1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Since 25 May 2018, the EU General Data Protection Regulation (2016/679) (GDPR) has been the main legal framework for data protection in all countries within the European Economic Area, which includes the EU member states, Iceland, Norway and Liechtenstein.

In Ireland, the national law that gives further effect to the GDPR is the Data Protection Act 2018 (DPA 2018), which entered into force on the same day as the GDPR. The DPA 2018, in addition, transposed the EU Law Enforcement Directive (2016/680) (LED) into Irish law and provided for the necessary amendments to the previous data protection framework, established under the Data Protection Acts 1988 and 2003 (DPA 1988). In fact, despite being largely repealed by the DPA 2018, the DPA 1988 still applies in the cases set out in Section 8 of the DPA 2018. These include complaints made, investigations initiated but not completed and suspected contraventions that occurred prior to the DPA 2018 coming into force.

Moreover, according to the aforementioned Section 8, the DPA 1988 continues to apply to:

  • the processing of personal data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018; and
  • the processing of personal data for the purposes of safeguarding the security, defence or international relations of the state.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Ireland laid down a specific data protection framework with regard to the electronic communications sector in the ePrivacy Regulations (SI 336/2011), which transposed Directive 2002/58/EC (as last amended by Directive 2009/136/EC) into Irish law.

The ePrivacy Regulations apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks, and set out specific rules on issues such as cookies, unsolicited communications and traffic and location data.

With regard to the public sector, the Freedom of Information Act 2014 (FOI) grants individuals:

  • the right of access, to the greatest extent possible consistent with the public interest and the right to privacy, to records held by an FOI body (ie, public bodies, other bodies in receipt of funding from the state and certain other bodies);
  • the right to have personal information relating to them in the possession of such body amended where it is incomplete, incorrect or misleading; and
  • the right to obtain reasons for decisions of FOI bodies affecting the individual.

Currently, no special regimes apply in Ireland to specific data types.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

Ireland is among the signatories and ratifiers of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and of its Additional Protocol regarding supervisory authorities and transborder data flows.

The convention is currently the only legally binding international instrument in the field of data protection and its core principles have largely been maintained by European data protection law.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

For the purposes of Article 51 of the GDPR and Article 41 of the LED, the independent supervisory authority in Ireland is the Data Protection Commission (DPC), which was established by the DPA 2018, replacing the previous Data Protection Commissioner.

The DPC's powers – largely modelled on Article 58 of the GDPR and Article 47 of the LED – are set out in the DPA 2018, which provides for:

  • investigative powers, such as requiring the controller or processor to furnish certain information in writing and conducting data protection audits (see Sections 132 and 136 of the DPA 2018);
  • corrective powers, such as serving on the controller or processor an enforcement notice requiring it to take certain steps and imposing administrative fines (see Sections 133 and 141 of the DPA 2018);
  • authorisation and advisory powers; and
  • the power to bring infringements to the attention of the judicial authorities and to pursue litigation against controllers and processors.

The ability of the DPC to levy administrative fines directly is a key change introduced in Irish law by the DPA 2018. Indeed, under the previous data protection framework, the Data Protection Commissioner had no power to impose fines, with its enforcement action being mainly based on prohibition and enforcement notices and on the ability to bring and prosecute summary proceedings for offences under the DPA 1988.

According to Section 110 of the DPA 2018, in case of suspected infringements of the data protection legislation, statutory inquiries are conducted by the DPC either of its own volition or following a complaint.

A statutory inquiry comprises two distinct processes:

  • the investigatory process, which is carried out by a DPC investigator; and
  • the decision-making process, which results in a formal decision, usually made by the commissioner.

Where the DPC considers that there is a reasonable prospect of the parties reaching an amicable resolution, it may arrange or facilitate such a resolution (see Section 109 of the DPA 2018).

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Industry standards, best practices, data protection policies and guidance from regulators play a crucial role in the current data privacy regime, as the GDPR can be regarded as a principle-based and technology-neutral regulation, which leaves broad discretion to controllers and processors as to what measures to implement to comply with data protection rules.

This is particularly apparent in all cases (eg, data protection by design, data protection by default, outsourcing, security of processing) where the GDPR requires the implementation of appropriate technical and organisational measures without actually prescribing what specific measure or technique must be adopted in the specific case (with the exception of some generic examples) or what processing procedure must be followed to achieve the intended purpose.

In addition, adherence to standards, best practices and guidelines by controllers/processors contributes to the consistent application of data protection principles and facilitates their effective enforcement by regulators, as it enables a more thorough examination of companies' processing activities.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The General Data Protection Regulation (GDPR) applies to any entity that processes personal data under the conditions laid down in Articles 2 (material scope) and 3 (territorial scope) of the GDPR.

In particular, with regard to the material scope, the current data privacy regime applies to the processing of personal data carried out wholly or partly by automated means, and to processing other than by automated means where personal data forms part or is intended to form part of a filing system.

Regarding territorial scope, the GDPR applies to:

  • controllers and processors that are established in any European Economic Area (EEA) country, where the processing of personal data is carried out in the context of the activities of such establishment, regardless of the actual place of processing (see Article 3(1) of the GDPR). The scope of application of this provision has been further clarified by the case law of the Court of Justice of the European Union (CJEU) (see, in particular, Case C-131/12, Google Spain v AEPD [2014]);
  • controllers and processors that are established outside the EEA, on an extra-territorial basis, where the processing of personal data is carried out under the conditions set out in Article 3(2) of the GDPR (see question 2.3); and
  • controllers that are not established in the EEA, but in a place where the national law of EEA countries applies by virtue of public international law (eg, embassies, consulates, ships and aircraft; see Article 3(3) of the GDPR).

