See also Data Protection (NI)

Data Protection Legislation

The EU adopted a new set of data protection rules - the General Data Protection Regulation (GDPR)  - which introduced substantial changes to European data protection law, along with severe financial penalties for non-compliance. GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). 

The Data Protection Act 2018 (RoI) was signed into law on 24 May 2018, and some of the provisions came into effect on 25 May 2018, to coincide with the coming into force of the GDPR.

From May 25th, 2018 the key legislative frameworks in the Republic of Ireland are: 

The Data Protection Commission (DPC) is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.

Data Protection Glossary

Personal data 

is information that relates to, or can identify you, either by itself or together with other available information. Personal data can include:

Data subject

Under data protection law, if a person, organisation or company is holding or using your personal data, you are known as a data subject.

Data controller

A data controller is responsible for the keeping and use of personal information on computer or in structured manual files about living persons. Data controllers can be either individuals or "legal persons" such as companies, Government Departments and voluntary organisations. In practice, to find out who controls the contents and use of personal information stored, consider: 

If an entity controls and is responsible for the personal data which it holds, then it is a data controller. If, on the other hand, it holds the personal data, but some other entity decides and is responsible for what happens to the data, then that other entity is the data controller, and the holding entity is a "data processor".  In case of doubt, consult a legal adviser or seek the advice of the Data Protection Commissioner.

Being a data controller carries with it serious legal responsibilities. All data controllers must comply with certain important rules about how they collect and use personal information. Some data controllers must register annually with the Data Protection Commissioner, in order to make transparent their data handling practices.

Data processor

The data controller can allow another person, organisation or company, known as a data processor, to process personal data on its behalf. Doing anything with personal data, including storing it, is known as processing. Examples of data processors include payroll companies, accountants and market research companies, all of which hold or process personal information on behalf of someone else. "Cloud" providers are also generally Data Processors.

It is possible for one entity to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.

A data processor is distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a "data processor". However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts) would be a data processor. A subsidiary company owned by a data controller to process personal data on its behalf (for example to manage the payroll) is a distinct legal person and is a data processor.

Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. They must only process personal data on the instructions of the Data Controller. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss.

Age of consent

The GDPR  requires members states to set a digital age of consent. The digital age of consent is the minimum age a user must be before a social media and internet companies can collect, process and store their data. The E.U. has set the age of consent to sixteen by default and member states are given the option of adopting a lower age, but it may be no lower than thirteen years. In Ireland, the Digital Age of Consent was set at 16 in the Data Protection Act 2018.

Data Protection Officer  (see Appendix III, Article 256)

Under the GDPR, certain organisations are required to appoint a designated Data Protection Officer (DPO). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority. An organisation is required to appoint a designated data protection officer (Article 37) where  ... inter alia ... the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or personal data relating to criminal convictions and offences

The NBSCCCI Guidance in Appendix B (see Article 256) recommends that a Church Authority appoint a DPO.

The Article 29 Data Protection Working Party (WP29) – an advisory group made up of a representative from the Data Protection authority of each EU Member State, the European Data Protection Supervisor and the EU Commission – have published guidance on the interpretation of the words "core activities" and "large scale". Thus, a bank or insurance company processing customer data in the regular course of their business should be considered large scale but the processing of patient data by a single GP should not.

The processing of personal data is not in any sense a "core activity" of the NWE Region of the Prelature, in Ireland or elsewhere. Unlike, for example, a diocese, the instances in which Article 9 categories of data have to be processed are few and far between. Accordingly, the Prelature in Ireland does not require the formal appointment of a DPO. The Safeguarding Coordinator will supervise the compliance of the Prelature with the requirements of GDPR in its activities.

General data protection principles

Data protection

Data subjects are entitled to have their personal information:

Lawful reason

A Data Controller can only use or keep personal data where there is a lawful reason. The GDPR sets out six lawful reasons in Article 6:

Data controllers must provide information

Data subjects must be given enough information in simple and clear language to know what an organisation is going to do with their personal data. This is often found in privacy policies on websites or in forms which data subjects can read or sign in person. For instance, data subjects should be told:

Personal data rights

The organisation should also tell data subjects about their rights, including their right to:

In general, only personal data necessary for those stated purposes for which it is collected should be collected and processed. Personal data should only be kept for as long as is necessary for the purpose for which it was collected.

While it is being stored or processed, personal data must be kept safe, and policies and procedures must be in place to make sure that there is no unauthorised access.

Special categories of data and limits on processing

Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:

Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR. Paragraph 2 (d) allows that when ‘ processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects’, then this data can be processed. 

Some types of processing fall outside the GDPR, such as processing by An Garda Síochána in the context of criminal investigations and prosecutions and the processing of passenger name records to prevent terrorist activities.

Where the GDPR applies

The GDPR applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not. 

The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour.

Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU.

Application to Safeguarding Practice

Excerpts from NBSCCCI GAP Paper 7

Article 5 of GDPR requires consideration of the following principles prior to making a decision to share information: 

Article 6 of GDPR requires that: 

There should be a procedure for a data subject requesting access to their personal records. Children and adults have the same rights over their personal data.  These include the rights to access their personal data; request rectification; object to processing; and have their personal data erased. 

