Ireland: International Comparative Legal Guide - Data Protection 2014


1.1 What is the principal data protection legislation?

The Data Protection Acts 1988 and 2003 ("DPA").

1.2 Is there any other general legislation that impacts data protection?

S.I. No. 658/2007 – Data Protection (Fees) Regulations 2007

This outlines the fee for registration and for prior checking.

S.I. No. 347/1988 – Data Protection (Fees) Regulations, 1988

The fee that an organisation may charge for an Access Request (€6.35) and the fee for a certified copy of a Register entry (€2.54).

S.I. No. 657/2007 – Data Protection Act 1988 (Section 16(1)) Regulations 2007

This outlines the organisations that will be required to register with the ODPC.

S.I. No. 351/1988 – Data Protection (Registration) Regulations, 1988

This outlines the details that must be contained in forms for registration with the ODPC.

S.I. 350 of 1988 – Period of Registration

This outlines the period that registration lasts for (1 year).

S.I. No. 83/1989 – Data Protection (Access Modification) (Social Work) Regulations, 1989

Outlines specific restrictions in respect of social work data. 1.3 Is there any sector specific legislation that impacts data protection?

S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 ("E-Privacy Regulations")

This deals with specific data protection issues relating to use of electronic communication devices, and particularly with direct marketing restrictions.

S.I. No. 95/1993 – Data Protection Act, 1988 (Section 5 (1) (D)) (Specification) Regulations, 1993

This outlines the exemption from the DPA of the use of personal data in the performance of certain functions of the Central Bank, the National Consumer Agency, various functions performed by auditors under the Companies Acts, etc.

S.I. No 421 of 2009 – Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009

This outlines the exemption from the DPA of the use of personal data in the performance of certain functions of the Director of Corporate Enforcement and inspectors appointed by the High Court or Director of Corporate Enforcement.

S.I. No. 687/2007 – Data Protection (Processing of Genetic Data) Regulations 2007

This outlines restrictions in respect of processing genetic data in relation to employment.

S.I. No. 81/1989 – Data Protection Act, 1988 (Restriction of Section 4) Regulations, 1989

This outlines the restriction on the right of access to information on adopted children and information the Public Service Ombudsman gets during an investigation.

S.I. No. 82/1989 – Data Protection (Access Modification) (Health) Regulations, 1989

This outlines certain restrictions in the right of access relating to health data.

1.4 What is the relevant data protection regulatory authority(ies)?

The Office of the Data Protection Commissioner ("ODPC").


2.1 Please provide the key definitions used in the relevant legislation:

  • "Personal Data"

    Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
  • "Sensitive Personal Data"

    Means personal data as to:

    1. the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject;
    2. whether the data subject is a member of a trade union;
    3. the physical or mental health or condition or sexual life of the data subject;
    4. the commission or alleged commission of any offence by the data subject; or
    5. any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
  • "Processing"

    In relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including:

    1. obtaining, recording or keeping the information or data;
    2. collecting, organising, storing, altering or adapting the information or data;
    3. retrieving, consulting or using the information or data;
    4. disclosing the information or data by transmitting, disseminating or otherwise making it available; or
    5. aligning, combining, blocking, erasing or destroying the information or data.
  • "Data Controller"

    Means a person who, either alone or with others, controls the contents and use of personal data.
  • "Data Processor"

    Means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.
  • "Data Owner"

    No definition in Irish law.
  • "Data Subject"

    Means an individual who is the subject of personal data.
  • "Pseudonymous Data"

    No definition in Irish law.
  • "Direct Personal Data"

    No definition in Irish law.
  • "Indirect Personal Data"

    No definition in Irish law.


