{"id":140414,"date":"2026-04-22T09:25:44","date_gmt":"2026-04-22T09:25:44","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=140414"},"modified":"2026-04-22T09:25:44","modified_gmt":"2026-04-22T09:25:44","slug":"ireland-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/ireland-data-protection-cybersecurity\/","title":{"rendered":"Ireland: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-140414","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-ireland"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Byrne Wallace Shields LLP<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/05\/BWS_nostrapline_RGB-1.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Byrne Wallace Shields LLP<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/05\/BWS_nostrapline_RGB-1.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Ireland<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data 
protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The primary legislation governing data protection and privacy in Ireland is the Data Protection Act 2018, as amended (\u201c2018 Act\u201d), which gives further effect to the General Data Protection Regulation (\u201cGDPR\u201d) and transposes into national law Directive (EU) 2016\/680 (\u201cLaw Enforcement Directive\u201d), which applies to the processing of personal data for law enforcement purposes. The Data Protection Acts 1988 to 2003, as amended, also still apply in certain limited circumstances.<\/p>\n<p>The Data Protection Commission (\u201cDPC\u201d) is the national competent authority for the regulation and enforcement of this legislation.<\/p>\n<p>The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, as amended (\u201ce-Privacy Regulations\u201d) transpose Directive 2002\/58\/EC (\u201ce-Privacy Directive\u201d) in Ireland. The e-Privacy Regulations outline specific rules with regard to the use of cookies, marketing communications and security of electronic communications networks and services. 
The e-Privacy Regulations were amended by the European Union (Electronic Communications Code) Regulations 2022, which increased the range of service providers falling within the scope of the legislation.<\/p>\n<p>The Data Sharing and Governance Act 2019, as amended (\u201c2019 Act\u201d) regulates the sharing of information, including personal data, between public bodies in certain circumstances, provides for the establishment of base registries and the Personal Data Access Portal, and established the Data Governance Board.<\/p>\n<p>The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (\u201cNIS Regulations\u201d) which transpose Directive (EU) 2016\/114 remain in force in Ireland currently and apply a set of binding security obligations to critical infrastructure operators in the energy, healthcare, financial services, transport, water supply, digital infrastructure, and telecommunications sectors. A unit of the Department of Communications, Climate Action and Environment, the Computer Security Incident Response Team (\u201cCSIRT\u201d), is designated as the computer security incident response team in the State. 
The Minister for the Environment, Climate and Communications is the designated competent authority for the purposes of enforcement against providers within all sectors, including digital services providers, other than the banking and financial market infrastructure sectors, for which the Central Bank of Ireland (\u201cCBI\u201d) is designated.<\/p>\n<p>The NIS Regulations apply to both Digital Service Providers (\u201cDSPs\u201d) and Operators of Essential Services (\u201cOES\u201d) in the State which are designated, either as a result of self-identification or identification by a competent authority, having regard to three cumulative criteria:<\/p>\n<ul>\n<li>Whether the entity performs a service that is \u201cessential for the maintenance of critical societal or economic activities\u201d,<\/li>\n<li>Whether the provision of that service depends on network and information systems, and<\/li>\n<li>Whether an incident would have a significant disruptive effect on the provision of the service offered.<\/li>\n<\/ul>\n<p>In practice, in comparison to the number of entities that will be subject to updated cybersecurity legislation in the State in the near future under the legislation transposing the NIS2 Directive, a relatively small number of entities are subject to the provisions of the NIS Regulations.<\/p>\n<p>Regulation (EU) 2019\/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (\u201cCybersecurity Act\u201d) has direct effect in Ireland and grants a cybersecurity certification and operational cooperation mandate to ENISA, in addition to introducing an EU-wide cybersecurity certification framework for ICT products, services and processes. In January 2026 the EU Commission announced new measures that were designed to strengthen cybersecurity resilience and capabilities. 
One of these measures is to revise the Cybersecurity Act by enhancing the security of the EU\u2019s information and communication technologies supply chains, by reducing the risks from third-country suppliers that raise cybersecurity concerns and by ensuring that digital products and services used by EU citizens are tested for security by clarifying rules and simplifying procedures under the European Cybersecurity Certification Framework.<\/p>\n<p>The Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 (as amended) gives effect to certain provisions of EU Directive 2018\/1972, which established the European Electronic Communications Code and was fully commenced on 9 June 2023. This Act mandates that providers of public electronic communications networks and services (such as phone and broadband providers) take appropriate and proportionate measures to manage the risks posed to the security of networks and services. This Act designates the communications regulator ComReg as the competent authority for the purposes of enforcement in Ireland. The European Union (Electronic Communications Code) Regulations 2022 transpose the remainder of the Directive.<\/p>\n<p>The Digital Services Act 2024 (\u201cDSA\u201d) was enacted on 17 February 2024, giving further effect to Regulation (EU) 2022\/2065 on a Single Market for Digital Services, which empowers the European Commission to regulate online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. It aims to prevent illegal and harmful activities online and the spread of disinformation. Ireland has designated Coimisi\u00fan na Me\u00e1n (\u201cCnaM\u201d) as the national Digital Services Coordinator responsible for supervising and enforcing the DSA. 
CnaM adopted the Online Safety Code in late 2024.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The data protection and cybersecurity landscape is expected to go through significant transition over the coming year due to a wave of continuing reforms and developments. EU legislation in areas such as AI, cybersecurity, and privacy, has and will continue to significantly impact Ireland\u2019s legislative framework. The data protection and cybersecurity landscape is constantly evolving as a result of technological advancements and initiatives from the European Parliament, and it is anticipated that there will be a substantial amount of change in this area during 2026 and beyond.<\/p>\n<p>Most significant is the NIS 2 Directive (Directive 2022\/2555) which is an enhanced European Union-wide cybersecurity law, aimed at strengthening security across critical sectors. It has not yet been transposed into law in Ireland. The heads of bill of the National Cyber Security Act were published by the Department of the Environment, Climate and Communications on 30 August 2024 but are still only in draft form and have yet to go through the legislative process. It is hoped that the legislation will be transposed in the second half of 2026. 
