Data Protection

The General Data Protection Regulation (GDPR) in Ireland-a Beginner’s Guide


Have you heard about the GDPR (General Data Protection Regulation)?

Do you know the changes it will bring to data protection law in Ireland?

Do you know when it is to come into effect here?

These questions, and similar foundational ones, are what I am about to look at.


Let’s go.

The “big bang” date for the this Regulation to come into effect in Ireland will be 25th May, 2018. As EU regulations have direct effect in Irish law, it will not require any act of transposition or formal introduction into Irish law.

The effect of the GDPR will be to replace the existing data protection framework in Ireland. If you are data controller, and you currently have obligations under data protection law, you will need to know what new obligations the GDPR will have for you and your organisation or business.

At its core it strengthens the rights of EU citizens to data privacy and central to this is the three principles of

  1. Security
  2. Accountability
  3. Transparency.

You will note that these are the principles inherent in the current data protection regime in Ireland, pursuant to the Data Protection Act 1988 and Data Protection (Amendment) Act, 2003. It will be a relief to discover that if you are in line with current legislation you will be broadly covered for the new regime.

However, there is some new elements being introduced by GDPR which you need to be aware of. The Office of the Data Protection Commissioner has suggested a 12 step approach to the new regime. Those 12 steps are:

1. Becoming aware

Key personnel need to be aware the law is changing in this area from 25th May, 2018.

2. Become accountable.

Gather up your existing personal data and review it under the following headings

  • Why are you holding it?
  • How did you obtain it?
  • Why was it gathered?
  • How long will you retain it?
  • How secure is it?
  • Do you share it with 3rd parties? If so, on what basis?

This will cover the accountability principle mentioned at number 2 above.

3. Communicate with staff and service users

This involves lettering your staff or service users know about the collection of their personal data.

Under GDPR new obligations include:

  • Providing information about the legal basis for processing the data
  • Retention periods
  • Complaint procedures
  • Their individual rights under GDPR
  • Whether the data will be subject to automated decision making.

4. Personal Privacy Rights

Generally, the rights afforded to individuals will be similar to what they currently enjoy eg to have inaccuracies corrected, to have data deleted, to object to direct marketing.

You will also need to consider how you will provide data electronically if requested by the data subject. You will need to consider,too, how long it will take to locate the data and who will make decisions about deletion of data.

5. How will access requests change

The GDPR will change the timescale for responding to data protection requests to one month so you need to review how you will deal with this faster timescale.

It will be less likely that you will be able to charge for such requests and the ground for refusal will need to be founded in well documented policies and procedures for refusal.

You will also need to provide additional information to data subjects such as information about the data retention periods and having inaccurate data amended.

6. The legal basis

You will have to explain your legal basis for processing personal data and data subjections will have stronger grounds for having their data deleted and the legal bases for processing data will be reduced significantly.

If customer consent is the only justification for processing data the data subject will be in a stronger position to request that it be deleted.

7. Customer consent as a ground to process data

Consent must be ‘freely given, specific, informed and unambiguous’ in relation to customer consent. The customer must not be duped or forced into giving the information. They must also know what exactly they are consenting to and requires a positive action of approval; it cannot be inferred be silence or a failure to take action eg tick a box to opt out.

Subjects also need to be told of their right to withdraw consent. You need to be able to show how consent was obtained, and have a record of it. Generally, where consent is relied upon, the data subject has stronger rights in relation to their personal data.

8. Processing children’s data

If you must gather children’s data you need to be careful about being able to verify the age of the child and obtain the consent of the guardian.

Special protections in respect of children’s data will be introduced, especially in relation to social media use and commercial internet services.

9. Reporting data breaches

You must ensure you have sound procedures in place to detect, report and investigate any data protection breach. The GDPR will introduce mandatory data breach reporting obligations to the Data Protection Commissioner.

Failure to report a breach will result in a fine in addition to the fine for the breach and breaches will typically have to be reported within 72 hours.

10. Data protection impact assessments (DPIA)

This involves the systematic consideration of how a particular initiative will impact on the privacy of individuals. This assessment may involve discussions with groups and stakeholders.

If this assessment leads the organiser to believe that the risks to personal data cannot be mitigated fully it may be necessary to contact the Data Protection Commissioner before starting the process of gathering data.

If a project requires a DPIA you will need to consider

  • Who carries it out?
  • Who needs to be involved?
  • Will it be run locally or centrally?

