Data Protection Act 2018

Although the GDPR is directly applicable as a law in all Member States, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which, amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018.

DATA PROTECTION ACT 2018

An Act to establish a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission; to give further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); to give effect to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 20162 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; to give further effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981 and for those and other purposes to amend the Data Protection Act 1988; to provide for the consequential amendment of certain other enactments; and to provide for related matters.           [24th May, 2018]

Be it enacted by the Oireachtas as follows:

1 OJ No. L 119, 4.5.2016, p.1

2 OJ No. L 119, 4.5.2016, p.89

PART 1
PRELIMINARY AND GENERAL

1. Short title, citation and commencement

  1. This Act may be cited as the Data Protection Act 2018.
  2. This Act and the Data Protection Acts 1988 and 2003 may be cited together as the Data Protection Acts 1988 to 2018.
  3. This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions, and for the repeal of different enactments or provisions of enactments effected by section 7.

2. Interpretation

  1. In this Act—

"Act of 1988" means the Data Protection Act 1988;
"Act of 2014" means the Companies Act 2014;
"authorised officer" means a person appointed, or deemed to be appointed, to be an authorised officer under section 129;
"chairperson" means the chairperson of the Commission;
"civil servant" has the meaning assigned to it by the Civil Service Regulation Act 1956;
"Commission" has the meaning assigned to it by section 10;
"Commissioner" has the meaning assigned to it by section 15 and includes a member of staff authorised to act in place of a Commissioner under section 18;
"Data Protection Regulation" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
"Directive" means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 20162 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
"enactment" has the same meaning as it has in the Interpretation Act 2005;
"local authority" means a local authority within the meaning of section 2 of the Local Government Act 2001;
"Minister" means the Minister for Justice and Equality;
"political party" means a political party registered in the Register of Political Parties in accordance with section 25 of the Electoral Act 1992;
"prescribe" means prescribe by regulations;
"public authority" means—

  1. a Department of State,
  2. a regional assembly,
  3. a local authority,
  4. the office of the Director of Corporate Enforcement,
  5. the Irish Auditing and Accounting Supervisory Authority,
  6. any other person established by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act) other than—
  1. a recognised school or board within the meaning of section 2 of the Education Act 1998 but including a recognised school established and maintained by an education and training board and a board of a school so established and maintained, and
  2. a management committee established under section 37(3) of the Education Act 1998,
  1. a person with whom the Health Service Executive has, under section 38(1) of the Health Act 2004, entered into an arrangement for the provision of a health or personal social service by that person on behalf of the Executive,
  2. the Garda Síochána;

"public body" means—

  1. a company (within the meaning of the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act) a majority of the shares in which are held by or on behalf of a Minister of the Government,

  2. a subsidiary (within the meaning of section 7 of the Act of 2014) of a company referred to in paragraph (a);

"special categories of personal data", other than in Part 5, means—

  1. personal data revealing—
  1. the racial or ethnic origin of the data subject,

  2. the political opinions or the religious or philosophical beliefs of the data subject, or

  3. whether the data subject is a member of a trade union,

  1. genetic data,
  2. biometric data for the purposes of uniquely identifying an individual,
  3. data concerning health, or
  4. personal data concerning an individual's sex life or sexual orientation.
  1. Subject to subsection (1), a word or expression used in this Act, other than in Part 5, that is also used in the Data Protection Regulation has, unless the context otherwise requires, the same meaning in this Act as it has in that Regulation.
  2. Unless the context otherwise requires, a reference in this Act (other than in Part 5) to a numbered Article is a reference to the Article so numbered of the Data Protection Regulation.

3. Designation by appropriate authority

  1. An appropriate authority (within the meaning of the Civil Service Regulation Act 1956) may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a controller and while the designation is in force the civil servant so designated shall, other than for the purposes of sections 105(3) and 141(2) and (3), be deemed, for the purposes of this Act and the Data Protection Regulation, to be the controller in respect of the data concerned.
  2. Without prejudice to subsection (1), the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a controller and while the designation is in force the officer so designated shall, other than for the purposes of sections 105(3) and 141(2) and (3), be deemed, for the purposes of this Act and the Data Protection Regulation, to be the controller in respect of the data concerned.

  3. For the purposes of this Act and the Data Protection Regulation—

    1. where a designation by the relevant appropriate authority under subsection (1) is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

    2. where a designation under subsection (2) is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

    3. a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the Commissioner of the Garda Síochána.

4. Obligation not to require data subject to exercise right of access under Data Protection Regulation and Directive in certain circumstances

  1. A person shall not, in connection with—
  1. the recruitment of an individual as an employee,

  2. the continued employment of the individual, or

  3. a contract for the provision of services to the person by an individual, require that individual to—

  1. make a request under Article 15 or under section 91, or
  2. supply the person with data relating to that individual obtained as a result of such a request.

  1. A person who contravenes subsection (1) shall be guilty of an offence and shall be liable—
  1. on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

  2. on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

5. Expenses

The expenses incurred by the Commission and any Minister of the Government in the administration of this Act shall, to such an extent as may be sanctioned by the Minister for Public Expenditure and Reform, be paid out of moneys provided by the Oireachtas.

6. Regulations

  1. Regulations made under this Act may contain such incidental, supplementary and consequential provisions as appear to the person making the regulations to be necessary or expedient for the purposes of the regulations.
  2. Every regulation made under this Act, other than under section 51, 60 or 73, shall be laid before each House of the Oireachtas as soon as may be after it is made.

  3. Either House of the Oireachtas may, by a resolution passed within 21 sitting days after the day on which a regulation is laid before it under subsection (2), annul the regulation.

  4. The annulment of a regulation under subsection (3) takes effect immediately on the passing of the resolution concerned but does not affect the validity of anything done under the regulation before the passing of the resolution.

  5. Regulations may be made under section 51, 60 or 73 only if—

    1. a draft of the proposed regulations has been laid before each House of the Oireachtas, and

    2. a resolution approving the draft has been passed by each House.

7. Repeals and revocations

  1. Subject to subsection (4), the following provisions of the Act of 1988 are repealed:
  1. in section 1—
  1. subsection (1), the definition of "direct marketing", "financial institution" and "the register", and
  2. subsection (5);
  1. section 2(7) and (8);

  2. section 4(2), (6), (8) and (13);

  3. section 5(1)(d);

  4. section 9 and the Second Schedule;

  5. section 11(3) and (4)(b);

  6. sections 13, 14, 16, 17, 18, 19, 20, 22A and 33.
  1. Subject to subsection (4), section 14(2) of the Data Protection (Amendment) Act 2003 is repealed.
  2. Subject to subsection (4), the enactments specified in column (3) of Schedule 1 are revoked to the extent specified in column (4) of that Schedule.

  3. The repeals and revocations effected by this section shall not apply for the purposes of subsections (1)(b), (2) and (3) of section 8.

8. Application of Data Protection Act 1988

  1. Subject to this section, the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data (within the meaning of that Act) other than—
  1. the processing of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, or
  2. the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 to the extent that the Act of 1988 is applied in those Acts.

  1. The Act of 1988 shall apply to—

    1. a complaint by an individual under section 10 of that Act made before the commencement of this section, and

    2. a contravention of that Act that occurred before such commencement.

  2. An investigation under section 10 of the Act of 1988 that was begun but not completed before the commencement of this section shall be completed in accordance with that Act and that Act shall apply to such an investigation.

 

1 OJ No. L 119, 4.5.2016, p.1

2 OJ No. L 119, 4.5.2016, p.89

PART 2
DATA PROTECTION COMMISSION

9. Establishment day

The Minister shall, by order, appoint a day to be the establishment day for the purposes of this Act.

10. Establishment of Data Protection Commission

  1. On the establishment day there shall stand established a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission (in this Act referred to as the "Commission").
  2. Schedule 2 shall have effect in relation to the Commission.

11. Supervisory authority for Data Protection Regulation and Directive

The Commission shall be the supervisory authority within the meaning of, and for the purposes specified in—

  1. the Data Protection Regulation, and
  2. the Directive.

12. Functions of Commission

  1. In addition to the functions assigned to the Commission by virtue of its being the supervisory authority for the purposes of the Data Protection Regulation and the Directive, the general functions of the Commission shall include—
  1. any functions assigned to it by or under this Act,
  2. functions transferred to the Commission under section 14, and
  3. such other functions as may be assigned to it from time to time by or under any other enactment.
  1. The Commission shall monitor the lawfulness of processing of personal data in accordance with—
  1. Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 20131 on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast), and
  2. Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 20132 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast).
  1. The Commission is designated for the purposes of Chapter IV (Mutual assistance) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981.
  2. The Minister may, following consultation with the Commission, make any regulations that he or she considers necessary or expedient for the purpose of enabling Chapter IV (as referred to in subsection (3)) to have full effect.
  3. The Commission shall have all such powers as are necessary or expedient for the performance of its functions.
  4. The Commission shall disseminate, to such extent and in such manner as it considers appropriate, information in relation to the functions performed by it.
  5. The Commission shall be independent in the performance of its functions.
  6. Subject to this Act, the Commission shall regulate its own procedures.

13. Performance of functions of Commission by Commissioner or member of staff

  1. Where more than one Commissioner stands appointed under section 15, the functions of the Commission, other than the functions specified in subsection (3), may be performed through or by a Commissioner where he or she is authorised in that behalf by the Commission.
  2. The functions of the Commission, other than the functions specified in subsection (3), may be performed through or by any member of staff of the Commission where he or she is authorised in that behalf by the Commission.
  3. The functions referred to in subsections (1) and (2) are the functions of the Commission under sections 12(8), 21, 28, 43, 84(9) and (10), 129, 134(1) and (4), 135(1), 149 (other than subsection (1)), paragraph 1 of Schedule 2 and its function, as supervisory authority, under Article 35(4) and (5) of the Data Protection Regulation.
  4. A Commissioner or member of staff of the Commission who performs any of the functions of the Commission is presumed in any proceedings to have been authorised to do so on its behalf unless the contrary is shown.

14. Transfer of functions of Data Protection Commissioner to Commission

  1. All functions that, immediately before the establishment day, were vested in the Data Protection Commissioner are transferred to the Commission.
  2. A reference in any enactment or instrument under an enactment to the Data Protection Commissioner or to the Office of the Data Protection Commissioner shall be construed as a reference to the Commission.
  3. A reference in the Act of 1988 (other than in section 1(3)(c)(iii) in so far as it refers to to the Commissioner of the Garda Síochána) to the Commissioner shall be construed as a reference to the Commission.
  4. This section shall come into operation on the establishment day.

