Data Protection Commissioner

Offences and Penalties

Disclaimer: Note that the material contained in this section is provided for general information purposes only, and does not purport to be legal advice or a definitive interpretation of the law. If you require legal advice on these or related matters, it is recommended that you consult a legal adviser.

The Data Protection Acts and the Electronic Communications Regulations (SI 336 of 2011) set out the rules with which data controllers must comply. Breaches of these rules sometimes constitute offences which are punishable by fines. The offences are listed below:

Offences by data controllers who are required to register

Offences by any data controllers (not just those who are required to register)

Offences by employees or agents of registered data controllers

Offences by data processors who are required to register

Offences by any data processors (not just those who are required to register)

Offences by employees or agents of data processors

Offences by directors etc. of bodies corporate

Offences by any persons

Offences by Direct Marketers under S.I. 336 of 2011

Offences by electronic communications companies under SI 336 of 2011

Failure of a data controller or a data processor to register

Under Section 19(6) of the Data Protection Acts, it is an offence for a data controller who is required to be registered to keep personal data unless he is registered. It is also an offence for a data processor who is required to be registered to process personal data unless the data processor is registered. Accordingly, data controllers who continue to keep personal data, and data processors who process personal data, without meeting their requirement to register are liable to be prosecuted. However, if a data controller or data processor has a registration application pending with this office, then there is no offence.


Failure to comply with the particulars contained in the register entry

A registered data controller specifies, in his registration application, what types of personal data will be kept, for what purpose, to whom the personal data will be disclosed, and to what places outside the State the data will be transferred. A registered data controller who knowingly treats personal data in a way not covered by the particulars included in the register entry is guilty of an offence under section 19(6) of the Acts. The same rule applies to employees or agents of the data controller, other than data processors, who are subject to the same restrictions as the data controller in respect of the handling of the personal data. Data controllers, and their employees and agents, should therefore ensure that the particulars included in the register entry adequately describe the scope of the data controller's dealings with the personal data. If a data controller wishes to treat personal data in a way not covered by the register entry, then the data controller should amend the register entry accordingly.

Failure to notify the Data Protection Commissioner of your change of address

Under section 19(6) of the Data Protection Acts, it is an offence for a data controller or data processor, in respect of whom there is a register entry, to fail to notify the Commissioner of any change of address.

Provision of false or misleading information when applying for registration

It is an offence under section 20(2) of the Data Protection Acts to knowingly furnish the Commissioner with false or misleading information when applying for registration.

Failure to comply with an enforcement notice

Under Section 10(9) of the Data Protection Acts, it is an offence for any data controller or data processor, without reasonable excuse, to fail or refuse to comply with a requirement specified in an enforcement notice. There is a right of appeal against requirements specified in such notices.


Failure to comply with an information notice

Under Section 12(5) of the Data Protection Acts, it is an offence for any person, without reasonable excuse, to fail or refuse to comply with a requirement specified in an information notice. Knowingly to provide false information, or information that is misleading in a material respect, in response to an information notice is also an offence. There is a right of appeal against requirements specified in an information notice.

Failure to comply with a prohibition notice

Under Section 11(15) of the Data Protection Acts, it is an offence for any person, without reasonable excuse, to fail or refuse to comply with a prohibition specified in a prohibition notice. There is a right of appeal against requirements specified in such notices.

Unauthorised disclosure of personal data by a data processor

Under Section 21(2) of the Data Protection Acts, it is an offence for any data processor, or for any employee or agent of his, to knowingly disclose personal data without the prior authority of the data controller on whose behalf the data were processed.

Offences by directors, managers, officers etc. of bodies corporate

Bodies corporate, such as companies, statutory bodies, and formally-constituted voluntary bodies, are bound by the Data Protection Acts in the same way as individuals. Section 29 of the Act provides that directors, managers, secretaries or other officers of a body corporate which has committed an offence under the Act are also guilty of that offence, if it is proved to have been committed with their consent or connivance or to be attributable to any neglect on their part. If there is no officer of a body corporate who can be shown to bear personal responsibility for the offence, only the body corporate commits the offence. If there is, both the officer and the body corporate can be prosecuted.

This principle is extended to bodies corporate that are managed by their members. Any member who is personally responsible for the offence can similarly be prosecuted as if he were a director or manager of the body corporate concerned.