The whole thrust of the DPIA is to identify potential problems with an initiative involving the gathering of personal data and look at ways to mitigate those issues.

11. Data protection officers

Some organisations will need to designantt a DPO (data protection officer) under the GDPR regime. Such organisations would include public bodies, large organisations, and so forth but you need to consider whether you need a data protection office in your organisation.

He/she will need to be conversant with GDPR and its obligations. You may appoint an external advisor to this role, if there is nobody suitable or qualified in your organisation.

12. GDPR and international organisations

For organisations which have operations in many EU states you will be entitled to deal with one data protection authority, a Lead Supervisory Authority (LSA) as your single regulating body in the country where you are mainly established.

This will generally be determined as the country where the main administration of the organisation is carried out.

How will GDPR affect your organisation?

We know that the GDPR (General Data Protection Regulation) will come into effect in all EU member states including Ireland on 25th May, 2018.

In addition to this EU regulation having direct effect from May, 2018 Ireland will have its own additional data protection legislation, with a bill  being drafted and finalised in late 2017.

What differences will we see from the existing data protection regime in Ireland? Let’s take a look, shall we?

1. Severe financial penalties and compensation

Currently, if an individual is aggrieved about a breach of his/her data protection rights he can report this to the Data Protection Commissioner. However, it is up to the Data Protection Commissioner as to whether she takes any action by way of criminal prosecution in the District Court. For the individual concerned, there is no compensation for a breach unless he/she has suffered loss or damage.

I have written about this elsewhere: Data Protection Breaches-Are You Entitled to Damages?

Under the new regime the Data Protection Commissioner (DPC) will have the power to impose eye watering fines for breaches of data protection rules. These penalties can reach 4% of an organisation’s worldwide turnover or €20 million for breaches of the data protection law.

In the case of public bodies the DPC will have the power to impose these fines by way of administrative fines; in other cases she will have to prosecute through the District Court as criminal prosecutions.

Crucially the GDPR includes the right of an individual whose rights have been breached to be compensated for material or non material damage. This would include for stress arising from the breach which is a big change from the existing position that the individual must show material damage/actual loss suffered.

These new, stiff financial penalties are critical motivators for all organisations which keep data to analyse where there is any potential infirmities in their data protection obligations.

2. Greater transparency

Up to now there has been a general obligation on the data controller to obtain data/information fairly and to let the data subject know who is gathering the data, why they are gathering it, and who it might be provided to. The gathering of the data must be fair, and the data subject must not be surprised by any of the uses to which his/her personal data is being put.

The obligations in this area have increased significantly to comply with a fundamental principle of GDPR: the principle of lawfulness, fairness, and transparency.

The GDPR now obliges the data controller to address a list of questions about the gathering of the data-questions like the legal basis for processing the data, how long it will be retained, and detailed information for the data subject about their data protection rights.

GDPR also places an increased focus on the necessity of gathering the data for the purpose for which it is being gathered. If it is not necessary for the avowed purpose, it should not be gathered.

Organisations, therefore, need to be disciplined about the personal data which they gather.

The data controller will also become more accountable for the application of the data protection laws in the organisation and must be able to show compliance with the principles of the GDPR.

The obligation to be more transparent and comply with the principle of gathering only necessary data will almost certainly force organisations to take a closer look at their existing data protection policies, and ensure clear, effective communication with the data subjects. This communication would not be confined to simply distributing the policy document but also telling the subject at the data collection point why this particular data is being gathered and telling them what their rights are arising from GDPR (see “7” below).

3. Record keeping obligation

There is an increased onus on organisations in respect of record keeping, even though there is no requirement to register with the Data Protection Authority in Ireland.

However, this record keeping burden does not rest with organisations with less than 250 employees. These organisations need to ensure that they have implemented “appropriate data protection policies”(Article 24) which might include a general data protection policy, a website cookie and privacy statement policy, a policy for the use of CCTV, email, internet and social media policies, and so forth, depending on the organisation.

4. Consent-is it enough for a legal basis for processing?

The principle of consent is an important one in the GDPR and the conditions for consent.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

It is vital that the consent that is given is given freely and it can be freely withdrawn at any time and it should be as easy to do so as when giving it. The consent needs to be freely given, specific, informed and unambiguous.

