Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 13 January 2025

Yes.

The following are potential legal bases for processing personal data:

☒        the data subject has provided consent to the processing for the identified purposes
☒        the personal data is necessary to perform a contract with the data subject
☒        the personal data is necessary to comply with a legal obligation
☒        the personal data is necessary to protect the vital interests of a natural person
☒        the personal data is necessary for a public interest
☒        the personal data is necessary to fulfill a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)
☒        other

Sections 39-44 of the DPA 2018 permit the processing of personal data in the specific situations set out below:

  • Communicating in writing with data subjects by political parties, candidates and holders of political offices in the course of electoral activities in Ireland (section 39).
  • Processing by elected representatives to enable them to act on behalf of a data subject when they receive a request to do so (section 40).
  • Further processing for a purpose other than that for which it was collected, where such processing is necessary and proportionate for the purpose of:
    • preventing a threat to national security
    • preventing, detecting, investigating or prosecuting criminal offences, or
    • providing legal advice or legal proceedings (section 41)
  • For archiving, scientific or historical research or statistical purposes, subject to such processing respecting the principle of data minimization (section 42).
  • For the purpose of exercising the right to freedom of expression insofar as compliance with the GDPR would be incompatible with such purposes (section 43).
  • Where a request for access to an official record containing such data is granted under the Freedom of Information Act 2014 or the Access to Information on the Environment Regulations 2007 (section 44).

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 13 January 2025

Yes.

The following are potential legal bases for processing sensitive personal data:

☒        the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")
☒        processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
☒        processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
☒        processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions
☒        processing relates to personal data which are manifestly made public by the data subject
☒        processing is necessary for the establishment, exercise or defense of legal claims
☒        processing is necessary for reasons of substantial public interest
☒        processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
☒        processing is necessary for reasons of public interest in the area of public health
☒        processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
☒        other

The DPA 2018 sets out some supplementary legal bases for processing sensitive personal data, including:

  • processing necessary for the purpose of legal advice or legal proceedings (section 47);
  • processing revealing political opinions for electoral activities and functions of the Referendum Commission (section 48);
  • processing for the purposes of the administration of justice or the performance of functions conferred on a person by an enactment or by the Constitution (section 49);
  • processing of health data for insurance or pension purposes or the mortgaging of property (section 50);
  • processing by elected representatives to enable them to act on behalf of a data subject when they receive a request to do so (section 40); and
  • further processing for a purpose other than that for which it was collected, where such processing is necessary and proportionate for the purpose of:
    • preventing a threat to national security
    • preventing, detecting, investigating or prosecuting criminal offences, or
    • providing legal advice or legal proceedings (section 41)

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 13 January 2025

Yes.

A minor within the meaning of data privacy laws is a person below the age of 18 (but see below).

In what circumstances do these special requirements apply?

Last review date: 13 January 2025

☒         in the context of information society services only if processing is based on consent
☒         other

For the purposes of the general application of the GDPR in Ireland, a reference to "child" in the GDPR is to a person under 18 years of age (section 29, DPA 2018).

However, in the context of information society services, where processing is based on the consent of a child, a child is a person under 16 years of age (section 31, DPA 2018). In this case, consent must be given/authorized by a parent/guardian.

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 14 January 2025

☒        consent must be given or authorized by the holder of parental responsibility over the child
☒        additional data subject rights are granted to minors (e.g., deletion, access, transparency)

Additional Rights:

Organizations have an express obligation under the GDPR to ensure that any transparency information about data processing which is addressed to a child under 18 years of age is in clear and plain language so that the child can understand it (Article 12.1, GDPR and section 29, DPA 2018).

Section 33 of the DPA 2018 provides a specific right to erasure for children where personal data have been collected in relation to the offer of information society services. However, this right will not apply where the processing is necessary for the purposes set out in Article 17(3) of the GDPR (e.g., to comply with a legal obligation).

☒        other

The processing of the personal data of a child under 18 years of age for the purposes of direct marketing, profiling or micro-targeting is prohibited (section 30, DPA 2018). No date has been set for the commencement of this provision due to concerns that it imposes limitations in Irish law on the processing of personal data that is lawful under the GDPR.

The DPC has an obligation under section 32 of the DPA 2018 to encourage the drawing up of codes of conduct to contribute to the proper application of the GDPR with regard to:

  • the protection of children;
  • the information to be provided by a controller to children;
  • the manner in which the consent of holders of parental responsibility over a child is to be obtained for the purposes of Article 8 GDPR;
  • integrating the necessary safeguards into processing in order to protect the rights of children in an age-appropriate manner for the purposes of data protection by design and by default; and
  • the processing of the personal data of children for direct marketing purposes and creating personality and user profiles.