The Minister of Finance has passed new Regulations, the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, permitting data subjects’ rights under Articles 12-22 and Article 34, and controllers’ obligations under Article 5 GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank of Ireland (CBI) to carry out certain functions.
The restrictions set out in these Regulations are in addition to, and not in substitution of, any other restrictions to data subjects’ rights or controllers’ obligations set out under any other enactment or EU law. The Regulations came into operation on 30 October 2019.
The Regulations apply to personal data (including special categories of personal data and criminal convictions/offences data), in respect of which the CBI is the controller, and are processed by the CBI in the pursuit of a “relevant objective” .
A “relevant objective” is defined as an important objective of general public interest, referred to in paragraphs (b) to (g) or (i) to (m) of section 60(7) of the Data Protection Act (DPA) 2018, and pursued by the CBI in exercising a “relevant function” (regulation 4).
The“relevant objectives” set out in those paragraphs of the DPA 2018 include, amongst others: avoiding obstructions to any official or legal inquiry, investigation or process; preventing, investigating or prosecuting breaches of ethics for regulated professions; taking any action for the purposes of investigating a complaint made to a regulatory body; and safeguarding the economic or financial interests of the EU or the State.
A “relevant function” is defined as a function of the CBI under: (a) financial services legislation; (b) the Treaty on the Functioning of the European Union or (c) the Statute of the European System of Central Banks and of the European Central Bank, which relates directly or indirectly to certain prescribed task of the CBI, including protecting the best interests of consumers of financial services, and supervising and enforcing compliance with financial services legislation.
The restriction of data subjects’ rights or controllers’ obligations pursuant to these Regulations must be: (a) necessary to safeguard a relevant objective; and (b) proportionate to the need to safeguard that relevant objective. This includes, for example, where the exercise of the right or obligation may interfere with: (i) the prevention, detection or investigation of a breach of, or enforcement of, financial services legislation; (ii) a procedure, investigation or settlement being undertaken by the CBI, or (iii) proceedings pending before a court.
Obligation to notify data subjects where a right is restricted
Where a data subject’s right or controller’s obligation is restricted, the CBI must notify the data subject concerned in writing, in a timely manner, unless such notification may prejudice the achievement of a relevant objective.
The notification must inform the data subject of:
(a) the right or obligation affected by the restriction;
(b) whether the right or obligation has been restricted in part or in whole;
(c) the reasons for the restriction, unless such information may prejudice the achievement of a relevant objective; and
(d) the right to lodge a complaint with the Data Protection Commission. The right to lodge a complaint is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the CBI, including judicial review of a decision of the CBI, and the right to appeal a decision of the CBI under the Central Bank Act 1942.