The organisation must be able to prove that they obtained the consent and it is unlikely that the consent will be regarded as freely given if the parties are in an imbalanced relationship, for example employer/employee.

It is also worth noting that it is unlikely that the mere giving of consent gives an organisation a legal basis for data collection. A more reasonable legal basis for collection would be the performance of the employment contract or compliance with legal obligations (eg tax obligations or record keeping for employment law purposes) or the legitimate interest of the employer.

Also, the consent must not be bundled in with other terms and conditions of a contact between the parties, but must be separated in a separate consent declaration and the burden of proof of proving that a valid consent was obtained is on the employer.

In summary, the question of consent has been given much more importance than the previous standard of “freely given” consent and consent cannot be relied upon where the relationship is imbalanced, as you have in an employer/employee situation.

Standard clauses in employment contracts will not be sufficient to allow extensive use of the employee’s data eg transfer overseas and consent should only be relied on when absolutely necessary.

5. Data Protection Officer (DPO)

Under GDPR certain organisations are required to appoint an independent data protection officer. These include

  1. Public authorities
  2. Organisations who systematically and regularly monitor data subjects on a large scale
  3. Organisations who process sensitive personal data on  a large scale or data in relation to criminal offences.

The DPO must inform and advise the organisation of its obligations under GDPR, provide advice, act as a point of contact with the supervisory authority, and monitor the organisation’s compliance with the law and its own policies.

The GDPR does not require any particular professional qualification but should be a professional with expert knowledge of data protection law and practice.

The DPO can be an external consultant or an employee of the organisation. If an employee, however, his/her other duties must not give rise to a conflict of interest.The contact details of the DPO must be published and provided to the supervisory authority and he/she must be involved regularly in meetings of middle and senior management, and consulted in relation to any data protection issues or breaches.

The DPO must also be given sufficient resources to do fulfill the role and act independently.

It is estimated that nearly 30,000 DPOs will need to be appointed to private sector organisations in the EU before May, 2018.

6. Data breaches notification

Any data breach must be notified to the Data Protection Commissioner within 72 hours. However, if there is no risk to employees’ data rights there is no obligation to report it. If the breach is likely to pose a high risk to employees’ rights and freedoms then it must be notified.

The notification must set out the circumstances of the breach, who has been affected, the likely consequences, the contact person/DPO of the organisation,  and the measures taken to mitigate any adverse consequences.

7. Enhanced rights for data subject

GDPR gives even more rights to data subjects. These rights include

  • To have inaccurate data rectified
  • To have personal data erased without delay (the right to be forgotten)
  • To restrict the processing of their personal data
  • To object to its processing altogether (this should be on compelling legitimate grounds)
  • The right to data portability (the right to obtain and use their own data for their own purposes across different services)
  • The right not to be evaluated on the basis of automated processing of data

These rights are not absolute, however, and for personal data to be erased it must no longer be required for the purpose for which it was acquired.

These new rights will create new, more onerous obligations for organisations and employers.

8. Data protection impact assessments (DPIA)

Data protection impact assessments may have to be carried out by employers, and the purpose is to ensure recognition of a principle: a data protection by design approach. This means that all the policies of an organisation should keep in mind privacy considerations of the data subject.

The organisation should also consider how to minimise the processing of personal data, as much transparency as possible, and allow the data subject to monitor processing.

Data protection rights and privacy of individuals should be considered in relation to the design of new products and services, and all internal policies of the organisation.

A DPIA will be necessary when a new processing activity may result in a high degree of risk for data subjects. The DPIA should contain:

  • A description and purpose of the processing
  • An assessment of the necessity for the processing operation
  • An assessment of the risks to the rights of the data subjects
  • What steps will be taken to reduce the risks.

A DPIA would be necessary for example where an employer is going to commence monitoring employees’ use of the internet or where a hospital may start processing its patients’ health data.

9. Data portability

This is a new concept and allows the data subject to transmit his personal data to another data controller. This can be done by the data subject receiving the data and giving it to the new data controller or having the first one transfer it to the new one.

However, the right is not an absolute one and does not apply to all data provided by an employee to an employer; it applies to

  1. a) automated data
  2. b) which was actively and knowingly provided by the employee to employer and
  3. c) the personal data must have been processed by the employer with the employee’s consent.

The automated data requirement above means that the right does not apply to  paper records.

This would not apply to data which was held by the employer and processed based on the legal ground of legitimate interest or for a specific legal obligation connected with the employment relationship eg payment of statutory obligations such as tax/prsi.

