Data Protection Act 2018 (Section 60(6)) (Corporate Enforcement Authority) Regulations S.I. No. 602/2022
Notice of the making of this Statutory Instrument was published in “Iris Oifigiúil” of 2nd December, 2022.
I, LEO VARADKAR, Minister for Enterprise, Trade and Employment, in exercise of the powers conferred on me by section 60 (6) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (9)(b) and (10) of section 60 of that Act, hereby make the following regulations with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving the draft has been passed by each such House:
Citation
1. These Regulations may be cited as the Data Protection Act 2018 (Section 60(6)) (Corporate Enforcement Authority) Regulations 2022.
Definitions
2. In these Regulations -
“Act of 2014” means the Companies Act 2014 (No. 38 of 2014);
“Act of 2015” means the Irish Collective Asset-Management Vehicles Act 2015 (No. 2 of 2015);
“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018);
“Article 10 data” has the same meaning as it has in section 55 of the Act of 2018;
“Authority” means the Corporate Enforcement Authority;
“enactment” has the same meaning as it has in the Interpretation Act 2005 (No. 23 of 2005);
“Regulations of 2007” means the European Communities (European Public Limited-Liability Company) Regulations 2007 (S.I. No. 21 of 2007);
“Regulations of 2019” means the European Union (Qualifying Partnerships: Accounting and Auditing) Regulations 2019 (S.I. No. 597 of 2019);
“relevant function” has the meaning assigned to it by Regulation 3;
“relevant objective” has the meaning assigned to it by Regulation 4.
Relevant function
3. In these Regulations, “relevant function” means a function of -
(a) the Authority under -
(i) the Regulations of 2007,
(ii) the Act of 2014,
(iii) the Act of 2015, or
(iv) the Regulations of 2019,
or
(b) an inspector appointed under section 748, 763 or 764 of the Act of 2014.
Relevant objective
4. In these Regulations, “relevant objective” means -
(a) the important objective of general public interest of ensuring the winding up of a company under section 569(1)(g) of the Act of 2014 that is pursued by the Authority when exercising a relevant function under that section, or
(b) in relation to any other relevant function, an objective referred to in paragraph (b), (c), (d), (e), (f), (g), (i), (k), (l), (m) or (o) of section 60(7) of the Act of 2018 that is pursued by the Authority in exercising that function.
Scope: categories of personal data
5. These Regulations apply to personal data processed by the Authority (including special categories of personal data and Article 10 data), in respect of which the Authority is the controller.
Scope: purpose of processing
6. These Regulations apply to the processing, by the Authority, of personal data to which these Regulations apply in the pursuit of a relevant objective.
Restriction
7. (1) The rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22) of the Data Protection Regulation, in respect of processing to which these Regulations apply, are restricted to the extent that such a restriction is -
(a) necessary to safeguard a relevant objective, and
(b) proportionate to the need to safeguard that relevant objective,
including, but not limited to, where the exercise of the right or compliance with the obligation, as the case may be -
(i) may interfere with the prevention, detection or investigation of breaches of, or enforcement of, the Regulations of 2007, the Act of 2014, the Act of 2015 or the Regulations of 2019,
(ii) may interfere with a process, procedure, investigation, inquiry, assessment, scheme, application or settlement undertaken by the Authority,
(iii) may interfere with proceedings pending or due before a court,
(iv) would disclose that the Authority is exercising a function in pursuit of a relevant objective, in a case in which such disclosure may prejudice the achievement of the relevant objective, or
(v) would prevent the Authority processing personal data for a period of time, in a case in which any delay to the processing may prejudice the achievement of a relevant objective.
(2) Matters which are relevant, for the purposes of paragraph (1), in determining whether a restriction of a right or obligation is necessary to safeguard a relevant objective and proportionate to the need to safeguard that relevant objective, include -
(a) whether or not the exercise of the right or compliance with the obligation would prejudice the achievement by the Authority of that relevant objective,
(b) the essence of the right to data protection of the data subject, and
(c) the risks to the rights and freedoms of the data subject which may result from such a restriction.