3.1 What are the key principles that apply to the processing of personal data?

  • Transparency

    Data subjects must be provided with information relating to the processing of their data. This includes:

    1. the identity of the data controller or their representative and/or the data processor;
    2. the purposes for which the data are intended to be processed; and
    3. any other information that is necessary, having regard to the specific circumstances in which data are to be processed, including but not limited to details of recipients or categories of recipients of the personal data and information as to the existence of the right of access and the right to rectify data.
  • Lawful basis for processing

    1. consent of the data subject (specific, freely given, informed); and
    2. the processing is necessary:

      1. for the performance of a contract to which the data subject is a party;
      2. in order to take steps at the request of the data subject prior to entering into a contract;
      3. for compliance with a legal obligation to which the data controller is subject rather than an obligation imposed by contract;
      4. to prevent:

        1. injury or other damage to the health of the data subject; and
        2. serious loss or damage to property of the data subject, or otherwise to protect his or her vital interests where the seeking of the consent of the data subject is likely to result in those interests being damaged;
      5. for compliance with a legal obligation including:

        1. the administration of justice;
        2. for the performance of a function conferred on a person by law;
        3. for the performance of a function of the government or a minister of the government;
        4. for the performance of any other function of a public nature which is performed in the public interest; and
      6. for the purposes of the legitimate interests pursued by the data controller (or third party to whom the personal data are disclosed).
  • Purpose limitation

    Personal data should only be obtained for one or more specified, explicit and legitimate purposes and should not be further processed in a manner incompatible with that power or those purposes.
  • Data minimisation

    Personal data should not be kept for longer than is necessary for the purposes for which they were obtained.
  • Proportionality

    Personal data collected must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed.
  • Retention

    Personal data should not be kept for longer than is necessary for the purpose for which it was obtained.

    If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner.
  • Other key principles

    Data security (covered in more detail in section 13 below).


4.1 What are the key rights that individuals have in relation to the processing of their personal data?

  • Access to data

    Under section 3 of the DPA, data subjects have the right to, free of charge, find out if an organisation or an individual holds information about them. This includes the right to be given a description of the information and to be told the purposes for which that information is held. A request for this information must be made in writing by the data subject and the individual must receive a reply within 21 days according to the DPA.

    Section 4 of the DPA provides that data subjects have the right to obtain a copy of any information which relates to them that is held either on a computer or in a structured manual filing system, or that is intended for such a system. A fee of €6.35 is required when a request is made under section 4 and the organisation or entity is given 40 days to reply to such a request.

    Exceptions to the right of access:

    The DPA set out specific circumstances when an individual's right of access to their personal information held by an organisation may be restricted.

    Disclosure is not required if the information would be likely to:

    1. hinder the purposes of anti-fraud functions;
    2. damage international relations;
    3. impair the security or order in a prison or detention facility;
    4. hinder the assessment or collection of any taxes or duties; or if
    5. disclosure of estimates of damages or compensation regarding a claim against the data controller is likely to cause damage to the data controller.

    Certain information is also exempt from disclosure if the information is:

    1. protected by legal privilege;
    2. used for historical, statistical or research purposes, where the information is not disclosed to anyone else, and where the results of such work are not made available in a form that identifies any of the individuals involved;
    3. an opinion given in confidence; or
    4. used to prevent, detect or investigate offences, or will be used in the apprehension or prosecution of offenders.

    If a request would be either disproportionately difficult or impossible to process the data controller or processer does not have to fulfil the request.

    Exemptions also apply in respect of access to social work data, disclosure of such may be refused if it is likely to cause serious damage to the physical, mental or emotional condition of the data subject.

    A request for health data may also be refused if disclosure of the information is likely to seriously damage the physical or mental health of that data subject.
  • Correction and deletion

    Section 6 of the DPA provides data subjects with the right to request in writing to have their data either deleted or corrected where the data is not obtained lawfully or is inaccurate. The data controller or processor must respond within a reasonable amount of time and no later than 40 days after the request. There is no express right of a data subject to request the deletion of their information if it is being processed lawfully.
  • Objection to processing

    Under Section 6A of the DPA, data subjects have the right to object to processing which is likely to cause damage or distress. This right applies to processing that is necessary for the purposes of legitimate interests pursued by the data controller to whom the personal data is, or will be disclosed or processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  • Objection to marketing

    Under section 2.7 of the DPA, data subjects have the right to, following a request by writing, require the data controller to cease processing data for that purpose, and where it is only retained for that purpose they have the right to have it erased. The data controller must do this within 40 days.