The data controller cannot charge a fee for the provision of personal data and in a HR/employment law context the request for data should be considered on a case by case basis.

10. Data subject access requests

For employers the timeframe for responding to a data request has been shortened to one month. Employers, however, can extend this by two months if there is complexity involved in fulfilling the request.

If a request is “manifestly unfounded” or “excessive” the employer can refuse the request or charge a fee. However, “manifestly unfounded” and “excessive” in this context has not been defined so it remains to be seen how this is to be assessed.

11. Demonstrating compliance

The data controller will need to be able to demonstrate how they comply with  the data protection principles.

This would mean that employers, for example, would need to be able to show that consent was given and that there are compelling legitimate grounds for processing the data where the data subject objects.

12. Conclusion

The GDPR is a far reaching piece of secondary legislation emanating from Europe and should be of particular concern for employers who need to look very carefully at their existing data protection policies, how they gather data, whey they gather it, their procedures for responding to data protection requests in future, when they need to carry out a data protection impact assessment (DPIA), review their existing data privacy policies and notices, and whether they need to appoint a DPO (data protection officer).

Useful links:

Data Protection

Data Protection Breaches-Are You Entitled to Damages?

data protection breach ireland

Have you suffered a breach of your data protection rights?

If so, what is your redress?

And are you entitled to damages/compensation for the breach?

If you are concerned that your data protection rights have been breached you may bring a complaint to the Office of the Data Protection Commissioner. This is a free service and covers situations where

  1. There has been no response to a data protection request you have made
  2. There has been a response but it has been inadequate
  3. Data is being withheld incorrectly, by claiming an exemption
  4. Other problems.

If your complaint is upheld the Data Protection Commissioner will seek to ensure compliance with his finding, and can make a legal order concerning the issue. The failure of the data controller to comply with this order can be punished by the Courts.

What about compensation/damages for you, however?

Compensation and Damages

The question arises, though: are you entitled to compensation for mishandling of your personal data, or breaches of your data protection rights?

Section 7 of the Data Protection act, 1988 states that data controllers and data processors owe data subjects a duty of care.

But what does this mean in practice?

A 2013 case, Collins v FBD Insurance p.l.c. [2013 IEHC 137], provides clarity in this area. In this case Mr. Collins’s data protection rights were breached by FBD, according to the Data Protection Commissioner. In fact, there were two findings against FBD for breaches of the Data Protection acts.

Mr. Collins brought a claim to the Circuit Court seeking damages against FBD and was awarded €15,000 general damages by way of compensation for the tort-the civil wrong-and the failure of FBD to discharge its duty of care, as set out in section 7.

FBD appealed the case to the High Court and the High Court found that in order to be entitled to damages a data subject needed to prove 3 things:

  1. There has been a breach of the Data Protection Act and the duty of care contained in section 7
  2. That damage has resulted from the breach
  3. The breach has caused the damage/loss.

If you cannot prove all three elements you will not be entitled to damages for the breach, according to the High Court, and it overturned the decision of the Circuit Court.

Justice Feeney held:

4.4 Section 7 is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts. To obtain a compensation for a breach of duty of care, it is necessary for a claimant to establish that there has been a breach, that there has been damage and that the breach caused such damage. The tort of negligence, unlike the tort of trespass to person, requires proof of damage.

6.1 In this case the plaintiff has failed to prove any damage resulting from the breach of the duty of care owed by the defendant.

Read the full decision here.


Please note the situation has changed since the introduction of GDPR in Ireland from 25th May, 2018.

Business and Company Law Data Protection

Privacy Statements and Cookie Notices on Websites-What You Need to know


Have you noticed those annoying website “cookie” notices popping up nearly everywhere on the  internet?

Well, there is good reason for them.

They are a legal requirement in Ireland and Europe and breaches of the law covering data protection-the Data Protection Acts 1988 and 2003 and Statutory Instrument 336 of 2011-can lead to fines of up to €100,000 and deletion of the data collected via the website.

(Statutory instrument 336 of 2011 deals with European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011.)

Privacy statement v privacy policy

Note that there is a significant difference between a privacy statement and a privacy policy.

A privacy statement is a legal requirement for all websites in Ireland and the EU. It is a public statement of how the owner/operator of the website applies the 8 data protection principles to data processed on its website.

