S.I. No. 626 of 2001
European Communities (Data Protection) Regulations, 2001
I, John O'Donoghue, Minister for Justice, Equality and Law Reform, in exercise of the powers conferred on me by section 3 of the European Communities Act, 1972 (No. 27 of 1972), and for the purpose of giving effect to Articles 4, 17, 25 and 26 of Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereby make the following regulations:
1. (1) These Regulations may be cited as the European Communities (Data Protection) Regulations, 2001.
(2) These Regulations shall come into operation on 1 April, 2002.
(3) In these Regulations, "the Principal Act" means the Data Protection Act, 1988.
2. Section 1 of the Principal Act is amended –
(a) in subsection (1), by the insertion of the following definitions:
" 'the Directive' means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
'the EEA Agreement' means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993;
'enactment' means a statute or a statutory instrument (within the meaning of the Interpretation Act, 1937);
'the European Economic Area' has the meaning assigned to it by the EEA Agreement;",
(b) by the insertion of the following subsection after subsection (4):
"(5)(a) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if –
(i) the data controller is established in the State and the data are processed in the context of that establishment, or
(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.
(b) For the purposes of paragraph (a) of this subsection, each of the following shall be treated as established in the State:
(i) an individual who is normally resident in the State,
(ii) a body incorporated under the law of the State,
(iii) a partnership or other unincorporated association formed under the law of the State, and
(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) but maintains in the State –
(I) an office, branch or agency through which he or she carries on any activity, or
(II) a regular practice,
and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.
(c) A data controller to whom paragraph (a)(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.".
3. The following section is inserted in the Principal Act after section 2:
"Security measures for personal data.
2A.–(1) In determining appropriate security measures for the purposes of section 2(1)(d) of this Act, in particular (but without prejudice to the generality of that provision, where the processing involves the transmission of data over a network, a data controller–
(a) may have regard to the state of technological development and the cost of implementing the measures, and
(b) shall ensure that the measures provide a level of security appropriate to–
(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and
(ii) the nature of the data concerned.
(2) A data controller or data processor shall take all reasonable steps to ensure that–
(a) persons employed by him or her, and
(b) other persons at the place of work concerned,
are aware of and comply with the relevant security measures aforesaid.
(3) Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall–
(a) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor carries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent to those imposed on the data controller by section 2(1)(d) of this Act,
(b) ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and
(c) take reasonable steps to ensure compliance with those measures.".
4. Section 9 of the Principal Act is amended by the insertion of the following subsection after subsection (2):
"(3) The Commissioner shall be the supervisory authority in the State for the purposes of Articles 4, 17, 25 and 26 of the Directive.".
5. The following section is substituted for section 11 of the Principal Act:
"Restriction on transfer of personal data outside State.
11.–(1) The transfer of personal data to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to–
(a) the nature of the data,
(b) the purposes for which and the period during which the data are intended to be processed,
(c) the country or territory of origin of the information contained in the data,
(d) the country or territory of final destination of that information,
(e) the law in force in the country or territory referred to in paragraph (d),
(f) any relevant codes of conduct or other rules which are enforceable in that country or territory,
(g) any security measures taken in respect of the data in that country or territory, and
(h) the international obligations of that country or territory.
(2)(a) Where in any proceedings under this Act a question arises–
(i) whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area to which personal data are to be transferred, and
(ii) a Community finding has been made in relation to transfers of the kind in question,
the question shall be determined in accordance with that finding.
(b) In paragraph (a) of this subsection 'Community finding' means a finding of the European Commission made for the purposes of paragraph 4 or 6 of Article 25 of the Directive under the procedure provided for in Article 31.2 of the Directive in relation to whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area.
(3) The Commissioner shall inform the Commission and the supervisory authorities of the other Member States of any case where he or she considers that a country or territory outside the European Economic Area does not ensure the adequate level of protection referred to in subsection (1) of this section.
