time being an entry in the register in respect of him.

(5) If and whenever a person in respect of whom there is an entry in the register changes his address, he shall thereupon notify the Commissioner of the change.

(6) A person who contravenes subsection (1), (4) and (5), or knowingly contravenes any other provision, of this section shall be guilty of an offence.


Regulations for registration.

20.(1) The following matters, and such other matters (if any) as may be necessary or expedient for the purpose of enabling sections 16 to 19 of this Act to have full effect, may be prescribed:

(a) the procedure to be followed in relation to applications by persons for registration, continuance of registration or alteration of the particulars in an entry in the register or for withdrawal of such applications,

(b) the information required to be furnished to the Commissioner by such persons, and

(c) the particulars to be included in entries in the register,

and different provision may be made in relation to the matters aforesaid as respects different categories of persons.

(2) A person who in purported compliance with a requirement prescribed under this section furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.


Miscellaneous


Unauthorised disclosure by data processor.

21.(1) Personal data processed by a data processor shall not be disclosed by him, or by an employee or agent of his, without the prior authority of the data controller on behalf of whom the data are processed.

(2) A person who knowingly contravenes subsection (1) of this section shall be guilty of an offence.


Disclosure of personal data obtained without authority.

22.(1) A person who-

(a) obtains access to personal data, or obtains any information constituting such data, without the prior authority of the data controller or data processor by whom the data are kept, and

(b) discloses the data or information to another person,

shall be guilty of an offence.

(2) Subsection (1) of this section does not apply to a person who is an employee or agent of the data controller or data processor concerned.


Provisions in relation to certain non-residents and to data kept or processed outside State.

23.(1)Subject to the provisions of this section, this Act does not apply to a data controller in respect of data kept, or to a data processor in respect of data processed, outside the State.

(2) For the purposes of this section, data shall be deemed to be-

(a) kept by a data controller in the place where he controls their contents and use, and

(b) processed by a data processor in the place where the relevant data equipment is located.

(3) Where a person who is not resident in the State controls the contents and use of personal data kept within the State, or processes any such data, through an employee or agent in the State, this Act shall apply as if that control was exercised or, as the case may be, the data were processed by the employee or agent acting on his own account.

(4) This Act does not apply to data processed wholly outside the State unless the data are used or intended to be used in the State.

(5) Section 19 (2) (e) of this Act does not apply to the transfer of data that are already outside the State.


Powers of authorised officers.

24.(1) In this section "authorised officer" means a person authorised in writing by the Commissioner to exercise, for the purposes of this Act, the powers conferred by this section.

(2) An authorised officer may, for the purpose of obtaining any information that is necessary or expedient for the performance by the Commissioner of his functions, on production of the officer's authorisation, if so required-

(a) at all reasonable times enter premises that he reasonably believes to be occupied by a data controller or a data processor, inspect the premises and any data therein (other than data consisting of information specified in section 12 (4) (b) of this Act) and inspect, examine, operate and test any data equipment therein,

(b) require any person on the premises, being a data controller, a data processor or an employee or either of them, to disclose to the officer any such data and produce to him any data material (other than data material consisting of information so specified) that is in that person's power or control and to give to

him such information as he may reasonably require in regard to such data and material,

(c) either on the premises or elsewhere, inspect and copy or extract information from such data, or inspect and copy or take extracts from such material, and

(d) require any person mentioned in paragraph (b) of this subsection to give to the officer such information as he may reasonably require in regard to the procedures employed for complying with the provisions of this Act, the sources from which such data are obtained, the purposes for which they are kept, the persons to whom they are disclosed and the data equipment in the premises.

(3) Subject to subsection (5) of this section, subsection (2) of this section shall not apply in relation to a financial institution.

(4) Whenever the Commissioner considers it necessary or expedient for the performance by him of his functions that an authorised officer should exercise, in relation to a financial institution, the powers conferred by subsection (2) of this section, the Commissioner may apply to the High Court for an order under this section.

(5) Whenever, on an application to it under subsection (4) of this section, the High Court is satisfied that it is reasonable to do so and is satisfied that the exigencies of the common good so warrant, it may make an order authorising and authorised officer to exercise the powers conferred by subsection (2) of this section in relation to the financial institution concerned, subject to such condition (if any) as it thinks proper and specifies in the order.

(6) A person who obstructs or impedes an authorised office in the exercise of a power, or, without reasonable excuse, does not comply with a requirement, under this section or who in purported compliance with such a requirement gives information to an authorised officer that he knows to be false or misleading in a material respect shall be guilty of an offence.


Service of notices.

25.- Any notice authorised by this Act to be served on a person by the Commissioner may be served-

(a) if the person is an individual-

(i) by delivering it to him, or

(ii) by sending it to him by post addressed to him at his usual or last-known place of residence or business, or

(iii) by leaving it for him at that place,

(b) if the person is a body corporate or an unincorporated body of persons, by sending it to the body by post to, or addressing it to and leaving it at, in the case of a company, its registered office (within the meaning of the Companies Act, 1963) and, in any other case, its principal place of business.


Appeals to Circuit Court.