A privacy policy, on the other hand, sets out how the operator/owner of the website applies the 8 principles to the way in which it processes data across the organisation. This data would include employee, third party, and customer data.

Website cookies

Regulation 5 of SI 336 of 2011 covers the use of “cookies” by website operators/owners. A cookie in this context is a small file that can be downloaded to your computer or phone when you visit certain websites. This regulation provides

  1. that you as website visitor should be told why this is being done and
  2. that you should be given the opportunity to give your consent or decline.

This, then, and a prosecution by the Data Protection Commissioner and a potential fine of €100,000 is why you will have seen these “cookie consent” notices popping up on websites.

If you operate a website and it uses cookies or web beacons, or collects personal data, or collects ip addresses or emails, your website needs a privacy statement.

What information should be contained in a privacy statement?

  1. The clear identity and contact details for the operator of the website
  2. The purpose of collecting the data
  3. The right of access to any personal data collected
  4. The right of rectification or erasure
  5. If the data collected can be released to a 3rd party-this should be made clear
  6. The extent of the data being collected
  7. Whether the website uses cookies and the extent
  8. If cookies are used, the visitor should be able to consent to their use or opt out.

If your privacy statement contains the information set out above your website should be compliant with the law in this area and the requirements of the Data Protection legislation in Ireland.

However, you can also go a step further by providing the following information:

  • Your commitment to maintaining security of any data collected
  • Some form of complaints resolution mechanism should be considered
  • How long you retain data, for example credit card information could be deleted once a transaction is complete
  • That the data collection is not excessive but only relevant data is collected
  • How data subjects can update their information to ensure the data that is held is accurate.

Where to put the privacy statement

It should be readily accessible from any page on your website, not just on your home page, as a huge amount of traffic visiting your site may visit your site through landing on a page other than your home page.

What you should do now

If you are responsible for a website or blog you should ensure that you have a legally compliant and robust privacy statement on your site.

I can provide you with one-you can contact me here.


Data Protection Employment Law

Data Protection Law in Ireland-Some Important Issues in Employment, Direct Marketing and Schools

data protection law

Everyone has strong rights when it comes to the data that is held on them thanks to the Data protection act of 2003  and Data protection act of 1988.

And it is up to the data protection commissioner to uphold those rights.

The role of the data protection commissioner in protecting your privacy rights when it comes to data being held about you is critical.

Firstly though, it is important to understand what a data controller and what a data subject is as defined under the legislation. Many data controllers do not understand the vital responsibility that they have when it comes to retaining data on employees, customers etc.

The article below goes into the role of the data protection commissioner, the data protection act and the various forms of redress that you have against data controllers if you feel that they are in breach of data protection law.

For data controllers there may also be a mandatory requirement on them to register as data controllers with the Data Protection commissioner and the three categories of people who may be obliged to register are set out in this article.

Data Protection for Employers

As an employer you should be concerned with other aspects of your role as a data controller such as the usefulness of online backup services which can provide online backups of your valuable data or offsite backup if that is more convenient for you.

All businesses should be concerned about data protection and the Data Protection Acts 1988 and 2003. These 2 acts attempt to balance the rights of individuals in relation to personal data that is stored by various organisations about them.

People who control and use data about others are called ‘data controllers’ and are recognised in the acts above as having certain obligations imposed on them by law.

Individuals should know when they provide personal information to any organisation…..

  • Who is gathering the data
  • What use this data will be put
  • Who the data will be disclosed to

If a data controller has the data for a specific purpose but in the future decides to use it for a new purpose he must ask the person whose information he has whether they are agreeable to that new use or not as the data shall only be held for specified purposes.

Personal data should not be excessive in relation to the purpose for which it is held and should not be kept for longer than is necessary for that purpose.

Non compliance with data protection law

Non-compliance with data protection law may lead to a complaint to the Data Protection Commissioner and the Data Controller can be held liable under normal common law principles (eg the law of contract, confidential information etc.)

It should be noted that Irish data protection legislation only applies to data controllers who are established here.

Processing of personal data

In order to process personal data the most important pre-condition to be satisfied is that the data may only be processed where the subject has given his consent.

However there is considerable debate as to what ‘consent’ in this context means-is it the opt-in procedure (where the subject must expressly consent to his data being processed)?