Disclosure of personal data which was obtained without authority

The Data Protection Acts deal with the threat to privacy posed by persons who are not data controllers or data processors (or their employees) and who, having obtained unauthorised access to personal information, then disclose it to others. Under section 22 of the Acts, such conduct is an offence. This unauthorised access can occur in various ways. In the case of electronic data the most obvious is "hacking", i.e. obtaining access from a point remote from the computer by electronic means. Unauthorised access can also occur by someone gaining access to a data controller's equipment when the staff are not present. Someone might steal, or take without authority, a diskette or tape or manual file on which data are recorded. Or someone (other than the data controller or his staff) could be in a position to read personal data being shown on the computer screen or to read a printout. But whichever way the unauthorised access takes place, it will be an offence if the person concerned, having gained access, proceeds to disclose to another person the information he or she has accessed.

Obstruction of, or failure to cooperate with, an "authorised officer"

Section 24 of the Data Protection Acts confers certain powers upon an "authorised officer", a person authorised by the Data Protection Commissioner to exercise powers of entry and inspection.


Section 24(6) of the Acts makes it an offence for any person to obstruct or impede an authorised officer in the exercise of a power; to fail to comply with any of the requirements to cooperate with the authorised officer; or knowingly to give false or misleading information to an authorised officer, in purported compliance with such requirements.

Sending unsolicited marketing messages to individuals by fax, SMS, e-mail or automated dialling machine

It is an offence under regulation 13(13) of S.I. 336 of 2011 to send an unsolicited marketing communication by SMS or e-mail to an individual who is not a customer, or an unsolicited marketing communication by fax or automated calling machine to any individual, unless the prior consent of the individual has been obtained.

Sending unsolicited marketing by fax, SMS, e-mail or automated dialling machine to a business if it has objected to the receipt of such messages

If a business has informed the sender that it does not consent to direct marketing messages, then it is an offence to send such messages by telephone, fax, automated calling machine, SMS or e-mail. It is also an offence to make an unsolicited telephone call for the purpose of direct marketing, or to send a direct marketing message by fax or automated dialling machine, if an objection to such communications is recorded in the National Directory Database for that line.

Marketing by telephone where the subscriber has objected to the receipt of such calls

It is an offence under regulation 13(13) of S.I. 336 of 2011 to make an unsolicited telephone call for the purpose of direct marketing if the sender is notified of an objection to such communications or an objection is recorded in the National Directory Database for that line.

Failing to identify the caller or sender or failing to provide a physical address or return e-mail address

When direct marketing telephone calls are being made or messages sent by e-mail, SMS, fax or automated dialling machine, the caller or sender must identify themselves and provide a telephone number, address or e-mail address at which they can be contacted. Failure to do so is an offence under regulation 13(13) of S.I. 336 of 2011.

Failing to give customers the possibility of objecting to future e-mail and SMS marketing messages with each message sent

Where direct marketing messages relating to the sender's own similar products are being sent to customers by e-mail or SMS, the sender must give, with each message sent, an easy-to-use and free-of-charge opportunity to object to future messages. This opportunity must also have been given when the contact details were initially collected from the customer, not more than twelve months prior to the sending of the direct marketing communication or, where applicable, where the contact details were used for the sending of electronic mail for direct marketing purposes within that twelve month period. Failure to comply is an offence under regulation 13(13) of S.I. 336 of 2011.

Concealing the identity of the sender on whose behalf the marketing communication was made

It is an offence under regulation 13(13) of S.I. 336 of 2011 for the sender of an e-mail or SMS for direct marketing purposes to disguise or conceal the identity of the sender, or to fail to provide a valid address to which the recipient can send a request that such communication shall cease.

Making marketing phone calls to mobile telephones without consent

Marketing calls to mobile telephones are prohibited unless (i) the caller has been notified by the subscriber or user concerned that he or she consents to the receipt of such calls on his or her mobile telephone, or (ii) the subscriber or user has consented generally to receiving marketing calls and that such consent to receive marketing calls is recorded in the National Directory Database in respect of his or her mobile telephone number. Failure to comply is an offence under regulation 13(13) of S.I. 336 of 2011.