26.(1) An appeal may be made to and heard and determined by the Court against-

(a) a requirement specified in an enforcement notice or an information notice,

(b) a prohibition specified in a prohibition notice,

(c) a refusal by the Commissioner under section 17 of this Act, notified by him under that section, and

(d) a decision of the Commissioner in relation to a complaint under section 10(1)(a) of this Act,

and such an appeal shall be brought within 21 days from the service on the person concerned of the relevant notice or, as the case may be, the receipt by such person of the notification of the relevant refusal or decision.

(2) The jurisdiction conferred on the Court by this Act shall be exercised by the judge for the time being assigned to the circuit where the appellant ordinarily resides or carries on any profession, business or occupation or, at the option of the appellant, by a judge of the Court for the time being assigned to the Dublin circuit.

(3) (a) Subject to paragraph (b) of this subsection, a decision of the Court under this section be final.

(b) An appeal may be brought to the High Court on a point of law against such a decision; and references in this Act to the determination of an appeal shall be construed as including references to the determination of any such appeal to the High Court and of any appeal from the decision of that Court.

(4) Where-

(a) a person appeals to the Court pursuant to paragraph (a), (b) or (c) of subsection (1) of this section,

(b) the appeal is brought within the period specified in the notice or notification mentioned in paragraph (c) of this subsection, and

(c) the Commissioner has included a statement in the relevant notice or notification to the effect that by reason of special circumstances he is of opinion that the requirement or prohibition specified in the notice should be complied with, or the refusal specified in the notification should take effect, urgently,

then, notwithstanding any provision of this Act, if the Court, on application to it in that behalf, so determines, non-compliance by the person with a requirement or prohibition specified in the notice, or, as the case may be, a contravention by him of section 19 of this Act, during the period ending with the determination or withdrawal of the appeal or during such other period as may be determined as aforesaid shall not constitute an offence.


Evidence in proceedings.

27.(1) In any proceedings-

(a) a certificate signed by the Minister or the Minister for Defence and stating that in his opinion personal data are, or at any time were, kept for the purpose of safeguarding the security of the State shall be evidence of that opinion,

(b) a certificate-

(i) signed by a member of the Garda Siochana not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under section 8 (a) of this Act, and

(ii) stating that in the opinion of the member or, as the case may be, the officer a disclosure of personal data is required for the purpose aforesaid,

shall be evidence of that opinion, and

(c) a document purporting to be a certificate under paragraph (a) or (b) of this subsection and to be signed by a person specified in the said paragraph (a) or (b), as appropriate, shall be deemed to be such a certificate and to be so signed unless the contrary is proved.

(2) Information supplied by a person in compliance with a request under section 3 or 4 (1) of this Act, a requirement under this Act or a direction of a court in proceedings under this Act shall not be admissible in evidence against him or his spouse in proceedings for an offence under this Act.


Hearing of proceedings.

28. The whole or any part of any proceedings under this Act may, at the discretion of the court, be heard otherwise than in public.


Offences by directors, etc., of bodies corporate.

29.(1)Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of a person, being a director, manager, secretary or other office of that body corporate, or a person who was

purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

(2) Where the affairs of a body corporate are managed by its members, subsection (1) of this section shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he was a director or manager of the body corporate.


Prosecution of summary offences by Commissioner.

30.(1) Summary proceedings for an offence under this Act may be brought and prosecuted by the Commissioner.

(2) Notwithstanding section 10 (4) of the Petty Sessions (Ireland) Act, 1851, summary proceedings for an offence under this Act may be instituted within one year from the date of the offence.


Penalties.

31.(1) A person guilty of an offence under this Act shall be liable-

(a) on summary conviction, to a fine not exceeding £1,000, or

(b) on conviction on indictment, to a fine not exceeding £50,000.

(2) Where a person is convicted of an offence under this Act, the court may order any data material which appears to the court to be connected with the commission of the offence to be forfeited or destroyed and any relevant data to be erased.

(3) The court shall not make an order under subsection (2) of this section in relation to data material or data where it considers that some person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data unless such steps as are reasonably practicable have been taken for notifying that person and giving him an opportunity to show cause why the order should not be made.

(4) Section 13 of the Criminal Procedure Act, 1967, shall apply in relation to an offence under this Act that is not being prosecuted summarily as if, in lieu of the penalties provided for in subsection (3) (a) of that section, there were specified therein the fine provided for in subsection (1) (a) of this section and the reference in subsection (2) (a) of the said section 13 to the penalties provided for by subsection (3) shall be construed and have effect accordingly.


Laying of regulations before Houses of Oireachtas.

32. Every regulation made under the Act (other than section 2) shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the regulation is passed by either such House within the next 21 days on which that House has sat after the regulation is laid before it, the regulation shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder.


Fees.

33.(1) Fees under this Act shall be paid into or disposed of for the benefit of the Exchequer in accordance with the directions of the Minister for Finance.

(2) The Public Offices Fees Act, 1879, shall not apply in respect of any fees under this Act.


Expenses of Minister.

34. The expenses incurred by the Minister in the administration of this Act shall, to such extent as may be sanctioned by the Minister for Finance, be paid out of moneys provided by the Oireachtas.


Short title and commencement.

35.(1) This Act may be cited as the Data Protection Act, 1988.

(2) This Act shall come into operation on such day or days as, by order or orders made by the Minister under this section, may be fixed therefore either generally or with reference to any particular purpose or provision and difference days may be so fixed for different purposes and different provisions.