Feb 2025

Ireland

Law Over Borders Comparative Guide:

Data Protection

Introduction

In Ireland, the regulation of data protection is primarily governed by the General Data Protection Regulation (GDPR), a European Union (EU)-wide framework that sets out stringent rules for the processing and safeguarding of personal data, and the Data Protection Act 2018, which supplements the GDPR and provides for certain national-level derogations and enforcement mechanisms. The Irish Data Protection Commission (DPC) serves as the country’s supervisory authority, responsible for monitoring compliance, investigating breaches, and enforcing data protection laws. As the European headquarters for many multinational technology companies, Ireland plays a pivotal role in enforcing data protection across the EU.

1. What national laws regulate the collection, use and disclosure of personal data?

The principal national laws regulating the collection, use and disclosure of personal data in Ireland are: 

  • the EU’s GDPR;
  • the Irish Data Protection Act 2018 (DPA), which primarily transposes parts of the GDPR; and 
  • the ePrivacy Regulations (S.I. No. 336 of 2011; the “e-Privacy Regulations”), which transpose the EU’s ePrivacy Directive 2002/58/EC (as amended by Directive 2006/24/EC and 2009/136/EC).

Other laws relevant to the collection and use of personal data in Ireland include:

  • the Data Protection Acts 1988 and 2003;
  • the Freedom of Information Act 2014, which governs freedom of information requests;
  • the Communications (Retention of Data) Act 2011, which transposes EU Directive 2006/24/EC;
  • the Criminal Justice (Miscellaneous Provisions) Act 2023;
  • the EU’s Law Enforcement Directive 2016/680 (primarily transposed through Part 5 of the DPA);
  • the EU’s Data Governance Act (Regulation 2018/1724); and 
  • the Constitution of Ireland, which includes a general right to privacy.

The EU’s Data Act (Regulation (EU) 2023/2854) will impact on the exchange of personal data. It has entered into force but will not become applicable until September 2025.

For brevity, the remainder of these responses will focus on the principal national laws related to the processing of personal data in Ireland, i.e., the GDPR, the DPA and the e-Privacy Regulations.

2. To whom do the laws apply?

The GDPR applies to “controllers”, “processors” and “data subjects”.

A “controller” is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

A “processor” is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

A “data subject” is an identifiable natural person who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal data” is defined broadly as “any information relating to an identified or identifiable natural person (‘data subject’)”. 

The e-Privacy Regulations apply to the processing of personal data in connection with the provision of publicly available electronic communications services (e.g., telephone and email services). The Regulations create rights and obligations for the providers, users and subscribers of such services. 

3. What is the territorial scope of the law?

Under Article 3, the GDPR applies to:

  • the processing of personal data in the context of activities of an establishment of a controller or a processor located in the European Economic Area (EEA), regardless of whether the processing itself takes place in the EEA or not; 
  • the processing of personal data of data subjects located in the EEA, by a controller or processor not established in the EEA, where the processing activities are related to:
    • the offering of goods or services to such data subjects in the EEA; or
    • the monitoring of the behaviour of such data subjects; and
  • the processing of personal data by a controller not established in the EEA but in a place where EU Member State law applies by virtue of public international law.

The e-Privacy Regulations apply to the provision of publicly available electronic communications services in Ireland, and where relevant, the EU.

4. What acts and operations relating to personal data are regulated?

The GDPR regulates the act of “processing” personal data, which is given a broad meaning. The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

“Processing” is intended to be a technologically neutral definition and applies to processing by manual means (where the personal data is contained or intended to be contained in a filing system), and automated means.

The e-Privacy Regulations apply to the processing of personal data in connection with the provision of publicly available electronic communications services.

5. What personal data does the law regulate?

Article 4(1) of the GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’)”.

The GDPR considers “pseudonymised” data to be “personal data”. The GDPR defines “pseudonymisation” as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, which is held separately and which is subject to technical and organisational measures. 