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The GDPR does not apply where personal data is processed:

  • in the course of an activity that falls outside the scope of EU law (eg, activities concerning national security; see Article 2(2)(a) of the GDPR);
  • by EU member states in the course of activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union (ie, activities concerning the common foreign and security policy of the European Union; see Article 2(2)(b) of the GDPR);
  • by a natural person in the course of a purely personal or household activity, with no connection to a professional or commercial activity (see Article 2(2)(c) of the GDPR);
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (in such instances, the Law Enforcement Directive applies, in conjunction with the relevant provisions of the Data Protection Act 2018; see Article 2(2)(d) of the GDPR); or
  • by EU institutions, bodies, offices and agencies (in such instances, the regulation referred to in Article 2(3) of the GDPR applies – Regulation (EC) 45/2001, since replaced by Regulation (EU) 2018/1725).

Moreover, the GDPR does not apply to:

  • the processing of personal data of deceased persons;
  • anonymous information (ie, information that does not relate to an identified or identifiable natural person or data rendered anonymous in such a manner that the data subject is not or no longer identifiable); or
  • the processing of personal data concerning legal persons, such as undertakings.

2.3 Does the data privacy regime have extra-territorial application?

The extra-territorial scope of the current data privacy regime is determined by Article 3(2) of the GDPR, which states that the regulation also applies to controllers and processors that are established outside the EEA, where the processing of personal data relates to:

  • the offering of goods or services to data subjects who are located in the EEA (regardless of whether a payment of the data subject is required); or
  • the monitoring of the behaviour of data subjects who are located in the EEA, insofar as their behaviour takes place within the EEA.

In such instances, controllers and processors that are established outside the EEA must designate in writing a representative in the EEA, unless one of the exemptions provided for in Article 27(2) of the GDPR applies.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (see Article 4(2) of the General Data Protection Regulation (GDPR)).

(b) Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (see Article 4(8) of the GDPR). The term does not include employees of a data controller who process personal data in the course of their employment.

(c) Data controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (see Article 4(7) of the GDPR).

(d) Data subject

Any identified or identifiable natural person to whom personal data relates. The GDPR and the Data Protection Act 2018 (DPA 2018) apply only to living persons who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual (see Article 4(1) of the GDPR).

(e) Personal data

Any information relating to an identified or identifiable natural person (see Article 4(1) of the GDPR).

(f) Sensitive personal data

This term is replaced by the GDPR and DPA 2018 with the term ‘special categories of personal data', which includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purposes of uniquely identifying a natural person, and data concerning health and data concerning a natural person's sex life or sexual orientation (see Article 9(1) of the GDPR).

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, through a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (see Article 4(11) of the GDPR).

Overall, Section 2(2) of the DPA 2018 clarifies that every word or expression used in the DPA 2018 that is also used in the GDPR has the same meaning as it has in the GDPR, unless the context otherwise requires.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

Under the current data protection framework, the following terms are also relevant:

  • Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of such natural person, including facial images or dactyloscopic data (see Article 4(14) of the GDPR).
  • Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person, which gives unique information about the physiology or the health of such natural person and which results, in particular, from an analysis of a biological sample from the natural person in question (see Article 4(13) of the GDPR).
  • Data concerning health: Personal data relating to the physical or mental health of a natural person, including the provision of healthcare services that reveal information about the status of his or her health (see Article 4(15) of the GDPR).
  • Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (see Article 4(12) of the GDPR).
  • Child: A person under the age of 18 years (see Section 29 of the DPA 2018). This reflects the definition of ‘child' enshrined in the United Nations Convention on the Rights of the Child. Regarding child consent in relation to information society services, Section 31 of the DPA 2018 sets out that the digital age of consent in Ireland is 16 years – the same as that provided for in Article 8(1) of the GDPR.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

No, in Ireland, under current law, there is no legal requirement for businesses to register with the Data Protection Commission (DPC) or to notify the DPC of their processing activities, with such registration and notification requirements being removed following the entry into effect of the General Data Protection Regulation (GDPR) (see Recital 89 of the GDPR).

However, controllers/processors must inform the DPC of the appointment of a data protection officer and provide the DPC with the relevant contact details, which must also be published by the controller or processor (see Article 37(7) of the GDPR and Section 88(4) of the Data Protection Act 2018).

4.2 What is the process for registration?

Not applicable (see question 4.1).

4.3 Is registered information publicly accessible?

Not applicable (see question 4.1).

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

According to Article 6 of the General Data Protection Regulation (GDPR), personal data can be processed lawfully only if one of the following legal bases applies:

  • Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Contract: The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Legal obligation: The processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Vital interests: The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Public task: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Legitimate interests: The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

However, special categories of personal data (see question 3.1) can be processed lawfully only if the processing is justified on the basis of one of the specific legal grounds set out in Article 9(2) of the GDPR.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

Article 5(1) of the GDPR sets out the following key principles, which apply to all types of personal data and regardless of whether it is outsourced:

  • Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
  • Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  • Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data – including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage – using appropriate technical or organisational measures.