Or is it the opt-out procedure (where the subject is asked if they object to their data being processed)

There are additional preconditions relating to the processing of sensitive personal data such as racial or ethnic origin, political opinion, religious belief etc. In these circumstances the data subject must expressly consent and the ‘opt out’ procedure would not be sufficient in these situations.

Rights of Data Subjects

These rights derive from the Data Protection acts and include

  • The right to be informed of data being kept on them
  • The right to access to the data (there are a number of exceptions to this right)
  • It is worth noting that the Data Protection Commissioner appears to be of the opinion that CCTV footage of a person is data within the meaning of the acts.
  • Right to prevent processing where it may cause damage or distress

The transfer of data outside the state is restricted to countries outside of the European Economic Area.

It may not occur unless that country provides an adequate level of protection and this causes problems re transfer of such data to USA as there are varying standards of protection in the USA.

Their Safe Harbour scheme is a voluntary scheme which provides similar standards of data protection to europe but not all companies sign up.

Data Protection and Employment Law

The Data Protection Acts 1988 and 2003 also impose stringent requirements on the data kept by employers about employees and in particular in respect of sensitive personal data. Employers are of course data controllers and processors within the legislation.

The Data Protection Commissioner can impose fines of up to €100,000 and employees can succeed in claims in relation to breaches of data protection law.

The principle obligations on the employer in respect of sensitive personal data is to collect and process it fairly, is accurate and up to date, and is kept no longer than necessary. For this reason employers should ensure that they have a data protection policy in the workplace.

Employee as Data Subject

The employee, as a data subject, has a general right to know what personal data is held about him/her, to whom it is disclosed, and to have it deleted or amended if incorrect. A written data request from an employee should be responded to within 40 days.

The Data Protection Acts, section 8 in particular, set out the circumstances where the employer may disclose the employee’s data to a third party. Whether the 3rd party is a member of the EEA (European Economic Area) or not will determine whether the request can be complied with or not by the employer. If the data is being disclosed to a 3rd party within the EEA then a written contract is required.

If not, the transfer of data is prohibited (subject to exceptional safeguards).

Registration with the Data Protection Commissioner

Data controllers fall into 3 categories for the purpose of registration

  1. Categories of persons who are always obliged to register-this includes Banks and financial institutions, insurance companies, internet service providers, phone companies
  2. Categories of persons who may be required to register –this includes data controllers who process personal data relating to mental and physical health
  3. Categories who are excluded- not for profit organisations, elected representatives, data processed for the normal course of personnel administration, solicitors and barristers, data for journalistic, literary or artistic material

Please note that these are not exhaustive lists and you may need to consult the legislation or a solicitor who has an expertise in this area if you are in doubt.

Electronic Communication Regulation 2003

This legislation strengthens the safeguards concerning direct marketing and attempt to tackle the nuisance of Spam. It provides that

  • The use of automatic dialling machines, fax, email or text messaging for direct marketing purposes to individuals is prohibited unless the subscriber’s consent has been obtained in advance;
  • The use of the same methods is prohibited if the target has registered it’s objection in the National Directory Database of has advised the sender that it does not wish to receive such messages;
  • The making of phone calls for direct marketing is prohibited if the recipient has recorded it’s objection in the National Directory Database.

Breach of this regulation (13) is a criminal offence.
If in doubt see or the Data Protection Commissioner or contact your solicitor.

For any data controller who is maintaining a data base it is prudent to consider offsite backup of data or an online data backup to ensure that data is not lost or falls into the wrong hands.

Data Protection and Schools

Data protection legislation applies to schools even though the Freedom of Information Act does not.

The Data Protection Commissioner has stated that

CCTV may be used legitimately for security related purposes at the perimeter of a school. Any use beyond this would need to be fully justifiable and evidence-based with a very high threshold for such evidence. This is particularly the case in a school environment as most of the personal data processed will relate to minors.

Data requests can be made by parents on behalf of children or any member of staff. Learn more about how the law applies in schools in Ireland at education law Ireland.


Direct Marketing and Data Protection Issues

Many direct marketers are blissfully unaware of the significant conditions in the Data Protection Acts 1988 and 2003 concerning the use of personal data for direct marketing purposes.


For example the Data Protection Act 1988 provides that the data controller/direct marketer has forty days to agree to a request from the recipient to stop using his data for direct marketing.

There is also a positive obligation on the data controller/direct marketer to let the recipients (data subjects) know that they can object in writing and free of charge to the data controller using their data for direct marketing purposes.