The GDPR does not provide a definition of anonymisation. However, the DPC has provided guidance on the status of pseudonymised and anonymised data (see www.dataprotection.ie/sites/default/files/uploads/2019-06/190614%20Anonymisation%20and%20Pseudonymisation.pdf). The DPC’s guidance considers anonymisation to mean processing personal data with the aim of irreversibly preventing the identification of the individual to whom it relates. The DPC considers that such “anonymised” data no longer constitutes “personal data”, within the meaning of the GDPR. 

6. Are any types of personal data subject to a higher level of protection under the law?

Special category data

Article 9 of the GDPR provides additional restrictions on processing certain “special categories” of personal data. Article 9 prohibits processing such special category data unless one of the specific exceptions in Article 9(2) applies. 

Under Article 9, “special categories” of personal data are: 

  • genetic data; 
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health; 
  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and 
  • data concerning a natural person’s sex life or sexual orientation.

Criminal convictions and offences data

Under Article 10 of the GDPR, the processing of personal data relating to criminal convictions and offences may only be carried out if: (a) it is carried out under the control of an official authority or (b) when the processing is authorised by EU or Member State law.

Children’s data 

There is a general obligation under the GDPR to ensure that personal data is processed in a manner that ensures appropriate security and protection from misuse. Recital 38 of the GDPR explicitly notes that children merit specific protection with regard to their personal data and that such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.

7. What requirements must be fulfilled in order to process personal data?

Processing of data 

Under Article 6 of the GDPR, personal data may only be processed where one of the following grounds applies:

  • the data subject has provided their consent; 
  • the processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract; 
  • the processing is necessary for compliance with a legal obligation;
  • the processing is necessary to protect the vital interests of a natural person;
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
  • the processing is necessary for the purposes of legitimate interests.

Consent 

Under Article 4(11) of the GDPR, “consent” is defined as being “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Article 7 of the GDPR provides further details on the necessary conditions for valid GDPR consent. These include:

  • The controller must be able to demonstrate that the data subject has given consent — i.e., the controller should keep a record of the consent obtained.
  • Requests for consent must be presented in a clear manner, separate from other matters, in an easily accessible form, using straightforward language.
  • Data subjects must have the right to withdraw their consent at any time. Data subjects must be informed about their right to withdraw before giving consent, and it must be as easy to withdraw consent as it is to give it.

8. What obligations apply when processing personal data?

Article 5 of the GDPR outlines a number of general obligations which apply when processing personal data:

  • Accuracy. Personal data must be kept accurate and up to date.
  • Storage limitation. Personal data must be kept for no longer than is necessary for the purposes for which the personal data is processed.
  • Confidentiality. Personal data must be processed in a way that ensures an appropriate level of security.
  • Transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Data minimisation. Personal data must be adequate, relevant and limited to what is necessary for the purposes of the processing. 
  • Accountability. Controllers must be able to demonstrate compliance with the principles set out in Article 5.

Additional obligations are set out in other sections of the GDPR including:

  • Right to be informed. Data subjects have the right to be provided with certain information in respect of the processing. This includes information on who is processing their data, the purposes of processing, how long the data will be stored for, etc. (Articles 13 and 14).
  • Security of processing. Data controllers and processors are obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32).
  • Data breaches and notifications. Where a personal data breach has occurred, the controller must, within 72 hours, notify the DPC (unless the breach is unlikely to result in a risk to the rights of natural persons) (Article 33). Furthermore, where the personal data breach is likely to result in a substantial risk to natural persons, the controller must communicate the breach to the data subject, without undue delay (Article 34).
  • Impact assessments. Where a proposed processing activity is likely to result in a “high risk” to the rights of individuals, controllers are obliged to ensure a data protection impact assessment is completed, to identify and address any data privacy problems (Article 35).