In addition, Article 5(2) of the GDPR enshrines the principle of accountability (a key change introduced by the GDPR), according to which data controllers are responsible for complying with the six aforementioned principles and must also be able to demonstrate their compliance.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

Information provision obligations are a key component of the current data privacy regime, as they aim to ensure that data subjects are provided, in a concise, transparent, intelligible and easily accessible form, with all necessary information about the processing of their personal data, including their rights (see Article 12 of the GDPR). In practice, a data controller achieves this by presenting data subjects with a privacy notice, which is usually also published on the controller's website.

Moreover, the accountability regime introduced by the GDPR provides for a number of key requirements for processing personal data, including:

  • data protection by design, which requires controllers to ensure, when developing new systems, services and products and also during the whole lifecycle, that any action involving the processing of personal data is done with data protection in mind, by implementing appropriate technical and organisational measures (see Article 25(1) of the GDPR);
  • data protection by default, which requires controllers to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed (see Article 25(2) of the GDPR);
  • security of processing, which requires controllers to implement, following a risk-based approach, technical and organisational measures that can ensure a level of security appropriate to the risk (see Article 32 of the GDPR); and
  • data protection impact assessment, which requires controllers, prior to the processing, to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data where the processing is likely to result in a high risk to the rights and freedoms of natural persons (see Article 35 of the GDPR).

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

The General Data Protection Regulation (GDPR) defines a ‘third party' as a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Without prejudice to disclosure obligations laid down by law for specific purposes (as in the case of disclosure requests made by law enforcement bodies), the sharing of personal data with third parties is permitted only where a lawful basis under Article 6 of the GDPR applies to the disclosure (see question 5.1), consent being one such basis. In all cases the data subject has the right to be informed in the privacy notice of the recipients, or categories of recipients, of his or her personal data (see Articles 13 and 14 of the GDPR).

According to Article 4(12) of the GDPR, the unauthorised disclosure of personal data to third parties constitutes a personal data breach, as it infringes the principle of confidentiality.

In Ireland, unauthorised disclosure by a processor, or by third parties that have obtained the personal data without the prior authority of the controller or processor, constitutes an offence under Sections 144 and 145 of the Data Protection Act 2018 (DPA 2018). A person who knowingly or recklessly contravenes these provisions is liable:

  • on summary conviction, to a fine not exceeding €5,000 or imprisonment for a term not exceeding 12 months or both; and
  • on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding five years or both.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

Transfers of personal data outside the European Economic Area (EEA) to any third country or international organisation can take place only if one of the following mechanisms applies:

  • a European Commission adequacy decision, assessing that the third country, a territory or one or more specified sectors within that third country, or the international organisation, ensures an adequate level of protection for the personal data transferred (see Article 45 of the GDPR);
  • binding corporate rules (for transfers of personal data from an EEA-based entity of a group of undertakings to another entity of the group based outside the EEA), approved by the competent data protection authority following the opinion of the European Data Protection Board (EDPB) (see Articles 46(2)(b) and 47 of the GDPR);
  • standard contractual clauses (SCCs) adopted by the European Commission (see Article 46(2)(c) of the GDPR);
  • standard data protection clauses adopted by the competent data protection authority following the opinion of the EDPB and approved by the European Commission (see Article 46(2)(d) of the GDPR);
  • codes of conduct approved by the competent data protection authority (see Articles 40, 41 and 46(2)(e) of the GDPR);
  • approved certification mechanisms (see Articles 42, 43 and 46(2)(f) of the GDPR);
  • legally binding and enforceable instruments between public authorities or bodies (see Article 46(2)(a) of the GDPR);
  • tailored or ad hoc data transfer agreements between EEA-based controllers or processors and non-EEA based controllers, processors or recipients of the personal data, subject to the authorisation from the competent data protection authority (see Article 46(3) of the GDPR); and
  • specific derogations pursuant to Article 49 of the GDPR.

In addition, in Ireland, the Minister for Justice and Equality may, in the absence of an adequacy decision, make regulations restricting the transfer of categories of personal data to a third country or an international organisation for important reasons of public policy (see Section 37 of the DPA 2018).

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

There are no specific requirements or restrictions for data transfers within the EEA, as one of the objectives of the GDPR is to ensure the free flow of personal data between EEA countries.

Regarding international data transfers, the recent judgment of the Court of Justice of the European Union in Schrems II (see Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited [2020]) has invalidated the EU-US Privacy Shield and established that SCCs may continue to be used to transfer personal data to ‘non-adequate' countries only if the data subjects are afforded "a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union".

Accordingly, before transferring personal data to a ‘non-adequate' country on the basis of SCCs, EEA-based controllers and processors must assess on a case-by-case basis the level of data protection by taking into account a number of different factors, including the relevant aspects of the legal system of that third country (in particular, those set out, in a non-exhaustive manner, in Article 45(2) of the GDPR).

