Data Protection Legislation

Key Data Protection legislative frameworks applicable from 25 May 2018

The Data Protection Commission (DPC) is governed by a number of legislative frameworks. Details of the key legislation and guidance about how the laws are applied is outlined below.

From 25 May 2018 the key legislative frameworks are:

The General Data Protection Regulation (GDPR) applies from 25 May 2018. It has general application to the processing of personal data in the EU, setting out more extensive obligations on data controllers and processors, and providing strengthened protections for data subjects. Although the GDPR is directly applicable as a law in all Member States, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which, amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018.

However, in some instances, depending on the nature and circumstances of the personal data processing, the type of personal data being processed, or when the data protection issue occurred, the GDPR will not apply and instead another legal framework concerning the regulation of the processing of personal data may apply. For example, if a data protection complaint or a possible infringement of the law relates to an incident which occurred before the GDPR became applicable on 25 May 2018, then the Data Protection Acts 1988 – 2003, and not the GDPR, will apply. After 25 May 2018, if the processing of personal data is carried out for a law enforcement purpose (in other words the prevention, investigation, detection or prosecution of a criminal offence or the execution of criminal penalties) then the GDPR will not apply and instead the Law Enforcement Directive, which has been transposed into Irish law by way of the Data Protection Act 2018, will apply.

A very brief summary of the main data protection frameworks, which the DPC will supervise and enforce from 25 May 2018 onwards, is set out in the table below.

GDPR

The GDPR will apply by default to the majority of personal data processing, but in Ireland further rules on certain issues (for example the reasons for, and extent to which, data subject rights may be restricted) are set out in the Data Protection Act 2018.

Law Enforcement Directive  (as transposed by provisions in Parts 5 and 6 of the Data Protection Act 2018)

The Law Enforcement Directive is transposed into Irish law by the Data Protection Act 2018, in Part 5 and Part 6 of that Act. Those provisions set out the laws in Ireland which apply concerning the processing of personal data by data controllers who are competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, where personal data is being processed for these purposes.

Data Protection Acts 1988 and 2003 (as retained by sections 7(4) and 8 of the Data Protection Act 2018)

Data Protection Acts 1988 and 2003 (as retained by sections 7(4) and 8 of the Data Protection Act 2018). The Data Protection Acts 1988 and 2003 (without the repeals and revocations in section 7 the Data Protection Act 2018) apply to:

  • Ongoing investigations by, and complaints to, the Data Protection Commissioner respectively commenced or made before 25 May 2018;
  • New complaints and potential contraventions of the Data Protection Acts 1988 and 2003 which arose prior to the 25 May 2018 but which are made or investigated on or after 25 May 2018; and
  • Processing of personal data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018.
Data Protection Acts 1988 and 2003 (as amended by section 7 of the Data Protection Act 2018)

The Data Protection Acts 1988 and 2003 (as amended by the repeals and revocations in section 7 the Data Protection Act 2018) apply to:

  • Complaints and potential contraventions of data protection law concerning the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State (as per section 8(1)(a) of the Data Protection Act 2018).
ePrivacy Regulations

From 25 May 2018, processing of personal data in the context of certain electronic communications (including, amongst other things, unsolicited electronic communications made by phone, e-mail, and SMS) is subject to both the general laws set out in the GDPR and the specific laws set out in the “ePrivacy Regulations” (S.I. No. 336 of 2011, under which the ePrivacy Directive 2002/58/EC (as amended by Directive 2006/24/EC and 2009/136/EC) was transposed into Irish law).

This information is purely for guidance, and does not constitute legal advice or legal analysis. Up to date as of 31.01.2019.