The significance of this is that there is a real obligation on the marketer to let the “target” know that they are being targeted for direct marketing purposes.

The basic rule is this:

The basic rule that applies to direct marketing is that you need the consent of the individual to use their personal data for direct marketing purposes.

The Electronic Communications Regulations 2003 (SI 535 of 2003)

These regulations (subsequently revoked-see below) provide further protection to the consumer/recipient of direct marketing messages and cover, amongst other things

  • Email marketing
  • SMS messaging
  • Processing of location data.

These regulations aim to protect recipients from unwanted and unsolicited SMS messages and email.

In summary the Electronic Communications Regulations provide that

  1. The use of email, fax, automatic dialling machines, and SMS messaging for direct marketing purposes to individuals without the advance consent of the recipient is prohibited
  2. The use of these methods of direct marketing to businesses is prohibited if the business (or non-natural person) had recorded their objection in the National Directory Database or has told the sender that they do not consent
  3. The use of telephone marketing is also prohibited if the phone subscriber has recorded their objection in the National Directory Database or advised the caller that they do not consent
  4. Unsolicited telephone callers must provide their name and, if requested, their address and phone number
  5. The same situation applies in relation to sending SMS messages or emails for direct marketing purposes
  6. If a customer gives their contact details in the course of a transaction or purchase then their details can be used for direct marketing purposes only if it is made clear to the recipient that they are provided with an easy and free way of objecting. And this direct marketing is only permissible in respect of similar goods or services to the original purchase.

Breach of all of the activities 1-6 above is actually a criminal offence, unlike much of Data Protection Law breaches.


It is worth noting also for example that the Data Protection Commissioner has found that unsolicited political soliciting of support has been found to be unlawful direct marketing.

For further useful information and frequently asked questions in this potentially dangerous area for direct marketers take a look at which is the website of the Data Protection Commissioner.


The above statutory instrument and SI 526 of 2008 were revoked by statutory instrument, 336/2011, European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.

SI 336/2011-European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011

Different rules apply to phone, fax, text message and e-mail marketing.

Direct Marketing by Post

The Data Protection Acts determine how you can market by direct mail through the postal service.

For the protection of the Data Protection Acts to apply, the letter must be addressed to a named individual.

Unaddressed mail or post addressed to the ‘householder’ or ‘homeowner’ for example is not covered as this type of mail is deemed not to use ‘personal data’.

In addition, post addressed to corporate entities and/or named office holders in those entities is not covered by data protection legislation.

In order to use personal data for direct postal marketing, you must firstly tell the person that you intend using their personal data for this purpose and give them the opportunity to ‘opt out’.

A person can withdraw their consent at any time.

Electronic Marketing

The rules surrounding marketing by email, text, phone, fax are more stringent than those applying to direct marketing by post.

And certain more restrictive rules apply to marketing tocorporate entities than applies re marketing by post.

You cannot make a marketing call to a person or business if they have indicated their preference to not receive such calls in the National Directory Database. The same rule applies to a person or business that has made it known to you that they do not consent to such calls.

You cannot make a call to a mobile phone unless the person has consented to such calls or the person has indicated his/her willingness generally to receive such calls on the National Directory database.


Electronic Mail

Electronic mail includes email, phone text, MMS messages, voice messages, image messages, and sound messages.

Individual and business customers : Consent is again required; in addition the offer you are making must be of a kind similar to that which you sold the person to begin with, you must have given them the opportunity to object to such marketing in an easy manner, every time you send a marketing message you must give the person the opportunity to opt out again, and the original sale must have occurred in the last 12 months.

Individuals who are not customers: consent is required to send marketing messages

Business contacts: you cannot send marketing messages where the business has advised you that they do not consent to such messages.



You cannot send a fax with a marketing message to a person if they have not previously consented. However, the fax line must be used for personal/domestic purposes and any use in relation to a business will see that line being treated as part of the business and not a residential line.

You may not send a marketing fax to a business which has indicated its unwillingness to receive such messages on the National Directory Database. Nor can you send one if the business has told you they do not wish to receive them.


The onus is on you, if you are prosecuted, to prove that you had consent for the sending of marketing messages. Any consents that you have should be retained for 2 years.

The penalties for breaches of data protection legislation and electronic communications regulations are very stiff.

And each breach attracts a new penalty.