In addition, according to the Schrems II ruling, the competent data protection authority must suspend or prohibit the transfer of personal data to a ‘non-adequate' country (where the controller or processor has not itself suspended or put an end to the transfer) if it is of the opinion that the SCCs are not or cannot be complied with in that third country and the protection of the transferred data that is required by EU law cannot be ensured by other means.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Under the current data privacy regime, data subjects are afforded the following rights:

  • Right to information: The right to be provided with all necessary information about the processing of their personal data. Exceptions apply in specific situations, for example where the data subject already has the information (see Articles 13 and 14 of the General Data Protection Regulation (GDPR)).
  • Right of access: The right to access information held about them and to obtain a copy of their personal data. The exercise of this right must not adversely affect the rights of third parties (see Article 15 of the GDPR).
  • Right to rectification: The right to have inaccurate and incomplete personal data rectified and completed (see Article 16 of the GDPR).
  • Right to erasure (right to be forgotten): The right to have their personal data deleted in the cases set out in the GDPR, such as where the personal data is no longer necessary for the purpose for which it was collected or it has been unlawfully processed. Exceptions apply in specific situations – for example, where the processing of personal data is necessary to exercise the right of freedom of expression and information or for reasons of public interest in the area of public health (see Article 17 of the GDPR). A specific right to be forgotten for children is provided for by the Data Protection Act 2018 (DPA 2018) (see Section 33).
  • Right to restriction of processing: The right to temporarily block the processing of their personal data in the cases set out in the GDPR, such as where the accuracy of data is contested by the data subject (see Article 18 of the GDPR).
  • Right to data portability: The right to receive the personal data provided to a controller in a structured, commonly used and machine-readable format, and to transmit such data to another controller without hindrance from the previous controller, where the processing is based on consent or contract and is carried out by automated means (see Article 20 of the GDPR).
  • Right to object: The right to object to the processing of their personal data carried out for direct marketing purposes or on the basis of legitimate interests of the controller or public tasks (see Article 21 of the GDPR).
  • Right not to be subject to automated decision making: A general prohibition against decision making based solely on automated processing and producing legal effects on the data subject. Such a prohibition may be waived in specific situations (eg, where the data subject gives his or her explicit consent to automated decision making), provided that the controller implements suitable measures to safeguard the data subject's rights (see Article 22 of the GDPR).

The DPA 2018 provides for a number of specific restrictions on the rights of data subjects, such as:

  • for important objectives of general public interest;
  • for archiving purposes in the public interest;
  • for scientific or historical research purposes;
  • for statistical purposes; and
  • where the information is covered by legal privilege (see Sections 60, 61 and 162 of the DPA 2018).

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Data subjects can exercise their rights by making a request to the controller, which must be honoured without undue delay and at the latest within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests (in this case, the controller must give the reasons for the delay).

Any information or action relating to the request must be provided by the controller free of charge, following confirmation of the identity of the requester.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

  • charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  • refuse to act on the request.

7.3 What remedies are available to data subjects in case of breach of their rights?

According to the GDPR, and without prejudice to any other administrative or judicial remedy, data subjects who consider that their rights under the GDPR have been infringed, or that the processing of their personal data does not comply with the GDPR, are entitled to:

  • lodge a complaint with a supervisory authority, in the European Economic Area (EEA) country of their habitual residence or place of work, or where the alleged infringement took place (see Article 77 of the GDPR); or
  • bring legal proceedings against the controller or processor before the courts of the EEA country where the controller or processor has an establishment or where the data subject has his or her habitual residence (see Article 79 of the GDPR; for jurisdiction in Ireland, see question 12.1). In this context, the data subject also has the right to claim compensation from the controller or processor for any material or non-material damage suffered as a result of an infringement of the GDPR (see Article 82).

In addition, according to Article 78 of the GDPR, data subjects are also entitled to bring legal proceedings against a supervisory authority, before the courts of the EEA country where the authority is established in the following instances:

  • to challenge a legally binding decision of the authority concerning the data subject; or
  • where the authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

According to Article 37(1) of the General Data Protection Regulation (GDPR), the appointment of a data protection officer (DPO) is mandatory where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or processor consist of processing on a large scale of sensitive data or personal data relating to criminal convictions and offences.

Failure to appoint a DPO in the abovementioned cases may result in administrative fines of up to €10 million (in the case of non-undertakings) or up to the higher of €10 million and 2% of the total worldwide annual turnover of the preceding financial year (in the case of undertakings).

According to Section 34 of the Data Protection Act 2018 (DPA 2018), in cases where the appointment of a DPO is not mandatory, the minister for justice and equality may make regulations requiring controllers, processors, associations or other bodies representing categories of controllers or processors to designate a DPO.

8.2 What qualifications or other criteria must the data protection officer meet?

The GDPR and the DPA 2018 do not specify the qualifications or credentials that a DPO must have. They state only that the DPO must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil his or her tasks (see Article 37(5) of the GDPR and Section 88(3) of the DPA 2018).

Once appointed, controllers/processors must ensure that the DPO is:

  • involved, properly and in a timely manner, in all data protection issues;
  • able to operate independently, without receiving any instruction regarding the exercise of their tasks; and
  • provided with all resources necessary to carry out his or her tasks.

