Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Data collected by a data controller cannot be used for direct marketing without the data subject’s express consent. The data controller must make it clear to the data subject that he or she has the right to opt out whenever he or she wishes.

Cookies

Are there rules governing the use of cookies?

Yes. Regulation 5 of the Processing of Personal Data (Electronic Communications Sector Regulations), which implements the provisions of the EU Privacy and Electronic Communications Directive (2002/58/EC), requires data controllers to obtain the data subject’s prior consent for processing his or her personal data, unless it is strictly necessary for the provision of an information society service. 

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Such transfers may be effected by the data controller if the data subject has given his or her unambiguous consent or if the transfer:

  • is necessary for the performance or conclusion of a contract between the data subject and the data controller;
  • is necessary for the performance or conclusion of a contract between the data subject and a third party;
  • is necessary on the grounds of public interest or for the establishment, exercise or defence of legal claims;
  • is necessary to protect the data subject’s vital interests; or
  • is made from a public register that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, provided that the conditions for consultation set out in the law are fulfilled in the particular case.

Are there restrictions on the geographic transfer of data?

The Third Country (Data Protection) Regulations (Subsidiary Legislation 440.03) provide that before transferring personal data to a third country, data controllers are required to notify the Office of the Information and Data Protection Commissioner about any transfers of data that may be involved as part of a processing operation. The transfer of data to third countries (ie, a country not included in the list maintained by the commissioner for this purpose) may be made only:

  • to a country that ensures an adequate level of protection (to be decided by the commissioner on a case-by-case basis);
  • to a country that does not ensure an adequate level of protection and the commissioner has made an exemption; or
  • with the data subject's unambiguous consent.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Sensitive personal data may be transferred to a third party only if a data subject explicitly consents thereto. 

Click here to view the full article.