15. Membership of Commission

  1. The Commission shall consist of such and so many members (not being more than 3) as the Government determines.
  2. Each member of the Commission shall be known as a Commissioner for Data Protection (in this Act referred to as a "Commissioner").
  3. Subject to subsections (4), (8) and (9) and section 18, a Commissioner shall be appointed by the Government on the recommendation of the Public Appointments Service and the appointment shall be for a period of not less than 4 and not more than 5 years from the date of his or her appointment.
  4. If, immediately before the establishment day, there is a person holding office as the Data Protection Commissioner, he or she shall, on the establishment day, be a Commissioner for the remainder of the term of office, and upon the same terms and conditions, for which he or she was appointed as the Data Protection Commissioner.
  5. Subject to subsection (7), the Public Appointments Service shall recommend a person for appointment as Commissioner following an open selection competition held by the Service for that purpose.
  6. The Public Appointments Service shall appoint a selection panel to assist it in holding an open selection competition.
  7. The Public Appointments Service shall ensure that a person is recommended under subsection (5) for appointment only if it is satisfied that the person has the qualifications, experience and skills necessary to enable the Commission to effectively perform its functions.
  8. A Commissioner to whom subsection (3) applies and whose term of office expires by the efflux of time may be reappointed to the Commission by the Government for one further period of not less than 4 and not more than 5 years without the need for a further recommendation by the Public Appointments Service.
  9. A Commissioner to whom subsection (4) applies and whose term of office expires by the efflux of time may be reappointed to the Commission by the Government for one further period of not less than 4 and not more than 5 years.
  10. A Commissioner shall—
  1. act on a full-time basis subject to such terms and conditions (other than the payment of remuneration and allowances for expenses) as the Government may determine,
  2. be paid by the Commission such remuneration and allowances for expenses (if any) as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time determine,
  3. not hold any other office or occupy any other position in respect of which emoluments are payable or carry on any business, and
  4. cease to be a Commissioner on reaching the age of 70 years, but where the person is a new entrant (within the meaning of section 2 of the Public Service Superannuation (Miscellaneous Provisions) Act 2004) the requirement to cease to be a Commissioner on grounds of age shall not apply.

16. Appointment of chairperson of Commission

  1. The Minister shall, where the Commission consists of more than one Commissioner, appoint one of the Commissioners to be chairperson and such allowance (if any) may be paid by the Commission to the chairperson as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time determine.
  2. The chairperson shall have a casting vote in the case of decisions to be taken by the Commission in the event of a tied vote.
  3. Where a chairperson stands appointed under subsection (1), and is unavailable to perform his or her duties due to absence or incapacity, the Minister shall appoint another existing Commissioner to act as chairperson for the duration of the period of absence or incapacity.

17. Resignation, removal, disqualification of Commissioner, ineligibility to become Commissioner

  1. A Commissioner may resign from office by giving notice in writing to the Government of his or her resignation and the resignation shall take effect from such date as is specified in the notice which date shall be at least 90 days after the giving of the notice to the Government.
  2. The Government may remove a Commissioner from office if they are satisfied that one or more of the grounds referred to in subsection (3) apply to the Commissioner.
  3. The grounds referred to in subsection (2) are that a Commissioner—
  1. has become incapable through ill health or otherwise of effectively performing the functions of the office, or
  2. has engaged in serious misconduct.
  1. Where the Government propose to remove a Commissioner under subsection (2), they shall notify the Commissioner concerned in writing of their proposal.
  2. A notification under subsection (4) shall include a statement—
  1. of the reasons for the proposed removal,
  2. that the Commissioner may, within a period of 30 working days from the sending of the notification or such other period as the Government may, having regard to the requirements of natural justice, specify in the notice, make representations to the Government in such form and manner as may be specified by the Government, as to why the Commissioner should not be removed from office, and
  3. that where no representations are received within the period referred to in paragraph (b) the Government will, without further notice to the Commissioner, proceed with the removal of the Commissioner from office in accordance with this section.
  1. In considering whether to remove a Commissioner from office under subsection (2), the Government shall take into account—
  1.         (a) any representations made by the Commissioner under subsection (5)(b) within the period referred to in that subsection, and
  2.         (b) any other matter the Government consider relevant for the purpose of their decision.
  1. Where, having taken into account the matters referred to in subsection (6), the Government decide the Commissioner should be removed from office in accordance with this section, they shall notify the Commissioner in writing of their decision and the reasons for their decision.
  2. Where the Government decide to remove a Commissioner from office in accordance with this section, they shall prepare a statement of the reason or reasons for such removal and cause that statement to be laid before each House of the Oireachtas as soon as practicable after the decision is made.
  3. A Commissioner shall cease to hold office if he or she—
  1. is convicted on indictment of an offence,
  2. is convicted of an offence involving fraud or dishonesty,
  3. has a declaration made against him or her under section 819 of the Act of 2014 or is deemed to be subject to such a declaration by virtue of Chapter 5 of Part 14 of that Act, or
  4. is subject to, or is deemed to be subject to, a disqualification order within the meaning of Chapter 4 of Part 14 of the Act of 2014 whether by virtue of that Chapter or of any other provision of that Act.
  1. A person shall not be eligible for appointment as a Commissioner if any of paragraphs (a) to (d) of subsection (9) are applicable in respect of the person.

18. Acting Commissioner

  1. Where one Commissioner only stands appointed for the time being under section 15, the Minister may authorise a member of staff of the Commission to perform the functions of a Commissioner during any period when that Commissioner is absent from duty or absent from the State or is, for any other reason, unable to perform the functions of a Commissioner.
  2. Where a vacancy occurs in the office of Commissioner and no Commissioner stands appointed for the time being under section 15, the Minister may authorise a member of staff of the Commission to perform the functions of a Commissioner during the period of that vacancy, but an authorisation under this subsection shall cease upon the appointment of a Commissioner under section 15 whether or not such appointment was made for the purpose of filling that vacancy.
  3. An authorisation under subsection (2) shall not remain in force for a period of more than 6 months unless the Minister is satisfied that it is not reasonably practicable for an appointment under section 15 to be made within that period, in which case he or she may extend that period by such further period as he or she is satisfied is a period within which it is reasonably practicable for an appointment to be made under that section.
  4. The Minister may at any time terminate an authorisation under this section.
  5. A member of staff of the Commission in respect of whom an authorisation under this section is in force may perform the functions of a Commissioner under this Act, and, for that purpose, references to a Commissioner in this Act (other than in sections 15(3), 17(2) to (8) and 22) shall be construed as including references to such member of staff.

19. Accountability of Commissioner to Oireachtas Committees

  1. In this section, "Committee" means a Committee appointed by either House of the Oireachtas or jointly by both Houses of the Oireachtas (other than a committee referred to in section 19(1) of the Comptroller and Auditor General (Amendment) Act 1993 or the Committee on Members' Interests of Dáil Éireann or the Committee on Members' Interests of Seanad Éireann) or a sub-committee of such a Committee.
  2. Subject to subsection (3), a Commissioner shall, at the request in writing of a Committee, attend before it to give account for the general administration of the Commission.
  3. The Commissioner shall not be required to give account before a Committee for any matter which is or has been or may at a future time be the subject of proceedings before a court or tribunal.
  4. Where the Commissioner is of the opinion that a matter in respect of which he or she is requested to give an account before a Committee is a matter to which subsection (3) applies, he or she shall inform the Committee of that opinion and the reasons for the opinion and, unless the information is conveyed to the Committee at a time when the Commissioner is before it, the information shall be so conveyed in writing.
  5. Where the Commissioner has informed a Committee of his or her opinion in accordance with subsection (4) and the Committee does not withdraw the request referred to in subsection (2) in so far as it relates to a matter the subject of that opinion—
  1. the Commissioner may, not later than 21 days after being informed by the Committee of its decision not to do so, apply to the High Court in a summary manner for determination of the question whether the matter is one to which subsection (3) applies, or
  2. the Chairperson of the Committee may, on behalf of the Committee, make such an application,

and the High Court shall determine the matter.

  1. Pending the determination of an application under subsection (5), the Commissioner shall not attend before the Committee to give account for the matter the subject of the application.
  2. If the High Court determines that the matter concerned is one to which subsection (3) applies, the Committee shall withdraw the request referred to in subsection (2), but if the High Court determines that subsection (3) does not apply, the Commissioner shall attend before the Committee and give account for the matter.
  3. In this section, a reference to "Commissioner" shall, where more than one Commissioner has been appointed under section 15, be taken to be a reference to the chairperson.

20. Assignment and transfer of staff to Commission

  1. Every civil servant who, immediately before the establishment day, stands assigned to act as a member of staff of the Data Protection Commissioner shall, on the establishment day, stand assigned to act as a member of staff of the Commission.
  2. The Minister may, as he or she considers appropriate, designate in writing such and so many persons who stand assigned under subsection (1) to act as members of staff of the Commission to become and be members of staff of the Commission on and from such date as the Minister may specify in the designation (in this section referred to as the "effective date").
  3. A member of staff designated in accordance with subsection (2) shall become and be a member of staff of the Commission on and from the effective date.

21. Staff of Commission

  1. The Commission may, subject to the approval of the Minister given with the consent of the Minister for Public Expenditure and Reform, appoint such number of persons to be members of its staff as it may determine.
  2. The Commission shall, subject to the approval of the Minister given with the consent of the Minister for Public Expenditure and Reform, determine the grades of members of its staff and the numbers in each grade.
  3. Members of staff of the Commission shall be civil servants.

22. Superannuation of Commissioners

  1. The Minister may, with the consent of the Minister for Public Expenditure and Reform, make a scheme or schemes for—
  1. the granting of superannuation benefits to or in respect of a Commissioner ceasing to hold office, or
  2. the making of contributions to a pension scheme approved of by the Minister with the consent of the Minister for Public Expenditure and Reform which has been entered into by the Commissioner.
  1. The Minister may, with the consent of the Minister for Public Expenditure and Reform, make a scheme amending or revoking a scheme made under subsection (1), including a scheme amended under this subsection.
  2. If any dispute arises as to the claim of a Commissioner to, or the amount of, any superannuation benefit payable in pursuance of a scheme made under subsection (1), such dispute shall be submitted to the Minister who shall refer it to the Minister for Public Expenditure and Reform for determination by him or her.
  3. A scheme made under subsection (1) shall be carried out by the Minister in accordance with its terms.
  4. No superannuation benefit shall be granted by the Minister to or in respect of any Commissioner ceasing to hold office otherwise than—
  1. in accordance with a scheme under subsection (1), or
  2. with the consent of the Minister for Public Expenditure and Reform.
  1. A scheme made under subsection (1) shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the scheme is passed by either such House within the next 21 days on which that House has sat after the scheme is laid before it, the scheme shall be annulled accordingly but without prejudice to the validity of anything previously done under that scheme prior to the resolution.
  2. In this section, "superannuation benefits" means pensions, gratuities and other allowances payable on resignation, retirement or death.

23. Accounts of Commission

  1. The Commission shall keep, in such form as may be approved by the Minister with the consent of the Minister for Public Expenditure and Reform, all proper and usual accounts of all money received or expended by it and, in particular, shall keep in such form as aforesaid all such special accounts as the Minister may, with the consent of the Minister for Public Expenditure and Reform, from time to time direct.
  2. Accounts kept in accordance with this section shall be submitted, not later than 1 April in the year immediately following the financial year to which they relate or on such earlier date as the Minister may from time to time specify, by the Commission to the Comptroller and Auditor General for audit and, immediately after the audit, a copy of the accounts, and of such other special accounts (if any) kept in accordance with this section as the Minister, after consultation with the Minister for Public Expenditure and Reform, may direct and a copy of the Comptroller and Auditor General's report on the accounts shall be presented to the Minister and the Commission shall, as soon as may be thereafter, cause copies thereof to be laid before each House of the Oireachtas.
  3. Subject to subsections (4) and (5), subsections (1) and (2) shall cease to have effect on the date of the coming into operation of section 176(b).
  4. Accounts kept in accordance with this section that relate to the period specified under subsection (5) shall be submitted by the Commission to the Comptroller and Auditor General for audit not later than 3 months after the date of the coming into operation of section 176(b).
  5. The Minister may, for the purposes of subsection (4), specify a period which—
  1. shall end on the date immediately preceding the date of the coming into operation of section 176(b), and
  2. may be longer or shorter than a financial year of the Commission.