When the legislation is enacted, it will transpose the NIS2 Directive into Irish Law and will change the face of cybersecurity regulation in the State by dramatically increasing both the number of entities subject to cybersecurity legislation and the nature of the obligations on those entities.<\/p>\n<p>As part of its cybersecurity strategy, the EU has issued numerous new legal acts aimed at increasing the level of cybersecurity. The Cyber Resilience Act (\u201c<strong>CRA<\/strong>\u201d) entered into force on 10 December 2024. While the main obligations are applicable from 11 December 2027 certain incident reporting obligations apply as of 11 September 2026. The CRA will ensure that products and services are designed with appropriate cybersecurity measures and will strengthen Ireland\u2019s approach to digital platforms and consumer protection.<\/p>\n<p>The Cyber Solidarity Act (\u201c<strong>CSA<\/strong>\u201d) came into force on 4 February 2025 and is designed to help cross border defense against cyber-attacks, by implementing emergency and response management systems. The Cyber Solidarity Act includes a proposal for a European Cybersecurity Alert System to improve the detection, analysis and response to cyber threats. The European Union (Digital Operational Resilience) (No. 2) Regulations 2025 (S.I. 20\/2025) (Regulations) came into effect on 11 February 2025. From an Irish perspective, these regulations complete the implementation of the EU\u2019s Regulation 2022\/2554 on digital operational resilience for the financial sector (\u201c<strong>DORA<\/strong>\u201d) which has been applicable since 17 January 2025. The aim of DORA is to increase resilience in the financial sector by imposing increased security requirements. The NIS2 Directive, which was required to be transposed into domestic law by all Member States in October 2024, has not yet been transposed in Ireland. 
The heads of bill of the National Cyber Security Act were published by the Department of the Environment, Climate and Communications on 30 August 2024 but are still only in draft form and have yet to go through the legislative process.<\/p>\n<p>As part of its proposed new cybersecurity package to further strengthen the EU&#8217;s cybersecurity resilience and capabilities, the EU Commission has proposed a new Cybersecurity Act which aims to increase cybersecurity capabilities and resilience and prevent fragmentation across the EU digital single market. This was published in January 2026 and we expect discussion and scrutiny of this Act at both EU and national level in 2026.<\/p>\n<p>As regards data protection, the European Commission is actively considering changes to the GDPR and is advancing the Digital Omnibus Package. The package involves reducing the administrative burden imposed by the GDPR and introducing amendments to the GDPR that facilitate AI development and use by clarifying how the &#8220;legitimate interests&#8221; legal basis may apply to processing personal data for developing and operating AI systems, subject to safeguards. It also proposes targeted amendments across the EU&#8217;s data protection and cybersecurity frameworks to reduce duplicative obligations and clarify how the rules interact.<\/p>\n<p>Regulation (EU) 2025\/2518 laying down additional procedural rules on the enforcement of Regulation (EU) 2016\/679 came into force on 1 January 2026. This Regulation lays down additional procedural rules on the enforcement of the GDPR to address shortcomings in the cooperation between supervisory authorities and provide for enhanced decision-making power of the EDPB. 
For example, the Regulation provides for stricter temporal deadlines for cross border investigations, an early resolution mechanism for complaints regarding access request rights, and improved co-operation procedures between supervisory authorities.<\/p>\n<p>Relevant to both the data protection and cybersecurity landscape is the EU AI Act (the \u201c<strong>AI Act<\/strong>\u201d) which has had direct effect in Ireland since August 2024 but will apply in a phased manner. 2026 is an important year for implementation of the AI Act as, from August 2026 the majority of the AI Act will begin to apply.\u00a0 For this reason, we expect to see much activity, discussion and debate in the area of AI.<\/p>\n<p>Further effect is to be given to the Act in Ireland by way of domestic legislation. The General Scheme of the Regulation of Artificial Intelligence Bill 2026 was published in February 2026. Once enacted, this legislation will give further effect to the AI Act by setting down certain measures that, under the Regulation, require national legislation to implement. Although initially it appeared that Ireland was adopting a distributed model for oversight and enforcement of the Act through the designation of 15 competent authorities, the establishment of a national AI Office to coordinate implementation and enforcement of the AI Act demonstrates a hybrid approach to regulation in this area. It is proposed that the national AI Office will gather expertise centrally and provide assistance to sectoral regulators on an as-needed basis. 
The AI Office is to be established by August 2026.<\/p>\n<p>August 2026 is also the deadline by which Member States must ensure that their competent authorities have established at least one AI regulatory sandbox at national level.<\/p>\n<p>The Irish legislation giving effect to the EU Data Act is expected in 2026. The EU Data Act entered into force on 11 January 2024 and aims to create a single market in the EU for data generated by Internet of Things products in order to promote innovation and increase competitiveness. The EU Data Act does this by making data more accessible, introducing fair contractual terms, and safeguarding data transfers. Key provisions of the EU Data Act became fully applicable from 12 September 2025 with transitional provisions for certain specific situations up until 12 September 2027. The Irish Government published the General Scheme of the Data Bill in February 2025. The Competition and Consumer Protection Commission (\u201c<strong>CCPC<\/strong>\u201d) and Commission for Communications Regulation (\u201c<strong>ComReg<\/strong>\u201d) are designated as competent authorities for the Data Act. The CCPC is also designated as the \u2018Data Coordinator.\u2019<\/p>\n<p>The following Bills are also being progressed by the Irish Government:<\/p>\n<p>(i) The pre-legislative scrutiny of the Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill was completed in March 2024. The purpose of this Bill is to allow An Garda S\u00edoch\u00e1na to request the preservation and production of data held on IT systems in order to investigate criminal offences. It is anticipated that the legislation will be published later in 2026.<\/p>\n<p>(ii) The Health Information Bill 2024 is currently in the final stages of the legislative process with final amendments being considered by Seanad Eireann. 
The Bill will provide a clear legal basis for the establishment of a Digital Health Record for people in Ireland.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>Data Protection:<\/strong><\/p>\n<p>Ireland is a key enforcement hub in the EU, having issued \u20ac4.04 billion in fines since May 2018, more fines than any other EU country, reinforcing Ireland\u2019s position as the EU\u2019s pre-eminent data protection regulator. Enforcement against big tech is a clear regulatory trend in Ireland. Regulatory inquiries have expanded into AI model training, biometric data, and health-sector cybersecurity.<\/p>\n<p>As Lead Supervisory Authority for many big tech and social media companies, a clear priority for the DPC is in relation to AI. In 2024 the DPC led the way by requesting a statutory opinion from the European Data Protection Board (\u201cEDPB\u201d) on AI model development. This is a trend which we expect to continue and which signals a shift towards more technical investigations targeting areas where data use is both innovative and potentially high impact.<\/p>\n<p>Although personal data breach notifications have increased across Europe generally, Ireland has only experienced a small increase in data breach notifications during 2025. This does not necessarily mean a substantive improvement in underlying security but could be due to a growing reluctance among businesses to report incidents.<\/p>\n<p>A further regulatory priority for the DPC is the protection of children\u2019s personal data. 
The DPC recently launched an initiative with the French data protection authority known as the \u201cPause Before You Post\u201d campaign. This is a campaign to raise awareness of the potential risks and consequences of \u201csharenting\u201d \u2013 the habitual sharing of personal information, photos and videos by parents of their children online. We expect the DPC to continue focusing on children\u2019s data into 2026 and beyond.<\/p>\n<p>The EDPB announced that its 2026 coordinated enforcement action (\u201cCEA\u201d) will focus on transparency and information obligations, the rules that require organisations to clearly explain how they collect, use, and share personal data, under Articles 12-14 of the General Data Protection Regulation. For this reason we expect the DPC may also choose to focus on transparency in 2026.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no registration or licensing requirements for controllers or processors in Ireland. All organisations that have appointed a Data Protection Officer (\u201cDPO\u201d) pursuant to the GDPR are required to notify the contact details to the DPC. 