8.3 What are the key responsibilities of the data protection officer?

According to Article 39 of the GDPR, as reflected in Section 88(5) of the DPA 2018, the key responsibilities of the DPO include:

  • informing and advising the controller, and the employees of the controller who carry out processing, of their obligations under the current data privacy regime;
  • monitoring compliance with the current data privacy regime, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and related audit activities;
  • providing advice, where requested to do so, in relation to the carrying out of a data protection impact assessment and monitoring its performance;
  • cooperating with the Data Protection Commission (DPC) and acting as a contact point for the DPC for issues relating to processing carried out by the controller, including the prior consultation referred to in Article 36 of the GDPR; and
  • acting as the contact point for data subjects with regard to all issues relating to the processing of their personal data and to the exercise of their rights.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Outsourcing the DPO role is permitted by Article 37(6) of the GDPR, which states that the DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

In addition, groups of undertakings are permitted to appoint a single DPO, provided that the DPO is easily accessible from each establishment.

The benefits of an external DPO include the absence of a conflict of interest between the DPO role and other business activities. This is an essential condition under Article 38(6) of the GDPR, which allows the DPO to fulfil other tasks and duties only if they do not result in a conflict of interest.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

According to Article 30 of the GDPR and Section 81 of the DPA 2018, controllers/processors must keep written records of their processing activities. Such records, which must be made available at the DPC's request for inspection and examination, must contain the following information:

  • the name and contact details of the controller/controllers, processor/processors and DPO;
  • the purposes of and legal bases for the processing;
  • a description of the categories of data subjects, the categories of personal data and the categories of recipients to which the personal data has been or will be disclosed;
  • any transfers of personal data to a third country or an international organisation, where applicable;
  • the envisaged time limits for erasure of the different categories of data; and
  • a general description of the security measures referred to in Article 32(1) of the GDPR.

Although record-keeping obligations do not apply to all organisations (see Article 30(5) of the GDPR), it is good practice for all controllers/processors to keep logs of their data processing activities.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

In the case of outsourcing, where the controller decides to delegate all or part of a data processing activity to a processor, compliance with Article 28 of the GDPR is required.

In particular, the relationship between the controller and processor must be governed by a written contract (commonly known as data processing agreement), ensuring that the processor:

  • processes personal data only on documented instructions from the controller;
  • does not engage another processor without prior specific or general written authorisation of the controller (in such instances, the same data protection obligations as set out in the contract between the controller and the processor must be imposed on the subprocessor; however, the initial processor remains fully liable to the controller for any failure by the subprocessor);
  • assists the controller in ensuring compliance with the GDPR, especially with regard to data subject rights, security of processing, data breach notifications, data protection impact assessments and prior consultation with the supervisory authority;
  • takes the most appropriate security measures pursuant to Article 32 of the GDPR;
  • makes available to the controller all information necessary to demonstrate compliance with the GDPR and allows for and contributes to audits conducted by the controller; and
  • deletes or returns all the personal data to the controller at the end of the contract.

Moreover, Article 28(10) of the GDPR clarifies that if a processor infringes the GDPR by determining the purposes and the essential elements of the means of processing, such processor must be considered to be a controller in respect of that processing.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

According to Article 32 of the General Data Protection Regulation (GDPR), controllers/processors must implement technical and organisational measures that can ensure a level of security appropriate to the risk posed to personal data (in particular by the processing), taking into account:

  • the state of the art;
  • the costs of implementation;
  • the nature, scope, context and purposes of processing; and
  • the risk of varying likelihood and severity for the rights and freedoms of natural persons.

In practice, controllers/processors must adopt a risk-based approach to the assessment of what controls can be deemed appropriate in the specific case, as there is no one-size-fits-all solution.

Examples of appropriate technical and organisational measures include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
  • a robust data security policy, describing:
    • all of the security measures in place;
    • the operating procedures that must be followed to process personal data securely; and
    • the responsibilities and duties of anyone who has access to the data.

In addition, it is best practice for controllers/processors to provide their employees with regular security awareness training.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Pursuant to Article 33 of the GDPR, in the case of a personal data breach (see question 3.2 for definition), the controller must – without undue delay and not later than 72 hours after having become aware of it – notify the data breach to the Data Protection Commission (DPC), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (see question 9.4 for the concept of risk).

The notification – which can be done through the breach notification form on the DPC's website – must contain at least the following information:

  • a description of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including any measures taken or proposed to be taken to mitigate its possible adverse effects; and
  • the name and contact details of the controller's DPO or other point of contact.

This information can also be provided in phases, if it is not possible for the controller to provide all of the aforementioned elements at the time of the notification.

Where a personal data breach occurs on the processor's side, the processor must in any event notify the breach to the controller without undue delay after becoming aware of it.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Pursuant to Article 34 of the GDPR, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller, in addition to notifying the DPC, must communicate the personal data breach to the affected data subjects without undue delay (see question 9.4 for the concept of high risk).

However, this communication – which must basically contain the same information as that provided in the notification to the DPC – is not required if:

  • the controller, prior to the personal data breach, had implemented appropriate technical and organisational protection measures able to render the personal data unintelligible to any person who is not authorised to access it (eg, encryption);
  • the controller, after the personal data breach has occurred, has taken steps to prevent the high risk from materialising; or
  • the communication would involve disproportionate effort (in such case there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner).

Moreover, if the controller has not already communicated the personal data breach to the data subject, the DPC has the power to require the controller to carry out such communication where the DPC considers that the breach is likely to result in a high risk.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

Controllers must keep records of any personal data breaches (comprising the facts relating to the breach, its effects and the remedial action taken), in order to enable retrospective examination by the DPC.