24. Annual report

  1. The Commission shall, not later than 30 June in each year—
  1. prepare a report on its activities in the immediately preceding year, and
  2. cause copies of the report to be laid before each House of the Oireachtas.
  1. Notwithstanding subsection (1), if but for this subsection, the first report under this section would relate to a period of less than 6 months, the report shall relate to that period and to the year immediately following that period and shall be made as soon as may be, but not later than 6 months after the end of that year.
  2. The Commission may, at any time after subsection (1)(b) has been complied with, publish its annual report in such form and manner as it considers appropriate.
  3. For the purposes of the law of defamation, a report under subsection (1) shall be absolutely privileged.

25. Accountability for accounts of Commission

  1. The Commissioner, or where more than one Commissioner has been appointed under section 15, the chairperson, is the accounting officer in relation to the appropriation accounts of the Commission for the purpose of the Comptroller and Auditor General Acts 1866 to 1998.
  2. Section 19(2) of the Comptroller and Auditor General (Amendment) Act 1993 shall, in so far as it relates to data protection matters, not apply to the Commissioner or chairperson who is the accounting officer pursuant to subsection (1).

26. Prohibition on disclosure of confidential information

  1. A relevant person shall not disclose confidential information obtained by him or her while performing functions under this Act or the Data Protection Regulation unless he or she is required or permitted by law, or duly authorised by the Commission, to do so.
  2. Subsection (1) shall not operate to prevent the disclosure by a relevant person of information—
  1. in a report to the Commission or a Commissioner,
  2. to a Minister of the Government, and
  3. to a public authority, whether in the State or otherwise, for the purposes of facilitating cooperation between the Commission and such authority in the performance of their respective functions.
  1. Subject to section 154, a person who contravenes subsection (1) commits an offence and is liable on summary conviction to a class A fine.
  2. In this section—

"confidential information" includes information that is expressed by the Commission to be confidential either as regards particular information or as regards information of a particular class or description;
"relevant person" means—

  1. a Commissioner,
  2. a member of staff of the Commission,
  3. an authorised officer,
  4. any other person engaged under a contract for services by the Commission or a member of the staff of such a person, or
  5. a person who has acted in a capacity referred to in any of paragraphs (a) to (d).

27. Civil proceedings for contravention of section 26

  1. A person who suffers loss or harm as a result of a contravention of section 26(1) may, subject to section 154, bring proceedings against the person specified in subsection 
  2. seeking relief by way of—
  1. an injunction or declaration, or
  2. damages, or both.
  1. The person specified for the purposes of subsection (1) is—
  1. where it is alleged that the contravention was committed by a Commissioner, member of staff of the Commission or an authorised officer and the applicant under that subsection is seeking an injunction or declaration, the Commissioner, member of staff or authorised officer concerned,
  2.  where it is alleged that the contravention was committed by a Commissioner, member of staff of the Commission or an authorised officer and the applicant under that subsection is seeking damages, the Commission, and
  3.  where it is alleged that the contravention was committed by a person other than a Commissioner, member of staff of the Commission or an authorised officer, that person.
  1. Proceedings under subsection (1), in so far as they seek the relief referred to in paragraph (b) of that subsection, shall be founded on tort.

1 OJ No. L 180, 29.06.2013, p.1

2 OJ No. L 180, 29.06.2013, p.31

PART 3
DATA PROTECTION REGULATION

CHAPTER 1 - General
CHAPTER 2 - Processing of special categories of personal data and processing of personal data relating to criminal convictions and offences
CHAPTER 3 - Rights, and restrictions of rights, of data subject and restrictions on obligations of controllers

PART 4
PROVISIONS CONSEQUENT ON REPEAL OF CERTAIN PROVISIONS OF DATA PROTECTION ACT 1988

62. Transfer of property of Data Protection Commissioner to Commission

  1. On the establishment day, all property (other than land), including choses-in-action, that immediately before that day was vested in the Data Protection Commissioner shall stand vested in the Commission.
  2. Every chose-in-action vested in the Commission by virtue of subsection (1) may, on and from the establishment day, be sued on, recovered or enforced by the Commission in its own name, and it shall not be necessary for the Commission to give notice to any person bound by the chose-in-action of the vesting effected by that subsection.
  3. On the establishment day all records that, immediately before that day, were records of the Data Protection Commissioner shall be records of the Commission and shall, accordingly, be transferred to the Commission.

63. Transfer of rights and liabilities of Data Protection Commissioner to Commission

  1. All rights and liabilities of the Data Protection Commissioner subsisting immediately before the establishment day and arising by virtue of any contract or commitment (express or implied) shall on that day stand transferred to the Commission.
  2. Every right and liability transferred by subsection (1) to the Commission may, on and after the establishment day, be sued on, recovered or enforced by or against the Commission in its own name, and it shall not be necessary for the Commission to give notice to the person whose right or liability is transferred by that subsection of such transfer.

64. Liability for loss occurring before establishment day

  1. A claim in respect of any loss or injury alleged to have been suffered by any person arising out of the performance before the establishment day of any of the functions of the Data Protection Commissioner shall after that day, lie against the Commission and not against the Data Protection Commissioner.
  2. Any legal proceedings pending immediately before the establishment day to which the Data Protection Commissioner is a party, shall be continued, with the substitution in the proceedings of the Commission for the Data Protection Commissioner.
  3. Where, before the establishment day, agreement has been reached between the parties concerned in settlement of a claim to which subsection (1) relates, the terms of which have not been implemented, or judgment in such a claim has been given in favour of a person but has not been enforced, the terms of the agreement or judgment, as the case may be, shall, in so far as they are enforceable against the Data Protection Commissioner, be enforceable against the Commission and not the Data Protection Commissioner.
  4. Any claim made or proper to be made by the Data Protection Commissioner in respect of any loss or injury arising from the act or default of any person before the establishment day shall be regarded as having been made by or proper to be made by the Commission and may be pursued and sued for by the Commission as if the loss or injury had been suffered by the Commission.

65. Provisions consequent upon transfer of functions, assets, rights and liabilities to Commission

  1. Anything commenced and not completed before the establishment day by or under the authority of the Data Protection Commissioner may, in so far as it relates to a function transferred to the Commission under section 14, be carried on or completed on or after the establishment day by the Commission.
  2. Every instrument made under an enactment and every document (including any certificate or notice) granted, made or issued, in the performance of a function transferred by section 14, shall, if and in so far as it was operative immediately before the establishment day, have effect on and after that day as if it had been granted, made or issued by the Commission.
  3. References to the Data Protection Commissioner in the memorandum or articles of association of any company shall, on and after the establishment day, be construed as references to the Commission.
  4. A certificate signed by the Minister that any property, right or liability has or, as the case may be, has not vested in the Commission under section 62 or 63 shall be sufficient evidence, unless the contrary is shown, of the fact so certified for all purposes.

66. Final accounts and final annual report of Data Protection Commissioner

  1. The Commission shall, in respect of the period specified under subsection (3), prepare final accounts of the Data Protection Commissioner.
  2. The Commission shall submit the final accounts to the Comptroller and Auditor General for audit not later than 3 months after the establishment day.
  3. For the purposes of subsection (1), the Minister may specify a period that is longer or shorter than a financial year of the Data Protection Commissioner.
  4. The Commission shall prepare the final annual report for the Data Protection Commissioner and cause a copy of the report to be laid before each House of the Oireachtas not later than 6 months after the establishment day.

67. Saver for scheme relating to superannuation

A scheme made under section 9 and paragraph 7(a) of the Second Schedule to the Act of 1988 that was in force immediately prior to coming into operation of section 7 in so far as it relates to the repeal of section 9 and paragraph 7(a) of the Second Schedule to the Act of 1988 shall continue in force on and after that coming into operation as if the scheme had been made under section 22 and—

  1. a person who was a member of the scheme on that coming into operation shall continue to be a member, and
  2. the provisions of that section shall apply accordingly.

68. Saver for regulations under Act of 1988

  1. Notwithstanding subsection (1) of section 8, the Data Protection Act 1988 (Section 2A) Regulations 2013 (S.I. No. 313 of 2013) and the Data Protection Act 1988 (Section 2A) Regulations 2016 (S.I. No. 220 of 2016) shall, in addition to applying for the purposes referred to in that subsection, apply for all other purposes for which they applied immediately before the commencement of that subsection and, in so far only as they apply for the second-mentioned purposes, they shall be deemed to have been made under section 38 and may be amended or revoked accordingly.
    1. The Data Protection Health Regulations shall continue in force upon and after the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) until the first set of regulations are made under section 60(5)(a).
    2. The Data Protection Health Regulations are amended—
  1. in Regulation 3, by—
  1. the deletion of the definition of "the Act",
  2. the deletion of the definition of "health professional", and
  3. the insertion of the following definitions:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'health practitioner' has the same meaning as it has in the Health Identifiers Act 2014.",

  1. in Regulation 4(1), by—
  1. the substitution of "a request under Article 15 of the Data Protection Regulation" for "a request under section 4(1)(a) of the Act", and
  2. the substitution of "the physical or mental health of the data subject, but this restriction on providing information applies only to the extent to which, and for so long as, that likelihood pertains." for "the physical or mental health of the data subject.",
  1. in Regulation 5, by—
  1. the substitution of "health practitioner" for "health professional" in each place it occurs,
  2. the substitution, in paragraph (1)(a), of "a request under the said Article 15 of the Data Protection Regulation" for "a request under the said section 4(1)(a)", and
  3. the substitution, in paragraph (2)(a), of "within the meaning of section 2 of the Medical Practitioners Act 2007 or a medical practitioner practising medicine pursuant to section 50 of that Act" for "within the meaning of the Medical Practitioners Act 1978 (No. 4 of 1978), or registered dentist, within the meaning of the Dentists Act 1985 (No. 9 of 1985)",

and

  1. by the deletion of Regulation 6.
  1. A request referred to in Regulation 4(1) of the Data Protection Health Regulations which includes a request for health data (within the meaning of those Regulations) that was received but not responded to before the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) shall be treated as if it were a request under Article 15 of the Data Protection Regulation.
    1. The Data Protection Social Work Regulations shall continue in force upon and after the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) until the first set of regulations are made under section 60(5)(b).
    2. The Data Protection Social Work Regulations are amended—
    1. in Regulation 3, by—
    1. the deletion of the definition of "the Act",
    2. the insertion of the following definition:

    " 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20162 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

    and

    1. the substitution of the following definition for the definition of "social work data":