While there are no registration or licensing requirements on entities under the NIS Regulations, the competent authorities are required to establish and maintain a Register of Operators of Essential Services (\u201cROES\u201d), without exception.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Data Protection Act 2018, \u201cpersonal data\u201d means information relating to\u2014<\/p>\n<p>(a) an identified living individual, or<\/p>\n<p>(b) a living individual who can be identified from the data, directly or indirectly, in particular by<br \/>\nreference to \u2014<\/p>\n<p>(i) an identifier such as a name, an identification number, location data or an online identifier, or<\/p>\n<p>(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual<\/p>\n<p>This definition is broad and applies to all natural persons.<\/p>\n<p>The expansive definition means that personal data is not limited to obvious identifiers such as name or ID number but also to indirect identifiers. The definition can capture information about a person in both private and professional context. 
However, information about a company or business is generally not \u2018personal data.\u2019<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, data known as Special Category Data is considered more sensitive and is subject to additional protection. Under the GDPR and Data Protection Act 2018, \u201cspecial categories of personal data\u201d means:<\/p>\n<p>(a) personal data revealing (i) the racial or ethnic origin of the data subject, (ii) the political opinions or the religious or philosophical beliefs of the data subject, or (iii) whether the data subject is a member of a trade union,<\/p>\n<p>(b) genetic data,<\/p>\n<p>(c) biometric data for the purposes of uniquely identifying an individual,<\/p>\n<p>(d) data concerning health, or<\/p>\n<p>(e) personal data concerning an individual\u2019s sex life or sexual orientation.<\/p>\n<p>\u201cBiometric data\u201d means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual that allow or confirm the unique identification of the individual, including facial images or dactyloscopic data.<\/p>\n<p>Data relating to criminal offences is also considered to be more sensitive and can only be processed under official authority or where specifically permitted by Irish or EU 
law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 5 of the GDPR sets out key principles for the protection of personal data. These principles, both directly and indirectly, influence the other rules and obligations found throughout the applicable legislation. Compliance with these fundamental principles of data protection is the first step for controllers in ensuring that they fulfil their obligations under the GDPR. The following is a brief overview of the Article 5 principles:<\/p>\n<p><strong>Lawfulness, fairness, and transparency<\/strong>: Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them is collected, used, consulted, or otherwise processed and to what extent the personal data is or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. 
Data subjects must be provided with information as to the categories of recipients to which their personal data has been or will be disclosed, as well as information as to any further processing that is carried out.<\/p>\n<p><strong>Purpose Limitation<\/strong>: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data is processed should be explicit, legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.<\/p>\n<p><strong>Data Minimisation<\/strong>: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data is stored is limited to a strict minimum (see also the principle of \u2018Storage Limitation\u2019 below).<\/p>\n<p><strong>Accuracy:<\/strong> Controllers must ensure that personal data is accurate and, where necessary, kept up to date, taking every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. 
In particular, controllers should accurately record information they collect or receive and the source of that information.<\/p>\n<p><strong>Storage Limitation:<\/strong> Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data is not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.<\/p>\n<p><strong>Integrity and Confidentiality<\/strong>: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to, or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical and\/or organisational and security measures.<\/p>\n<p><strong>Accountability:<\/strong> The controller is responsible for and must be able to demonstrate compliance with all of the above principles. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.<\/p>\n<p>In addition, it is necessary to establish one of the six legal bases for processing personal data provided by Article 6(1) of the GDPR. 
Article 6(1) of the GDPR sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.<\/p>\n<p>Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person\u2019s sex life or sexual orientation (i.e. special category data) is prohibited, unless one of the conditions set out in Article 9(2) of the GDPR applies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Irish law, explicit consent is required for the use of personal data for health research purposes pursuant to the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations, as amended.<\/p>\n<p>Pursuant to the e-Privacy Regulations, consent is required in respect of electronic direct marketing for new customers. Consent is not required in respect of electronic direct marketing for existing customers, where certain conditions are satisfied.<\/p>\n<p>Consent is required for the use of non-essential cookies or other tracking technologies. 
Consent is often the most appropriate basis for the use of biometric data.<\/p>\n<p>In order for consent to be valid under the GDPR it must be freely given, unambiguous and fully informed. It must be specific to the data processing in question and distinguished from other matters when requested. Data subjects must give an unambiguous indication of their agreement to the data processing operations, by a clear affirmative, rather than a passive, act.<\/p>\n<p>In order to ensure that consent is freely given, controllers should avoid using consent as the legal basis for processing where there is a clear imbalance of power between the data subject and the controller, such as in the context of an employer\/employee relationship.<\/p>\n<p>The GDPR expressly provides for the right of a data subject to withdraw his\/her consent at any time and requires consent to be as easy to withdraw as to give in the first place.<\/p>\n<p>There have been a number of judgments from the Court of Justice of the European Union which have provided clarity on what constitutes \u2018valid consent\u2019, such as confirmation that an opt-out option which has been pre-selected by a controller cannot be considered to be valid consent, that consent obtained should be granular rather than bundled, and that blanket acceptance of general terms and conditions is not considered to be clear, affirmative action.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The GDPR provides extra protection for certain categories of sensitive personal data, called \u201cspecial category data\u201d, under Article 9 of the GDPR. Special category data is:<\/p>\n<p>\u201cpersonal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person\u2019s sex life or sexual orientation\u201d.<\/p>\n<p>These categories of personal data shall not be processed, unless a controller can avail of one of the exceptions under Article 9(2) of the GDPR. These exceptions include where the controller has the explicit consent of the data subject, exceptions on the basis of employment or social protection law or where the processing is for the establishment, exercise or defence of legal claims.<\/p>\n<p>Criminal offence data is also offered special protection and can only be processed in certain limited circumstances. Different restrictions apply where the data is processed for law enforcement purposes.<\/p>\n<p>In addition to the protections under the GDPR and the 2018 Act, the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018, as amended, set out stringent rules governing the collection, use and sharing of personal data for health research purposes.<\/p>\n<p>The GDPR and the 2018 Act apply to children and adults equally. Although children\u2019s data is not treated as a separate category of data, data protection law recognises that children merit specific protection. 