    Under sections 13 and 14 of the E-Privacy Regulations, data subjects have the right to have their "opt-out" preference recorded in the National Directory Database, which constitutes an objection to direct marketing to them.
  • Complaint to relevant data protection authority(ies)

    Under Section 10 of the DPA, data subjects have a right of complaint to the ODPC in relation to the treatment of their personal data. The ODPC must investigate such complaints unless it considers them to be 'frivolous or vexatious'.


5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)

Generally, all data controllers and processors must register unless an exemption applies, either under Section 16(1)(a) or (b) or under SI No. 657 of 2007. Under section 3 of SI No. 657 of 2007 the following are excluded from registration:

  1. organisations that only carry out processing to keep, in accordance with law, a register that is intended to provide information to the public;
  2. organisations that only process manual data (unless the personal data had been prescribed by the ODPC as requiring registration); and
  3. organisations that are not established or conducted for profit and that are processing personal data related to their members and supporters and their activities.

There is also a wide exemption applied to normal commercial activity, which by definition requires the processing of personal data.

If an exemption does apply however, it is limited only to the extent to which personal data is processed within the scope of that exemption.

Additionally, the Irish Minister for Justice and Equality has specified that the following data controllers and data processors are not required to register (provided they do not fall within any of the above categories):

  1. data controllers who only process employee data in the ordinary course of personnel administration and where the personal data is not processed other than where it is necessary to carry out such processing;
  2. solicitors and barristers;
  3. candidates for political office and elected representatives;
  4. schools, colleges, universities and similar educational institutions;
  5. data controllers (other than health professionals who process data relating to the physical or mental health of a data subject for medical purposes) who process data relating to past, existing or prospective customers or suppliers for the purposes of:
  6. advertising or marketing the data controller's business, activity, goods or services;
  7. keeping accounts relating to any business or other activity carried on by the data controller;
  8. deciding whether to accept any person as a customer or supplier;
  9. keeping records of purchases, sales or other transactions for the purpose of ensuring that requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions;
  10. making financial or management forecasts to assist in the conduct of business or other activity carried on by the data controller;
  11. performing a contract with the data subject;
  12. where the personal data is not processed other than where it is necessary to carry out such processing for any of the purposes set out above;
  13. companies who process personal data relating to past or existing shareholders, directors or other officers of a company for the purpose of compliance with the Companies Acts;
  14. data controllers who process personal data with a view to the publication of journalistic, literary or artistic material; and
  15. data controllers or data processors who operate under a data protection code of practice.

Subject to the above, all data controllers and data processors are required to register, except to the extent that:

  1. they carry out processing for the sole purpose of keeping in accordance with law of a register that is intended to provide information to the public and is open to consultation either by the public in general or by any person demonstrating a legitimate interest;
  2. they process manual data (other than such categories, if any, of such data as may be prescribed);
  3. they carry out any combination of the above; or
  4. the data controller is a body that is not established or conducted for profit and is carrying out processing for the purposes of establishing or maintaining membership of or support for the body or providing or administering activities for the members of the body or persons who have regular contact with the body.

The ODPC is obliged not to accept an application for registration from a data controller who keeps 'sensitive personal data' unless he or she is of the opinion that appropriate safeguards for the protection of the privacy of the data subjects concerned are being, and will continue to be, provided by him or her.

The DPA also provide that, where a data controller intends to keep personal data for two or more related purposes, they are only required to make one application in respect of those purposes. If, on the other hand, they intend to keep personal data for two or more unrelated purposes, then they will be required to make separate applications in respect of each of those purposes and entries will be made in the register in accordance with each such application.

Where the ODPC refuses an application for registration he shall notify the applicant in writing and specify the reasons for the refusal. An appeal against such decision can be made to the Circuit Court.