Recital 75 of the GDPR outlines the possible outcomes of a personal data breach (which can lead to physical, material or non-material damage); and Recital 76 clarifies that the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing, and that the risk should be evaluated on the basis of an objective assessment. Beyond this, however, there is no definition of ‘risk’ or ‘high risk’ in the current data privacy regime. Therefore, best practices and guidance from supervisory authorities play a key role in the assessment of the level of risk.

In particular, the WP29 Guidelines on personal data breach notification under the GDPR, endorsed by the European Data Protection Board, provide useful criteria and examples to assist controllers in determining whether they need to notify and communicate a data breach in different scenarios.

Similarly, the DPC has released a practical guide to personal data breach notifications under the GDPR and has also published the following risk rating on its website:

  • Low risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
  • Medium risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
  • High risk: The breach may have a considerable impact on affected individuals.
  • Severe risk: The breach may have a critical, extensive or dangerous impact on affected individuals.

Given the difficulty of such assessment, it is good practice for controllers to err on the side of caution by notifying borderline or uncertain cases.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

As the right to privacy extends to the workplace, the processing of employee data must comply with the provisions set out in the General Data Protection Regulation (GDPR) – in particular, those relating to key principles, legal bases for processing and data subject rights.

Regarding employee consent to processing, it is worth noting that, based on Recital 43 of the GDPR, which indicates that consent should not provide a valid legal ground for processing personal data where there is a clear imbalance between the data subject and the controller, the European Data Protection Board Guidelines on consent under the GDPR (05/2020) clarify that an imbalance of power traditionally occurs in the employment context (given the dependency that results from the employer/employee relationship), making it problematic for employers to rely on consent when processing employee data.

Article 9(2)(b) of the GDPR, moreover, provides for a legal basis that may be relied upon by employers to process sensitive employee data (ie, processing that is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law, insofar as it is authorised by EU or domestic law or a collective agreement).

In addition, Article 88 of the GDPR allows member states to provide for, by law or collective agreements, more specific rules to ensure the protection of personal data in the employment context. Those rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings and the monitoring systems in the workplace.

Currently, no specific national rules apply in Ireland with regard to the processing of personal data in the context of employment.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

Workplace monitoring is a sensitive matter, as it requires that a balance be struck between the employer's right to run and protect its business and employees' right to privacy.

Although surveillance in the workplace is generally allowed in Ireland, and no particular restrictions apply to the different surveillance practices in use (including closed circuit television (CCTV) and data loss prevention tools), employers wishing to carry out workplace monitoring must ensure compliance with at least the following data protection principles:

  • Purpose limitation: The employer must clearly identify the purpose of the monitoring (eg, ensuring the security of premises and protecting goods, customers and employees), as personal data cannot be collected on a ‘just in case’ basis.
  • Lawfulness: The employer must have a legal basis for the processing of personal data that will take place (often, employers can justify the monitoring on the basis of their legitimate interests; this legal basis, however, cannot be relied upon to process special categories of personal data).
  • Necessity and proportionality: The monitoring and methods used must be necessary and proportionate to the achievement of the purpose (eg, CCTV should not be installed if the same purpose can be achieved by adopting less intrusive solutions).
  • Transparency: The employer must clearly inform employees of the monitoring (eg, in case of CCTV, by placing easily read, well-lit signs in prominent positions).
  • Storage limitation: The employer must define a data retention period appropriate to the purpose of the monitoring, as personal data cannot be kept for longer than necessary.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The protection of personal data in the employment context should also be considered in relation to whistleblowing schemes, which must permit employees to report unlawful or improper activity taking place within the workplace and, at the same time, ensure that the whistleblower's identity remains confidential.

In Ireland, pending the implementation of the EU Whistleblowing Directive (2019/1937), the current whistleblowing legislation is set out in the Protected Disclosures Act 2014, which aims to protect whistleblowers by requiring employers not to disclose any information that may identify the employee who reported wrongdoing (except in particular circumstances), and by providing redress for employees who are penalised (eg, dismissal, unfair treatment or threats of reprisal) because of their disclosure.

In addition, as regards data protection at work, it is worth noting the requirement for people working with children or vulnerable adults in Ireland to be vetted by the National Vetting Bureau of An Garda Síochána (ie, the national police force), in accordance with the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012-2016.

Such vetting, in particular, is carried out following a request from a registered organisation to provide information on a certain prospective employee, who must have given his or her prior consent to vetting.

In such instances, if any criminal record about the person is held by An Garda Síochána, the record in question (including details of all convictions, pending prosecutions and other relevant information) is disclosed to the authorised liaison person in the registered organisation.

Vetting disclosures should be deleted by organisations not later than one year after receipt, except in exceptional circumstances.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

In Ireland, the current rules on cookies are laid down in the ePrivacy Regulations (SI 336/2011), which transposed Directive 2002/58/EC (as last amended by Directive 2009/136/EC) into Irish law.

In particular, according to Regulation 5(3), the use of cookies to store information or gain access to information already stored on the terminal equipment of a subscriber or user is prohibited, unless the subscriber or user has given his or her consent to that use after having been provided with clear and comprehensive information in accordance with the Data Protection Act 2018 (DPA 2018). Such information must be prominently displayed and easily accessible, and must include, without limitation, the purposes of the processing of the information.

