European Data Protection Rules

IRELAND

 

The Irish Data Protection Commissioner’s website: http://www.dataprotection.ie/docs/Home/4.htm

 

The Data Protection Act 1988 and Data Protection (Amendment) Act 2003: http://www.dataprotection.ie/viewdoc.asp?DocID=796&ad=1

 

What needs to be done prior to collection?

 

CONTACT THE DATA SUBJECT

 

Section 4 (2D) – The Data Protection (Amendment) Act 2003

 

Fair Processing of Personal Data

 

(1)     Personal data shall not be treated, for the purposes of section (2)(1)(a) of this Act, as fairly processed unless –

a.       In the case of data obtained from the data subject, the data controller ensures, so far as is practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (2) of this section

b.       In any other case, the data controller ensures, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (3) of this section –

i.      Not later than the time when the data controller first processes the data, or

ii.      If disclosure of the data to a third party is envisaged, not later than the time of the disclosure

 

(2)     The information referred to in subsection (1)(a) of this section is:

a.       The identity of the data controller,

b.        If he or she has nominated a representative for the purposes of this Act, the identity of the representative,

c.        The purpose or purposes for which the data are intended to be processed, and

d.       Any other information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data to be fair to the data subject such as information as to the recipients or categories of recipient of the data, as to whether replies to questions asked for the purpose of the collection of the data are obligatory, as to the possible consequences of failure to give such replies and as to the existence of the right of access to and the right to rectify the data concerning him or her

 

(3)     The information referred to in subsection (1)(b) of this section is:

a.       The information specified in subsection (2) of this section,

b.       The categories of data concerned, and

c.        The name of the original data controller

 

(4)     The said subsection (1)(b) does not apply –

a.       Where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of the information specified therein proves impossible or would involve a disproportionate effort, or

b.       In any case where the processing of the information contained or to be contained in the data by the data controller is necessary for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract,

If such conditions as may be specified in regulations made by the Minister after consultation with the Commissioner are complied with

 

 

 

REGISTRATION WITH THE DATA PROTECTION COMMISSIONER

 

The following sections combine the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003; the section numbers are the same in each.

 

Section 16 – Registration

 

(1)     In this section ‘person to whom this section applies’ means a data controller and a data processor (other than such (if any) categories of data controller and data processors as may be specified in regulations made by the Minister after consultation with the Commissioner) except in so far as –

a.       They carry out –

i.      Processing whose sole purpose is the keeping in accordance with law of a register that is intended to provide information to the public and is open to consultation either by the public in general or by any person demonstrating a legitimate interest

ii.      Processing of manual data (other than such categories, if any, of such data as may be prescribed), or

iii.      Any combination of the foregoing categories of processing

 

b.       The data controller is a body that is not established or conducted for profit and is carrying out processing for the purposes of establishing or maintaining membership of or support for the body or providing or administering activities for individuals who are either members of the body or have regular contact with it

 

(2)     The Commissioner shall establish and maintain a register (referred to in this Act as the register) of persons to whom this section applies and shall make, as appropriate, an entry or entries in the register in respect of  each person whose application for registration therein is accepted by the Commissioner.

 

(3)(a) Members of the public may inspect the register free of charge at all reasonable times and may take copies of, or extracts from, entries in the register

 

(3)(b) A member of the public may, on payment to the Commissioner of such a fee (if any) as may be prescribed, obtain from the Commissioner a copy (certified by him or by a member of his staff to be a true copy) of, or an extract from, any entry in the register.

 

(3)(c) In any proceedings –

(i)                  A copy of, or an extract from, an entry in the register certified by the Commissioner or by a member of his staff to be a true copy shall be evidence of the entry or extract,

(ii)                A document purporting to be such a copy, and to be certified, as aforesaid shall be deemed to be such a copy and to be so certified unless the contrary is proved

 

Section 17 – Applications for Registrations

 

(1)

(a)     A person wishing to be registered in the register or to have a registration continued under section 18 of this Act or to have the particulars in an entry in the register altered shall make an application in writing in that behalf to the Commissioner and shall furnish to him such information as may be prescribed and any other information that he may require.

(b)     Where a data controller intends to keep personal data for two or more related purposes, he or she shall make an application for registration in respect of those purposes and, subject to the provisions of this Act, entries shall be made in the register in accordance with any such application

(c)     Where a data controller intends to keep personal data for two or more unrelated purposes, he shall make an application for separate registration in respect of each of those purposes and, subject to the provisions of this Act, entries shall be made in the Register in accordance with each such application

(2)     Subject to subsection (3) of this section, the Commissioner shall accept an application for registration, made in the prescribed manner and in respect of which such fee as may be prescribed has been paid, from a person to whom section 16 of this Act applies unless he is of opinion that-

a)       The particulars proposed for inclusion in an entry in the register are insufficient or any other information required by the Commissioner either has not been furnished or is insufficient, or

b)       The person applying for registration is likely to contravene any of the provisions of this Act.