Under Section 29 of the 2018 Act, a child is defined as a person under the age of 18 years. Sections 30 to 33 of the 2018 Act relate specifically to children and cover the micro-targeting and profiling of children, the consent of a child in relation to information society services, codes of conduct in relation to children and a child\u2019s right to be forgotten. Section 30, which relates to the micro-targeting and profiling of children, has not yet been commenced.<\/p>\n<p>The age of digital consent in Ireland has been specified as 16 and online providers (such as providers of apps and social media platforms) must make \u201creasonable efforts\u201d to verify that a person with parental responsibility has consented to the processing of the personal data of a child under the age of 16 on the child\u2019s behalf, where consent is the legal basis relied upon for that processing.<\/p>\n<p>The protection of children\u2019s personal data and the protection of children online is an important topic of discussion in Ireland at present, with the Government currently indicating that it will consider a social media ban for under 16s. In November 2025, the DPC launched its \u201cPause Before You Post\u201d campaign to raise awareness of the potential risks and consequences of \u201csharenting\u201d \u2013 the habitual sharing of personal information, photos and videos by parents of their children online.<\/p>\n<p>There is a strong focus in the Digital Services Act 2024 (\u201cDSA\u201d) on better protection for children from online harm. The DSA requires providers of online platforms accessible to minors to put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security for minors on their service. 
From a data protection perspective, the DSA introduces several significant obligations specifically designed to safeguard children\u2019s privacy and limit the exploitation of their personal data in the digital environment.<\/p>\n<p>The Online Safety and Media Regulation Act 2022 (the \u201c2022 Act\u201d) aims to regulate the provision of content through non-traditional media ranging from social media to online gaming. The 2022 Act aims to regulate harmful content and create a safer online environment, in particular by addressing the causes of cyber bullying, self-harm or suicide, and material that promotes nutritional deprivation. In 2024, Coimisi\u00fan na Me\u00e1n (the regulator under the 2022 Act) published the Online Safety Code, which sets binding rules for video-sharing platforms in order to protect users, especially children, from harmful content.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restrictions, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors? If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The GDPR and the 2018 Act apply to children and adults equally. Under Section 29 of the 2018 Act, a child is defined as a person under the age of 18 years. 
Sections 30 to 33 of the 2018 Act relate specifically to children and to the micro-targeting and profiling of children, the consent of a child in relation to information society services, codes of conduct in relation to children and a child\u2019s right to be forgotten.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The GDPR and the 2018 Act set out various derogations, exemptions, exclusions and limitations, for example in relation to data subject rights. Article 23 of the GDPR creates the right for Member States to introduce derogations to data protection law in certain situations. Member States can introduce derogations from transparency obligations and data subject rights, but only where the measure \u201crespects the essence of fundamental rights and freedoms and is necessary and proportionate in a democratic society\u201d.<\/p>\n<p>In addition to this, the provisions in Chapter IX of the GDPR provide for a mixed set of derogations, exemptions and powers to impose additional requirements, in respect of GDPR obligations and rights, for particular types of processing.<\/p>\n<p>The 2018 Act permits controllers to restrict data subject rights where it is necessary and proportionate to safeguard certain objectives, as set out in Sections 60 and 94 of the 2018 Act. 
Examples of such restrictions include:<\/p>\n<ol>\n<li>The Data Protection Act 2018 (Section 60(6)) (Central Bank of Ireland) Regulations 2020 restrict data subject access to information for which the Central Bank of Ireland is the controller in certain circumstances.<\/li>\n<li>The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 restrict data subject access to health data, where the application of that right would be likely to cause serious harm to the physical or mental health of the data subject.<\/li>\n<\/ol>\n<p>Derogations also exist in relation to the rules applicable to the transfer of data outside the EEA, which can be relied upon in limited circumstances.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The legislative requirements have been interpreted as requiring organisations to carry out risk assessments in relation to data processing activities on an extensive basis. Where controllers or processors are processing personal data in a way that is likely to result in a high risk to data subjects\u2019 rights, a Data Protection Impact Assessment (\u201cDPIA\u201d) must be carried out prior to commencement. The GDPR provides some non-exhaustive examples of when data processing is likely to result in high risks. High risk processing includes large scale processing of special categories of personal data, or processing of personal data relating to criminal convictions and offences. 
The DPC has published guidance in this area to assist organisations in determining when a DPIA is required.<\/p>\n<p>Organisations will differ in how risk assessments are carried out and much will depend on the organisation\u2019s risk assessment policy. It is important that the organisation\u2019s DPO is involved in such assessments.<\/p>\n<p>In addition, where the legitimate interests ground is relied on under Article 6(1)(f) of the GDPR as a lawful basis for processing, it is recommended best practice for the controller to carry out a Legitimate Interests Assessment (\u201cLIA\u201d), which involves assessing the impact of the proposed processing on individuals\u2019 interests through a balancing test.<\/p>\n<p>If personal data is being transferred to a third country outside the EEA that is not covered by an adequacy decision, a Transfer Impact Assessment (\u201cTIA\u201d) should be carried out to ensure that the third country provides a level of protection for personal data equivalent to that provided by the GDPR or, where this is not the case, that supplementary measures are put in place to protect the data. 
This is a legal obligation when data is being transferred in reliance on one of the transfer tools set out in Article 46 of the GDPR.<\/p>\n<p>Additional risk assessment requirements will apply under the AI Act for specified categories of AI and will need to be carried out in conjunction with data protection and IT security risk assessments.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific codes of practice regarding the processing of personal data.<\/p>\n<p>The DPC has published comprehensive guidance in relation to various processing activities, for example guidance in relation to the processing of children\u2019s data entitled \u2018Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing\u2019. The purpose of this guidance is to assist organisations to implement and develop strong data protection standards for the processing of children\u2019s personal data.<\/p>\n<p>Organisations may prepare codes of conduct, and they must formally submit their draft codes to the DPC for approval. If a code of conduct covers processing activities in more than one Member State, the draft code is sent to the EDPB for review and approval. 
For non-public sector organisations, the code of conduct must identify a Monitoring Body to ensure compliance with the code.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 30 of the GDPR imposes a duty on controllers, processors and their representatives to maintain a record of processing activities (a \u201cROPA\u201d). The ROPA must be in writing, including in electronic form, must be updated regularly and must be available for submission to the DPC upon request. Organisations with fewer than 250 employees are exempt from keeping this record in certain circumstances, although a ROPA is mandatory for all organisations for HR-related data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 5 of the GDPR provides that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Specific time periods for retention of personal data are not stipulated by the GDPR or the 2018 Act. 
A controller must ensure that an appropriate time limit is established for the erasure of personal data and for the carrying out of periodic reviews of the need for retention of that data. A written data retention policy is advisable for the purposes of demonstrating compliance with this obligation.<br \/>\nCertain Irish legislation stipulates minimum retention periods for certain personal data, such as employee-related records.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Where a controller determines, by way of a data protection impact assessment (\u201cDPIA\u201d), that the intended processing would result in a high risk to the data protection rights of individuals in the absence of mitigation measures, it must consult with the DPC. The controller is obliged to carry out the DPIA, together with the DPO and any data processors. A controller has an obligation under the GDPR to notify the DPC within 72 hours of becoming aware of a personal data breach.<\/p>\n<p>Organisations must submit draft codes of conduct to the DPC and are strongly advised to engage with the DPC informally at the early stages of the drafting of a code of conduct.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>An organisation is required to appoint a designated DPO, where the processing is carried out by a public authority or body; the core activities require regular and systematic monitoring of data subjects on a large scale; or the core activities consist of processing on a large scale of special category data or data relating to criminal convictions and offences. The duties of DPOs include advising the organisation on data protection obligations, monitoring compliance including audits and training, acting as a contact point for the DPC and handling queries or complaints of data subjects. Article 27 of the GDPR requires non-EU organisations to designate in writing a representative in the EU unless one of the specified exemptions applies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>One of the legislative duties of the DPO is to oversee training of staff by the organisation. The DPC advises that it is good practice to provide all staff with data protection training on or shortly after commencing employment. 