5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)

Registrations are made per legal entity.

5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)

Any legal entity processing personal data in Ireland not subject to the exemptions in question 5.1 above must register with the ODPC.

5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)

There are separate registration forms available on the ODPC's website for the registration of either a data processor or a data controller. A data controller must provide a general statement of the nature of their business or trade or profession and of any additional purposes for which they keep personal data. Each application of personal data relating to the purposes that the controller lists along with the types of personal data (such as name, email, date of birth, etc.) must also be listed or described. For each of these applications listed, a list of the persons or bodies to whom the personal data maybe disclosed must also be given.

For data processors, a name, address and details on the nature of the data being processed must also be provided.

Information on any sensitive personal data that is kept by the controller must also be given (such as data relating to race, religion, sexual life, criminal convictions, etc.).

If any transfers are made (or intended to be made) to a country outside of the EU Member States, a list of these countries along with a description of the data to be transferred and the purpose of the transfer must be provided.

Finally, for both processors and controllers details of a 'compliance person' who will supervise the application of the DPA within the organisation in relation to personal data which is collected must be given.

5.5 What are the sanctions for failure to register/notify where required?

  1. Fines:

    1. maximum €3,000 on summary conviction; and
    2. maximum €100,000 on indictment; and
  2. order for erasure of personal data.

5.6 What is the fee per registration (if applicable)?

Postal Applications Online Applications
Applicants with 26 Employees or more (inclusive) €480 €430
Applicants with 6 to 25 Employees (inclusive) €100 €90
Applicants with 0 to 5 Employees (inclusive) €40 €35

5.7 How frequently must registrations/notifications be renewed (if applicable)?

Registration must be renewed annually.

5.8 For what types of processing activities is prior approval required from the data protection regulator?

Prior approval required for transfer abroad in certain circumstances – see question 8.3 below.

5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.

See question 8.3 below.


6.1 Is the appointment of a Data Protection Officer mandatory or optional?

The appointment of a data protection officer is optional, though when registering with the Data Protection Commissioner both data controllers and processors must give details of a 'compliance person' who will act as a contact point for the ODPC.

6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?

As there is no legal requirement, there are no sanctions.

6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?

The advantages of voluntarily appointing a data protection officer include:

  1. ensuring an officer with appropriate qualifications and data protection expertise within an organisation;
  2. helps establish central professional data protection management within the organisation, particularly risk management functions, with one contact point for all data protection related issues;
  3. builds a relationship with the ODPC;
  4. develops relationships with customers and a reputation generally;
  5. helps handle emergencies, such as audits or data breaches; and
  6. improves data protection awareness within the organisation.

6.4 Please describe any specific qualifications for the Data Protection Officer required by law.

As there is no legal requirement for a data protection officer, no specific qualifications are required.

6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?

In practice, it is the duty of data protection officers to ensure that the organisation complies with the DPA and to be the contact point relating to all such matters. They provide support, assistance, advice and training to all employees of an organisation on data protection matters and add to any risk management process.

6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?

As there is no legal requirement for a data protection officer, there is no need to notify this to the ODPC.


7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, e-mail, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)

When using automatic dialling machines, fax, email or SMS to send messages to an individual or making telephone calls to an individual or non-natural person's mobile telephone to make direct marketing communications, the data subject's prior opt-in consent must be obtained.

The use of automatic dialling machines, fax, email or SMS for direct marketing to a non-natural person (i.e. body corporate) is allowed as long as they have not either recorded their objection in the National Directory Database (under "objection to marketing" under question 4.1 above), or has not opted out.

Marketing messages may be sent by post to either an individual or non-natural person, unless they opt-out in writing.

The making of telephone calls for direct marketing to a subscriber or user is prohibited if the subscriber or user has recorded its objection in the National Directory Database (as under "objection to marketing" under question 4.1 above), or has opted out.

Where making direct marketing communication, the name, address and telephone number of the marketer must be included in the communication in order to give the data subject the option of opting-out.