 

(3)     The Commissioner shall not accept such an application for registration as aforesaid from a data controller who keeps sensitive personal data unless he or she is of opinion that appropriate safeguards for the protection of privacy of the data subjects are being, and will continue to be, provided by him or her.

 

(4)     Where the Commissioner refuses an application for registration, he shall, as soon as may be, notify in writing the person applying for registration of the refusal and the notification shall-

a)       Specify the reasons for the refusal, and

b)       State that the person may appeal to the Court under section 26 of this Act against the refusal within 21 days from the receipt by him of the notification.

(5)     If-

a)       The Commissioner, by reason of special circumstances, is of opinion that a refusal of an application for registration should take effect urgently, and

b)       The notification of the refusal includes a statement to that effect and a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act.

Paragraph (b) of subsection (4) of this section shall not apply in relation to the notification and paragraph (b) of subsection (6) of this section shall be construed and have effect as if for the words from and including "21 days" to the end of the paragraph there were substituted "7 days beginning on the date on which the notification was received".

 

(6)     Subject to subsection (5) of this section, a person who has made an application for registration shall-

a)       Until he is notified that it has been accepted or it is withdrawn, or

b)       If he is notified that the application has been refused, until the end of the period of 21 days within which an appeal may be brought under section 26 of this Act against the refusal and, if such an appeal is brought, until the determination or withdrawal of the appeal,

Be treated for the purposes of section 19 of this Act as if the application had been accepted and the particulars contained in it had been included in an entry in the register on the date on which the application was made.

 

(7)     Subsections (2) to (6) of this section apply, with any necessary modifications, to an application for continuance of registration and an application for alteration of the particulars in an entry in the register as they apply to an application for registration.

 

Section 18 – Duration and Continuance of registration

 

(1)     A registration (whether it is the first registration or a registration continued under this section) shall be for the prescribed period and on the expiry thereof the relevant entry shall be removed from the register unless the registration is continued as aforesaid.

 

(2)     The prescribed period (which shall not be less than one year) shall be calculated-

 

a)       In the case of a first registration, from the date on which the relevant entry was made in the register, and

b)       In the case of a registration which has been continued under this section, from the day following the expiration of the latest prescribed period

 

(3)     The Commissioner shall, subject to the provisions of this Act, continue a registration, whether it has previously been continued under this section or not.

 

(4)     Notwithstanding the foregoing provisions of this section, the Commissioner may at any time, at the request of the person to whom an entry relates, remove it from the register.

 

What needs to be done prior to shipping?

 

Section 12 – The Data Protection (Amendment) Act 2003

 

Prohibition on transfer of personal data outside the State

 

The following section is substituted for Section 11 of the Principal Act:

(1)     The transfer of personal data to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to—

a.       The nature of the data,

b.       The purposes for which and the period during which the data is intended to be processed,

c.        The country or territory of origin of the information contained in the data

d.       The country or territory of final destination of that information,

e.        The law in force in the country or territory referred to in paragraph (d),

f.         Any relevant codes of conduct or other rules which are enforceable in that country or territory,

g.        Any security measures taken in respect of the data in that country or territory, and

h.       The international obligations of that country or territory.

 

(2)     (a) Where in any proceedings under this Act a question arises—

a.       Whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area to which personal data are to be transferred, and

b.       A Community finding has been made in relation to transfers of the kind in question, the question shall be determined in accordance with that finding.

 

(b) In paragraph (a) of this subsection ‘Community finding’ means a finding of the European Commission made for the purposes of paragraph (4) or (6) of Article 25 of the Directive under the procedure provided for in Article 31(2) of the Directive in relation to whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area.

 

(3)     The Commissioner shall inform the Commission and the supervisory authorities of the other Member States of any case where he or she considers that a country or territory outside the European Economic Area does not ensure the adequate level of protection referred to in subsection (1) of this section.

 

What are the sanctions for non-compliance?

 

Section 19 – The Data Protection (Amendment) Act 2003

 

Penalties – Amendment of Section 31 Data Protection Act 1988

 

(1)     A person guilty of an offence under this Act shall be liable –

a.       On summary conviction, to a fine not exceeding EUR 3,000, or

b.       On conviction on indictment, to a fine not exceeding EUR 100,000

 

 

 

Please refer to the Irish Data Protection Commissioner’s website for further details on the Statute.

 

 

 

 