    " 'social work data' means personal data kept for, or obtained in the course of, carrying out social work by a public authority, public body, voluntary organisation or other body but excludes any health data within the meaning of the Data Protection (Access Modification) (Health) (Regulations) 1989 (S.I. No. 82 of 1989) and 'social work' shall be construed accordingly.",

    1. in Regulation 4—
    1. in paragraph (1), by—
    1. the substitution of "a request under Article 15 of the Data Protection Regulation" for "a request under section 4(1)(a) of the Act", and
    2. the substitution of "the physical or mental health or emotional condition of the data subject, but this restriction on providing information applies only to the extent to which, and for as long as, that likelihood pertains." for "the physical or mental health or emotional condition of the data subject.",

    and

    1. in paragraph (3), by the substitution of "under Article 15 of the Data Protection Regulation" for "under section 4(1)(a) of the Act",

    and

    1. the deletion of Regulation 5.
    1. A request referred to in Regulation 4(1) of the Data Protection Social Work Regulations which includes a request for social work data (within the meaning of those Regulations) that was received but not responded to before the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) shall be treated as if it were a request under Article 15 of the Data Protection Regulation.
    1. The Regulations of 2011 shall apply to—
    1. each special category of personal data that, immediately before the coming into operation of this section—
    1. constituted sensitive personal data to which those Regulations applied, or
    2. would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

    and

    1. Article 10 data that, immediately before such coming into operation—
    1. constituted sensitive personal data to which those Regulations applied, or
    2. would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.
    1. The Regulations of 2011 are amended—
    1. in Regulation 3, by the substitution of "Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, processing" for "Processing",
    2. in Regulation 4, by the substitution of "Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, processing" for "Processing", and
    3. by the insertion of the following Regulation after Regulation 6:

    "7. In these Regulations, "suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects" shall be construed in accordance with section 36 of the Data Protection Act 2018.".

    1. The Regulations of 2015 shall, in addition to applying to sensitive personal data to which the Act of 1988 applies, apply to—
    1. each special category of personal data that, immediately before the coming into operation of this section—
    1. constituted sensitive personal data to which those Regulations applied, or
    2. would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

    and

    1. Article 10 data that, immediately before such coming into operation—
    1. constituted sensitive personal data to which those Regulations applied, or
    2. would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.
    1. The Regulations of 2015 are amended—
    1. in Regulation 2, by the substitution of "Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing" for "The processing", and
    2. by the insertion of the following Regulation after Regulation 2:

    "3. In these Regulations, "suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects" shall be construed in accordance with section 36 of the Data Protection Act 2018.".

    1. The Regulations of 2016 shall, in addition to applying to sensitive personal data to which the Act of 1988 applies, apply to—
    1. each special category of personal data that, immediately before the coming into operation of this section—
    1. constituted sensitive personal data to which those Regulations applied, or
    2. would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

    and

    1. Article 10 data that, immediately before such coming into operation—
    1. constituted sensitive personal data to which those Regulations applied, or
    2. would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.
    1. The Regulations of 2016 are amended—
    1. in Regulation 2, by the substitution of "Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing" for "The processing", and
    2. by the insertion of the following Regulation after Regulation 2:

    "3. In these Regulations, "suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects" shall be construed in accordance with section 36 of the Data Protection Act 2018.".

    1. In this section—

    "Article 10 data" has the meaning assigned to it in section 55;
    "Data Protection Health Regulations" means the Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989);
    "Data Protection Social Work Regulations" means the Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989);
    "Regulations of 2011" means the Data Protection Act 1988 (Section 2B) Regulations 2011 (S.I. No. 486 of 2011);
    "Regulations of 2015" means the Data Protection Act 1988 (Section 2B) Regulations 2015 (S.I. No. 240 of 2015);
    "Regulations of 2016" means the Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016 (S.I. No. 427 of 2016);
    "sensitive personal data" has the meaning assigned to it by the Act of 1988.

1 OJ No. L 119, 4.5.2016, p.1

2 OJ No. L 119, 4.5.2016, p.1

PART 5
PROCESSING OF PERSONAL DATA FOR LAW ENFORCEMENT PURPOSES

CHAPTER 1 - Preliminary and general (Part 5)
CHAPTER 2 - General principles of data protection
CHAPTER 3 - Obligations of controllers and processors
CHAPTER 4 - Rights, and restriction of rights, of data subject (Part 5)
CHAPTER 5 - Transfers of personal data to third countries or international organisations
CHAPTER 6 - Independent supervisory authority

PART 6

ENFORCEMENT OF DATA PROTECTION REGULATION AND DIRECTIVE

CHAPTER 1 - Preliminary
CHAPTER 2 - Enforcement of Data Protection Regulation
CHAPTER 3 - Enforcement of Directive
CHAPTER 4 - Inspection, Audit and Enforcement
CHAPTER 5 - Investigations
CHAPTER 6 - Administrative Fines
CHAPTER 7 - Offences
CHAPTER 8 - Miscellaneous

157. Supervisory authority for courts acting in judicial capacity

  1. The judge ("assigned judge") for the time being assigned for that purpose by the Chief Justice shall be competent for supervision of data processing operations of the courts when acting in their judicial capacity.
  2. The assigned judge shall, in particular—
  1. promote awareness among judges of the provisions of the Data Protection Regulation, the Directive and any enactment, rule made under section 158(3) or other rule of law that gives further effect to the Data Protection Regulation or effect to the Directive, and ensure compliance with those provisions, and
  2. handle, and investigate to the extent appropriate, complaints in relation to data processing operations of the courts when acting in their judicial capacity.

158. Restrictions on obligations of controllers and rights of data subjects for objective of safeguarding judicial independence and court proceedings

  1. The rights and obligations provided for in—
  1. Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, and
  2. sections 87, 90, 91, 92 and 93, and section 71 in so far as it relates to those sections,

are restricted to the extent that the restrictions are necessary and proportionate to safeguard judicial independence and court proceedings.

  1. Subsection (1) is without prejudice to any other enactment or rule of law which restricts the rights and obligations referred to in that subsection.
  2. Without prejudice to the generality of subsection (1), a panel may make such rules as it considers necessary for the purpose of ensuring the effective application of a restriction under that subsection.
  3. Rules made under subsection (3) may relate to such matters as the panel considers appropriate for the purpose referred to in that subsection and, without prejudice to the generality of that subsection, may—
  1. relate to one or more than one of the following:
  1. a class or classes of data subject;
  2. a category or categories of personal data;
  3. civil or criminal proceedings, or both;
  4. a class or classes of civil or criminal proceedings, or both;
  5. the circumstances in which, or the conditions under which, a restriction under subsection (1) shall apply,
  1. include, where relevant, specific provisions as to the matters referred to in Article 23(2), and 
  2. make provision for such incidental, supplementary and consequential matters as appear to the panel to be necessary or expedient for the purposes of the rule.
  1. Rules under subsection (3) shall be published in such manner (which may include publication on the website of the Courts Service) as the panel considers appropriate.
  2. In this section, "panel" means a panel of three judges nominated by the Chief Justice for the purposes of this section.

159. Processing of personal data where court is controller

  1. The Superior Courts Rules Committee may make processing rules in respect of personal data that are contained in a record of a superior court of record.
  2. The Circuit Court Rules Committee may make processing rules in respect of personal data that are contained in a record of the Circuit Court.
  3. The District Court Rules Committee may make processing rules in respect of personal data that are contained in a record of the District Court.
  4. The panel referred to in section 158(6) may make processing rules in respect of personal data—
  1. that are not personal data to which subsection (1), (2) or (3) applies, and
  2. in respect of which a court, when acting in its judicial capacity, is a controller.
  1. Processing rules made under this section shall be binding on a processor of personal data in respect of which the rules are made.
  2. Processing rules made under subsection (4) shall be published in such manner (which may include publication on the website of the Courts Service) as the panel referred to in that subsection considers appropriate.
  3. Subject to subsection (8), a Committee referred to in subsection (1), (2) or (3) may make rules—
  1. authorising the disclosure, for the purpose of facilitating the fair and accurate reporting of the proceedings, to a bona fide member of the Press or broadcast media and at the member's request, of information contained in a record of proceedings before a court for which the Committee is the rule-making authority, and
  2. prescribing any conditions subject to which such disclosure is to be made.
  1. Rules made under subsection (7)—
  1. shall not apply to proceedings required by law to be held otherwise than in public, and
  2. shall apply subject to any order made or direction given by a court in the proceedings concerned.
  1. In this section, "processing rules", in relation to personal data, means rules made for the purposes of Article 28(3) of the Data Protection Regulation and Article 22(3) of the Directive, governing the processing by a processor of the personal data.

160. Publication of judgment or decision of court or court list

The processing of personal data shall be lawful where that processing—

  1. consists of the publication of—
  1. a judgment or decision of a court, or
  2. a list or schedule of court proceedings or hearings in court proceedings, or
  1. is necessary for the purposes of such publication.

161. Rules of court for data protection actions

  1. It shall be the function of the courts in data protection actions to ensure that parties to such actions comply with such rules of court as apply in relation to such actions so that the trial of data protection actions within a reasonable period of their having been commenced is secured.
  2. Where rules of court prescribe a period of time for the service of a document, or the doing of any other thing, in relation to a data protection action, the period within which that document may be served or thing may be done, shall not be extended beyond the period so prescribed unless—
  1. the parties to the action agree to the period being extended, or
  2. the court considers that—
  1. in all the circumstances the extension of the period by such further period as it may direct is necessary or expedient to enable the action to be properly prosecuted or defended, and
  2. the interests of justice require the extension of the period by that further period.
  1. For the purposes of ensuring compliance by a party to a data protection action with rules of court, a court may make such orders as to the payment of costs as it considers appropriate.
  2. Nothing in this section shall be construed as limiting or reducing the power of an authority, having (for the time being) power to make rules regulating the practice and procedure of a court, to—
  1. make such rules in relation to data protection actions provided such rules do not derogate from, and are not inconsistent with, any provision of the Data Protection Regulation or this Act, or
  2. make such rules in relation to proceedings or actions other than data protection actions.
  1. In this section, "data protection action" means a data protection action under section 117 or section 128.
  2. In subsections (1) and (2), a reference to the courts or the court includes a reference to the Master of the High Court and a county registrar.

162. Legal privilege

The rights and obligations provided for in—

  1. Articles 12 to 22 and 34 of the Data Protection Regulation (as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22), and
  2. sections 87, 90, 91, 92 and 93 and section 71, insofar as it relates to those sections,

do not apply—

  1. to personal data processed for the purpose of seeking, receiving or giving legal advice,
  2. to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers, or
  3. where the exercise of such rights or performance of such obligations would constitute a contempt of court.

