Text Size
Sunday, April 05, 2020

Irish Law

In Ireland, data protection law is set out in the:

  • Data Protection Act 1988;
  • Data Protection (Amendment) Act 2003; and
  • S.I. 336 of 2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“ePrivacy Regulations”).

The aim of the Data Protection Acts and the ePrivacy Regulations was to bring Ireland into line with EU requirements.

Data protection law in Ireland aims to ensure that the right of individuals to privacy in relation to the processing of their personal data is respected and so has important implications for businesses that collect and process information on living individuals, including employees.

The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 (the “Acts”)


The Data Protection Act 1988 gave effect to The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe of 1981. The Convention requires parties to it to respect an individual’s rights and fundamental freedoms, in particular, the right to data protection in relation to the automatic processing of his or her personal data. This right must be provided to all living individuals regardless of their nationality or place of residence.

Click here for the Data Protection Act 1988.

The Data Protection (Amendment) Act 2003 transposed into Irish law the EU Data Protection Directive 1995/46/EC, extending the application of data protection law in Ireland to all personal data whether automated or manual, and to the free movement of personal data between European Member States. It commenced into law on 1st July 2003.

However, for manual records created before 1st July 2003 the obligations to keep data accurate, complete and up-to-date, to ensure that it is adequate, relevant and not excessive and to retain it no longer than is necessary for the purpose(s) did not commence until 24th October 2007.

Under the Acts, certain types of data controller and all data processors are required to register with the Data Protection Commissioner. If you are required to register and you do not, you commit an offence under the Acts. However, regardless of whether you are required to register, all data controllers and data processors must comply with the Acts.

The Acts do not apply to:

  • personal data that in the opinion of the Minister for Justice, Equality and Law Reform or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State;
  • personal data consisting of information that the person keeping the data is required by law to make available to the public; or
  • personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.

Click here for the Data Protection (Amendment) Act 2003.

The ePrivacy Regulations 2011 (Statutory Instrument 336/2011)


The Regulations came into effect on 1 July 2011 and give effect to the EU ePrivacy Directive 2002/58/EC (as amended by Directive 2006/24/EC and 2009/136/EC). They revoke Statutory Instruments 535/2003 and 526/2008.

The Regulations apply to the processing of personal data by data controllers and data processors in connection with publicly available electronic communications networks and services. They are in addition to the general obligations applying to all data controllers and data processors under the Acts. The additional obligations are in the areas of data security (including data breaches), marketing, data retention and data disclosure. Failure to comply with these obligations can lead to severe criminal penalties.

The Regulations apply to:

  • electronic communications companies (telecommunications companies & internet services providers); and,
  • any entity using such communications and electronic communications networks to communicate with customers, for example, by telephone, by text, via a website or over email.

Click here for the ePrivacy Regulations 2011.

  • AML Consultancy Services +

    We are Compliance Ireland  We are Ireland’s leading specialist provider of regulatory, risk and corporate governance consulting, advisory and compliance training Read More
  • AML Directives +

    The third EU AML Directive came into force for EU member states on 15 December 2007. It resulted from the Read More
  • AML International Bodies +

    AML INTERNATIONAL BODIES  The following are other relevant international AML bodies.  Egmont Group  The Egmont Group of Financial Intelligence Units Read More
  • Financial Action Task Force +

    Financial Action Task Force (FATF) and the FATF Recommendations   FATF is an inter-governmental body that was set up in Read More
  • Criminal Justice Terrorist Offences Act 2005 +

    The Criminal Justice (Terrorist Offences) Act 2005 was signed into law on the 8th March 2005. Its provisions had immediate Read More
  • Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 +

     The Third Anti-Money Laundering Directive (2005/60/EC) was transposed into Irish law by the Criminal Justice (Money Laundering and Terrorist Financing) Read More
  • Credit Union Sectoral Guidance Notes +

    On the 7th February, the Department of Finance published the sectoral AML-CFT guidance notes for Credit Unions. The Guidance Note Read More
  • What to expect from the Central bank moving forward? +

      The work of the AML unit is not complete. Firms should expect more inspections as the annual program of Read More
  • 1
  • 2
  • 3