Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

The processing of personal data is allowed by law only if:

  • the data subject gives his or her unambiguous consent;
  • it is necessary for the performance of a contract to which the data subject is party. If the data controller is not party to the contract, it may still process the information when the data subject requests it for this reason;
  • it is necessary to fulfil a legal obligation by the data controller;
  • it is necessary to protect the data subject’s vital interests;
  • it is necessary for carrying out an activity in the public interest or in the exercise of official authority; or
  • it is necessary for the purpose of a legitimate interest of the controller, insofar as that interest will not violate the data subject’s fundamental rights and freedom.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Although the Data Protection Act states that personal data should not be kept for “a period which is longer than is necessary” having regard to the purposes for which the data is processed, there are no objective timeframes provided for specific categories of data. However, it is possible for data controllers to draft their own customised data retention policies and submit them to the Office of the Information and Data Protection Commissioner for review and approval.

Telecommunications companies and internet service providers that fall within the parameters of the Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary legislation 440.01) must retain data required to:

  • trace and identify a communication’s source;
  • identify a communication’s destination;
  • identify a communication’s date, time and duration;
  • identify the type of communication;
  • identify users’ communication equipment or what purports to be their equipment; and
  • identify the location of mobile communication equipment.

Where the communication’s data relates to internet access and email logs, the retention period is six months from the date on which the communication was created.

Conversely, where the communication data relates to fixed network or internet telephony, the data must be retained for one year from the date on which the communication was created.

Under the same regulations, the police are granted the power to issue an order for the conservation of data by a data controller. Where such an order has been issued, the service provider must conserve the data:

  • for a further six months following the basic retention period outlined above (subject to a two-year maximum). If such order is issued by a magistrate or a competent court, the retention obligation may exceed two years; or
  • for criminal proceedings which have been commenced within the above retention periods, the data controller may be obliged to retain the relevant data for such time as may be necessary until the conclusion of the proceedings. 

Do individuals have a right to access personal information about them that is held by an organisation?

The data subject has the right to access any personal data held by a data controller in his or her regard, provided that such requests are made by the individual at reasonable intervals.

The law requires that data controllers provide the following information on request:

  • actual information about the individual data subject that has been processed;
  • where the data was collected;
  • the recipients of the processed data;
  • the purpose of processing the data; and
  • a simple explanation of the automated processes involved in processing the data.

Do individuals have a right to request deletion of their data?

If the data subject requests it, the data controller must immediately rectify, block or erase personal data that has not or is not being processed in accordance with the provisions of the Data Protection Act and its subsidiary legislation.

In such circumstances, the data controller must also notify all other third-party data controllers to whom it may have disclosed such data. This notification is not required in circumstances where it would involve a disproportionate effort.

Consent obligations

Is consent required before processing personal data?

Yes. The data subject must give his or her consent freely and unambiguously. 

If consent is not provided, are there other circumstances in which data processing is permitted?

Data may be processed without consent where the processing is required:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • for compliance with a legal obligation to which the controller is subject;
  • in order to protect the data subject’s vital interests;
  • for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • for a purpose that concerns a legitimate interest of the data controller or of a third party to whom the personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and – in particular – the right to privacy.

Sensitive personal data may be processed without consent where:

  • the data subject has made the data public;
  • the data controller can comply with his or her duties or exercise his or her rights under any law regulating the conditions of employment;
  • the vital interests of the data subject or another person will be protected and the data subject is physically or legally incapable of giving his or her consent;
  • legal claims will be able to be established, exercised or defended;
  • a body of persons (not being a commercial body or entity with political, philosophical, religious or trade union aims) is processing sensitive data concerning its own members or other persons who are in regular contact with the body (for internal purposes);
  • the processing is for health and hospital care purposes, provided it is necessary for preventative medicine and the protection of public health, medical diagnoses, healthcare or the treatment or management of health and hospital care services; or
  • the processing is for research and statistical purposes, provided that it is necessary for the public interest. 

What information must be provided to individuals when personal data is collected?

In all cases where data is collected for processing, the data controller must provide the following information to the data subject:

  • the identity and habitual residence or principal place of business of the data controller and any other person authorised by him or her in that capacity;
  • the purpose of the data processing;
  • any information relating to the recipients, whether the reply to any questions asked is mandatory or not; and
  • information about the right of access.

In all cases where data is obtained from a third party in order to contact the data subject, the same information as above must be provided to the data subject with respect to the data controller who acquired the data from the other data controller.

Click here to view the full article.