Evidence of ongoing training is considered necessary to demonstrate compliance with the principle of accountability and to ensure compliance with other provisions of the GDPR.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The principle of transparency set out in the GDPR requires controllers to provide information to individuals about how their data is processed. The minimum information to be provided to data subjects includes the identity of the controller, the reason for processing the data, the lawful basis for processing the personal data, applicable data transfer details, the data retention timeframe and the existence of the individual\u2019s rights under data protection law. This information is typically provided by way of a data privacy notice.<\/p>\n<p>Pursuant to the e-Privacy Regulations, subscribers must be informed of the types of data that are processed, the duration of such processing, the possibility to withdraw their consent and whether the data will be transmitted to a third party for specified purposes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? 
If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The GDPR imposes obligations on both controllers and processors. However, a clear distinction is drawn: primary responsibility for the protection of personal data under the GDPR is placed on controllers. A processor will be liable only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Monitoring is not specifically restricted or prohibited by the GDPR or the 2018 Act. However, a controller must establish a lawful basis for processing, and large-scale monitoring of a publicly accessible area requires completion of a DPIA.<\/p>\n<p>Automated decision-making (including profiling) is prohibited where it produces legal effects concerning an individual. There are some exceptions to this prohibition, for example where the decision is authorised or required under Irish law.<\/p>\n<p>The e-Privacy Regulations prohibit the use of cookies or other tracking technologies which are not strictly necessary, unless the user has given explicit consent to that use. 
The standard of consent is set out under the GDPR. Consent for the placement of non-essential cookies is not valid if it was either bundled or obtained by way of pre-checked boxes that users must deselect. Controllers must ensure that opt-in consent is obtained for each purpose for which cookies are set, and consent must be as easy to withdraw as it was to provide in the first place.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirements or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross-context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>Cookies:<\/strong><\/p>\n<p>In Ireland the use of cookies is regulated mainly by the e-Privacy Regulations, which provide that consent is required except for cookies which are strictly necessary to provide a service which has been explicitly requested by the user.<\/p>\n<p>The DPC has set out <a href=\"https:\/\/www.dataprotection.ie\/en\/dpc-guidance\/guidance-cookies-and-other-tracking-technologies\">guidance<\/a> on cookies and other tracking technologies, providing that the standard of consent is as defined in the GDPR. Under the GDPR, consent must be a clear, affirmative act, freely given, specific, informed and unambiguous. 
Users must be provided with easily accessible, clear and comprehensive information on the technology used by the website to collect personal data and the purpose for which the collected data will be used.<\/p>\n<p><strong>Targeted advertising: <\/strong><\/p>\n<p>Both targeted and behavioural advertising are forms of data processing that must have a legal basis. The appropriate legal basis for behavioural advertising is currently the subject of much debate before the regulators and the Courts. Regulator decisions have struck down contractual necessity and legitimate interests as appropriate legal bases for behavioural advertising. As a result, consent is now considered the only appropriate legal basis. The EU\u2019s Digital Markets Act (\u201c<strong>DMA<\/strong>\u201d) requires that users\u2019 consent is obtained for combining their personal data between services for advertising purposes and that users who do not consent must have access to a (less personalised) but equivalent alternative. These developments have led to the implementation of \u2018consent or pay\u2019 models by large online platforms. In April 2024 the EDPB issued an opinion on these models, finding that large online platforms are unlikely to be able to comply with the requirements for valid consent if they provide users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes or paying a fee. There have been significant questions raised about this \u2018consent or pay\u2019 model with regard to economic equity, transparency and data subject choice, in circumstances where it may present a potential economic divide between data subjects who can afford to pay for this option and those who cannot. It could also introduce undue pressure on data subjects to consent to data collection in circumstances where they could be exploited. Meta has been the subject of a significant fine by the EU Commission for non-compliance in this area. 
The DSA prescribes transparency rules and prohibits the use of certain data types (including special category data) for targeted advertising by online platforms. The DSA prohibits targeted advertising aimed at children and requires service providers to carry out an assessment of the risk that their platform may pose to children.<\/p>\n<p>The most recent updates confirm that the EDPB\u2019s April 2024 opinion remains the position, with the EU General Court in April 2025 rejecting Meta\u2019s attempt to annul the opinion. In addition, in April 2025 the European Commission imposed a \u20ac200 million fine on Meta under the DMA for failing to provide an equivalent, non-personalised alternative to users who declined data sharing. As a result, in December 2025 the European Commission announced that Meta had committed to giving EU users a choice as to whether to receive personalised ads from January 2026.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d (or similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>\u201cSale\u201d in the context of the sale of personal information is not defined in Irish law; however, it is captured by the broad definition of processing. Therefore, a controller must comply with all of the legal obligations applicable to the processing of personal data under the GDPR, including the core principles as outlined in response to question 5 above. A purchaser of personal data would need to verify the data\u2019s usability, i.e. 
ensuring its lawful collection and subsequent use. This would include reviewing the vendor\u2019s record of processing activities to ensure the vendor has complied with all legal requirements, such as obtaining valid consent and conducting a legitimate interests assessment.<\/p>\n<p>There is no statutory definition of \u201cdata broker\u201d in either the GDPR, the 2018 Act, or other Irish legislation. Organisations that engage in data broker activities are regulated through the general data protection framework. Under the GDPR, any entity that collects or processes personal data for resale or profiling purposes is treated simply as a data controller and is fully subject to obligations such as lawful basis requirements, transparency duties, data subject rights, and restrictions on international transfer.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Regulation 13 of the e-Privacy Regulations, affirmative consent of the recipient, for example specifically opting in, is required for electronic direct marketing. Where a direct marketer has the consent of a data subject, that consent may be withdrawn by the data subject. 