9. What rights does the data subject have in relation to personal data?

Under the GDPR, data subjects have specific rights in relation to personal data. These include:

  • Right to be informed. As noted above in Question 8, data subjects have the right to be provided with certain information regarding the processing of their personal data (Articles 13 and 14).
  • Right of access. Data subjects have the right to access copies of their personal data by making a request to the controller (Article 15).
  • Right to rectification. Data subjects have the right to obtain the rectification of inaccurate personal data (Article 16). 
  • Right of erasure. Data subjects have a limited right to obtain the erasure of their personal data in certain circumstances, e.g., where personal data is no longer necessary in relation to the purposes for which it was collected, or where a data subject withdraws his/her consent and there is no other legal ground for the processing (Article 17).
  • Right to restrict processing. Data subjects have a limited right to restrict the processing of data in specific circumstances. Where the processing of personal data is restricted, it can be stored by the controller, but other processing actions will require the permission of the data subject (Article 18).
  • Right to data portability. Data subjects have the right to obtain their data and have their data transmitted to another controller without hindrance where (i) the legal basis for processing the data is consent or for the performance of a contract; and (ii) the processing is carried out by automated means (Article 20).
  • Right to object. Data subjects have the right to object to the processing of personal data in specific circumstances, i.e., where (i) processing is based on public interest or legitimate interests grounds; (ii) processing is for direct marketing; or (iii) the processing is for scientific or historical research. When a data subject objects to such processing, the controller must stop processing, unless they demonstrate: (a) compelling grounds for the processing which override the right; or (b) the processing is necessary for the defence of legal claims (Article 21).
  • Automated decision-making. Data subjects have the right to not be the subject of decisions based solely on automated processing, including profiling, which produce a legal effect or similar significant effect on an individual (Article 22).
  • Right to lodge a complaint with a supervisory authority. Data subjects have the right to lodge a complaint with a supervisory authority and a right to an effective judicial remedy (Articles 77–79).
  • Right to nominate a third party to exercise rights on behalf of the data subject. Data subjects also have the right to nominate a third party to lodge a complaint or seek an effective judicial remedy on their behalf (Article 80).

10. What rules regulate the sending of commercial or direct marketing communications?

Postal marketing. The GDPR dictates the rules in respect of sending postal direct marketing (i.e., unsolicited marketing communications may be sent using personal data, provided there is a sufficient legal basis, e.g., legitimate interests, and the personal data use complies with the other rules of the GDPR). 

The e-Privacy Regulations set out specific rules in respect of direct marketing communications sent through specific modes of communication.

SMS/email. The general rule under the e-Privacy Regulations is that consent must be obtained in order to send direct marketing by SMS/email messages to a data subject (Regulation 13(1)). However, there are two exceptions whereby such messages can be sent without obtaining prior consent, but recipients must be given the opportunity to “opt out” of receiving further, similar communications:

  1. The “Existing Customer Exception” (Regulation 13(11)) — marketing messages may be sent on an opt-out basis to an existing customer, where the message promotes similar products or services (provided certain conditions are met). 

  2. The “Business-to-Business” exception (Regulation 13(12)) — marketing messages can be sent on an opt-out basis where it reasonably appears to the sender that the contact information is used by the recipient in the context of their commercial or official activity and the mail relates to that activity.

The e-Privacy Regulations use the same definition of “consent” as the GDPR (as detailed in Question 7, above).

Calls to landlines. Under the e-Privacy Regulations, unsolicited direct marketing calls to landlines may be made unless the landline user (i) has notified the entity calling that they object to such a call; or (ii) has registered an objection with the National Directory Database (NDD; Regulation 13(5)).

Calls to mobiles. The e-Privacy Regulations provide that unsolicited direct marketing calls to mobiles may only be made where the recipient of the call (i) has provided their consent to receive such calls to the relevant controller or (ii) has registered their consent with the NDD (Regulation 13(6)).

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

Under Article 44 of the GDPR, the transfer of personal data from Ireland to another jurisdiction may only take place where the transfer complies with the rules set out in Chapter 5 of the GDPR. We have summarised those rules as follows:

  1. Transfers to EEA Member States. The transfer of personal data within the EEA is not subject to any further restrictions.
  2. Transfers on the basis of an adequacy decision. A transfer to a non-EEA country may take place without further safeguards where an adequacy decision pursuant to Article 45 of the GDPR exists in respect of that country.
  3. Appropriate safeguards. A controller or processor may transfer personal data to a non-EEA country where they have implemented “appropriate safeguards”, as described in Article 46 of the GDPR. These appropriate safeguards include “Standard Contractual Clauses” (as detailed in Article 46(2)) and “Binding Corporate Rules” (as detailed in Article 47).
  4. Article 49 derogations. Article 49 of the GDPR provides derogations from the general need for an adequacy decision or appropriate safeguards in order to transfer personal data outside of the EEA. It permits transfers where:
    • the data subject has explicitly consented to the transfer;
    • the transfer is necessary for the performance of a contract;
    • there are public interest reasons;
    • it is for the defence of legal claims; or
    • it is in the vital interests of the data subject.