Excerpts from a general briefing on GDPR published (2018) by A&L Goodbody, Solicitors. 

CHILD for the purposes of the GDPR

The Act provides that references to “child” in the GDPR shall be taken to refer to a person under 18 years of age.


The Act provides that 16 years is the minimum age at which a child may consent to the processing of their personal data by information society service providers. The consent of the child’s parent of guardian will be required by information society service providers for children under that age.


The Act provides that it will be an offence, punishable by an administrative fine, for a company to process the personal data of a child under 18 years of age for the purposes of direct marketing, profiling or micro-targeting.


The Act requires the DPC to encourage associations and other bodies representing categories of controllers or processors to draw up of codes of practice to contribute to the proper application of the GDPR with regard to the protection of children, the manner in which the consent of holders of parental responsibility over a child is to be obtained by information society services providers, and with regard to the processing of children’s data for direct marketing and profiling purposes.


The Act provides a specific right to erasure for children of personal data collected in relation to the offer of information society services.


The Act allows the Minister, in consultation with the DPC, to extend the categories of controllers and processors that are required to designate a data protection officer, as permitted by Article 34(7) of the GDPR (section 34).


The GDPR requires Member States to reconcile an individual’s right to data protection with the right to freedom of expression and information (including processing for journalistic purposes, or for the purposes of academic, artistic or literary expression). The Act provides that processing carried out for the purpose of exercising the right to freedom of expression and information shall be exempt from specified provisions of the GDPR, insofar as compliance with those provisions would be incompatible with such purposes. The Act provides that the right to freedom of expression shall be interpreted in a broad manner (section 43).


The Act requires certain processing activities to be subject to the implementation of “suitable and specific measures” to safeguard the fundamental rights and freedoms of data subjects. Section 36 of the Act contains a “toolbox” of measures for application in such cases (e.g. strict time limits for erasure of personal data or specific targeting training for those involved in processing operations).


The Act gives effect to Article 10 of the GDPR, which permits personal data relating to criminal convictions and offences to be processed under the control of official authority or for specified purposes under national law. The Act provides examples of processing under official authority (e.g. for the administration of justice) and specifies five purposes where processing is permitted under the Act, including: 

This provision is without prejudice to the provisions of the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (section 55).


Article 23 of the GDPR permits Member States to restrict the exercise of individuals’ rights and controllers’ obligations in certain circumstances, for the purpose of safeguarding important objectives of general public interest. Section 60 of the Act provides that individuals’ rights and controllers’ obligations are restricted to the extent necessary and proportionate, inter alia, to protect personal data relating to a data subject which consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential.


The Act contains twenty-five sections dealing with the DPC’s enforcement and investigation powers (Part 6, Chapters 2, 4 & 5), along with additional provisions dealing with administrative fines and criminal offences (Part 6, Chapters 6 & 7). These lengthy provisions reflect the fact that the DPC now wields a powerful array of corrective powers.


The Act grants the DPC more discretion in regard to handling complaints from data subjects, or not-for-profit bodies acting on their behalf (Chapter 2). The Act requires the DPC to examine all complaints and to take such action as it considers appropriate, having regard to the nature and circumstances of the complaint. The DPC can only refuse to act on a complaint when it is manifestly unfounded or excessive, in particular because of its repetitive character which shall apply only in the narrowest of circumstances (Article 57(4) GDPR).


If the DPC considers there is a “reasonable likelihood” of the parties reaching an amicable resolution of the complaint, the DPC may arrange or facilitate such a resolution. Once a resolution has been reached, the complaint will be deemed to have been withdrawn by the complainant, and no formal statutory decision will be required.


Where the DPC considers than an amicable resolution cannot be reached in the case of a domestic complaint, it must take one or more of the actions (section 109):


The DPC may conduct an inquiry into a suspected infringement arising out of a complaint, or an inquiry of the DPC’s own volition (there is no requirement to establish a probable cause). In conducting its inquiry, the DPC may exercise any of its powers under Part 6, Chapter 4 (other than the power to require an expert report pursuant to section 135) and/or carry out an investigation under Chapter 5 (section 110).


The Act permits a mandated not-for-profit body to bring a representative action on behalf of a data subject seeking injunctive relief or compensation for material or non-material damage suffered as a result of an infringement of data protection law (section 117). It remains to be seen whether this means not-for-profit bodies will be able to take class actions on behalf of multiple data subjects for breaches of the GDPR, as such actions are not currently permitted under Irish law. The Act does not address how the rules in relation to legal costs will apply to actions taken by not-for-profit bodies. Guidance will be needed on whether a court can award costs against a data subject as well as the not-for-profit body in the event of an unsuccessful civil claim.


The Act sets out a number of criminal offences, including:


The Act requires the DPC to publish particulars of convictions, and any exercise of its powers to impose fines or order the suspension of non-EEA transfers, or court orders suspending, restricting or prohibiting data processing operations. It is a matter for the DPC to decide whether to publish particulars of the exercise of its other corrective powers.