1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Ireland has been a member state of the European Union since 1973. The main sources of law governing data privacy in the European Union (and therefore Ireland) include the following:
- EU regulations: Legal acts that:
  - have general application;
  - are binding in their entirety; and
  - are directly applicable in all EU countries (ie, no national legislation is required to transpose them and make them effective).
- EU directives: Legal acts which require member states to achieve a particular result without dictating the means through which that result should be achieved. Directives normally do not prescribe the exact rules to be adopted. In the Irish case, EU directives require national transposing legislation in order to be effective.
The main EU legislative framework comprises Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)).
Since 25 May 2018, the primary statute governing data privacy in Ireland is the Data Protection Act 2018, as amended, which:
- gives further effect to the General Data Protection Regulation (GDPR); and
- transposes into national law the Law Enforcement Directive (2016/680) (LED), which applies to the processing of personal data for law enforcement purposes. The Data Protection Acts 1988 and 2003 still apply in certain circumstances, such as to the processing of personal data for the purposes of safeguarding the security of the state.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
EU law:
- Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘ePrivacy Directive’) relates to many aspects of the electronic communications sector, including direct marketing. The ePrivacy Directive was transposed into national law by Statutory Instrument 336/2011, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (‘ePrivacy Regulations’), which outline specific rules on:
  - the use of cookies;
  - marketing communications; and
  - the security of electronic communications networks and services.
- The LED, which was transposed into national law by Part 5 of the Data Protection Act 2018.
National law:
- The Data Sharing and Governance Act 2019 governs the sharing of data (including personal data) between public bodies.
- The Communications (Retention of Data) (Amendment) Act 2022 amended the ePrivacy Regulations and requires electronic communications service providers to retain data for one year, or such a period as may be prescribed by the minister for justice, for the purposes of:
  - preventing, detecting, investigating or prosecuting offences;
  - safeguarding the security of the state;
  - protecting personal safety; and
  - searching for missing persons.
- Part 8 of the Data Protection Act 2018 amends various other statutes relating to many different sectors, such as:
  - banking;
  - health; and
  - education.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
International instruments relating to, or with direct implications for, data privacy which are applicable in Ireland include:
- the International Covenant on Civil and Political Rights;
- the Charter of Fundamental Rights of the European Union;
- the European Convention on Human Rights;
- Council of Europe Convention 108 (Protection of Individuals with regard to Automatic Processing of Personal Data); and
- the United Nations Convention on the Rights of the Child.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The Data Protection Act 2018, which became law on 25 May 2018, established the Data Protection Commission (DPC). The DPC is the national independent supervisory authority in Ireland with responsibility for upholding the fundamental right of individuals to have their personal data protected. The DPC's statutory powers, functions and duties derive from:
- the Data Protection Act 2018;
- the GDPR;
- the LED; and
- the Data Protection Acts 1988 to 2003 which, among other things, give effect to the Council of Europe Convention 108.
The DPC handles complaints and can initiate its own investigations into suspected infringements of data protection legislation. It also has a role in:
- promoting awareness of data protection;
- engaging in public consultations; and
- cooperating with other supervisory authorities and engaging with the European Data Protection Board.
The DPC fulfils an important role in the context of European data protection regulation and enforcement, as Ireland is the headquarters of many of the world's leading technology companies and thus data protection inquiries with respect to such entities fall to be examined by the DPC under the one-stop shop principle under the GDPR.
The DPC, as a supervisory authority operating within the GDPR regime, has the power to impose:
- fines of up to €10 million or up to 2% of the total worldwide annual turnover of an undertaking (whichever is higher); or
- (with respect to findings of infringements of certain provisions of the GDPR) fines of up to €20 million or 4% of the total worldwide annual turnover of the undertaking (whichever is higher).
Up until 2024, the DPC operated with one commissioner for data protection, who oversaw the monitoring and enforcement of data protection in Ireland. In 2024, the previous commissioner, Helen Dixon, stood down and two new commissioners were appointed, with a third commissioner due to be appointed in late 2024/2025.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Section 5 of the GDPR deals with codes of conduct and self-certification. This section aims to encourage the drawing up of codes of conduct to contribute to the proper application and functioning of the GDPR. Associations and other bodies representing controllers may prepare, conduct or amend such codes in relation to issues such as:
- fair and transparent processing;
- legitimate interests;
- the collection of personal data;
- pseudonymisation of personal data;
- information provided to the public and to data subjects;
- the exercise of the rights of data subjects;
- information provision and consent of children to the processing of their personal data;
- the responsibilities of data controllers;
- data protection by design and default and security measures;
- notification of personal data breaches to supervisory authorities and data subjects;
- international transfers; and
- dispute resolution.
Article 40.5 requires associations or other bodies to submit draft codes of conduct to a supervisory authority for approval. There is also provision for the European Commission to publicise approved codes of conduct. Article 41 provides for certain bodies to become accredited to monitor compliance with codes of conduct. Article 42 provides for certification mechanisms and data protection seals to demonstrate compliance with the GDPR. Article 43 sets out the procedure and requirements around the accreditation of certification bodies.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
Articles 2 and 3 of the General Data Protection Regulation (GDPR) cover the material and territorial scope of the application of the GDPR.
The GDPR applies to:
- the processing of personal data wholly or partly by automated means; and
- the processing other than by automated means of personal data which:
  - forms part of a filing system; or
  - is intended to form part of a filing system.
One of the main exclusions in Article 2 is that the GDPR does not apply to entities processing personal data for law enforcement purposes; such processing is captured by the LED, which was transposed into Irish law by Part 5 of the Data Protection Act.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Article 2 and Recital 16 as an interpretative aid make it clear that the GDPR does not apply to:
- activities which fall outside the scope of EU law, such as activities concerning national security (which is generally left to individual member states to determine); or
- the processing of personal data by member states when carrying out activities in relation to the common foreign and security policy of the European Union.
The most common exemption to the application of the GDPR is known as the ‘household exemption', which means that the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity with no connection to a professional or commercial activity.
The Data Protection Act 2018 provides a partial exemption from some of the obligations of data protection law where personal data is used for the purpose of exercising the right to freedom of expression, including for journalistic, academic, artistic or literary purposes, where the exemption is necessary to effectively exercise those freedoms.
The Data Protection Act 2018 also sets out some rules which limit the exercise of a person's data protection rights regarding opinions about them which are given ‘in confidence' or on the understanding that they will be treated as confidential, to a recipient that has a ‘legitimate interest' in receiving the information. This means that people may be unable to exercise their data protection rights, such as access or erasure, against the recipient or holder of an opinion about them where it was made or given to them confidentially.
2.3 Does the data privacy regime have extra-territorial application?
In terms of territorial scope, Article 3 of the GDPR states that it applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing takes place in the European Union; this means that the important factor for consideration is where the controller has its main headquarters or main establishment.
The GDPR applies to the processing of personal data of data subjects within the European Union by a controller or processor not established in the European Union in certain circumstances where:
- goods or services are offered to data subjects in the European Union; or
- the behaviour of data subjects in the European Union is monitored (where behaviour takes place in the European Union).
3 Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) ‘Data processing'
An operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.
(d) Data subject
An identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to:
- an identifier such as a name, identification number, location data or an online identifier; or
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
(e) Personal data
Any information relating to an identified or identifiable natural person. Recital 26 of the General Data Protection Regulation (GDPR) states that:
to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
(f) Sensitive personal data
This is termed ‘special category personal data' in the GDPR and is defined at Article 9 as:
processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes through which he or she, by a statement or clear affirmative action, signifies agreement to the processing of his or her personal data.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
Other key terms under the GDPR regime include the following:
- ‘Personal data breach’: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- ‘Profiling’: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning the natural person's:
  - performance at work;
  - economic situation;
  - health;
  - personal preferences;
  - interests;
  - reliability;
  - behaviour;
  - location; and
  - movements.
Other key terms from the GDPR are the principles contained in Article 5 of the GDPR, which form the building blocks of compliance with the rules on data protection, as follows:
- Personal data must be processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency).
- Personal data:
  - must be collected for specified, explicit and legitimate purposes; and
  - must not be further processed in a manner incompatible with those purposes (purpose limitation).
- Personal data must be adequate, relevant and limited to what is necessary (data minimisation).
- Personal data must be accurate and, where necessary, kept up to date (accuracy).
- Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (storage limitation).
- Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
4 Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
Since the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, there is no mandatory requirement in Ireland for data controllers or processors to register with the Data Protection Commission (DPC). The only mandatory registration requirement at present in Ireland is for data protection officers (DPOs).
4.2 What is the process for registration?
For the registration of DPOs, the DPC provides an online portal for DPOs to register, whereby they must fill out a basic information form including:
- organisation details (eg, address, website, sector and sub-sector); and
- the DPO's name and contact details.
4.3 Is registered information publicly accessible?
With regard to the maintained register of DPOs, unlike in the United Kingdom, this is not publicly accessible in Ireland in one location. However, details of how to contact the DPO must be included in a data controller's or processor's privacy notice, in line with Articles 13 and 14 of the GDPR.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
The processing of personal data in Ireland is underpinned by the lawful bases set out in the General Data Protection Regulation (GDPR). Article 6 provides six potential lawful bases for processing:
- The data subject must have provided consent;
- The processing must be necessary for the performance of a contract;
- The processing must be necessary for carrying out a public task;
- The processing must be necessary to carry out legal obligations;
- The processing must be necessary to protect the vital interests of the data subject; or
- The processing must be necessary for the legitimate interests of the controller or a third party.
The processing of sensitive or special categories of personal data is generally prohibited, except in limited circumstances, which are set out in Article 9 of the GDPR. The processing of special category data requires:
- a legal basis under Article 6; and
- satisfaction of one of the 10 conditions set out in Article 9.
These conditions are as follows:
- the explicit consent of the data subject;
- the performance and exercise of rights in relation to:
  - labour law;
  - social security; and
  - social protection;
- the vital interests of the data subject;
- the legitimate activities of a foundation, association or other non-profit organisation where the processing relates only to members or former members of the organisation;
- the disclosure of the special category data by the data subject;
- the establishment, exercise or defence of a legal right;
- public interest;
- preventative medicine or occupational medicine, assessing a worker's working capacity, medical diagnosis, health or social care, or the management of health or social care systems and services;
- public health interest; or
- scientific or historical research purposes or statistical purposes.
Article 8 of the GDPR further indicates that where processing is based on consent in relation to the personal data of a child, such consent will be lawful if the child is at least 16 years old.
Article 10 of the GDPR governs processing personal data in relation to criminal convictions and offences based on a lawful basis set out in Article 6. Such processing must be carried out under the control of relevant official authorities or be authorised under relevant EU or member state law, with appropriate provision of safeguards for rights and freedoms of data subjects.
In Ireland, under the Data Protection Act 2018, some other lawful bases may be relied upon for processing special categories of data, depending on the reason it is being processed. For example:
- Section 46 provides for the processing of special category data for the purposes of employment and social welfare law;
- Section 47 provides for the processing of special category data for the purpose of legal advice and legal proceedings;
- Section 48 provides for the processing of personal data revealing political opinions for electoral activities and functions of the Referendum Commission;
- Section 49 provides for the processing of special category data for purposes of administration of justice and performance of functions; and
- Section 50 provides for the processing of special category data for insurance and pension purposes.
Each of these conditions must be subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, prior to processing.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
There are key principles which are to be considered when processing personal data in Ireland. These principles are derived from Article 5 of the GDPR.
The principles which all organisations should adhere to when processing personal data are as follows.
Lawfulness, fairness and transparency: This principle requires that personal data be processed:
- lawfully, meaning there must be an appropriate legal basis to underpin the processing (see Article 5.1);
- fairly, meaning fair towards the individuals concerned – that is, processing must not be unduly detrimental, unexpected, misleading or deceptive; and
- transparently, meaning that the processing should be clear to both individuals and regulators. Similarly, controllers must provide individuals with information relating to processing in a concise, easily accessible, easy to understand format which uses plain language, rather than legal jargon. Specific rules on transparency obligations are set out in Articles 12 to 14 of the GDPR. Controllers must not only ensure that the language is transparent, but also account for their target audience (eg, children or vulnerable individuals).
Purpose limitation: This principle requires that personal data:
- must only be collected for specified, explicit and legitimate purposes, which are determined at the time of collection; and
- must not be further processed in a manner that is incompatible with those purposes.
The purpose of this principle is to ensure that:
- data controllers are clear and transparent from the beginning of a processing activity; and
- purposes align with individuals' reasonable expectations.
Data minimisation: This principle requires that data controllers only collect and process personal data that is:
- adequate;
- relevant; and
- limited to what is necessary for the purposes for which they are processed.
In other words, this means that only the minimum amount of data required for an intended processing activity should be collected and not larger volumes of data ‘just in case' there may be a need for it in the future.
Accuracy: This principle requires that data controllers ensure that personal data is accurate and, where necessary, kept up to date. All reasonable steps must be taken to correct any inaccuracies promptly, including considering whether it is necessary to periodically update any personal data that a controller holds.
Storage limitation: This principle requires that data controllers not hold personal data (in a form which permits identification of individuals) for longer than is necessary to achieve the purposes for which the personal data was originally collected. Steps must be taken to securely delete personal data as soon as it is no longer necessary to retain it.
In accordance with the GDPR, personal data may be stored for longer periods where it will be processed solely for:
- archiving purposes in the public interest;
- scientific or historical research purposes; or
- statistical purposes.
Technical and organisational measures for its safeguarding are essential in such instances.
Integrity and confidentiality: This principle relates to the security and confidentiality of personal data stored by data controllers and requires that personal data be processed only in a manner which:
- ensures appropriate levels of security, confidentiality, availability and integrity; and
- protects against:
  - unauthorised or unlawful processing; and
  - accidental loss, destruction or damage.
Principle 6 of Article 5 and Articles 24 and 32 of the GDPR oblige data controllers to ensure that their security measures adequately protect against such harms. These should be a combination of both technical and organisational measures.
Accountability: The overarching principle of accountability is a guiding and fundamental principle of the GDPR. It sets out that data controllers are responsible for and must be able to demonstrate compliance with the above principles of data protection.
Incorporating the principles of data protection by design and by default is one way in which a data controller can facilitate demonstrating compliance (being accountable). The principle of data protection by design means embedding data protection features and privacy-enhancing technologies directly into the design of projects at an early stage. Data protection by default, on the other hand, means that user settings must be automatically set to the most privacy-centric or data protection-friendly options available where possible.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
There are various other requirements and considerations when processing personal data, including the following:
- documentation of internal processes and procedures for data protection-related matters, such as:
  - managing the rights requests of data subjects;
  - handling and managing security incidents and data breaches;
  - managing the retention of personal data; and
  - managing international data transfers;
- documentation of a data protection policy explaining how the organisation processes and secures personal data;
- regular reviews of and updates to privacy notices;
- regular monitoring of and updates to records of processing activities;
- provision of training and awareness to all employees in an organisation and, where necessary, targeted training; and
- third-party risk management and regular reviews of external data sharing.
Along with this non-exhaustive list, data protection impact assessments (DPIAs) should be a key process in all organisations to identify, understand and mitigate risk arising from inherently high-risk processing activities. The Data Protection Commission has a list of high-risk processing activities, for which DPIAs must be conducted.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
When transferring data to third parties, there are a number of things to consider. Within the European Union, transfers to third parties are subject to certain safeguards. For example, when a data controller transfers personal data to a data processor, Article 28(1) of the General Data Protection Regulation (GDPR) outlines that the controller "shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject".
In other words, a data controller is obliged to satisfy itself that its selected processor can provide such guarantees in relation to the safeguarding and security of personal data. Usually, respective obligations between the parties are set out in the form of a data processing agreement or data protection clause (within a main agreement) which should outline:
- the subject matter, duration, nature and purpose of the processing;
- the categories of data subjects concerned; and
- the types of personal data to be processed.
The contract:
- sets out the responsibilities of the controller and processor; and
- should aim to cover all requirements laid out in Articles 28 and 32–36.
Often, and in accordance with Article 28(3)(h), a data controller can audit its data processor to ensure that the agreed measures for the safeguarding and security of personal data to be processed are being implemented in practice.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Requirements and restrictions on the transfer of personal data abroad vary depending on the destination.
Conditions for transfers: Transfers by a transferring data controller or data processor (‘data exporter') are permitted only where the conditions set out in Article 44 of the GDPR (Chapter V) are met, as follows.
The European Commission has deemed the country of destination as adequate: An ‘adequacy decision' is a formal decision made by the European Commission which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as is afforded within the European Union.
Article 45(2) sets out what considerations the European Commission makes when assessing adequacy.
Currently, adequacy decisions have been issued in relation to the following countries or territories:
- Andorra;
- Argentina;
- Canada (with some exceptions);
- Switzerland;
- Faroe Islands;
- Guernsey;
- Israel;
- Isle of Man;
- Japan;
- Jersey;
- South Korea;
- the United Kingdom;
- Uruguay; and
- New Zealand.
The transfer is subject to appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects are available: Appropriate safeguards pursuant to Article 46 include:
- a legally binding and enforceable instrument between public authorities or bodies; this could include an international agreement to share data between an EU-based public authority and one in a third country, for example a treaty;
- binding corporate rules, which apply to intra-group transfers within an organisation;
- standard data protection clauses adopted by the Commission;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission;
- an approved code of conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including data subjects' rights; or
- an approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including data subjects' rights.
Derogations: The GDPR also lists, under Article 49, specific derogations which permit transfers to third countries where:
- explicit and informed consent is obtained from the data subjects concerned;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary to protect the vital interests of the data subjects (in the absence of consent); or
- the transfer is made from a register which, according to EU or member state law, is intended to provide information to the public, subject to certain conditions.
Where no other mechanism is applicable to a data transfer, there is one further, although very limited, derogation available: where the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Where a controller intends to rely on the legitimate interest derogation, it must notify:
- the Data Protection Commission; and
- the data subjects concerned.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Schrems II: Since the judgement in Schrems II in 2020, data exporters must focus on two important requirements for cross-border transfers of personal data which are reliant on standard contractual clauses:
- appropriate and/or supplementary safeguards; and
- data subjects having enforceable rights and effective legal remedies available.
European Data Protection Board (EDPB) six-step process: In 2021, the EDPB published a guidance document on measures to supplement transfer tools to ensure compliance with EU levels of protection of personal data in relation to data transfers. Within this guidance document, the EDPB provides data exporters with six steps to follow when assessing and conducting transfers of personal data to a third country.
- Step 1: Know your transfers.
- Step 2: Identify the transfer tools to be relied on.
- Step 3: Assess whether the Article 46 transfer tool is effective in light of the circumstances of the transfer.
- Step 4: Adopt supplementary measures.
- Step 5: Take procedural steps if effective supplementary measures have been identified.
- Step 6: Re-evaluate at appropriate intervals.
Section 37 of the Data Protection Act 2018: Section 37 provides that the minister for justice and equality has the power, in the absence of an adequacy decision, to make regulations restricting the transfer of categories of personal data to a third country or an international organisation for important reasons of public policy.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Various data subject rights are set out in Chapter 3 of the General Data Protection Regulation (GDPR).
Article 12 sets out certain obligations on:
- the way in which controllers must respond to data subject rights; and
- the manner in which they must provide information.
Importantly, Article 12(1) states that the controller must take appropriate measures to provide the information required by the GDPR relating to the processing to the data subject in a "concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child".
Articles 13-22 of the GDPR set out a number of data subject rights.
- Under Articles 13 and 14, data subjects have a right to be provided with certain information where:
  - personal data is collected directly from the data subject (Article 13); and
  - personal data has not been obtained from the data subject (Article 14).
- Article 15 sets out the right of the data subject to access personal data concerning him or her. This is one of the most commonly exercised data subject rights and often enables the data subject to determine:
  - how personal data about him or her is being handled; and
  - whether it is being processed lawfully.
- Article 16 sets out the right to rectification.
- Article 17 sets out the right to erasure (also known as the right to be forgotten).
- Article 18 sets out the right to restriction of processing.
- Article 20 sets out the right to data portability.
- Article 21 sets out the right to object.
- Article 22 sets out the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.
Article 34 requires a controller to communicate a personal data breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
Certain exemptions apply to the exercise of data subject rights. Article 23 sets out restrictions on rights, stating that EU or national law "may restrict by way of a legislative measure" the scope of the obligations and rights set out in Articles 12-22 and 34, as long as such a restriction:
- respects the essence of the fundamental rights and freedoms; and
- is a necessary and proportionate measure in a democratic society to safeguard one of the objectives listed in Article 23.1(a)-(j), including:
  - national security;
  - defence; and
  - public security.
Article 23.2 sets out the requirements that such a national legislative measure must contain, including in relation to:
- the purpose of the processing;
- the categories of personal data;
- the scope of restrictions introduced;
- safeguards;
- specification of the controller or categories of controller;
- storage periods and applicable safeguards;
- the risks to the rights and freedoms of data subjects; and
- the right of data subjects to be informed about the restriction unless that may be prejudicial to the purposes of the restriction.
Certain provisions of the Data Protection Act 2018 set out specific restrictions at Sections 59, 60 and 61. Section 60(3) sets out the circumstances in which the rights and obligations in Articles 12-22 and 34 of the GDPR (and Article 5, insofar as its provisions correspond to those rights and obligations) may be restricted, stating that they are restricted to the extent necessary and proportionate for the purposes listed in Section 60.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Data subjects can seek to exercise their rights by contacting the controller. Article 12.3 states that the controller must provide information on action taken on a rights request:
- without undue delay; and
- within one month of receipt of a request.
In certain circumstances, this timeframe can be extended by a further two months.
7.3 What remedies are available to data subjects in case of breach of their rights?
Article 82 of the GDPR sets out the right to compensation and liability. Significantly, Article 82.1 states that any person who has suffered "material or non-material damage" as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. Recital 146 makes it clear that a controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. Recital 146 further states that:
where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured.
On 4 May 2023, in UI v Österreichische Post AG (Case C-300/21), the Court of Justice of the European Union set out the conditions for the right to compensation and how member states may determine its amount:
- A mere infringement of the GDPR is not sufficient to establish a right to compensation.
- In order to obtain compensation, there must have been:
  - processing of personal data that infringes the GDPR;
  - damage suffered by the data subject; and
  - a causal link between that unlawful processing and that damage.
- Each member state can prescribe the criteria for determining the extent of compensation payable, provided that the principles of equivalence and effectiveness of EU law are complied with.
8 Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The appointment of a data protection officer (DPO) is mandatory under Article 37 of the General Data Protection Regulation (GDPR) in the following circumstances set out at Article 37.1:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or processor consist of processing on a large scale of:
  - special categories of data pursuant to Article 9; or
  - personal data relating to criminal convictions and offences referred to in Article 10.
A failure to appoint a DPO where this is required constitutes an infringement of the GDPR and may result in the exercise of a corrective power against the controller or processor under Article 58, including an administrative fine under Article 83.4.
8.2 What qualifications or other criteria must the data protection officer meet?
Article 37.5 states that a DPO must be designated on the basis of "professional qualities and in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39". Article 37.6 states that a DPO may:
- be a staff member of the controller or processor; or
- fulfil the role on the basis of a service contract.
8.3 What are the key responsibilities of the data protection officer?
Article 39 sets out the tasks of the DPO as follows:
- to inform and advise the controller or processor, and employees who carry out data processing, of their obligations under the GDPR and other EU or national laws;
- to monitor compliance with the GDPR and other EU or national laws, and with policies of the controller or processor in relation to the protection of personal data, including:
  - the assignment of responsibilities;
  - awareness raising;
  - training of staff involved in processing operations; and
  - related audits;
- to provide advice where requested as regards data protection impact assessments and monitor performance according to Article 35;
- to cooperate with the supervisory authority; and
- to act as a contact point for the supervisory authority on issues relating to the processing, including prior consultation referred to at Article 36; and to consult where appropriate with regard to any other matter.
Article 39.2 states that in performing his or her tasks, the DPO must have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Yes; in Ireland, the role of the DPO can be, and frequently is, outsourced. An external DPO should be:
- possessed of the expertise and knowledge to fulfil the obligations set out in Article 39; and
- provided by the controller or processor on whose behalf it is engaged with the necessary resources to carry out its duties in an independent manner.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Article 30 of the GDPR requires controllers (and, under Article 30.2, processors) to maintain a record of processing activities (ROPA). The contents of a controller's ROPA are set out in Articles 30.1(a)-(g) of the GDPR and include:
- the name and contact details of the controller and, where applicable, any joint controller, the controller's representative and the DPO;
- the purposes of the processing;
- the categories of data subjects;
- the categories of personal data;
- the categories of recipients to which data will be disclosed;
- where applicable, transfers of personal data to third countries or international organisations, including documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data; and
- a general description of technical and organisational security measures referred to in Article 32(1) of the GDPR.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Article 8 of the GDPR sets out conditions for a child's consent in relation to information society services, stating that:
- the age of consent for a child is 16;
- where a child is below 16, consent under Article 6(1)(a) will be lawful only where it is given by the ‘holder of parental responsibility'; and
- individual member states may provide by law for a lower age of consent, provided that this is not below 13. Ireland has not done so: Section 31 of the Data Protection Act 2018 sets the digital age of consent at 16.
Ireland's Data Protection Commission published the Fundamentals for a Child Oriented Approach to Data Processing in 2021, providing guidelines and best practice around the processing of children's personal data. Another useful publication setting out best practice with regard to the processing of children's personal data is the Age Appropriate Design Code for online services processing children's data, produced by the UK Information Commissioner's Office. The focus of the code is on the necessary privacy-by-design features that must be engineered from the outset in services used by children.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Under Article 24 of the GDPR, the controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the General Data Protection Regulation (GDPR), taking account of:
- the nature, scope, context and purposes of the processing; and
- the risks to the rights and freedoms of natural persons.
Article 32 of the GDPR imposes obligations regarding security of processing on controllers and processors, which must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, having regard to:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of the processing; and
- the risks to the rights and freedoms of natural persons.
Certain security measures are laid out in Articles 32.1(a)-(d) of the GDPR as follows:
- pseudonymisation and encryption;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
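As an added illustration of the Article 32.1(a) measure, and not code from the source or from any regulator's guidance, the following Python pseudonymises a small constructed dataset with a keyed HMAC and keeps the re-identification table separate from the working data, which is what the Article 4(5) definition of pseudonymisation requires. The records, addresses and key are constructed assumptions. It also shows why the Article 34.3(a) exemption turns on what was actually compromised: if only the working dataset leaks, the key and the separately held table still protect the identifiers; if the key leaks with it, they do not.

```python
import hashlib
import hmac

# Constructed sample records (fictional people, example.ie addresses); the email
# address is the direct identifier we want out of the working dataset.
RECORDS = [
    {"email": "a.murphy@example.ie", "county": "Dublin", "orders": 3},
    {"email": "b.kelly@example.ie", "county": "Cork", "orders": 1},
    {"email": "A.Murphy@example.ie", "county": "Dublin", "orders": 2},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym for an identifier with HMAC-SHA256.

    A plain hash is not enough: email addresses are enumerable, so anyone holding a
    candidate address could recompute its hash and confirm a match. With a secret key,
    the pseudonym can only be recomputed (or confirmed) by whoever holds the key.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def split_dataset(records, key: bytes):
    """Return (working dataset, re-identification table).

    The working dataset carries only pseudonyms. The table mapping pseudonyms back to
    identifiers is the 'additional information' of Article 4(5): store it, and the
    key, separately from the working data under their own access controls.
    """
    working = []
    lookup = {}
    for record in records:
        pseudonym = pseudonymise(record["email"], key)
        lookup[pseudonym] = record["email"].strip().lower()
        working.append(
            {"subject": pseudonym, **{k: v for k, v in record.items() if k != "email"}}
        )
    return working, lookup


def reidentify(working_record, lookup):
    """Only possible for whoever holds the separately stored table."""
    return lookup[working_record["subject"]]


def orders_per_subject(working):
    """Analytics on the pseudonymised data can still link records of one person."""
    totals = {}
    for record in working:
        totals[record["subject"]] = totals.get(record["subject"], 0) + record["orders"]
    return totals


if __name__ == "__main__":
    key = bytes(range(32))  # constructed key; in practice draw it from a KMS or secrets.token_bytes(32)
    working, lookup = split_dataset(RECORDS, key)
    for row in working:
        print(row)
    print(orders_per_subject(working))
    print(reidentify(working[1], lookup))
```

The normalisation step matters: without it, `a.murphy@` and `A.Murphy@` would receive different pseudonyms and the two orders would never be linked, which defeats the point of keeping a stable pseudonym rather than simply deleting the identifier.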
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Under Article 33 of the GDPR, a controller must notify a personal data breach to the regulator without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a processor that becomes aware of a breach must notify the controller without undue delay (Article 33.2). Article 33.3 sets out the content of the notification: the nature of the breach (including, where possible, the categories and approximate numbers of data subjects and records concerned), the contact details of the DPO or another contact point, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. In Ireland, the Data Protection Commission provides a specific online form that a controller must complete to notify the regulator of a personal data breach (where required to do so).
Voluntary notification of a data breach (to the regulator) may be considered appropriate if the controller is not reasonably able to reach a determination on the likely consequences of the breach (ie, whether there would be a risk to the rights and freedoms of natural persons).
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Article 34 of the GDPR sets out the circumstances in which a personal data breach must be communicated to the data subject – if the breach is likely to result in a high risk to the rights and freedoms of natural persons, it must be communicated to the affected person. Article 34.2 of the GDPR sets out the information that must be contained in such a communication – namely that the communication should:
- "describe in clear and plain language the nature of the personal data breach"; and
- contain the information set out in Articles 33.3 (b)-(d).
Communication of a breach to data subjects is not required if any one of the conditions in Articles 34.3(a)-(c) is met, as follows:
- The controller had implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the data unintelligible to anyone not authorised to access it, such as encryption;
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
- Communication would involve disproportionate effort.
In the last case, there must instead be a public communication or similar measure whereby affected data subjects are informed in an equally effective manner.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
It is considered best practice to immediately take steps to remediate the data breach and protect the personal data affected to ensure that no further damage is caused. For example, in the case of an email being delivered to the wrong recipient(s), the recipient(s) should be contacted immediately and asked to delete the email (and any attachments). Whether or not notification is required, Article 33.5 of the GDPR obliges the controller to document every personal data breach, including the facts relating to it, its effects and the remedial action taken, so that the regulator can verify compliance.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
The general rules on processing of personal data apply to the personal data of employees.
In addition, Article 88 of the General Data Protection Regulation (GDPR) provides for processing in the context of employment. This article permits member states to adopt laws, collective agreements or rules for the protection of the rights and freedoms in respect of the processing of personal data of employees within the employment context.
In 2023, Ireland's Data Protection Commission (DPC) published a Guidance Note on Data Protection in the Workplace. A number of important statements are contained in that guidance note, as follows:
- It is vital to have appropriate policies and procedures in place governing the processing of the personal data of employees (including former employees).
- It is unlikely that the content of a work email will constitute personal data, but in case of a data subject access request emails should be examined to check whether they could be personal data.
- Work email addresses may or may not constitute personal data; it depends on:
  - how identifiable a person is from the address; or
  - whether the address is very generic.
- The DPC, in one case study, was satisfied that a job description and Outlook calendar did not fall within the definition of personal data in Article 4(1) of the GDPR.
- One example of how an employer could demonstrate transparency in the workplace is through an easily accessible HR self-service system that allows an employee to see what data an employer holds on him or her and how it is used (eg, address, salary details, employment status, health status).
- Employers must have a lawful basis to process personal data under Article 6 of the GDPR. In addition, if an employer processes special category data such as health data (eg, medical certificates or occupational health reports), it will also need to satisfy one of the exceptions for processing such data under Article 9 of the GDPR.
- With regard to employee monitoring, in one case study in which an employer used access details to a carpark to determine employee attendance at work, the DPC deemed that such processing constituted incompatible further processing, as the employees had not been informed that such data would be used to verify their time and attendance.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
The DPC accepts that organisations have a legitimate interest in protecting their business, reputation, resources and equipment. To this end, organisations may decide to monitor their staff's use of the internet, email and telephone. However, the following activities constitute the processing of personal data and, as such, data protection law applies:
- the collection, use or storage of information about workers;
- the monitoring of their internet access or email; and
- their surveillance by video cameras (which process images).
In addition, individuals have a right to private life at work, according to the European Court of Human Rights' decision in Barbulescu v Romania (Application 61496/08), which highlights the necessity for appropriate care in monitoring employees and setting clear policies. Such practices and policies should reflect an appropriate balance between:
- the legitimate interests of the employer; and
- the data protection rights and right to private life of the employees.
Appropriate safeguards should be in place, particularly if the monitoring is intrusive. The ECtHR in Barbulescu v Romania held that such safeguards should ensure "that the employer cannot access the actual content of the communications concerned unless the employee has been notified in advance of that eventuality".
In relation to software, keystroke logging or ‘tattleware', and covert surveillance in the workplace, the DPC has stated that:
monitoring software is extremely intrusive and that any attempt to use it must be objectively and demonstrably justified and proportionate. In light of the highly intrusive nature of such monitoring applications, in the ordinary course of an individual's employment, employers should implement other less intrusive means by which to monitor employee attendance and productivity.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
In the employment context, certain legal bases such as consent to processing under Article 6(1)(a) of the GDPR may not be an appropriate legal basis to rely on in the case of an employer-employee relationship, as the ‘free' element of validly constituted consent under the definition at Article 4(11) of the GDPR may not be satisfied due to the imbalance of power.
In its Guidance Note on Data Protection in the Workplace, the DPC states that:
where an employer attempts to rely on consent to process employee personal data, the employee must be given an option to withdraw their consent at any time. Employers need to ensure they can facilitate this withdrawal of consent and make that process easy for employees.
In relation to reliance on contractual necessity under Article 6(1)(b) of the GDPR, the DPC has confirmed that this is a common lawful basis for employers to rely upon, given that a contractual relationship usually exists between an employer and employee. Employers should note that the processing of personal data must be "necessary for the performance" of the employment contract; otherwise, they may need to consider reliance on another legal basis.
Where an employer is obliged to comply with EU or national law, compliance with a legal obligation may be an appropriate legal basis to rely upon. However:
- the requirement to assess the necessity of the processing still applies; and
- the law must be clear and precise, ensuring that its application to a data subject is foreseeable.
11 Online issues
11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?
Regulation 5(4) of the ePrivacy Regulations, which transposed the ePrivacy Directive into Irish law, requires organisations to obtain user consent in order to utilise cookies (or similar technologies) on websites. The definition of 'consent' is taken from the General Data Protection Regulation (GDPR); consent must involve a "clear, affirmative act, freely given, specific, informed, and unambiguous". Consent is not required for cookies whose sole purpose is carrying out the transmission of a communication over a network, or which are strictly necessary to provide an information society service explicitly requested by the user (Regulation 5(5)).
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Organisations that avail of cloud computing services are obliged under the GDPR's security principle to ensure there is adequate security for the personal data they intend to process. Article 28(1) of the GDPR states that only processors providing sufficient guarantees to implement appropriate technical and organisational measures may be engaged by a controller. Furthermore, Article 32 of the GDPR requires that controllers and processors implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A controller must therefore be satisfied that personal data will be secure if it is outsourced to a cloud provider.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
Marketing and advertising in the online context, in Ireland and the European Union, has come under scrutiny in recent years. In the direct marketing sphere, it is important for controllers not to automatically opt in users to direct marketing; and even where users themselves opt in, they must be provided with a valid ‘unsubscribe' option.
Regarding targeted or personalised advertising, in January 2023 Meta was fined €390 million by the Irish Data Protection Commission (DPC) for infringements of the GDPR relating to targeted advertising. The DPC said that this reflected binding decisions by the European Data Protection Board finding that Meta had:
- breached its transparency obligations by not clearly explaining to users the legal basis on which it processed their personal data; and
- wrongly relied on 'contract' (Article 6(1)(b)) as the legal basis for processing personal data for behavioural advertising, which that basis could not support.
As with direct marketing, targeted advertising should have a clear yes/no consent basis under the GDPR, with the option to opt out. Large tech and social media companies can be seen to have altered their practices by introducing what has been described as a ‘pay or okay' model for receiving targeted ads – meaning that users can either:
- pay to ensure that their personal data is not processed for the purposes of targeted advertising; or
- avail of free services (which include targeted advertising).
12 Disputes
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
In Ireland, data privacy complaints can be made directly to the Data Protection Commission (DPC). Simultaneously, data subjects have a right to seek compensation before the courts for alleged infringements of the General Data Protection Regulation (GDPR) or the Data Protection Act 2018.
12.2 What issues do such disputes typically involve? How are they typically resolved?
One of the most common data privacy issues complained about is that data subjects are dissatisfied with the responses to data subject access requests (DSARs) provided to them by controllers – in other words, where DSARs are not complied with. Other disputes and issues before the DPC and the courts span all obligations and rights under the GDPR and the Data Protection Act 2018, such as:
- other data subject rights (eg, the right to be forgotten);
- lawful bases for processing; and
- alleged infringements of transparency requirements.
Where a complaint is made to the DPC, staff will attempt to amicably resolve the matter by liaising with the data subject and controller to try to reach a mutually satisfactory solution. If this is not achieved, the matter may be opened as an inquiry and formal submissions will be sought from each party and a decision will be reached.
In disputes involving cross-border processing (eg, those relating to the large tech companies based in Dublin), at the end of an inquiry:
- the decision must be assessed by the European Data Protection Board; and
- other member state supervisory authorities will have an opportunity to comment on the decision before it is finalised.
If agreement cannot be reached between the supervisory authorities, the GDPR provides a dispute resolution mechanism under which the European Data Protection Board adopts a binding decision (Article 65).
12.3 Have there been any recent cases of note?
One recent high-profile decision of the DPC was a decision against TikTok which the DPC issued in September 2023, fining the video sharing platform €345 million in relation to its handling of children's personal data. Specifically, it found infringements of the GDPR in relation to:
- certain platform settings, including:
  - public-by-default settings; and
  - the settings associated with the 'Family Pairing' feature; and
- its mechanism for age verification.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Any horizon-scanning exercise, relating to any jurisdiction around the globe, must start with the anticipation of further developments and the mass rollout of artificial intelligence (AI) technology, which will have a major overlap with data privacy. Privacy professionals will be well placed to advise on governance and risk relating to AI. The EU AI Act has been passed and sets out categories of risk of AI systems and obligations on entities utilising AI to address those risks.
In light of the vast technological advances of the last 20-25 years, national and European legislators have been scrambling to come up with legislation to tackle harmful, illegal content as well as dis/misinformation. The Digital Services Act (DSA) contains several new rules on intermediary services and obliges many online service providers to tackle online harm and illegal content. The EU Audiovisual and Media Services Directive (AVMSD) also contains provisions protecting users from harm online. In Ireland:
- the AVMSD has been implemented (with regard to its online safety provisions) by the Online Safety and Media Regulation Act 2022; and
- an agency, Coimisiún na Meán (Media Commission), has been established to oversee issues arising therefrom.
Finally, we expect more activity relating to entities certifying under the EU-US Data Privacy Framework in order to transfer personal data between the European Union and the United States. The European Commission adopted its adequacy decision for the EU-US Data Privacy Framework in July 2023, allowing personal data to flow from the European Economic Area to US organisations certified under the framework without the need for a further transfer tool.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
We would urge any entity that processes personal data to get the basic principles right from the outset, thereby saving itself massive headaches (or at worst regulatory investigations) down the line.
It is important to ensure that you know:
- whether you are acting as a controller or processor;
- what your lawful basis for processing is; and
- whether you are complying with the foundational principles of data protection as set down in Article 5 of the General Data Protection Regulation.
In addition, we advise organisations to ensure that policies and procedures are in place to demonstrate compliance – that is, to show accountability which is an often-overlooked principle of data protection. Clear and comprehensive records of processing activities can go a long way towards ensuring that organisations are:
- accounting for all the personal data they process; and
- handling it lawfully.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.