163. Application to High Court concerning adequate level of protection or appropriate safeguards

  1. The Commission, where it considers that a place to which personal data are to be transferred does not ensure an adequate level of protection, may apply to the High Court for a determination as to whether the level of protection ensured by the place is adequate.
  2. An application under subsection (1) may be made notwithstanding that the place concerned is the subject of an implementing act pursuant to Article 45(3) of the Data Protection Regulation or, as the case may be, Article 36(3) of the Directive.
  3. The Commission, where it considers that a standard data protection clause does not provide for appropriate safeguards, may apply to the High Court for a determination as to whether the standard data protection clause provides for appropriate safeguards. 
  4. For the purposes of this section, the adequacy of the level of protection referred to in subsection (1) shall be assessed in accordance with, as the case may be, Article 45(2) of the Regulation or Article 36(2) of the Directive.
  5. In this section—

"place" means a third country, a territory or one or more specified sectors within a third country, or an international organisation;
"standard data protection clause" means a standard data protection clause to which point (c) or (d) of Article 46(2) of the Data Protection Regulation applies.

164. Court may order destruction, erasure of data

  1. Where a person is convicted of an offence under this Act, the court may order any personal data that appears to the court to be connected with the commission of the offence to be destroyed or erased.
  2. The court shall not make an order under subsection (1) where it considers that a person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data concerned, unless such steps as are reasonably practicable have been taken for notifying that person and giving him or her an opportunity to show cause why the order should not be made.

165. Reference to personal data in enactment

Subject to this Act, a reference in any enactment to personal data within the meaning of the Act of 1988 shall be construed as including a reference to personal data within the meaning of—

  1. the Data Protection Regulation, and
  2. Part 5.

166. Reference to processing in enactment

Subject to this Act, a reference in any enactment to processing within the meaning of the Act of 1988 shall be construed as including a reference to processing within the meaning of—

  1. the Data Protection Regulation, and
  2. Part 5.

167. Amendment of Firearms Act 1925

The Firearms Act 1925 is amended by the insertion of the following section after section 27A:

"Provision of information by Commissioner to Minister for purposes of Act and Firearms (Firearm Certificates For Non-Residents) Act 2000

27B.

  1. The Minister may request the Commissioner to provide any information necessary for the performance of the Minister's functions under sections 9, 10, 11 and 17 and under section 2 of the Firearms (Firearm Certificates For Non-Residents) Act 2000, and the Commissioner shall, notwithstanding anything contained in any other enactment or rule of law, but subject to the Data Protection Regulation and the Data Protection Act 2018, comply with that request.
  2. In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

168. Amendment of section 33AK of Central Bank Act 1942

Section 33AK(5) of the Central Bank Act 1942 is amended—

  1. in paragraph (az), by the substitution of "(S.I. No. 349 of 2016), or" for "(S.I. No. 349 of 2016).",
  2. by the insertion of the following paragraph:

"(ba) to the Data Protection Commission that is required for the performance of that Commission's functions under the Data Protection Regulation or the Data Protection Acts 1988 to 2018.",

and

  1. by the insertion in subsection (10) of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20162 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);".

169. Amendment of section 2 of Civil Service Regulation Act 1956

Section 2(2) of the Civil Service Regulation Act 1956 is amended—

  1. in paragraph (h), by the deletion of "and",
  2. in paragraph (i), by the substitution of "Síochána, and" for "Síochána.", and
  3. by the insertion of the following paragraph after paragraph (i):

"(j) in relation to a member of staff of the Data Protection Commission, the Commissioner for Data Protection or, where more than one Commissioner for Data Protection stands appointed, the chairperson (within the meaning of the Data Protection Act 2018).".

170. Amendment of section 24 of Misuse of Drugs Act 1977

Section 24 of the Misuse of Drugs Act 1977 is amended—

  1. in subsection (1)(c), by the substitution of "(including those containing any data that constitutes personal data)" for "(including any data within the meaning of the Data Protection Acts 1988 and 2003)",
  2. in subsection (2)(c), by the substitution of "(including those containing any data that constitutes personal data)" for "(including any data within the meaning of the Data Protection Acts 1988 and 2003)", and
  3. by the insertion of the following subsection after subsection (7):

"(8) In this section—

'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20163 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Data Protection Act 2018.".

171. Amendment of section 15A of Control of Clinical Trials Act 1987

Section 15A of the Control of Clinical Trials Act 1987 is amended—

  1. by the substitution of the following paragraph for paragraph (d):

"(d) inspect and copy or extract information from any data including data that constitutes personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Data Protection Act 2018.",

and

  1. the insertion of the following subsection after subsection (10):

"(11) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20164 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

172. Amendment of Data Protection Act 1988

  1. The Act of 1988 is amended—
  1. in section 24, by the substitution of the following subsection for subsection (1):

"(1) In this section 'authorised officer' has the same meaning that it has in section 2(1) of the Data Protection Act 2018.",

and

  1. in section 26—
  1. in subsection (1)—
  1. in paragraph (b), by the substitution of "notice, and" for "notice", and
  2. by the deletion of paragraph (c), and
  1. in subsection (4)—
  1. in paragraph (a), by the substitution of "paragraph (a) or (b) of subsection (1) of this section" for "paragraph (a), (b) or (c) of subsection (1) of this section", and
  2. by the substitution of "with a requirement or prohibition specified in the notice" for "with a requirement or prohibition specified in the notice, or, as the case may be, a contravention by him of section 19 of this Act,".
  1. The amendments effected by subsection (1) shall not apply for the purposes of subsections (1)(b), (2) and (3) of section 8.

173. Amendment of Bankruptcy Act 1988

The Bankruptcy Act 1988 is amended by the insertion of the following section:

"Restriction of right of access to personal data in certain circumstances
140D.

  1. Article 15 (Right of access) of the Data Protection Regulation is restricted to the extent necessary and proportionate to safeguard the effective performance by the Official Assignee of his or her functions under section 61, where the performance of those functions gives rise to the processing of personal data to which the Data Protection Regulation applies.
  2. In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20165 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

174. Amendment of Firearms and Offensive Weapons Act 1990

The Firearms and Offensive Weapons Act 1990 is amended by the insertion of the following section after section 16:

"Provision of information by Commissioner to Minister
16A.

  1. The Minister may request the Commissioner of the Garda Síochána to provide any information necessary for the performance of the Minister's functions under sections 9C and 9E and the Commissioner shall, notwithstanding anything contained in any other enactment or rule of law, but subject to the Data Protection Regulation and the Data Protection Act 2018, comply with that request.
  2. In this section 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20166 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

175. Amendment of section 13A of Electoral Act 1992

Section 13A of the Electoral Act 1992 is amended by the insertion of the following subsection after subsection (3B):

"(3C) In addition to any other electoral purpose for which the information contained in the register prepared under section 13, including a draft register or the supplement to the register prepared under section 15 or an electors list published under section 16, being information which is excluded from the edited register, may be used, that information may be used—

  1. by a specified person (within the meaning of section 39 of the Data Protection Act 2018), for the purpose of communicating with a data subject in accordance with section 39 of that Act, or
  2. by an elected representative (within the meaning of section 40 of the Data Protection Act 2018) for the purposes of section 40 of that Act.".

176. Amendment of Comptroller and Auditor General (Amendment) Act 1993

The Comptroller and Auditor General (Amendment) Act 1993 is amended—

  1. in section 10, by the substitution of the following subsection for subsection (3):

"(3) In this section—

'automated data' means information that—

  1. is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
  2. is recorded with the intention that it should be processed by means of such equipment;

'data' means automated data and manual data;
'data equipment' means equipment for processing data;
'data material' means any document or other material used in connection with, or produced by, data equipment;
'manual data' means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
'relevant filing system' means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;",

and

  1. by the insertion of the following section after section 18B:

"Application of this Act to the Data Protection Commission
18C.

This Act applies to the Data Protection Commission as if it were a Department.".

177. Amendment of section 8 of Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993

Section 8 of the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 is amended in subsection (1A) by the substitution of "the functions of the Data Protection Commission under section 10 of the Data Protection Act 1988 and Part 6 of the Data Protection Act 2018" for "the functions of the Data Protection Commissioner under section 10 of the Data Protection Act 1988".

178. Amendment of section 24 of Statistics Act 1993

Section 24 of the Statistics Act 1993 is amended—

  1. by the substitution of the following subsection for subsection (2):

"(2) Without prejudice to the Data Protection Regulation and the Data Protection Act 2018, persons and undertakings may provide information and records, or copies thereof, which they may possess to the Director General or officers of statistics on invitation under the provisions of this Act.",

and

 

  1. by the insertion of the following subsection:

"(3) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20167 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

179. Amendment of section 57B of Irish Aviation Authority Act 1993 

Section 57B(1) of the Irish Aviation Authority Act 1993 is amended by the substitution of the following paragraph for paragraph (d):

"(d) inspect, copy or extract information from any material (including information in any form) or thing found or produced to the authorised person.".

180. Amendment of section 18F of Health Insurance Act 1994

Section 18F of the Health Insurance Act 1994 is amended—

  1. in subsection (2)(d), by the substitution of "data (including data that constitutes personal data)" for "data (within the meaning of the Data Protection Acts 1988 and 2003)", and
  2. in subsection (12), by the insertion of the following definitions:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20168 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Data Protection Act 2018.".

181. Amendment of section 142 of Consumer Credit Act 1995 

Section 142 of the Consumer Credit Act 1995 is amended—

  1. in subsection (2), by the substitution of the following paragraph for paragraph (b):

"(b) which relates to information that constitutes personal data to which the Data Protection Regulation applies.",

  1. in subsection (4), by the substitution of the following paragraph for paragraph (b):

"(b) which relates to information that constitutes personal data to which the Data Protection Regulation applies.",

and

  1. by the insertion of the following subsection after subsection (4):

"(5) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20169 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

182. Amendment of section 32B of Irish Medicines Board Act 1995

Section 32B of the Irish Medicines Board Act 1995 is amended—

  1. in subsection (3), by the substitution of the following paragraph for paragraph (l):

"(l) inspect and copy or extract information from any data, including data that constitutes personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Data Protection Act 2018.",

and

  1. by the insertion of the following subsection after subsection (11):

"(12) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201610 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

183. Amendment of section 77 of Central Bank Act 1997

Section 77 of the Central Bank Act 1997 is amended by the substitution of the following subsection for subsection (12):

"(12) In this section—

'automated data' means information that—

  1. is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
  2. is recorded with the intention that it should be processed by means of such equipment;

'data' means automated data and manual data;
'data equipment' means equipment for processing data;
'data material' means any document or other material used in connection with, or produced by data equipment;
'manual data' means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
'relevant filing system' means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.".

184. Amendment of section 1 of Health (Provision of Information) Act 1997

The Health (Provision of Information) Act 1997 is amended by the substitution of the following section for section 1:

"Requests for and provision of information
1

  1. The National Cancer Registry Board (established under the Health (Corporate Bodies) Act 1961) may request from any person personal data (including data concerning health and genetic data within the meaning of the Data Protection Regulation) held by, or in the possession of, that person for the purposes of the performance of that Board of its functions.
  2. Without prejudice to his or her obligations under the Data Protection Regulation and the Act of 2018, the person to whom a request is made under subsection (1) shall provide the personal data requested to the extent it is held by, or in the possession of, that person.
  3. The Health Service Executive may, for the purposes of compiling and maintaining a record of the names, addresses, telephone numbers, email addresses and dates of birth of persons who, for public health reasons, may be invited to participate in any cancer screening (including any breast, cervical or bowel cancer screening) programme operated by the Executive, request from any person the names, addresses, telephone numbers, e-mail addresses and dates of birth of persons held by, or in the possession of, that person.
  4. Without prejudice to his or her obligations under the Data Protection Regulation and the Act of 2018, the person to whom a request is made under subsection (3) may provide that information to the extent it is held by, or in the possession of, that person.
  5. In this section—

'Act of 2018' means the Data Protection Act 2018;
'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201621 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'personal data' means personal data within the meaning of the Data Protection Regulation.".

