Senior management and organisation
An organogram of the senior management structure can be found on the Data Protection Commission’s website, at www.dataprotection.ie/en/about/senior-management-committee-organisational-structure
When was the head of the authority appointed?
How long is their term of office?
Under Ireland's Data Protection Act 2018, up to three commissioners can be appointed for a period of not less than four and no more than five years.
What is the process for nominating the head of the authority?
Ireland’s government can appoint up to three data protection commissioners, on the recommendation of the Public Appointments Service.
What was the authority’s budget for the most recently available financial year?
The 2019 budget was €15.2 million.
How many data protection/privacy-focused staff does the authority employ?
In October 2018, the commission said a €3.5 million budget increase would allow it to recruit approximately 40 more staff, bringing its total to around 180.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach?
This can be reported via the commission’s website, at https://forms.dataprotection.ie/report-a-breach-of-personal-data.
How and where should companies or their advisers contact the authority to start the binding corporate rules approval process?
The commission can be contacted at https://forms.dataprotection.ie/contact.
What other contact information should companies and their advisers be aware of?
General contact details are available at www.dataprotection.ie/en/contact/how-contact-us.
Legal and enforcement framework
What are the commission’s investigative powers?
The Data Protection Commission can start investigations upon the receipt of complaints, or of its own volition. When handling complaints, the commission can take steps to amicably resolve the situation between the parties if it believes that is possible within a “reasonable time”.
The commission can direct authorised staff to carry out investigations and submit reports following their completion. Authorised staff must inform controllers or processors in writing as soon as is practicable. For complaint-led investigations, they must tell organisations about the particulars of the complaint; for investigations started of the commission’s own volition, they must set out the matters to which the investigation relates.
Authorised officers can require the disclosure of documents or require individuals to attend meetings during which they must disclose information and can require individuals to answer under oath. Oral hearings are possible. Authorised officers can apply to the Circuit Court for an order forcing individuals to comply with relevant requirements. Individuals who obstruct officers in the performance of their functions; refuse to comply; or withhold, destroy, conceal or refuse to provide information, statements, records or documents, are liable to be sentenced to up to five years’ imprisonment or a €250,000 fine; or 12 months’ imprisonment or €5,000 fines for summary convictions.
The commission or an authorised officer can serve information notices on controllers or processors, forcing them to submit information in writing that is “necessary or expedient” for the performance of the powers of the commission or authorised officer. Information notices are subject to appeal. Appeals suspend the operation of information notices pending completion or withdrawal of the appeals. The commission can also order urgent compliance with information notices. Controllers or processors that fail to comply with information notice requirements, or submit information they know to be materially false or misleading, are liable to be sentenced to up to five years’ imprisonment or a €250,000 fine; or 12 months’ imprisonment or €5,000 fines for summary convictions.
The commission can also serve enforcement notices ordering controllers or processors to take certain steps within a specified amount of time. The commission can impose administrative fines for failures to comply with enforcement notices if the controller or processor lacks a reasonable excuse. The commission can also order that requirements in enforcement notices should be complied with urgently. Once controllers or processors comply with notices, they must notify steps taken to comply with the notice to the commission or authorised officer, and any data subject concerned, within 28 days. If compliance involves rectification or erasure or a restriction of data processing, controllers or processors must notify any recipients to whom the data has been disclosed. Controllers or processors that fail to comply with requirements in enforcement notices are liable to be sentenced to up to five years’ imprisonment or a €250,000 fine; or 12 months’ imprisonment or €5,000 fines for summary convictions.
Once investigations are complete, authorised officers must send controllers and processors a copy of a draft investigation report and give them the opportunity to make submissions on its content. The commission must consider final investigation reports, and can conduct an oral hearing if it believes it needs further information to make a decision.
If the commission considers there is an urgent need to act to protect data subject rights, it can apply to Ireland’s High Court after giving the relevant controller or processor notice. The High Court can make any order it considers appropriate, including orders suspending, restricting or prohibiting processing, or the transfer of the data to third countries or international organisations. The commission can apply for an ex parte interim order if it considers that the immediate suspension, restriction or prohibition of processing, or of a transfer to a third country or international organisation, is necessary to protect the rights of data subjects. The commission must communicate the details of urgent and non-urgent orders to the European Commission, the European Data Protection Board and other concerned data protection authorities.
The commission can appoint individuals to monitor compliance with its orders, or instruct controllers or processors to appoint them. Reviewers who provide materially false or misleading information to the commission, as well as persons who obstruct or impede reviewers or provide them with materially false or misleading information, are liable to be sentenced to up to five years’ imprisonment or a €250,000 fine; or 12 months’ imprisonment or €5,000 fines for summary convictions.
The commission can audit controllers or processors to determine whether their practices and procedures are compliant. It can order the disclosure of documents and information relevant to the audit.
The commission can impose administrative fines. They are capped at €1 million for public authorities (unless they act as undertakings within the meaning of Ireland’s 2002 Competition Act). Ireland’s Data Protection Act 2018 does not cap penalties, but the GDPR limits them to 4% of global turnover or €20 million, whichever is higher. Controllers and processors ordered to pay fines can appeal against decisions within 28 days of receiving notice of the decision. The Circuit Court hears appeals against fines of less than €75,000; the High Court hears appeals against fines of that amount or more. If a fine is not appealed, the commission must apply in a summary manner to the Circuit Court to confirm the decision and notify the relevant controller or processor. The court must confirm the decision unless it sees good reason not to do so.
Can the commission search premises or force the disclosure of information without having to approach the courts?
No. Authorised officers must apply for search warrants from the District Court if they believe there are reasonable grounds to suspect information required for the performance of their duties is held at any place.
What fines can the commission impose on companies that breach data protection rules?
Up to 4% of global turnover or €20 million, whichever is higher. Fines against public bodies are capped at €1 million.
What other measures can the commission take against companies that breach data protection rules?
Decision notices can order companies to take specific measures, such as rectification or erasure of personal data. The commission must approach courts to obtain orders forcing companies to cease processing data.
What emergency or interim measures can the commission take pending the full conclusion of its investigations?
The commission can order companies to take measures urgently, and seek interim measures from the courts.
Priorities and the future
What data protection/privacy-related guidelines has the commission issued to date?
The commission has released guidance in four categories.
- general guidance:
  - data protection basics; and
  - data sharing in the public sector;
- technological issues:
  - securing cloud-based environments;
  - connected toys;
  - data security;
  - “dash cam” use by drivers;
  - community-based CCTV schemes;
  - video recording;
  - use of CCTV for data controllers; and
  - use of CCTV for individuals;
- GDPR requirements:
  - transfers of personal data from Ireland to the UK in the event of a no-deal Brexit;
  - limiting data subject rights and the application of article 23 of the GDPR;
  - anonymisation and pseudonymisation;
  - guidance on data protection officer qualifications;
  - processing operations that require data protection impact assessments;
  - data security;
  - guidance for SMEs;
  - guidance for micro enterprises; and
  - a practical guide to controller-processor contracts; and
- direct and electoral marketing:
  - canvassing, data protection and electronic marketing – rights of individuals;
  - canvassing, data protection and electronic marketing;
  - guidance to retailers on issuing e-receipts; and
  - elected representatives.