Data Protection Commissioner

Powers of the Data Protection Commissioner

The Data Protection Commissioner is responsible for ensuring that people's rights are respected, and that the persons who keep personal information on computer or in manual format meet their responsibilities. To assist the Commissioner in exercising these functions, he or she is assigned certain important powers under the Data Protection Acts, 1988 and 2003, and under the Electronic Communications Regulations, S.I. 336 of 2011.

Investigations by the Data Protection Commissioner

Under section 10 of the Data Protection Acts, 1988 and 2003, the Commissioner must investigate any complaints which he receives from individuals who feel that personal information about them is not being treated in accordance with the Act, unless he is of the opinion that such complaints are "frivolous or vexatious". With regard to complaints of breaches of the Data Protection Acts, the Commissioner is obliged to seek an amicable resolution of the complaint in the first instance. Where this cannot be achieved, he may make a Decision on the complaint. The Commissioner's Decision can be appealed to the Circuit Court.

The Commissioner may also launch investigations on his own initiative, where he is of the opinion that there might be a breach of the Act, or where he considers it appropriate in order to ensure compliance with the Acts.  In practice, the investigations to ensure compliance, usually, take the form of privacy audits.  The data controller,normally, gets advance notice and the aim of the privacy audit is to assist in improving data protection practices.  It is only in the event of serious breaches being discovered or failure of the data controller to implement recommendations that further sanctions would be considered.

The Commissioner's Power to Obtain Information

Under section 12 of the Data Protection Acts, 1988 and 2003, the Data Protection Commissioner may require any person to provide him with whatever information the Commissioner needs to carry out his functions, such as to pursue an investigation. The Commissioner exercises this power by providing a written notice, called an "information notice", to the person.

A person who receives an information notice has the right to appeal it to the Circuit Court.

Failure to comply with an information notice without reasonable excuse is an offence. Knowingly to provide false information, or information that is misleading in a material respect, in response to an information notice is an offence. No legal prohibition may stand in the way of compliance with an information notice. The only exceptions to compliance with an information notice are (i) where the information in question is or was, in the opinion of the Minister for Justice, Equality and Law Reform, or in the opinion of the Minister for Defence, kept for the purpose of safeguarding the security of the State, and (ii) where the information is privileged from disclosure in proceedings in any court.

Back to Menu

The Commissioner's Power to Enforce Compliance with the Act

Under section 10 of the Data Protection Acts, 1988 and 2003, the Data Protection Commissioner may require a data controller or data processor to take whatever steps the Commissioner considers appropriate to comply with the terms of the Data Protection Acts, 1988 and 2003. Such steps could include correcting the data, blocking the data from use for certain purposes,  supplementing the data with a statement which the Commissioner approves, or erasing the data altogether. The Commissioner exercises this power by providing a written notice, called an "enforcement notice", to the data controller or data processor. A person who receives an enforcement notice has the right to appeal it to the Circuit Court.

It is an offence to fail or refuse to comply with an enforcement notice without reasonable excuse.

The Commissioner's Power to Prohibit Overseas Transfer of Personal Data

Under section 11 of the Data Protection Acts, 1988 and 2003, the Data Protection Commissioner may prohibit the transfer of personal data from the State to a place outside the State. The Commissioner exercises this power by providing a written notice, called a "prohibition notice", to the data controller or data processor.

In considering whether to exercise this power, the Commissioner must have regard to the need to facilitate international transfers of information.

A prohibition notice may be absolute, or may prohibit the transfer of personal data until the person concerned takes certain steps to protect the interests of the individuals affected. A person who receives a prohibition notice has the right to appeal it to the Circuit Court.

It is an offence to fail or refuse to comply with a prohibition specified in a prohibition notice without reasonable excuse.

The Powers of "Authorised Officers" to Enter and Examine Premises

Under section 24 of the Data Protection Acts, 1988 and 2003 and under Regulation 19 of S.I. 336 of 2011,  the Data Protection Commissioner may appoint an "authorised officer" to enter and examine the premises of a data controller or data processor, to enable the Commissioner to carry out his functions, such as to pursue an investigation. The authorised officer has the power to:

  • enter the premises and inspect any data equipment there
  • require the data controller, data processor or staff to assist in obtaining access to data, and to provide any related information
  • inspect and copy any information
  • require the data controller, data processor or staff to provide information about procedures on complying with the Act, sources of data, purposes for which personal data are kept, persons to whom data are disclosed, and data equipment on the premises.

It is an offence to obstruct or impede an authorised officer; to fail to comply with any of the requirements set out above; or knowingly to give false or misleading information to an authorised officer.

Appeals to the Court

Disclaimer: If you are contemplating taking an appeal against a decision of the Commissioner, or against the exercise of the Commissioner's powers, it is recommended that you seek independent legal advice. Note that the material contained in this section is provided for general information purposes only, and does not purport to be legal advice or a definitive interpretation of the law.

Under section 26 of the Data Protection Acts, appeals can be made to the Circuit Court against:-

  • a requirement specified in an information notice
  • a requirement specified in an enforcement notice
  • a prohibition specified in a prohibition notice
  • a refusal by the Data Protection Commissioner to accept an application for registration, or for renewal of registration, or for an amendment of registration details
  • a decision of the Data Protection Commissioner in relation to a complaint by an individual.

Appeals to the court must normally be made within 21 days from the service of the notice, or from the data of receipt of the refusal or decision. The decision of the court is final, although an appeal against the court's decision may be brought to the High Court on a point of law.

Prosecution of offences under Data Protection Acts and under S.I. 336 of 2011.

Section 30 of the Data Protection Acts provides that the Commissioner may bring summary proceedings for an offence under the Acts.  The Commissioner also has the power to prosecute offences in relation to offences under S.I. 336 of 2011 (Electronic Communications Regulations).

Codes of Practice

The Commissioner can prepare and publish codes of practice for guidance in applying data protection law to particular areas.  Codes of good practice, whether drawn up by the Commissioner or by trade associations, may be put before the Oireachtas to have statutory effect. 

Back to Menu






» Permanent Link