Data protection rights
Individuals have privacy rights in relation to the processing of their personal data.
Changes in 2018
A new European Union-wide framework known as the General Data Protection Regulation (GDPR) changes the rules on data protection. It provides for a more uniform interpretation and application of data protection standards across the EU.
The GDPR came into force across the EU on 25 May 2018. However, member states have flexibility in certain areas and can make their own laws in these areas. (For example, the GDPR specifies 16 years as the digital age of consent but allows member states to provide for a lower age – which cannot be lower than 13.)
An accompanying Directive establishes data protection standards in the area of criminal offences and penalties. This is known as the law enforcement Directive.
The GDPR and the law enforcement Directive provide for significant reforms to current data protection rules. They provide for higher standards of data protection for individuals and impose increased obligations on organisations that process personal data. They also increase the range of possible sanctions for infringements of these rules.
The Data Protection Act 2018, which was signed into law on 24 May 2018, changes the previous data protection framework, established under the Data Protection Acts 1988 and 2003 (pdf). Its provisions include:
- Establishing a new Data Protection Commission as the State’s data protection authority
- Transposing the law enforcement Directive into national law
- Giving further effect to the GDPR in areas where member states have flexibility (for example, the digital age of consent)
Where we mention “current legislation” in this document, we refer to the situation up to the enactment of the Data Protection Act 2018 and the coming into force of the GDPR.
This document will be updated as more information becomes available.
Rules before 25 May 2018
The Data Protection Acts state that information about you must be accurate, must only be made available to those that should have it and must only be used for specified purposes. You have the right to access personal information relating to you and have any errors corrected or, in some cases, have the information erased.
If your information is being held for the purposes of direct marketing, you can have your details removed.
Data protection rights apply to information held on computer or in manual or paper files.
The Data Protection Commissioner is appointed by the Government. The Commissioner is independent in the exercise of their functions. Individuals who feel their rights are being infringed can complain to the Commissioner, who has powers to enforce the provisions of the Act.
If you suffer damage as a result of a breach of your data protection rights, you may sue for damages through the courts.
The Commissioner also maintains a register, available for public inspection, giving general details about the data handling practices of many important data controllers, such as government departments and State-sector bodies, financial institutions, and any person or organisation who keeps sensitive types of personal data.
How to apply
To access information relating to you, send a letter or email to the organisation or person holding your personal details and ask them for a copy of this information. You should receive it within 40 calendar days of your request. You may have to pay a small fee of €6.35.
If you find that an organisation or person has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details. If you feel that they do not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details. You can also ask them not to use your personal details for purposes other than their main purpose.
Write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, they must do as you ask or explain why they will not do so.
Further information on your rights and how to obtain them is available on the Commissioner’s website.
To make a complaint to the Data Protection Commissioner, simply write to or email the Commissioner explaining your case. You should include the following details:
- The name of the organisation or person you are complaining about
- The steps you have taken to have your concerns dealt with
- The details of any response you have received
You should provide copies of any letters or emails exchanged between you and the organisation or person.
If the Commissioner agrees with your complaint, they will try to make sure that the organisation or person obeys the law and puts matters right. If the Data Protection Commissioner does not accept your complaint, you may appeal to the Circuit Court against this decision within 21 days.
Read more about complaining
to the Data Protection Commissioner.