Where none of those derogations apply, Article 49 provides a final derogation which permits a transfer to a non-EEA country if: 

  • the transfer is necessary for the compelling legitimate interests of the controller;
  • the transfer is not repetitive;
  • the transfer concerns only a limited number of data subjects; and
  • the controller has provided suitable safeguards.

12. What are the investigatory and enforcement powers of the regulator?

The DPC is Ireland’s supervisory authority under the GDPR. 

Article 58(1) of the GDPR grants supervisory authorities a number of investigative powers, including powers to:

  • order controllers or processors to provide information;
  • carry out data protection audits;
  • obtain access, from a controller or processor, to personal data and the information necessary to perform its tasks; and
  • obtain access to any premises of the controller or processor.

These powers are supplemented by provisions in the Irish DPA, which outline the processes for the DPC to utilise these powers, e.g., the steps the DPC must take to: inspect a premises (section 130); serve an information notice to request information (section 132); conduct data protection audits (section 136); or conduct an investigation (sections 137–140).

Article 58(2) of the GDPR outlines a number of supervisory authorities’ corrective powers, including powers to:

  • issue warnings or reprimands where processing operations have infringed the GDPR;
  • order a controller or processor to comply with the data subject’s request to exercise their rights;
  • order a controller or processor to bring processing activities into compliance in a specified manner and time frame;
  • impose a temporary or definitive limitation including a ban on processing;
  • order the suspension of data flows to a recipient in a third country; or
  • impose an administrative fine, in addition to or instead of, the other corrective measures.

Again, these powers are supplemented by the provisions of the Irish DPA, which further outline how they can be used, e.g., the steps the DPC must take to impose an administrative fine (sections 141–143).

Section 147 of the DPA also provides for the DPC to bring and prosecute certain criminal offences under the DPA. 

The DPC has similar powers to investigate and request information under Regulations 17–19 of the e-Privacy Regulations. The e-Privacy Regulations also provide for the DPC to prosecute certain offences under the Regulations.

13. What are the sanctions and remedies for non-compliance with data protection laws?

The GDPR provides for the imposition of administrative fines in respect of infringements of the GDPR. For the most serious infringements, the maximum fine permitted under the GDPR is 4% of a company’s global annual turnover or EUR 20 million (whichever is greater).

The Irish DPA also establishes potential criminal offences for non-compliance with data protection laws. These include:

  • Enforced access requests. It is an offence for a potential or current employer to require a data subject to (i) make a data access request or (ii) to supply any information obtained as a result of such a request (section 4). 
  • Unauthorised disclosure by processor. It is an offence for a processor to disclose personal data being processed on behalf of a controller without the prior authority of the controller (section 144).
  • Disclosure of personal data obtained without authority. It is an offence for a person to obtain and disclose personal data to a third party without the prior authority of the controller or processor, unless the disclosure is required or authorised by law. It is also an offence for a person to sell or offer to sell personal data that was unlawfully disclosed (section 145). 
  • Offences by officers of bodies corporate. Where an offence under the DPA is committed by a company and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of a person being an officer of that company, that person and the body corporate shall be guilty of the offence and liable to be punished as if he/she were guilty of the first-mentioned offence (section 46). 
  • Failure to co-operate with the DPC during audits and investigations. The DPA provides for several offences in relation to obstructing an authorised officer in the performance of his or her functions (sections 130(7) and 138(12)). 
  • Failing to comply with an information or enforcement notice. It is an offence to fail to comply with a statutory information or enforcement notice served by the DPC (sections 132(6) and 133(10)).

Infringements of the e-Privacy Regulations can constitute a criminal offence and can result in a maximum fine of EUR 250,000. 