7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

Yes. The Data Protection Commissioner has pursued a number of prosecutions in recent years for offenders.

7.3 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

On summary conviction a fine of €5,000, or on indictment a €250,000 fine where it is a body corporate or in the case of a natural person, a fine of €50,000. A court may make an order for the destruction or forfeiture of any data connected with the breach. Where the communication is done by post, a fine of €3,000 on summary conviction or €100,000 on indictment.

7.4 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?

Cookies are not strictly necessary for a transaction that the data subject has requested require express and informed consent. This may be obtained as part of a prominent notification on a website containing a link to a cookie statement.

7.5 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?

Where a cookie is strictly necessary to facilitate a transaction, (and that transaction has been specifically requested by the data subject), implied consent is acceptable.

7.6 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

The ODPC has been active in this field. For instance, in 2012, they wrote to 80 website operators seeking information on their consent procedures.

7.7 What are the maximum penalties for breaches of applicable cookie restrictions?

A fine of €5,000 and an order for the destruction or forfeiture of any data connected with the breach.


8.1 Please describe any restrictions on the transfer of personal data abroad.

There is no restriction on the transfer of personal data to countries within the EEA. However, personal data may not be transferred outside the EEA unless one of the following applies:

  1. the transfer is authorised by law;
  2. consent to the transfer is given by the data subject;
  3. the transfer is necessary for the performance of a contract to which the data subject is party;
  4. the transfer is necessary to conclude a contract with someone other than the data subject, where it is in their interests;
  5. the transfer is necessary for reasons of substantial public interest;
  6. the transfer is necessary for obtaining legal advice for legal proceedings;
  7. the transfer is necessary to prevent injury or damage to the data subject;
  8. the personal data to be transferred are an extract from a statutory public register established by law for public consultation; or
  9. the transfer is done through one of the mechanisms described in question 8.2 below.

Even where one of the above elements exists, the Data Protection Commissioner retains the power to prohibit the transfer of personal data abroad to any country inside or outside the EEA.

8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.

In addition to the methods outlined above, the three methods by which companies typically transfer personal data abroad are as follows:

  1. Use of "model clauses" between the data controller and the person/organisation to whom they intend to pass the information to abroad. These are contractual clauses approved by the EU Commission and which assure an adequate level of protection for the personal data. They do not usually require the approval of the ODPC, however it can approve transfers based on contractual clauses which do not directly conform to the European model clauses.
  2. Transfer to a country that is on the EU Commission "adequate standard of protection" list, or US organisations that have agreed to be bound by the rules of the "Safe Harbour" agreement (essentially a streamlined version of EU data protection law).
  3. A further method that is rarely used is the use of Binding Corporate Rules ("BCR"), whereby personal data can be transferred to other companies within a group and based abroad, as long as certain legally enforceable rules exist within the group whereby they must give the data an adequate level of protection. It is rarely used because of the expense and difficulty involved in having these rules approved by the Data Protection Commissioner.

8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.

Where data is transferred abroad under contracts that vary from the "model clauses", this must be notified to and approved by the ODPC by application to them. There is no necessity to deposit the contracts with the ODPC once the process is complete. Ordinarily, the ODPC will only consider authorising contracts that are general in nature, i.e., 'model contracts' that can be relied upon by a number of different data controllers within a sector or category rather than specific contracts. The time this process takes varies depending on the nature of the modifications to the model clauses.

The ODPC must also approve BCR mechanisms used to transfer data abroad but within a corporate group. This requires engagement with the ODPC by the company involved. At the time of writing, only one company within Ireland has implemented BCRS, as they are difficult to obtain. This took almost a year of engagement with the ODPC.


9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)

Ireland does not have specific whistleblowing legislation, so it is a matter for each employer to decide who may make reports and about whom such reports can be made. However, there should be no discriminatory element in the scope decided by the employer.

For instance, if it is open to employees, it should be open to all classes of employees, be they part-time workers, fixed-term workers or agency workers.