Where technically feasible, user consent to cookies may also be given through the use of appropriate browser settings (see Regulation 5(4)).

Consent is not required, according to Regulation 5(5), for technical storage of information or access to information if cookies are:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

In order to assist website and app operators in ensuring compliance with cookie legislation, the Data Protection Commission has issued detailed guidance on cookies and other tracking technologies.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

Although the General Data Protection Regulation (GDPR) and the DPA 2018 do not specifically address cloud computing, cloud service providers should take utmost account of the following aspects:

  • Territorial scope of the GDPR: Although many cloud service providers are established outside the European Economic Area (EEA), the GDPR still applies to them if the conditions under Article 3(2) of the GDPR are met (see question 2.3).
  • Qualification: In relation to the data processing activities carried out on behalf of their customers, cloud service providers typically qualify as processors, even where they determine the technical and organisational means of the processing (eg, the type of hardware or software to be used), provided that they do not make decisions on the purposes and essential means of the processing.
  • Cloud service contracts: Cloud service providers acting as processors must carry out the processing activities relating to their services on the basis of written contracts that comply with Article 28 of the GDPR (see question 8.6).
  • International data transfers: Where cloud services providers are established outside the EEA, transfers of personal data from EEA-based controllers to such processors must take place on the basis of one of the transfer mechanisms set out in the GDPR (see question 6.2), which also include binding corporate rules for processors and controller-to-processor standard contractual clauses.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

In Ireland, Regulation 13 of the ePrivacy Regulations, which implements Article 13 of Directive 2002/58/EC (as last amended by Directive 2009/136/EC), sets out the following rules on unsolicited communications for direct marketing purposes (also known as spam):

  • Direct marketing by means of automated calling machine, fax and electronic mail (including email, SMS and MMS) is permitted only with the prior opt-in consent of the subscriber or user, who is a natural person. A limited exemption from this strict opt-in requirement exists in case of existing customers, allowing the sending of electronic mail marketing on an opt-out basis if the requirements set out in Regulation 13(11) are met.
  • Telephone marketing can be conducted on an opt-out basis (ie, without the prior opt-in consent of the subscriber or user), unless the subscriber or user has notified the marketer that he or she does not consent to the receipt of marketing calls or has his or her details recorded in the ‘do not call register’ of the Irish National Directory Database (NDD), which holds consumers' preferences as to whether they wish to be contacted by direct marketing companies. Mobile numbers are ‘opted out’ by default in Ireland, meaning that calling mobile phone numbers for direct marketing purposes is permitted only with the prior opt-in consent of the subscriber or user.
  • Business-to-business (B2B) marketing by means of electronic mail can be conducted on an opt-out basis, while the prior opt-in consent of the subscriber or user is required for B2B marketing by fax, automated calling machine and telephone if the subscriber or user has its details recorded in the ‘do not call register’ of the NDD.
  • Postal marketing requires no prior opt-in consent and can therefore be conducted on an opt-out basis, as the ePrivacy Regulations apply only to digital marketing communications.

Regarding transparency in direct marketing, Regulation 13(10) clarifies that the information that must be provided to subscribers or users must include:

  • in the case of a call, the name of the person making the call and, if applicable, the name of the person on whose behalf the call is made;
  • in the case of a communication by means of an automated calling machine or fax, the name, address and telephone number of the person making the communication and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made; and
  • in the case of a communication by electronic mail, a valid address at which that person may be contacted.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

In Ireland, the courts having jurisdiction to hear and determine data protection actions are the circuit court and the High Court (see Section 117 of the Data Protection Act 2018 (DPA 2018)).

In particular, in line with what is set out in Article 79(2) of the General Data Protection Regulation (GDPR), the jurisdiction of the circuit court may be exercised by the judge of any circuit in which:

  • the controller or processor against which the action is taken has an establishment; and
  • the data subject has his or her habitual residence.

Data protection actions may be brought directly by the data subject or on his or her behalf by a not-for-profit body, organisation or association, provided that all conditions laid down in Article 80 of the GDPR are met.

Pursuant to Section 142 of the DPA 2018, appeals against decisions of the Data Protection Commission (DPC) imposing administrative fines may be brought before:

  • the circuit court, where the amount of the administrative fine does not exceed €75,000; or
  • the High Court, in any other case.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Data protection actions may be brought by data subjects (instead of making complaints to the DPC or in addition to complaints lodged) where they consider that their rights under the GDPR or the DPA 2018 have been infringed as a result of the processing of their personal data in a manner that fails to comply with data protection legislation.

According to Section 117 of the DPA 2018, the courts hearing data protection actions – which are actions founded on tort – have the power to grant the plaintiff the following remedies:

  • relief by way of injunction or declaration; and/or
  • compensation for damage suffered by the plaintiff as a result of the infringement of the GDPR or the DPA 2018.

In line with Article 82 of the GDPR, damage includes material and non-material damage, and can consist of:

  • loss of control over personal data;
  • limitation of data subject rights;
  • discrimination;
  • identity theft or fraud;
  • financial loss;
  • damage to reputation;
  • unauthorised reversal of pseudonymisation;
  • loss of confidentiality of personal data protected by professional secrecy;
  • any other significant economic or social disadvantage to the natural person concerned (see Recital 85 of the GDPR); and
  • stress and emotional suffering.