185. Amendment of section 9M of Electricity Regulation Act 1999

Section 9M of the Electricity Regulation Act 1999 is amended—

  1. in subsection (4), by the substitution of "the Data Protection Regulation or the Data Protection Act 2018" for "the Data Protection Acts 1988 and 2003", and
  2. by the insertion of the following subsection after subsection (10):

"(11) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201612 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

186. Amendment of British-Irish Agreement Act 1999

Section 51 of the British-Irish Agreement Act 1999 is amended—

  1. in subsection (1) by—
  1. the substitution of the following definition for the definition of "Act of 1988":

" 'Act of 1988' means the Data Protection Act 1988, as amended by the Data Protection Act 2018;",

and

  1. the substitution of the following definition for the definition of "established":

" 'established', in relation to a data controller or a data processor, shall be construed in accordance with section 1(3B)(b) of the Act of 1988;",

and

  1. by the deletion of subsection (6).

187. Amendment of section 7D of Comhairle Act 2000

Section 7D of the Comhairle Act 2000 is amended—

  1. in subsection (3), by the substitution of "Subject to the Data Protection Regulation and the Data Protection Act 2018" for "Subject to the Data Protection Acts 1988 and 2003", and
  2. by the substitution of the following subsection for subsection (8): "(8) In this section—

'application', 'assessment' and 'service statement' have the meanings assigned to them respectively by Part 2 of the Disability Act 2005;
'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201613 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

188. Amendment of section 33 of Commission To Inquire Into Child Abuse Act 2000 

The Commission To Inquire Into Child Abuse Act 2000 is amended by the substitution of the following section for section 33:

"33.

  1. Article 15 (Right of access) of the Data Protection Regulation is restricted, to the extent necessary and proportionate to safeguard the effective performance by the Commission of its functions or a Committee of its functions, in so far as it relates to personal data (within the meaning of that Regulation) provided to the Commission or a Committee while the data is in the custody of the Commission or a Committee, or in the case of such data provided to the Confidential Committee, of a body to which it is transferred by the Commission upon the dissolution of the Commission.
  2. In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201614 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

189. Amendment of section 2 of Merchant Shipping (Investigation of Marine Casualties) Act 2000

Section 2(1) of the Merchant Shipping (Investigation of Marine Casualties) Act 2000 is amended in the definition of "record" by the deletion of the words "any form in which data (within the meaning of the Data Protection Act 1988) are held,".

190. Amendment of section 28 of Education (Welfare) Act 2000

Section 28 of the Education (Welfare) Act 2000 is amended—

  1. by the substitution of "controller" for "data controller" in each place it occurs, and
  2. in subsection (3), by the deletion of " 'data controller' and 'personal data' have the meanings assigned to them by the Data Protection Act 1988" and the insertion of the following:

" 'controller' means a controller within the meaning of the Data Protection Regulation;
'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201615 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'personal data' means personal data within the meaning of the Data Protection Regulation;".

191. Amendment of section 38 of Planning and Development Act 2000

Section 38 of the Planning and Development Act 2000 is amended in subsection (2) by the deletion of "and the Data Protection Acts 1988 and 2003".

192. Amendment of section 14 of Dormant Accounts Act 2001

Section 14(5) of the Dormant Accounts Act 2001 is amended by the substitution of the following paragraph for paragraph (b):

"(b) Nothing in paragraph (a) shall be construed as restricting the right of a person to inspect the register, in relation to an account, where the person—

  1. proves to the satisfaction of an institution that he or she is, or may be, the account holder,
  2. proves to the satisfaction of an institution that he or she is authorised by the account holder to so inspect, or
  3. may act on behalf of the account holder in relation to that account pursuant to regulations made under section 9.".

193. Amendment of section 30 of Residential Institutions Redress Act 2002

The Residential Institutions Redress Act 2002 is amended by the substitution of the following section for section 30:

"30.

  1. Article 15 (Right of access) of the Data Protection Regulation is restricted, to the extent necessary and proportionate to safeguard the effective performance by the Board of its functions and the Review Committee of its functions, in so far as it relates to personal data (within the meaning of that Regulation) provided to the Board while the data is in the custody of the Board or the Review Committee.
  2. In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201616 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

194. Amendment of section 2 of Official Languages Act 2003

Section 2(1) of the Official Languages Act 2003 is amended—

  1. in the Irish text, in the definition of "taifead", by the substitution of "aon fhoirm ina gcoimeádtar sonraí (lena n-áirítear foirm mheaisín-inléite) nó rud" for "aon fhoirm ina gcoimeádtar sonraí (de réir bhrí an Achta um Chosaint Sonraí 1988), aon fhoirm eile (lena n-áirítear foirm mheaisín-inléite) nó rud eile" and
  2. in the English text, in the definition of "record", by the substitution of "any form in which data are held (including machine-readable form)" for "any form in which data (within the meaning of the Data Protection Act 1988) are held, any other form (including machine-readable form)".

195. Amendment of section 86 of Personal Injuries Assessment Board Act 2003

Section 86 of the Personal Injuries Assessment Board Act 2003 is amended—

  1. in subsection (1), by the substitution of "but only if the processing (within the meaning of the Data Protection Regulation) of any particulars constituting personal data (within the meaning of that Regulation) in the database is in accordance with the Data Protection Regulation and the Data Protection Act 2018." for "but only if the database is, for the time being, maintained in accordance with the Data Protection Act 1988", and
  2. by the insertion of the following subsection after subsection (4):

"(5) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201617 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

196. Amendment of section 12 of Unclaimed Life Assurance Policies Act 2003

Section 12(5) of the Unclaimed Life Assurance Policies Act 2003 is amended by the substitution of the following paragraph for paragraph (b):

"(b) Nothing in paragraph (a) shall be construed as restricting the right of a person to inspect the register in relation to a policy where the person—

  1. proves to the satisfaction of an insurance undertaking that he or she is, or may be, the policy holder,
  2. proves to the satisfaction of an insurance undertaking that he or she is authorised by the policy holder to so inspect, or
  3. may act on behalf of the policy holder in relation to that policy pursuant to regulations made under section 7.".

197. Amendment of section 66 of Civil Registration Act 2004

Section 66 of the Civil Registration Act 2004 is amended—

  1. in subsection (1), by the substitution of "Notwithstanding anything contained in any other enactment, but subject to the Data Protection Regulation and the Data Protection Act 2018, an tArd-Chláraitheoir may" for "Notwithstanding anything contained in the Data Protection Acts 1988 to 2003 or any other enactment, an tArd-Chláraitheoir may", and
  2. by the substitution of the following subsection for subsection (2): "(2) In this section—

'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201618 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'information' includes personal data;
'personal data' means personal data within the meaning of—

  1. the Data Protection Act 1988,
  2. the Data Protection Regulation, or
  3. Part 5 of the Data Protection Act 2018.".

198. Amendment of section 39 of Commissions of Investigation Act 2004

Section 39 of the Commissions of Investigation Act 2004 is amended—

  1. by designating the section as subsection (1),
  2. in that designated subsection (1), by the substitution of "Article 15 (Right of access) of the Data Protection Regulation is restricted, to the extent necessary and proportionate to safeguard the effective operation of commissions and the future cooperation of witnesses, in so far as it relates to personal data (within the meaning of that Regulation) provided to a commission" for "Section 4 of the Data Protection Act 1988 does not apply to personal data provided to a commission", and
  3. by the insertion of the following subsection after subsection (1):

"(2) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201619 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

199. Amendment of section 55H of Health Act 2004

Section 55H of the Health Act 2004 is amended—

  1. in subsection (8), by the substitution of the following paragraph for paragraph (a):

"(a) submit a draft of the proposed procedures to the Data Protection Commission for its opinion as to whether any provision of the procedures would, if given effect, be likely to result in a contravention of the Data Protection Regulation or the Data Protection Act 2018, and",

  1. in subsection (9), by the substitution of "the Data Protection Commission" for "the Data Protection Commissioner", and
  2. by the insertion of the following subsection after subsection (9):

"(10) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201620 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

200. Amendment of section 2 of Safety, Health and Welfare at Work Act 2005

Section 2(1) of the Safety, Health and Welfare at Work Act 2005 is amended—

  1. by the substitution of the following definition for the definition of "record":

" 'record' includes any memorandum, book, report, statement, register, plan, chart, map, drawing, specification, diagram, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form in which data (including data that constitute personal data within the meaning of the Data Protection Regulation or Part 5 of the Data Protection Act 2018) are held, any form (including machine-readable form) or thing in which information is held or stored manually, mechanically or electronically, and anything that is a part or copy, in any form, of any of, or any combination of, the foregoing;",

and

  1. by the insertion of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201621 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);".

201. Amendment of section 265 of Social Welfare Consolidation Act 2005

Section 265 of the Social Welfare Consolidation Act 2005 is amended—

  1. in subsection (1)—
  1. by the substitution of the following definitions for the definitions of "data controller" and "personal data":

" 'controller' means a controller within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;

'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;", and
  1. by the insertion of the following definitions:

" 'Act of 2018' means the Data Protection Act 2018;
'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201622 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

and

  1. in subsection (2), by the substitution of "controller" for "data controller".

202. Amendment of Disability Act 2005

The Disability Act 2005 is amended—

  1. in section 12, by the deletion of subsection (3),
  2. in section 13, by the deletion of subsection (4),
  3. in section 41—
  1. by the deletion of the definition of "the Acts",
  2. by the substitution of the following definition for the definition of "processing":

" 'processing' means processing within the meaning of the Data Protection Regulation;", and

  1. by the insertion of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016323 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

  1. in section 42—
  1. by the substitution, in subsection (1)(b), of "the Data Protection Regulation", for "the Acts",
  2. by the deletion, in subsection (2)(a), of "save in accordance with the provisions of section 12A of the Data Protection Act 1988 (as inserted by the Data Protection (Amendment) Act 2003",
  3. by the substitution of the following subsection for subsection (4):

"(4) A person who contravenes subsection (2) or (3) shall be guilty of an offence and shall be liable—

  1. on summary conviction, to a class A fine, oron conviction on indictment, to a fine not exceeding €100,000.", and
  2. by the insertion of the following subsections:

"(5) Where a person is convicted of an offence under subsection (4), the court may order any personal data that appears to the court to be connected with the commission of the offence to be destroyed or erased.
(6) The court shall not make an order under subsection (5) where it considers that a person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data concerned, unless such steps as are reasonably practicable have been taken for notifying that person and giving him or her an opportunity to show cause why the order should not be made.",

  1. by the deletion of section 43, and
  2. in section 45, by the deletion of subsection (1).

