Data Protection Commissioner


The Office of the Data Protection Commissioner is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

Role and operations of the Data Protection Commissioner

The independent role and powers of the Data Protection Commissioner are as set out in legislation in the and . These Acts transpose the Council of Europe 1981 Data Protection Convention and the 1995 EU Data Protection Directive.

Investigation of complaints

Complaints received from individuals who feel that their personal information is not being treated in accordance with data protection law are investigated under section 10 of the Data Protection Acts. It is the statutory obligation of the Office to seek to amicably resolve complaints in the first instance. Where amicable resolution cannot be achieved, the Commissioner may make a Decision on whether, in her opinion, there has been a breach of the law. If the complainant or the data controller disagrees with the Commissioner’s finding, they have the right to appeal the Decision to the Circuit Court. The DPC’s main priority, if a complaint is upheld, is that the data controller complies with the law and puts right the matter concerned. If an organisation does not voluntarily cooperate with an investigation, the DPC has powers of compulsion to require such cooperation.
In 2015, the Office received 932 complaints that were opened for investigation. Investigations into 1,015 complaints were concluded.

Audits

Section 10 of the Acts provides that "the Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof." These investigations often take the form of audits of selected organisations. The aim of an audit is to identify any issues of concern about the way the organisation under scrutiny manages personal data.
In 2015, the DPC carried out 51 audits and inspections of organisations in the public and private sectors.

Enforcement Activity

Offences under the Electronic Communications Regulations

All breaches of the Privacy and Electronic Communications Regulations 2003 for which the Office of the Data Protection Commissioner has responsibility are offences. The offences relate primarily to the sending of unsolicited marketing communications by electronic means. The offences are punishable by fines - up to €5,000 for each unsolicited message on summary conviction and up to €250,000 on conviction on indictment. The Office of the Data Protection Commissioner may bring summary proceedings for an offence under the Regulations.
Enforcement responsibility is shared with the Commission for Communications Regulation.