9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?

Anonymous reporting is discouraged under non-binding guidance from the Data Protection Commissioner.

In our experience, companies deal with this by pointing out to whistleblowers the benefits in their whistleblowing policy of disclosing their identity, such as protection from retaliation and the increased effectiveness of any whistleblowing report where identity is given. They also demonstrate that the identity of whistleblowers is kept confidential. However, companies generally do not make it mandatory for identity to be disclosed in order for a report to be acted on.

9.3 Do corporate whistle-blower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.

There is no requirement to register whistleblower hotlines in Ireland.


10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)?

There is no requirement to register separately for the use of CCTV.

10.2 What types of employee monitoring are permitted (if any), and in what circumstances?

There is no hard restriction on the type of monitoring that employees may be put under including monitoring of their electronic communications or surveillance by CCTV. However, as this involves the collection of personal data, the principles outlined in question 3.1 above must be followed, in particular the principle of proportionality, whereby employers must only collect relevant, adequate and non-excessive amounts of personal data, having regard to their legitimate aims.

The circumstances in which different types of personal data may be collected are a matter of degree, involving a balance between legitimate aims of the employer. For instance, the constant monitoring of employees by CCTV would be difficult to justify, unless there was a specific security need for it.

Employees have a legitimate right to privacy in relation to communications made from the workplace unless informed otherwise, so there is an additional requirement that they give their consent to monitoring, as outlined in question 10.3 below.

10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.

Employees must be notified of the existence of the surveillance and also the purposes for which the data are processed. Surveillance of electronic communications and otherwise is generally notified by making the employee aware of an acceptable usage policy.

10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

The extent to which a works council/trade union/employee representative needs to be notified of such surveillance will depend on (i) the scope of the agreement with the relevant body, (ii) whether this topic has already been covered in the contract of employment, and (iii) the likelihood that the employer will need to rely on the monitoring in the future (in order to provide evidence in defending a claim from an employee, for example).

10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?

There is no requirement to make a separate registration, notification or prior approval with the ODPC in respect of employee monitoring.


11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Personal data may be processed in the cloud, subject to the DPA. Under non-binding guidance from the ODPC, the data controller must ensure that the processor (the cloud provider) has sufficient security precautions in place for the personal data, which is a requirement placed on the data controller as outlined in question 13.1 below. The cloud should be able to give assurances on:

  1. continued access to data by the data controller (backup and recovery measures);
  2. prevention of authorised access to data (covers both protection against external "hacking" attacks and access by the cloud provider's personnel or by other users of the datacentre);
  3. adequate oversight including by means of contract of any sub-processors used;
  4. procedures in the event of a data breach (so that the data controller can take necessary measures); and
  5. right to remove or transfer data (if the data controller wishes either to move the data back under its own direct control or move it to another cloud provider).

11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

There must be a written contract with the cloud provider and any sub-processors. The obligations imposed by it should include:

  1. the cloud providers and sub-processors will only process data as instructed by the data controller;
  2. the security requirements as outlined in question 11.1 above; and
  3. model contract clauses where the data is processed outside the EEA.


12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

There is nothing in Irish law that specifically prevents the use of big data and analytics, and no specific laws or binding guidance covering the precise due diligence required.

However, as data protection issues are likely to arise in many projects, it is strongly recommended to undertake thorough due diligence.


13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Under section 2 of the DPA, data controllers must have "appropriate security measures" in place, taking into account:

  1. the state of technological development;
  2. the cost of implementing the measures;
  3. the harm that might result; and
  4. the nature of the data concerned.

These measures must be appropriate to the nature of the data concerned and must provide a level of security that is appropriate to the potential level of harm that could result from any unauthorised or unlawful processing or from any loss or destruction of personal data. Data controllers and processors must also ensure that their employees comply with any and all security measures in place.

Non-binding guidance from the ODPC provides guidance on access control, access authorisation, encryption, anti-virus software, firewalls, software patching, remote access, etc.