Under Article 21 GDPR, in all cases of direct marketing, the data subject has the right to object at any time to the use of their personal data for such marketing, which includes profiling related to such direct marketing. The right to object must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.<\/p>\n<p>Regulation 13(11) of the e-Privacy Regulations does allow for direct marketing in the context of the sale of a product or a service without specifically requiring affirmative consent where certain conditions are met.<\/p>\n<p>Under the e-Privacy Regulations, marketing calls to mobile phones are prohibited unless the caller has been notified by the subscriber or user that he or she consents to the receipt of such calls on his or her mobile telephone, or the subscriber or user has consented generally to receiving marketing calls and that consent is recorded in the National Directory Database (\u201c<strong>NDD<\/strong>\u201d) in respect of his or her mobile telephone number.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition? If so, how are the relevant terms defined? Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The processing of biometric data, including facial recognition, is strictly regulated under Irish data protection law and is subject to specific obligations. 
Biometric data is classified as \u2018special category\u2019 personal data under the GDPR, but only where it is used for the purpose of uniquely identifying an individual.<\/p>\n<p>Biometric data processed for the purpose of uniquely identifying a natural person is subject to the highest level of protection and may only be processed where one of the limited Article 9(2) exemptions applies, such as explicit consent or substantial public interest.<\/p>\n<p>Under the GDPR, biometric data is defined as \u2018personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data\u2019.<\/p>\n<p>Recent DPC enforcement in 2025 against the Department of Social Protection for unlawful facial biometric processing demonstrates the strict approach and reinforces that organisations must have a robust legal basis, clear necessity, transparency, and strong safeguards when using biometric identifiers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d)? 
If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Ireland, there is currently no stand-alone data protection law that specifically governs AI or machine learning.<\/p>\n<p>The EU AI Act (not yet fully implemented in Ireland) began phased application in 2025 and regulates AI systems broadly based on their level of societal risk rather than focusing exclusively on personal data. It introduces obligations for high-risk, limited-risk, and prohibited AI systems and applies to AI systems regardless of whether the processing involves personal data.<\/p>\n<p>The GDPR and the 2018 Act apply to all processing of personal data, including the use of such data for training or operating AI systems.<\/p>\n<p>Certain GDPR provisions are especially relevant to AI. For example, the rules on automated decision-making and profiling restrict decisions made solely by automated means that have a legal effect on individuals.<\/p>\n<p>The DPC has been active in scrutinising how organisations use personal information to train AI tools.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction? In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no explicit data localization requirements in this jurisdiction. 
Organisations are not required to store personal data within Ireland, nor are they generally prohibited from storing data in other jurisdictions.<\/p>\n<p>Ireland is subject to the GDPR, which allows the free flow of personal data within the EU\/EEA. There is no law that mandates storing data locally (either in Ireland or the EU\/EEA). However, there are strict conditions which must be complied with when storing or transferring personal data outside of the EEA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Transfers of personal data from Ireland to non-EEA or \u2018third\u2019 countries are governed by Chapter V of the GDPR. Such transfers are permitted either where there is an EU Commission adequacy decision in place or, alternatively, where appropriate safeguards are implemented under Article 46 of the GDPR, such as standard contractual clauses (\u201c<strong>SCC<\/strong>s\u201d) or Binding Corporate Rules (\u201c<strong>BCR<\/strong>s\u201d). Derogations may also apply in limited circumstances under Article 49 of the GDPR. In June 2021, the European Commission approved four separate modular sets of SCCs; the appropriate module to be used will depend on the data protection role of the data exporter and data importer. Where SCCs are used, they should comply with the EDPB recommendations. 
In particular, the exporter must carry out a transfer risk assessment and also identify and implement supplementary measures, where required, to ensure an \u201cessentially equivalent\u201d level of protection applies to the personal data in the third country.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers and processors are obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk arising from processing activities. Article 32 of the GDPR sets out specific examples of measures (on a non-exhaustive basis) to ensure security of processing of personal data, as well as certain considerations that should be taken into account, such as the costs of implementation and the nature, scope, context and purposes of processing.<\/p>\n<p>The e-Privacy Regulations impose certain security obligations on undertakings providing a publicly available electronic communications network or service. 
Security measures must at least ensure that the personal data can be accessed only by authorised personnel for legally authorised purposes, protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and ensure the implementation of a security policy with respect to the processing of personal data.<\/p>\n<p>The DPC issued Data Security Guidance for Microenterprises in July 2019 and a separate Guidance for Controllers on Data Security in February 2020.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific security requirements set out in law for specific types of data. However, data protection law takes a risk-based approach to security. At the core is the GDPR principle that security must be appropriate to the risk. 
This means that the more sensitive the data, the greater the potential harm if it is compromised, and therefore the stronger the safeguards that are expected.<\/p>\n<p>Article 32 GDPR requires controllers and processors to implement security measures proportionate to the risk, which requires stronger controls such as encryption, pseudonymisation, and resilience measures to be applied when handling sensitive data.<\/p>\n<p>In addition, Section 51(4)(b) of the 2018 Act specifically mandates that any processing of special category data or criminal offence data under substantial public interest grounds must include \u2018suitable and specific measures\u2019 to safeguard individuals\u2019 rights, with Section 36 providing examples such as enhanced logging and encryption.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The term \u2018personal data breach\u2019 is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.<\/p>\n<p>The NIS Regulations define the term \u201cincident\u201d as any event having an actual adverse effect on the security of network and information systems.<\/p>\n<p>A controller is obliged to notify the DPC within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to individuals. Controllers are also obliged to notify the affected data subject of the personal data breach, where the breach is \u2018likely to result in a high risk to the rights and freedoms of the natural person\u2019.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In accordance with the GDPR, individuals have various rights including the right of access, right of erasure, right of rectification, right of restriction, right of data portability and right to make a complaint to the DPC. 
Data subjects can exercise their rights by contacting the controller, who must respond without undue delay and at the latest within one month of receipt of the request (this time period can be extended by up to two months in exceptional circumstances).<\/p>\n<p>If a request is refused, a controller must inform the data subject without delay of the reasons why their request is refused and also of the possibility of lodging a complaint with the DPC and\/or seeking a judicial remedy.<\/p>\n<p>There are various exceptions to data subjects\u2019 rights, set out in sections 60 and 94 of the Data Protection Act 2018, which seek to balance the rights of data subjects on the one hand with the rights of third parties, or the needs of civil society, on the other hand. For example, personal data that is legally privileged is not required to be provided on foot of a DSAR, nor is personal data required to be erased if processing is necessary for compliance with a legal obligation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? 
Please explain under what circumstances a private right of action applies and\/or a class action may be brought, and whether certain types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Where a data subject considers that their rights have been infringed as a result of personal data processing, they may bring a data protection action against the controller or processor concerned in the District, Circuit or High Court, depending on the value of the claim. The 2018 Act originally granted jurisdiction to the Circuit Court and High Court only, which resulted in the costs of these claims exceeding their value, since the average compensation awarded for data breach claims is very modest and well within the District Court level. The Courts and Civil Law (Miscellaneous Provisions) Act 2023 added the District Court to the available venues for data protection litigation.<\/p>\n<p>Irish law does not allow for class action but does allow for representative action.<\/p>\n<p>Following the introduction of the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023, which came into force on 30 April 2024 and transposed the EU Collective Redress Directive, there is provision for representative action litigation for violation of privacy\/GDPR rights. This regime permits designated Qualified Entities, currently only the Irish Council for Civil Liberties (\u201cICCL\u201d), the European Centre for Digital Rights (\u201cNOYB\u201d), and Digital Rights Ireland, to bring representative actions on behalf of groups of consumers. 
