Data Protection Act 2018 (DPA 2018) Ireland

    Overview

    The Data Protection Act 2018 (DPA 2018) is Ireland's implementation of the General Data Protection Regulation (GDPR). It governs the processing of personal data by public and private entities and provides additional regulations specific to Ireland, such as requirements for handling children's data and the establishment of the Data Protection Commission as the supervisory authority. The DPA 2018 also gives effect to EU Directive 2016/680 regarding data processing by authorities in the justice system.

     

    Regulation Summary

    Timeline
    • Enacted: May 25, 2018 (in line with the GDPR)
    • Effective: May 25, 2018
    What Businesses Are Affected
    • All businesses and organizations in Ireland processing personal data.
    • Entities based outside Ireland that process personal data of Irish residents.
    Exemptions
    • Data processed for national security and public interest.
    • Data processing for personal, household, and journalistic purposes.
    Responsibilities for Businesses
    • Appoint a Data Protection Officer (DPO) for monitoring compliance.
    • Obtain explicit consent from individuals for data collection.
    • Provide clear, accessible privacy notices and policies.
    • Implement adequate technical and organizational measures to ensure data security.
    • Report data breaches within 72 hours to the Data Protection Commissioner (DPC) and affected individuals.
    Specific Responsibilities for Website Owners
    • Ensure clear and informed consent mechanisms for cookies and tracking technologies.
    • Provide privacy policies that outline how personal data is collected, used, and shared.
    • Enable individuals to exercise their rights, including access, rectification, and deletion of personal data.
    Additional Requirements
    • Cross-Border Transfers: Transfers of personal data outside the EU are allowed only to countries with adequate protection or based on approved contractual arrangements.
    • Sensitive Data: Extra safeguards are required for processing special categories of personal data, such as health or biometric data.
    • Data Retention: Personal data should not be retained longer than necessary for the purposes for which it was collected.
    Data Subject Rights
    • Access their personal data.
    • Request the correction or deletion of inaccurate or outdated data.
    • Object to data processing for direct marketing.
    • Withdraw consent at any time.
    • Request the transfer of their data to another organization.
    Enforcement
    • Regulatory Authority: The Data Protection Commissioner (DPC).
    • Penalties: Fines up to €20 million or 4% of annual global turnover (whichever is higher) for non-compliance with GDPR and the Data Protection Act 2018.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596