Sending SMS information messages with "tagged on" marketing content

A non-marketing SMS message (e.g. an SMS information message) may not have marketing content "tagged on" unless the subscriber or user concerned has given prior consent to the receipt of an SMS communication containing such "tagged on" marketing content. Failure to comply is an offence under regulation 13(13) of S.I. 336 of 2011.

Failure to take appropriate technical and organisational measures to safeguard the security of services

Data controllers in the electronic communications sector must give effect to a specific security policy which protects personal data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure of personal data. They must also ensure that personal data can only be accessed by authorised personnel for legally authorised purposes. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.

Failure to notify subscribers without delay of a particular risk of a breach of the security of the public communications network

Data controllers in the electronic communications sector must provide information to their subscribers on any particular risk of a breach of the security of the public communications network. Where the risk lies outside the scope of the measures to be taken by the relevant service provider, they must provide information to their subscribers on any possible remedies including an indication of the likely costs involved. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.

Failure to notify the Data Protection Commissioner where there has been a personal data breach

Where there has been a personal data breach, data controllers in the electronic communications sector must, without undue delay, notify the Data Protection Commissioner of the breach. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.

Failure to notify the subscriber or individual concerned where there has been a personal data breach which is likely to adversely affect the personal data or privacy of the subscriber or individual concerned

Where there has been a personal data breach which is likely to adversely affect the personal data or privacy of a subscriber or individual, data controllers in the electronic communications sector must, without undue delay, notify the subscriber or individual of the breach. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011. Such a notification is not required if the data controller has demonstrated to the satisfaction of the Data Protection Commissioner that it has implemented technological protection measures which render the data unintelligible to any person who is not authorised to access it and that those measures were applied to the data affected by the security breach.

Failure to maintain an inventory of personal data breaches

Data controllers in the electronic communications sector must maintain an inventory of personal data breaches which comprises information on the facts surrounding each breach, the effects of the breach and any remedial action taken. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.

Refusal to co-operate with an audit carried out by the Data Protection Commissioner

Data controllers in the electronic communications sector must co-operate with any audits undertaken by the Data Protection Commissioner to determine compliance with the provisions of regulation 4 of S.I. 336 of 2011. A refusal to co-operate is an offence under regulation 4(13) of S.I. 336 of 2011.


Penalties for Offences under the Data Protection Act

Criminal sanctions

Summary proceedings for an offence under the Data Protection Act may be brought and prosecuted by the Data Protection Commissioner. Under section 31 of the Acts, the maximum fine on summary conviction of such an offence is €3,000. On conviction on indictment, the maximum penalty is a fine of €100,000.

If the commission of an offence under the Data Protection Acts also involves violence - for example, if an "authorised officer" is assaulted in trying to gain access to a premises under section 24 - then the offender can be proceeded against for assault and be liable to imprisonment.

Civil sanctions

Where a person suffers damage as a result of a failure by a data controller or data processor to meet their data protection obligations, the data controller or data processor may be subject to civil sanctions brought by the person affected. Ordinarily, the "injury" suffered by a data subject will be damage to his or her reputation, possible financial loss and mental distress. The data subject concerned may have adequate remedies under the existing law (defamation where appropriate, breach of confidentiality and so on, but, more frequently perhaps, in negligence, because in some cases a data controller or a data processor would owe a duty of care to the data subjects about whom data are being kept or processed - a duty to see that damage is not caused to them by negligent handling of the data in question). In so far as a data controller or data processor may not be subject to this duty of care, section 7 of the Data Protection Acts remedies this by ensuring that such a duty will be implied in all cases where personal data are kept or processed.

Forfeitures etc.

Where a court convicts a person of an offence under the Data Protection Act, section 31(2) of the Acts provides that the court has discretion to order any data material, i.e. any document or other material used in connection with, or produced by, data equipment connected with the commission of the offence, to be forfeited or destroyed. The court may also order any relevant data to be erased. A court would use this power to prevent any further damage being done by the use of the material or of the data.

When exercising this power, the court must give the owner of the data concerned or anyone who is otherwise interested in them an opportunity to show cause why a forfeiture etc. order should not be made.

Penalties for offences under S.I. 336 of 2011

Summary proceedings for an offence under S.I. 336 of 2011 may be brought and prosecuted by the Commissioner. Each call or message can attract a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 if the offender is a body corporate.

The court may also order the destruction of data that is connected with the commission of an offence. See Forfeitures above relating to penalties under the Data Protection Acts.