(4)(a) This section shall not apply to a transfer of data if–
(i) the transfer of the data or the information constituting the data is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the State,
(ii) the data subject has given his or her consent to the transfer,
(iii) the transfer is necessary–
(I) for the performance of a contract between the data subject and the data controller, or
(II) for the taking of steps at the request of the data subject with a view to his or her entering into a contract with the data controller,
(iv) the transfer is necessary–
(I) for the conclusion of a contract between the data controller and a person other than the data subject that–
(A) is entered into at the request of the data subject, and
(B) is in the interests of the data subject,
(II) for the performance of such a contract,
(v) the transfer is necessary for the purpose of obtaining legal advice or for the purpose of or in connection with legal proceedings or prospective legal proceedings,
(vi) the transfer is necessary in order to prevent injury or other damage to the health of the data subject or serious loss of or damage to property of the data subject or otherwise to protect his or her vital interests, and informing the data subject of, or seeking his or her consent to, the transfer is likely to damage his or her vital interests,
(vii) the transfer is of part only of the personal data on a register established by or under an enactment, being–
(I) a register intended for consultation by the public,
(II) a register intended for consultation by persons having a legitimate interest in its subject matter,
and, in the case of a register referred to in clause (II) of this subparagraph, the transfer is made, at the request of, or to, a person referred to in that clause and any conditions to which such consultation is subject are complied with by any person to whom the data are or are to be transferred,
(viii) the transfer has been authorised by the Commissioner where the data controller adduces adequate safeguards with respect to the privacy and fundamental rights and freedoms of individuals and for the exercise by individuals of their relevant rights under this Act or the transfer is made on terms of a kind approved by the Commissioner as ensuring such safeguards.
(b) The Commissioner shall inform the European Commission and the supervisory authorities of the other states in the European Economic Area of any authorisation or approval under paragraph (a)(viii) of this subsection.
(c) The Commissioner shall comply with any decision of the European Commission under the procedure laid down in Article 31.2 of the Directive made for the purposes of paragraph 3 or 4 of Article 26 of the Directive.
(5) Where, in relation to a transfer of data to a country or territory outside the European Economic Area, a data controller adduces the safeguards for the data subject concerned referred to in subsection (4)(a)(viii) of this section by means of a contract embodying the contractual clauses referred to in paragraph 2 or 4 of Article 26 of the Directive, the data subject shall have the same right–
(a) to enforce a clause of the contract conferring rights on him or her or relating to such rights, and
(b) to compensation or damages for breach of such a clause,
that he or she would have if he or she were a party to the contract.
(6) The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from the State to a place outside the State unless such transfer is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the State.
(7) In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.
(8) A prohibition under subsection (6) of this section shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned.
(9) A prohibition notice shall–
(a) prohibit the transfer concerned either absolutely or until the person aforesaid has taken such steps as are specified in the notice for protecting the interests of the data subjects concerned,
(b) specify the time when it is to take effect,
(c) specify the grounds for the prohibition, and
(d) subject to subsection (11) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the prohibition specified in the notice within 21 days from the service of the notice on him or her.
(10) Subject to subsection (11) of this section, the time specified in a prohibition notice for compliance with the prohibition specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (9)(d) of this section and, if an appeal is brought against the prohibition, the prohibition need not be complied with and subsection (14) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(11) If the Commissioner–
(a) by reason of special circumstances, is of opinion that a prohibition specified in a prohibition notice should be complied with urgently, and
(b) includes a statement to that effect in the notice,
subsection (9)(d) and (10) of this section shall not apply in relation to the notice but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the prohibition before the end of the period of 7 days beginning on the date on which the notice is served.
(12) The Commissioner may cancel a prohibition notice and, if he or she does so, shall notify in writing the person on whom it was served accordingly.
(13) (a) This section applies, with any necessary modifications, to a transfer of information from the State to a place outside the State for conversion into personal data as it applies to a transfer of personal data from the State to such a place.
(b) In paragraph (a) of this subsection 'information' means information (not being data) relating to a living individual who can be identified from it.
(14) A person who, without reasonable excuse, fails or refuses to comply with a prohibition specified in a prohibition notice shall be guilty of an offence.".
6. Section 23 of the Principal Act is repealed.
GIVEN under my Official Seal,
19 December, 2001.
JOHN O'DONOGHUE, Minister for Justice, Equality and Law Reform
(This is not part of the instrument and does not purport to be a legal interpretation.)
This Instrument brings into operation certain provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Regulations bring into effect articles 4,17, 25 and 26 of that Directive, which deal mainly with transfers of personal data to third countries and provide that such transfers may only take place where an adequate level of protection for such data is deemed to exist.
The Regulations come into effect on 1 April 2002.
 O.J. No. L 281/38 of 23.11.95, p. 31.