13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

Providers of publicly available electronic communications services or public communications networks in Ireland are subject to a mandatory reporting obligation under the E-Privacy Regulations. For entities that are not providers of such networks or services, there is no strict legal requirement under the DPA to report data breaches. However, the ODPC expects voluntary breach reporting as outlined in the 'Personal Data Security Breach Code of Practice' ("the Code"), which contains specific data security breach guidelines.

The Code is non-binding in nature, although certain industries have developed codes of practice (for example, the insurance industry) which make the Code binding on industry stakeholders on a voluntary basis.

Under the Code, any incident which has put personal data at risk should be reported to the ODPC as soon as the data controller becomes aware of it. There are some limited exceptions to this provided for in the Code i.e., this is not required where:

  1. it affects fewer than 100 data subjects;
  2. the full facts of the incident have been reported without delay to those affected;
  3. the breach does not involve sensitive personal data or personal data of a financial nature; or
  4. if the personal data was protected by technological measures (such as encryption) to such an extent that it would be unintelligible to any person who is not authorised to access it, then the data controller may decide that there is no risk to the personal data (and so no notification to the data subject is necessary).

If the data controller is unclear about whether to report the incident or not, the Code advises that the incident should be reported to the ODPC. The Code advises that the controller should make contact with the ODPC within two working days of the incident occurring.

13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

There is no legal requirement, however the Code requires that data controllers must give immediate consideration to notifying the affected data subjects, unless there is no risk to the personal data because of a level of encryption as outlined in question 13.2 above.

The notification should include information on the nature of the personal data breach and a contact point where more information can be obtained and should also recommend measures to mitigate the possible adverse effects of the breach.

14 Enforcement and Sanctions

14.1 Describe the enforcement powers of the data protection authority(ies):

Investigatory Power Civil/Administrative Sanction Criminal Sanction
Investigation of complaint under s.10 DPA, or of its own Accord Damages under Negligence Summary €3,000 Indictment €100,000
Privacy audit This is not applicable Summary €3,000 Indictment €100,000
Power to obtain Information This is not applicable Summary €3,000 Indictment €100,000
Power to enforce compliance with DPA with enforcement notice Damages under Negligence Summary €3,000 Indictment €100,000
Power of authorised officers to enter and examine premises This is not applicable Summary €3,000 Indictment €100,000

14.2 Describe the data protection authority's approach to exercising those powers, with examples of recent cases.

The ODPC exercises all of these powers on a regular basis. The ODPC has conducted investigations recently, obtained information and conducted inspections of many organisations. A recent example of all three is the investigation, inspection and subsequent obtaining of information from LoyaltyBuild, a customer data database provider which had an extensive data breach.

The ODPC has also conducted many audits, and is currently running sequential audits of popular social media platforms including Twitter, LinkedIn and Facebook.

Finally, the ODPC has also used its power to enforce compliance with an enforcement notice on many occasions, including recently with the enforcement notice on a large telecoms provider, Eircom, to cease releasing personal data of subscribers.


15.1 How do companies within Ireland respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

Where data are sought for use in civil proceedings in a foreign country, Irish companies may be compelled under a subpoena from an Irish court to provide them. This happens frequently between EU countries, but it is also possible for a request from outside the EU to succeed.

In relation to requests from foreign law enforcement agencies, there is a legal framework in place that allows for the law enforcement agencies of foreign signatories of certain Hague Conventions to seek the disclosure of data held by Irish companies by the Irish police, who then issue a warrant for it. Where the request is made by the law enforcement agencies of countries who are not signatories, this is determined by the Department of Justice and Equality on a case-by-case basis. Generally where proper undertakings are given by the agency making the request, it will be granted, and Irish companies will be compelled to disclose the data.

15.2 What guidance has the data protection authority(ies) issued?

The ODPC has issued no guidance on E-discovery/disclosure to foreign law enforcement agencies.

This article appeared in the 2014 edition of The International Comparative Legal Guide to: Data Protection; published by Global Legal Group Ltd, London.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.