Compliance with data protection regulation has far-reaching and profound consequences: from questions of evidential admissibility arising in recent criminal and civil trials to the controversy in respect of the retention of primary school children’s data; from Edward Snowden to cloud computing.

In today’s data-driven world, every organisation, company and individual involved in the control, use or storage of personal data must be able to answer a fundamental question.

“AM I A DATA CONTROLLER OR A DATA PROCESSOR?”

The answer to this question will dictate the level of responsibility that you or your organisation has over data under both Irish and EU data protection legislation.

The main legislation governing data protection in Ireland is the Data Protection Act 1988, which was amended by the Data Protection Amendment Act 2003, which brought into force the EU Data Protection Directive 95/46/EC. This legislation creates two categories of individuals or organisations dealing with personal data:

  • a data controller and
  • a data processor.

A data controller is the individual or the “legal person” who controls and is responsible for the retention and use of personal information on a computer or in structured manual files. Data controllers can be individuals, for example doctors and pharmacists who keep personal information about their patients, or “legal persons” such as limited liability companies, Government departments, banks, clubs, societies and other incorporated entities. Onerous legal responsibilities follow on from being a data controller, so you or your organisation should ensure you know if these responsibilities rest with you.

In order to determine whether or not you or your organisation is a data controller, you should ask yourself if you decide what information is to be collected and stored, to what use it is put and when it should be deleted or altered.

The responsibilities of data controllers are summarised in eight basic rules:

1. Obtain and process information fairly,

2. Keep it only for one or more specified, explicit and lawful purposes,

3. Use and disclose it only in ways compatible with these purposes,

4. Keep it safe and secure,

5. Keep it accurate, complete and up-to-date,

6. Ensure that it is adequate, relevant and not excessive,

7. Retain it for no longer than is necessary for the purpose or purposes,

8. Give a copy of his/her personal data to an individual, on request.

Other responsibilities include the obligation on certain categories of data controllers to register with the Data Protection Commission and the responsibilities surrounding marketing by phone, e-mail, fax or other electronic means, including text messaging.

These are just some of the responsibilities of data controllers under the legislation. To ensure compliance with these responsibilities, adequate staff training and an internal data protection policy are important elements to put in place.

A data processor is an entity that holds or processes personal data, but does not exercise responsibility for or control over the personal data. Examples may include accountancy firms and market research companies. Cloud computing providers are generally data processors under the data protection legislation. One individual or organisation can be both a data controller and a data processor in respect of distinct sets of personal data, but not in respect of the same data.

Responsibilities of data processors are limited compared to those of data controllers. Data processors must only process personal data on the instruction of the data controller. Further responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. A data processor that processes data on behalf of a data controller who is obligated to register with the Data Protection Commission must also register with the Data Protection Commission.

The Data Protection Commissioner has wide-ranging powers conferred upon it by the Data Protection Act. These powers include the power of authorised officers to enter and examine private premises of a data controller or data processor to allow the Commission to carry out its work, the power to obtain information necessary to carry out its function and the power to enforce compliance with the Act.

The wide-ranging powers of the Commission highlight the importance of knowing whether your organisation is a data controller or a data processor, as without this knowledge one’s legal responsibilities cannot be ascertained.

Take action now. Clarify your status. Develop your policies. Train your staff. It will be too late when problems develop, the Commissioner comes calling and you have been sued for compensation on foot of a breach.

Noel Doherty is a Partner with FitzGerald Solicitors. FitzGerald Solicitors are located in 6 Lapps Quay, Cork.


Please note that you should contact your Solicitor for specific legal advice tailored to your needs as each case is different and the foregoing article is not intended to provide legal advice.