In May 2025, the High Court approved the initiation of Ireland\u2019s first ever GDPR representative action, brought by the ICCL against Microsoft, confirming that collective redress is now available in Ireland for data protection infringements. The proceedings, which are ongoing, concern Microsoft\u2019s use of personal data in the context of \u201creal-time bidding\u201d (\u201cRTB\u201d) technology in its online advertising business.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Section 117 of the 2018 Act permits an individual to seek compensation for damage caused as a result of the infringement of data protection laws. Damage includes material and non-material damage. The interpretation of \u2018non-material damage\u2019 has been the subject of a number of decisions of the Irish domestic Courts and the CJEU.<\/p>\n<p>Another matter which has come before the Courts is whether claims for mental distress, anxiety, upset or inconvenience arising from a data breach, where no recognised psychiatric injury is alleged, constitute \u201cpersonal injuries\u201d under the Personal Injuries Assessment Act 2003. In 2025, the Irish Supreme Court in the case of Dillon v Irish Life Assurance clarified that this type of non-material damage does not come within the definition of personal injuries. 
The impact of this is that these claims do not require Personal Injuries Assessment Board (\u201cPIRM\u201d) authorisation.<\/p>\n<p>The Supreme Court also clarified that claims for mental distress, anxiety, upset or inconvenience, where no recognised psychiatric injury is alleged, will only attract very modest awards.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Privacy and data protection laws are enforced through the DPC and the Courts. The DPC possesses broad enforcement powers, as well as investigatory powers including search and seizure powers, the power to issue information and enforcement notices (failure to comply with which is an offence) and a right to apply to the High Court for the suspension or restriction of processing of data where it is considered that there is an urgent need to act. The DPC also has the power to prosecute offences under the 2018 Act and the e-Privacy Regulations.<\/p>\n<p>The DSA will be enforced by the European Commission and Member States\u2019 DSCs in respect of intermediary services with their main establishment in that Member State. The DSA designates CNM as the DSC in Ireland. The DSCs have wide powers of investigation and powers to impose administrative sanctions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction? 
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Organisations may face administrative fines of up to \u20ac10 million or 2% of global annual turnover for lower tier infringements, and up to \u20ac20 million or 4% of global turnover for more serious violations. The DPC can also impose reprimands, compliance orders, processing bans, and corrective measures.<\/p>\n<p>The 2018 Act imposes a maximum fine of up to \u20ac1,000,000 on public authorities or bodies that do not act as an \u2018undertaking\u2019 within the meaning of the Irish Competition Act 2002. The maximum criminal penalty for summary offences under the 2018 Act is \u20ac5,000 and\/or 12 months\u2019 imprisonment. Indictable offences carry a maximum penalty of \u20ac250,000 and\/or five years\u2019 imprisonment.<\/p>\n<p>Although Ireland has no separate national fine calculation guidelines, the DPC applies the criteria under Article 83 of the GDPR, considering factors such as the nature, gravity, and duration of the breach, intent, cooperation, and the categories of data affected, and follows the harmonised fining approach developed through EDPB guidance. In practice, Ireland is the EU\u2019s most active enforcer, having issued over \u20ac4 billion in GDPR fines to date, including some of the largest penalties ever recorded.<\/p>\n<p>The DPC does not have the power to impose regulatory fines pursuant to the e-Privacy Regulations. However, offences under these regulations can be prosecuted in the Courts. A summary offence carries a maximum fine of \u20ac5,000. 
Indictable offences carry a maximum fine of \u20ac250,000, depending on the nature of the offence being prosecuted.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Ireland, controllers or processors can appeal fines imposed by the DPC within 28 days of receipt of the decision. Upon hearing an appeal, the Court may confirm the decision of the DPC, impose a different fine, or annul the decision. Where an organisation wishes to challenge the decision-making process of the DPC, it may do so by way of judicial review.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability. For example, are all organizations subject to the requirement or only certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)? 
Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The NIS Regulations apply a set of binding security obligations to critical infrastructure operators in the energy, healthcare, financial services, transport, water supply, digital infrastructure, and telecommunications sectors. Both Digital Service Providers (\u201c<strong>DSPs<\/strong>\u201d) and Operators of Essential Services (\u201c<strong>OES<\/strong>\u201d) are required to identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems used by them. Those measures are required to ensure a level of security which is appropriate to the risk posed and must also take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing &amp; testing and compliance with international standards.<\/p>\n<p>OES are required to take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used by them in the provision of essential services. This is to ensure continuity of those services.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? 
If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While Ireland does not yet impose general mandatory cybersecurity audits or certifications on all organisations, mandatory audit\u2011style oversight and a national cybersecurity certification scheme are imminent under the transposition of NIS2. These obligations will apply to thousands of additional entities and will represent Ireland\u2019s first structured, legally mandated cyber\u2011compliance programme.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Other than the overarching requirements set out above in relation to risk management measures to be adopted, there are no specific requirements relating to supply chain management under the NIS Regulations.<\/p>\n<p>The NIS2 Directive imposes specific requirements regarding supply chain management and security for entities. Member States are required to adopt policies addressing cybersecurity in the supply chain for ICT products, and ICT services used by entities for the provisions of their service. 
Article 21 of the NIS2 Directive, which relates generally to cybersecurity risk management measures, requires that entities ensure supply chain management, including security-related aspects, between them and their direct suppliers or service providers.<\/p>\n<p>For the financial sector, DORA stipulates that Financial Entities are required to ensure that, where services are provided by Third Party ICT Suppliers, their contracts with those suppliers contain certain minimum requirements. These requirements are extended in respect of suppliers providing a service considered by the Financial Entity to support a critical or important function.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific obligation under the NIS Regulations to officially appoint a chief information security officer, regulatory point of contact or other person responsible for cybersecurity. 
Notwithstanding this, the Regulations address offences committed by bodies corporate and provide that where such an offence has been committed with the consent or connivance of, or was attributable to any wilful neglect by, a director, manager, secretary or other officer purporting to act in that role, that individual, as well as the corporate body, will be liable to criminal prosecution.<\/p>\n<p>The NIS2 Directive, when transposed in Ireland, will place greater levels of responsibility on C-suite management in this regard. Competent authorities will have the power, where there has been a failure to comply with a direction of a national competent authority, to prohibit temporarily any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level in the entity from discharging those responsibilities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The NIS Regulations set out the following obligations relating to incident notifications:<\/p>\n<p>Regulation 18 provides that an OES shall notify the CSIRT of any incident concerning it that has a significant impact on the continuity of an essential service provided by it in respect of which it is designated as an operator of essential services. 