The right to claim compensation for non-material harm is a key change introduced in Irish law by the GDPR and the DPA 2018, as only compensation for financial and other material loss could be recovered under the previous data protection framework (see Collins v FBD Insurance Plc [2013] IEHC 137).

With regard to appeals brought by controllers/processors against administrative fines imposed by the DPC (see Section 142 of the DPA 2018), the court has the power to:

  • confirm the decision the subject of the appeal;
  • replace the decision with such other decision as the court considers just and appropriate, including a decision to impose a different fine or no fine; or
  • annul the decision.

12.3 Have there been any recent cases of note?

Although no cases have as yet been heard by the Irish courts under the DPA 2018, major developments are expected in the coming months in the High Court with regard to the well-known case involving Max Schrems, the DPC and Facebook Ireland, which led to the invalidation of the EU-US Privacy Shield and confirmation of the validity of the standard contractual clauses by the Court of Justice of the European Union (see question 6.3). The High Court has recently been called upon to judicially review both the DPC's handling of Schrems's original complaint (dating back to 2013 and still pending) and a preliminary draft decision of the DPC ordering Facebook Ireland to suspend personal data transfers from the European Union to the United States.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The General Data Protection Regulation (GDPR) has introduced significant changes in the European data privacy landscape, resulting in:

  • a more responsible attitude towards the processing of personal data;
  • enhanced protection for data subjects;
  • new requirements for controllers/processors; and
  • a compelling need to ensure consistent application and effective enforcement of the new data protection rules.

From an Irish perspective, the entry into force of the GDPR has also led to the strengthening of the Data Protection Commission's (DPC) role at both the national and EU level.

In addition to the new powers granted by the Data Protection Act 2018 (DPA 2018) (see question 1.4), the DPC is called upon to act as the lead supervisory authority in many cross-border processing cases pursuant to Article 56 of the GDPR, given that several multinational organisations – especially in the tech sector – have their European headquarters in Ireland.

As a result, a large number of inquiries and investigations on major data protection issues have been conducted by the DPC, most of which are still ongoing (in particular, those involving tech giants such as Facebook, Twitter, Apple and Google). According to the DPC's report on regulatory activity under the GDPR (published in June 2020), despite the sheer volume of cases investigated by the DPC since the GDPR came into effect, a further increase in these volumes is expected.

Naturally, since March 2020, the COVID-19 pandemic has been a major matter of concern for the DPC, which has published a number of useful guidelines, such as on how to protect personal data when working remotely.

Stronger protection for children's personal data is another growing issue in the Irish data privacy landscape. The particular attention paid to this matter is reflected in the various provisions of the DPA 2018 that are specifically addressed to children (see Sections 29-33), and in the recent opening by the DPC of two statutory inquiries into Facebook's processing of children's data on the Instagram platform.

Regarding future developments, it remains to be seen what impact Brexit will have on data transfers from the European Economic Area to the United Kingdom at the end of the transitional period (ie, 31 December 2020) – in particular, if the United Kingdom's legal system is deemed to be inadequate by the European Commission as to the protection of personal data.

Finally, one of the most long-awaited legislative reforms in Ireland concerns the review of the domestic legislation on the retention of and access to communications data – the Communications (Retention of Data) Act 2011. The validity of this act – which gives effect to Directive 2006/24/EC, declared invalid in 2014 by the Court of Justice of the European Union (CJEU) in Digital Rights Ireland (see Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources [2014]) – is being challenged in a case pending before the Irish Supreme Court, which in February 2020 referred the issue to the CJEU (see Dwyer v The Commissioner of An Garda Siochana [2020] IESC 4).

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Since the General Data Protection Regulation (GDPR) came into effect, the European Data Protection Board and the Data Protection Commission (DPC) have issued a large number of practical guidelines on data protection. Compliance with this guidance by controllers and processors is key to better protection of personal data, as it provides clarification on a wide range of data protection issues.

Consultation and cooperation with data protection authorities on an ongoing basis – not only in the event of personal data breaches, but also in relation to the specific measures that organisations should from time to time implement to ensure appropriate protection of personal data – is another highly recommended approach for controllers and processors, as this contributes to the more effective, less intrusive supervision of companies' processing activities.

In this regard, in its report on regulatory activity under the GDPR (published in June 2020), the DPC – which has been extremely busy in monitoring the application of the GDPR and the Data Protection Act 2018, and in promoting awareness of the new data protection rules – has highlighted that many of the personal data breaches examined could have been prevented by more stringent technical and organisational measures at source.

However, despite the huge number of breach notifications closed out by the DPC (almost 95%, according to the aforementioned report) and the many investigations being carried out, the enforcement actions taken by the Irish supervisory authority have been much less hard-hitting compared to those in other European Economic Area countries, as the DPC has imposed only five fines under the GDPR so far, for a total amount of €265,000.

In addition, a significant backlog of complaints is causing substantial delays to the investigations conducted by the DPC (including those relating to alleged major infringements by a number of tech giants), which may result in failure to address serious issues in a timely manner.

Finally, state surveillance is another matter of concern in Ireland, as the current legislation – which includes the controversial Communications (Retention of Data) Act 2011 (see question 13.1) – contains major loopholes and sticking points, such as the lack of prior judicial authorisation for electronic surveillance, which allows law enforcement authorities to access individuals' phone data directly, without a court order.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.