203. Amendment of section 2 of Railway Safety Act 2005

Section 2(1) of the Railway Safety Act 2005 is amended in the definition of "record" by the deletion of the words "in which data (within the meaning of the Data Protection Act 1988) are held, any other form".

204. Amendment of section 12 of Health (Repayment Scheme) Act 2006

Section 12(3) of the Health (Repayment Scheme) Act 2006 is amended by the substitution of "except after consultation with the Data Protection Commission" for "except after consultation with the Data Protection Commissioner within the meaning of the Data Protection Acts 1988 and 2003".

205. Amendment of section 19 of Electoral (Amendment) Act 2006

Section 19 of the Electoral (Amendment) Act 2006 is amended by the substitution of "A registration authority may," for "Notwithstanding anything in the Data Protection Acts 1988 and 2003, a registration authority may,".

206. Amendment of section 67 of Pharmacy Act 2007

Section 67 of the Pharmacy Act 2007 is amended—

  1. in subsection (3), by the substitution of the following paragraph for paragraph (l):

"(l) inspect and copy or extract information from any data, including data that constitutes personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Data Protection Act 2018.",

and

  1. by the insertion of the following subsection after subsection (12):

"(13) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201624 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

207. Amendment of Passports Act 2008

The Passports Act 2008 is amended—

  1. in section 2, by—
  1. the deletion of the definitions of "Act of 1988", "automated data" and "data",
  2. the insertion of the following definition:

" 'Act of 2018' means the Data Protection Act 2018;",

  1. the substitution of the following definition for the definition of "biometric data":

" 'biometric data' means biometric data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;",
  1. the insertion of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201625 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

  1. the substitution of the following definition for the definition of "personal data":

" 'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;", and
  1. the substitution of the following definition for the definition of "processing":

" 'processing' means processing within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018.",
  1. in section 8, by the substitution in subsection (1) of "Subject to the Data Protection Regulation and the Act of 2018" for "Subject to the Data Protection Acts 1988 and 2003", and
  2. in section 21(1)(b), by the substitution of "personal data" for "data" in each place it occurs.

208. Amendment of Criminal Justice (Mutual Assistance) Act 2008

The Criminal Justice (Mutual Assistance) Act 2008 is amended—

  1. in section 76(1), by the insertion of the following definition:

" 'controller' means a controller within the meaning of Part 5 of the Data Protection Act 2018;",

  1. in section 79C(7), by the insertion of "or, as the case may be, controller" after "data controller" in each place it occurs,
  2. in section 94, by—
  1. the substitution of the following subsections for subsections (5) and (6):

"(5) Article 7, in its application in relation to the use of personal data contained in evidence or information obtained under the Treaty by a person in the State, is without prejudice to the application of—

  1. subject to section 8 of the Act of 2018, section 7 (duty of care owed by data controllers and data processors) of the Act of 1988 in respect of the use of such data (within the meaning of the Act of 1988), and
  2. Part 5 of the Act of 2018, in respect of the use of such data (within the meaning of that Part).

(6) 

  1. Subject to section 8 of the Act of 2018, the Data Protection Acts 1988 and 2003 apply in relation to personal data referred to in subsection (5)(a), in respects other than those related to their use.
  2. Part 5 of the Act of 2018 applies in relation to personal data referred to in subsection (5)(b), in respects other than those related to their use.",

and

  1. the insertion of the following subsection: "(8) In this section—

'Act of 1988' means the Data Protection Act 1988;
'Act of 2018' means the Data Protection Act 2018.",

and

  1. in section 107, by—
  1. the substitution of the following subsections for subsections (2) and (3): "(2) Subsection (1) is without prejudice to the application of—
  1. subject to section 8 of the Act of 2018, section 7 (duty of care owed by data controllers and data processors) of the Act of 1988 in respect of the use of such data (within the meaning of the Act of 1988), and
  2. Part 5 of the Act of 2018, in respect of the use of such data (within the meaning of that Part).

(3)

  1. Subject to section 8 of the Act of 2018, the Data Protection Acts 1988 and 2003 apply in relation to personal data referred to in subsection (2)(a), in respects other than those related to their use.
  2. Part 5 of the Act of 2018 applies in relation to personal data referred to in subsection (5)(b), in respects other than those related to their use.",

and

  1. by the insertion of the following subsection after subsection (4): "(5) In this section—

'Act of 1988' means the Data Protection Act 1988;
'Act of 2018' means the Data Protection Act 2018.".

209. Amendment of section 2 of Chemicals Act 2008

Section 2(1) of the Chemicals Act 2008 is amended by—

  1. the substitution of the following definition for the definition of "record"—

" 'record' includes any memorandum, book, report, statement, register, plan, chart, map, drawing, specification, diagram, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form in which data (including data that constitute personal data within the meaning of the Data Protection Regulation or Part 5 of the Data Protection Act 2018) are held, any form (including machine-readable form) or thing in which information is held or stored manually, mechanically or electronically, and anything that is a part or copy, in any form, of any of, or any combination of, the foregoing;",

and

  1. the insertion of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201626 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);".

210. Amendment of Nursing Homes Support Scheme Act 2009

The Nursing Homes Support Scheme Act 2009 is amended—

  1. in section 26, by the deletion of subsection (12), and
  2. in section 45(1), by the substitution of "Subject to the Data Protection Regulation and the Data Protection Act 2018" for "Notwithstanding any provision of the Data Protection Acts 1988 to 2003".

211. Amendment of section 23 of Criminal Justice (Miscellaneous Provisions) Act 2009

Section 23 of the Criminal Justice (Miscellaneous Provisions) Act 2009 is amended by the substitution of the following subsections for subsection (2):

"(2) The Data Protection Act 1988 shall, subject to any necessary modifications, apply and have effect in relation to the processing (within the meaning of that Act) of personal data (within the meaning of that Act) for the purposes of the operation of the Council Decision and the Schengen Convention.
(3) The Data Protection Act 2018 shall, subject to any necessary modifications, apply and have effect to the processing (within the meaning of Part 5 of that Act) of personal data (within the meaning of that Part) for the purposes of the operation of the Council Decision and the Schengen Convention.".

212. Amendment of section 201 of National Asset Management Agency Act 2009

The National Asset Management Agency Act 2009 is amended by the substitution of the following section for section 201:
"201.

  1. For the avoidance of doubt, an obligation on a credit institution or any other person under this Act to disclose information to NAMA, a NAMA group entity or the NTMA extends to personal data within the meaning of the Data Protection Regulation.
  2. In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201627 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

213. Amendment of Criminal Justice (Money Laundering and Terrorist Financing) Act 2010

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 is amended—

  1. in section 2(1), by the insertion of the following definitions:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201628 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'personal data' means personal data within the meaning of—

  1. the Data Protection Act 1988,
  2. the Data Protection Regulation, or
  3. Part 5 of the Data Protection Act 2018;",
  1. in section 52(2), by the deletion of "(within the meaning of the Data Protection Acts 1988 and 2003)", and
  2. in section 88(2), by the deletion of "(within the meaning of the Data Protection Acts 1988 and 2003)".

214. Amendment of section 12 of Communications (Retention of Data) Act 2011

Section 12 of the Communications (Retention of Data) Act 2011 is amended by the substitution of the following subsections for subsection (4):

"(4) The designated judge may, if he or she considers it desirable to do so, communicate with the Taoiseach or the Minister concerning disclosure requests and with the Data Protection Commission in connection with its functions under the Data Protection Regulation and the Data Protection Acts 1988 to 2018.
(5) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201629 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

215. Amendment of section 17A of Ministers and Secretaries (Amendment) Act 2011

Section 17A of the Ministers and Secretaries (Amendment) Act 2011 is amended—

  1. in subsection (2), by the substitution of "Data Protection Regulation" for "Data Protection Acts 1988 and 2003", and
  2. by the insertion of the following subsection after subsection (3):

"(4) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201630 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

216. Amendment of section 28 of Student Support Act 2011

Section 28 of the Student Support Act 2011 is amended—

  1. by the substitution of "controller" for "data controller" in each place it occurs,
  2. in subsection (1), by the substitution of "Notwithstanding anything contained in any enactment (other than the Act of 2018)" for "Notwithstanding anything contained in the Data Protection Acts 1988 and 2003 or any other enactment", and
  3. in subsection (5), by—
  1. the substitution of the following definitions for the definition of "data controller":

" 'Act of 2018' means the Data Protection Act 2018;
'controller' means a controller within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;

'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201631 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

  1. the substitution of the following definition for the definition of "personal data":

" 'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;", and
  1. the substitution of the following definition for the definition of "processing":

" 'processing' means processing with the meaning of—

  1. the Data Protection Regulation, or (b) Part 5 of the Act of 2018;".

217. Amendment of Communications Regulation (Postal Services) Act 2011

The Communications Regulation (Postal Services) Act 2011 is amended—

  1. in section 65A(1), by—
  1. the deletion of the definition of "Act of 1988",
  2. the insertion of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201632 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

  1. the substitution of the following definition for the definition of "personal data":

" 'personal data' means personal data within the meaning of the Data Protection Regulation;", and

  1. the substitution of the following definition for the definition of "processing":

" 'processing' means processing within the meaning of the Data Protection Regulation;",

  1. in section 66A(2), by the deletion of paragraph (a), and (c) in section 66C—
  1. in subsection (1), by the substitution of "the Data Protection Regulation and the Data Protection Act 2018" for "the Data Protection Acts 1988 to 2003", and
  2. by the substitution of the following subsection for subsection (2):

"(2) Article 21 (Right to object) of the Data Protection Regulation shall not apply to processing of personal data that is required for the purposes of carrying out legitimate postcode activity.".

218. Amendment of Property Services (Regulation) Act 2011

The Property Services (Regulation) Act 2011 is amended—

  1. in section 2(1), by the insertion of the following definition after the definition of "connected relative":

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201633 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

  1. in section 42, by the substitution of the following subsection for subsection (2):

"(2) The Commissioner of the Garda Síochána shall, notwithstanding anything contained in any other enactment or rule of law, but subject to the Data Protection Regulation and the Data Protection Act 2018, comply with a request under subsection (1).",

and

  1. by the substitution of the following section for section 93:

"Restriction of right of access to personal data in certain circumstances
93.
Article 15 (Right of access) of the Data Protection Regulation is restricted, to the extent necessary and proportionate to enable the Authority to effectively perform its functions under this Act in so far as the functions relate to carrying out an investigation, in so far as it relates to personal data (within the meaning of that Regulation) processed by the Authority.".

219. Amendment of section 56 of Credit Union and Co-operation with Overseas Regulators Act 2012

Section 56 of the Credit Union and Co-operation with Overseas Regulators Act 2012 is amended—

  1. by the substitution of the following subsection for subsection (2):

"(2) A credit union may disclose to ReBo personal data within the meaning of the Data Protection Regulation.",

and

  1. by the insertion of the following subsection after subsection (3):

"(4) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201634 on the protection of natural persons with regard to the process

220. Amendment of Europol Act 2012

Section 1 of the Europol Act 2012 is amended by—

  1. the substitution of the following definition for the definition of "data":

" 'data' means automated data and manual data;",

  1. the substitution of the following definition for the definition of "personal data":

" 'personal data' has the meaning it has in Part 5 of the Data Protection Act 2018;",

  1. by the substitution of the following definition for the definition of "processing":

" 'processing', in relation to personal data, has the meaning it has in Part 5 of the Data Protection Act 2018;", and

  1. the insertion of the following definitions:

" 'automated data' means information that—

  1. is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
  2. is recorded with the intention that it should be processed by means of such equipment;

'manual data' means information that is recorded as part of a relevant filing system, or with the intention that it should form part of a relevant filing system;
'relevant filing system' means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;".