The notification shall be made as soon as possible and not later than 72 hours after the OES concerned becomes aware of the occurrence of the incident. Regulation 18(4) sets out the factors in determining whether the incident has a significant impact on the continuity of the essential service.<\/p>\n<p>Regulation 22 provides that a relevant DSP shall notify the CSIRT of any incident that has a substantial impact on the provision by it of a digital service. The notification shall be made not later than 72 hours after the relevant DSP becomes aware of the occurrence of the incident. Section 2(4) sets out factors to take into account in determining whether to notify an incident.<\/p>\n<p>Regulation 6 provides for the co-operation of the competent authority, where necessary, with the DPC in relation to any matter concerning the Regulations, including in relation to an incident resulting in a personal data breach. Regulation 6 also provides that the competent authority, in accordance with law, may consult and co-operate, where necessary, by sharing information with the Garda S\u00edoch\u00e1na in relation to any matter to which the Regulations apply.<\/p>\n<p>The CBI Cross Industry Guidance in respect of Information Technology and Cyber Security Risks provides that firms are expected to notify the CBI when they become aware of a cybersecurity incident that could have a significant and adverse effect on the firm\u2019s ability to provide adequate services to its customers, its reputation or its financial condition.<\/p>\n<p>Section 19 of the Criminal Justice Act 2011 imposes a mandatory obligation to report certain cybersecurity offences, in certain circumstances, to the Garda\u00ed.<br \/>\nProviders of public electronic communications networks and services must notify users of a significant threat of a security incident pursuant to the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023. 
Providers are required to notify ComReg of any security incident that will have a significant impact on the provider\u2019s networks or services pursuant to this Act as well as the e-Privacy Regulations.<br \/>\nNIS2 imposes wider cybersecurity incident reporting duties beyond data protection concerns.<\/p>\n<p>The NIS2 Regulations, when implemented, will require \u2018Essential\u2019 and \u2018Important\u2019 entities to report significant cybersecurity incidents to the National Cyber Security Centre even where no personal data breach occurs. A cybersecurity incident is defined broadly as any event compromising the availability, integrity, authenticity, or confidentiality of data or network and information systems, and the regime mandates rapid notice, including an early warning within 24 hours and a full incident report within 72 hours. GDPR obligations operate in parallel, requiring notification to the DPC within 72 hours only when the incident results in a personal data breach.<\/p>\n<p>DORA requires Financial Entities to report the occurrence of certain categories of cybersecurity incidents within 4 hours of the incident being classified as \u2018major\u2019 and within 24 hours after the entity becomes aware of it. A further intermediate report is required within 72 hours of the initial notification, with a final report required no later than one month after the notification. These reports are made to the national competent authority (i.e. the Central Bank of Ireland).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? 
Please explain under what circumstances a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Individuals can bring a private right of action for cybersecurity incidents, but the pathway depends on whether the incident constitutes a breach of data protection law or on what other type of harm is alleged (for example, breach of contract in the event of an incident). See above for data protection breaches and the availability of class action suits in these instances.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the NIS Regulations, the Minister for the Environment, Climate and Communications is the designated competent authority for the purposes of enforcement against providers within all sectors as well as digital service providers, other than the banking and financial market infrastructure sectors, for which the Central Bank of Ireland is designated. Enforcement actions have been relatively rare under the NIS Regulations, with an emphasis placed on ensuring compliance through supervision and collaboration.<\/p>\n<p>Under regulation 30, competent authorities can, if an authorised officer is of the view that there is non-compliance with the legislation, issue a compliance notice to an entity, requiring it to take certain remedial actions within a specified time period. 
The consequence for failing to comply with a compliance notice is criminal prosecution.<\/p>\n<p>The provisions relating to enforcement under the NIS2 Directive are broader and afford greater powers to regulators to ensure compliance with the legislation. The inclusion of an administrative fines regime will afford considerable power to regulators to ensure compliance. Further, several existing sectoral regulators will become National Competent Authorities for the purpose of the NIS2 Directive when the enacting legislation comes into force.<\/p>\n<p>ComReg is empowered to issue administrative sanctions in response to infringements of the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023.<\/p>\n<p>In relation to DORA, the Central Bank of Ireland is the primary regulatory body and effects enforcement through a range of measures set out in Part 4 of those Regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The NIS Regulations provide certain powers to competent authorities to enable them to enforce the provisions of the Regulations effectively. These powers include the power to carry out security assessments (regulation 27), which allow competent authorities to assess the compliance of OES and DSPs with security and incident notification requirements. 
Similarly, regulation 31 provides for the issuing of information notices.<\/p>\n<p>As mentioned above, regulation 29 of the NIS Regulations affords authorised officers powers which allow them to enter premises without consent or a warrant; inspect, examine, and require the production of records or information; secure and retain records or information; require assistance and cooperation from relevant persons; and interview individuals and require truthful answers.<\/p>\n<p>These powers are likely to expand when the National Cybersecurity Bill (which will transpose NIS2) is enacted.<\/p>\n<p>In relation to DORA, the Central Bank is provided with broad powers to enforce the Regulations. These powers are set out in Part 4 of the Regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction? Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>Range and guidance for cybersecurity violations:<\/strong><\/p>\n<p>In addition to the issuing of compliance notices to entities, regulation 34 of the NIS Regulations provides that a person guilty of an offence under a number of the provisions is liable, on summary conviction, to a class A fine or, on conviction on indictment, to a fine not exceeding \u20ac50,000 (in the case of an individual) or \u20ac500,000 (in the case of a person other than an individual). 
We are not aware of any criminal sanction being applied in respect of an offence under the NIS Regulations to date.<\/p>\n<p>NIS2, when transposed, will bring significantly increased levels of fines for non-compliance with the legislation in addition to further powers aimed at ensuring compliance by essential and important entities. This will include measures to heighten the responsibilities placed on management boards of entities. The maximum fines under NIS2 will range from up to \u20ac7 million or 1.4% of total worldwide annual turnover for Important Entities to up to \u20ac10 million or 2% of total worldwide annual turnover in respect of Essential Entities.<\/p>\n<p>Where an adjudicator deems that a breach has been committed under the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023, they may issue a fine of up to \u20ac5,000,000 or 10% of turnover for a corporate body, or up to \u20ac500,000 or 10% of the annual income of a natural person, which must be confirmed by the High Court.<\/p>\n<p>In relation to DORA, the maximum fine for a Financial Entity found to be in breach is \u20ac10 million or 10% of its annual turnover in the previous financial year, whichever is higher. This is done through the Central Bank\u2019s administrative sanctions regime under the Central Bank Act, 1942, as amended. 
The Central Bank also has the power to impose administrative sanctions of up to \u20ac1million on individuals who participated, while performing a \u201ccontrolled function\u201d, in a breach of DORA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">12924<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/140414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=140414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}