Information to be provided where a right is restricted
8. (1) Where a right or obligation referred to in paragraph (1) of Regulation 7 is restricted in accordance with that paragraph, the Authority shall notify the data subject concerned in writing in a timely manner, unless so notifying the data subject may prejudice the achievement of a relevant objective.
(2) A notification under paragraph (1) shall inform the data subject concerned of the following:
(a) the right or obligation referred to in Regulation 7(1) affected by the restriction;
(b) whether the right or obligation concerned has been restricted in whole or in part;
(c) the reasons for the restriction, unless informing the data subject concerned of the reasons may prejudice the achievement of a relevant objective;
(d) that the data subject concerned may lodge a complaint with the Commission pursuant to Article 77(1) of the Data Protection Regulation;
(e) that the right referred to in subparagraph (d) is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the Authority, including judicial review of a decision of the Authority.
(3) Where requested to do so by a data subject notified in accordance with paragraph (1), the Authority shall provide information on the policies and procedures referred to in Regulation 10(1) to the data subject.
Communication with data subject
9. The Authority shall ensure that all information provided to a data subject under or in relation to these Regulations is provided in a concise, intelligible and easily accessible form using clear and plain language.
Safeguards
10. (1) The Authority shall prepare and implement policies and procedures to provide for the matters referred to in Article 23(2)(d) and (f) of the Data Protection Regulation.
(2) Without prejudice to the generality of paragraph (1), the policies and procedures referred to in that paragraph shall provide for the following:
(a) the use of secure storage, passwords, encryption and other methods to ensure personal data can only be accessed by persons authorised by the Authority to access that personal data;
(b) the use of controls to ensure that personal data is only disclosed to persons authorised by the Authority, or entitled or permitted by law, to receive that personal data;
(c) the determination of appropriate storage periods for personal data or classes of personal data;
(d) the treatment of personal data or classes of personal data at the expiry of the storage periods referred to in subparagraph (c);
(e) data minimisation, including the use of anonymisation and pseudonymisation.
(3) The policies and procedures referred to in paragraph (1) shall be reviewed by the Authority on a regular basis and updated where the Authority considers it appropriate to do so.
Interaction with other law
11. The restriction referred to in paragraph (1) of Regulation 7 is in addition to and not in substitution for any restriction of the rights and obligations referred to in that paragraph under any other enactment or law of the European Union.
GIVEN under my Official Seal,
28 November, 2022.
LEO VARADKAR,
Minister for Enterprise, Trade and Employment.
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These Regulations restrict, in limited circumstances, the rights and obligations provided for in the Data Protection Act 2018. These restrictions apply only where necessary and proportionate to safeguard the statutory functions of the Corporate Enforcement Authority (CEA). For example, where the exercise of the right may interfere with the prevention, detection or investigation of breaches, or where disclosure may prejudice the achievement of a relevant objective.
The Regulations provide that the essence of the right and any risk to the right that may result from a restriction are matters that are relevant in determining whether a restriction is necessary and proportionate to safeguard a statutory function. Furthermore, whether a restriction applies must be considered on a case-by-case basis following an assessment of the relevant circumstances. Whether it is necessary and proportionate to restrict the right in whole, or in part must also be considered.
Where a right or obligation is restricted, the Regulations provide that the CEA is obliged to notify the data subject and provide the reasons for the restriction, unless to do so may prejudice the achievement of a relevant objective. A notification must inform the data subject of the right or obligation affected by the restriction, whether the restriction applies in whole or in part, and the data subject’s statutory right to lodge a complaint with the Data Protection Commission.
The proposed measures also require the CEA to have in place certain policies and procedures relating to safeguards to prevent abuse or unlawful access or transfer and the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing. The measures also require that the CEA ensures that all information provided in relation to these Regulations is provided in a clear, concise and accessible manner.