221. Amendment of Personal Insolvency Act 2012

The Personal Insolvency Act 2012 is amended—

  1. in section 2(1), by—
  1. the insertion of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201635 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);", and

  1. the substitution of the following definition for the definition of "personal data":

" 'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Data Protection Act 2018;",
  1. by the deletion of section 21A, and
  2. by the substitution of the following section for section 186:

"Restriction of right of access to personal data in certain circumstances
186.
Article 15 (Right of access) of the Data Protection Regulation, in so far as it relates to personal data (within the meaning of that Regulation) processed by the following persons or bodies, is restricted to the extent necessary and proportionate to enable the person or body to effectively perform his, her or its functions under this Act, in so far as those functions relate to the supervision of personal insolvency practitioners in accordance with section 176A or to carrying out an investigation under this Part:

  1. the Insolvency Service;
  2. an inspector appointed under section 176; (c) an authorised officer appointed under section 176B; (d) the Complaints Committee.".

222. Amendment of section 2 of Animal Health and Welfare Act 2013

Section 2(1) of the Animal Health and Welfare Act 2013 is amended, in the definition of "record", by the deletion of "(within the meaning of the Data Protection Acts 1988 and 2003)".

223. Amendment of section 8 of Health (Alteration of Criteria for Eligibility) Act 2013

Section 8 of the Health (Alteration of Criteria for Eligibility) Act 2013 is amended—

  1. in subsection (4), by the substitution of "Subject to compliance with the Data Protection Regulation and the Act of 2018 and subject to this section" for "Notwithstanding anything contained in the Data Protection Acts 1988 and 2003, but subject to this section",
  2. in subsection (7), by the substitution of "the Data Protection Commission" for "the Data Protection Commissioner",
  3. by the deletion of subsection (8),
  4. in subsection (9), by the substitution of "references in this section to personal data shall include references to special categories of personal data (within the meaning of section 2 of the Act of 2018)" for "references in this section to personal data shall include references to sensitive personal data", and (e) by the substitution of the following subsection for subsection (10):

"(10) In this section—

'Act of 2018' means the Data Protection Act 2018;
'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201636 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

'personal data' means personal data within the meaning of the Data Protection Regulation.".

224. Insertion of section 957A to Companies Act 2014

The Companies Act 2014 is amended by the insertion of the following section after section 957:

"Restriction of application of certain articles of Data Protection Regulation
957A.

  1. Articles 14 (Information to be provided where personal data have not been obtained from the data subject) and 15 (Right of access by the data subject) of the Data Protection Regulation are restricted, to the extent necessary and proportionate to safeguard the effective performance by the Director of his or her functions referred to in paragraph (b) and (e) of section 949(1), where the performance of those functions give rise to the processing of personal data to which the Data Protection Regulation applies.
  2. In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201637 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

225. Amendment of Health Identifiers Act 2014

The Health Identifiers Act 2014 is amended—

  1. in section 2(1)—
  1. by the insertion of the following definition after the definition of "Act of 2013":

" 'Act of 2018' means the Data Protection Act 2018;",

  1. by the insertion of the following definition after the definition of "conditions":

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201638 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

  1. by the substitution of the following definition for the definition of "personal data":

" 'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;",
  1. by the substitution of the following definition for the definition of "processing":

" 'processing' means processing within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Act of 2018;",
  1. in paragraph (g)(iii) of the definition of "secondary purpose", by the substitution of "in accordance with the Data Protection Regulation and the Act of 2018" for "in accordance with the Data Protection Acts 1988 and 2003", and
  1. by the substitution of the following Part for Part 6:

"PART 6
APPLICATION OF DATA PROTECTION REGULATION

Application of Data Protection Regulation
27.
Article 32 of the Data Protection Regulation shall apply to a deceased individual's relevant information (individual) as it applies to a living individual's relevant information (individual).".


226. Amendment of section 15 of Freedom of Information Act 2014

Section 15 of the Freedom of Information Act 2014 is amended—

  1. by the substitution of the following subsection for subsection (3):

"(3) A record shall not be within subsection (2) by reason only of the fact that it contains information constituting—

  1. personal data within the meaning of the Data Protection Act 1988 to which that Act applies,
  2. personal data within the meaning of the Data Protection Regulation to which that Regulation and the Act of 2018 apply, or
  3. personal data within the meaning of Part 5 of the Act of 2018 to which that Act applies.",

and

  1. by the insertion of the following subsection after subsection (4):

"(5) In this section—

'Act of 2018' means the Data Protection Act 2018;
'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201639 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

227. Amendment of section 41 of Customs Act 2015

Section 41 of the Customs Act 2015 is amended by the deletion of subsections (4), (5) and (10).

228.Amendment of section 7 of Regulation of Lobbying Act 2015 

Section 7 of the Regulation of Lobbying Act 2015 is amended—

  1. by the insertion of the following definition after the definition of "Commission":

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201640 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);", and

  1. by the substitution of the following definition for the definition of "personal data":

" 'personal data' means personal data within the meaning of—

  1. the Data Protection Regulation, or
  2. Part 5 of the Data Protection Act 2018.".

229. Amendment of Sport Ireland Act 2015

The Sport Ireland Act 2015 is amended—

  1. in section 40, by—
  1. the insertion of the following definition before the definition of "anti-doping organisation":

" 'Act of 2018' means the Data Protection Act 2018;",

  1. the insertion of the following definition after the definition of "anti-doping rule violation":

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201641 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);",

  1. the substitution of the following definition for the definition of "personal data":

" 'personal data' means personal data within the meaning of the Data Protection Regulation;", and

  1. the substitution of the following definition for the definition of "processing":

" 'processing' means processing within the meaning of the Data Protection Regulation;",

  1. in section 42(4), by the substitution of "Subject to compliance with the Data Protection Regulation and the Act of 2018, Sport Ireland shall" for "Sport Ireland shall", and
  2. in section 43—

(i) in subsection (1), by the substitution of "Data Protection Regulation and the Act of 2018" for "Data Protection Acts 1988 and 2003", and (ii) by the deletion of subsection (3).

230. Amendment of section 12 of Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016

Section 12 of the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 is amended—

  1. by designating the section as subsection (1),
  2. in that designated subsection (1), by the deletion of "(within the meaning of the Data Protection Act 1988)", and
  3. by the insertion of the following subsection after subsection (1): "(2) In this section—

'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201642 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
'personal data' means personal data within the meaning of—

  1. the Data Protection Act 1988,
  2. the Data Protection Regulation, or
  3. Part 5 of the Data Protection Act 2018.".

231. Amendment of section 62 of Financial Services and Pensions Ombudsman Act 2017

Section 62 of the Financial Services and Pensions Ombudsman Act 2017 is amended—

  1. in subsection (2), by the substitution of the following paragraph for paragraph (b):

"(b) ensures compliance with the Data Protection Regulation and the Data Protection Act 2018.",

and

  1. by the insertion of the following subsection after subsection (4):

"(5) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201643 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".

232. Amendment of National Shared Services Office Act 2017

The National Shared Services Office Act 2017 is amended—

  1. in section 2, by the insertion of the following definition:

" 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201644 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).",

  1. in section 9(2)(a)(iv), by the substitution of "processing (within the meaning of the Data Protection Regulation) personal data (also within the meaning of that Regulation)" for "processing (within the meaning of the Data Protection Act 1988) personal data (also within the meaning of that Act)", and
  2. in section 35—
  1. in subsection (1)—
  1. by the substitution of "Notwithstanding anything contained in any enactment, but subject to the Data Protection Regulation and the Data Protection Act 2018" for "Notwithstanding anything contained in the Data Protection Acts 1988 and 2003", and
  2. by the substitution of "controller" for "data controller" in each place it occurs,
  1. in subsection (3), by the substitution of "controller" for "data controller", and
  2. in subsection (4)—
  1. by the substitution of the following definition for the definition of "data controller":

" 'controller' has the same meaning as it has in the Data Protection Regulation;", and

  1. by the deletion of the definition of "data subject".

 

1 OJ No. L 119, 4.5.2016, p.1

2 OJ No. L 119, 4.5.2016, p.1

3 OJ No. L 119, 4.5.2016, p.1

4 OJ No. L 119, 4.5.2016, p.1

5 OJ No. L 119, 4.5.2016, p.1

6 OJ No. L 119, 4.5.2016, p.1

7 OJ No. L 119, 4.5.2016, p.1

8 OJ No. L 119, 4.5.2016, p.1

9 OJ No. L 119, 4.5.2016, p.1

10 OJ No. L 119, 4.5.2016, p.1

11 OJ No. L 119, 4.5.2016, p.1

12 OJ No. L 119, 4.5.2016, p.1

13 OJ No. L 119, 4.5.2016, p.1

14 OJ No. L 119, 4.5.2016, p.1

15 OJ No. L 119, 4.5.2016, p.1

16 OJ No. L 119, 4.5.2016, p.1

17 OJ No. L 119, 4.5.2016, p.1

18 OJ No. L 119, 4.5.2016, p.1

19 OJ No. L 119, 4.5.2016, p.1

20 OJ No. L 119, 4.5.2016, p.1

21 OJ No. L 119, 4.5.2016, p.1

22 OJ No. L 119, 4.5.2016, p.1

23 OJ No. L 119, 4.5.2016, p.1

24 OJ No. L 119, 4.5.2016, p.1

25 OJ No. L 119, 4.5.2016, p.1

26 OJ No. L 119, 4.5.2016, p.1

27 OJ No. L 119, 4.5.2016, p.1

28 OJ No. L 119, 4.5.2016, p.1

29 OJ No. L 119, 4.5.2016, p.1

30 OJ No. L 119, 4.5.2016, p.1

31 OJ No. L 119, 4.5.2016, p.1

32 OJ No. L 119, 4.5.2016, p.1

33 OJ No. L 119, 4.5.2016, p.1

34 OJ No. L 119, 4.5.2016, p.1

35 OJ No. L 119, 4.5.2016, p.1

36 OJ No. L 119, 4.5.2016, p.1

37 OJ No. L 119, 4.5.2016, p.1

38 OJ No. L 119, 4.5.2016, p.1

39 OJ No. L 119, 4.5.2016, p.1

40 OJ No. L 119, 4.5.2016, p.1

41 OJ No. L 119, 4.5.2016, p.1

42 OJ No. L 119, 4.5.2016, p.1

43 OJ No. L 119, 4.5.2016, p.1

44 OJ No. L 119, 4.5.2016, p.1

Schedules 1, 2, & 3

SCHEDULE 1
SCHEDULE 2
SCHEDULE 3