Data Protection Legislation
Key Data Protection legislative frameworks applicable from 25 May 2018
The Data Protection Commission (DPC) is governed by a number of legislative frameworks. Details of the key legislation and guidance about how the laws are applied is outlined below.
From 25 May 2018 the key legislative frameworks are:
- General Data Protection Regulation (GDPR)
- Data Protection Act 2018
- the “Law Enforcement Directive” (Directive (EU) 2016/680) which has been transposed into Irish law by way of the Data Protection Act 2018
- the Data Protection Acts 1988 and 2003
- the 2011 “ePrivacy Regulations” (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks and Services) (Privacy And Electronic Communications) Regulations 2011)
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It has general application to the processing of personal data in the EU, setting out more extensive obligations on data controllers and processors, and providing strengthened protections for data subjects. Although the GDPR is directly applicable as a law in all Member States, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which, amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018.
However, in some instances, depending on the nature and circumstances of the personal data processing, the type of personal data being processed, or when the data protection issue occurred, the GDPR will not apply and instead another legal framework concerning the regulation of the processing of personal data may apply. For example, if a data protection complaint or a possible infringement of the law relates to an incident which occurred before the GDPR became applicable on 25 May 2018, then the Data Protection Acts 1988 – 2003, and not the GDPR, will apply. After 25 May 2018, if the processing of personal data is carried out for a law enforcement purpose (in other words the prevention, investigation, detection or prosecution of a criminal offence or the execution of criminal penalties) then the GDPR will not apply and instead the Law Enforcement Directive, which has been transposed into Irish law by way of the Data Protection Act 2018, will apply.
A very brief summary of the main data protection frameworks, which the DPC will supervise and enforce from 25 May 2018 onwards, is set out in the table below.
GDPR |
The GDPR will apply by default to the majority of personal data processing, but in Ireland further rules on certain issues (for example the reasons for, and extent to which, data subject rights may be restricted) are set out in the Data Protection Act 2018. |
Law Enforcement Directive (as transposed by provisions in Parts 5 and 6 of the Data Protection Act 2018) |
The Law Enforcement Directive is transposed into Irish law by the Data Protection Act 2018, in Part 5 and Part 6 of that Act. Those provisions set out the laws in Ireland which apply concerning the processing of personal data by data controllers who are competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, where personal data is being processed for these purposes. |
Data Protection Acts 1988 and 2003 (as retained by sections 7(4) and 8 of the Data Protection Act 2018) |
Data Protection Acts 1988 and 2003 (as retained by sections 7(4) and 8 of the Data Protection Act 2018). The Data Protection Acts 1988 and 2003 (without the repeals and revocations in section 7 the Data Protection Act 2018) apply to:
|
Data Protection Acts 1988 and 2003 (as amended by section 7 of the Data Protection Act 2018) |
The Data Protection Acts 1988 and 2003 (as amended by the repeals and revocations in section 7 the Data Protection Act 2018) apply to:
|
ePrivacy Regulations |
From 25 May 2018, processing of personal data in the context of certain electronic communications (including, amongst other things, unsolicited electronic communications made by phone, e-mail, and SMS) is subject to both the general laws set out in the GDPR and the specific laws set out in the “ePrivacy Regulations” (S.I. No. 336 of 2011, under which the ePrivacy Directive 2002/58/EC (as amended by Directive 2006/24/EC and 2009/136/EC) was transposed into Irish law). |
This information is purely for guidance, and does not constitute legal advice or legal analysis. Up to date as of 31.01.2019.