Doing Business In... 2025

IRELAND Law and Practice Contributed by: Philip Tully, Emma Doherty, Geraldine Carr, Simon Shinkwin and Carlo Salizzo, Matheson LLP

a GDPR infringement. The decision does not confirm what proof of non-material damage is required other than there is no threshold of seri - ousness and further consideration of this ques - tion is anticipated by the Irish courts. On 10 January 2024, the Commercial Court awarded damages in Nolan & Ors v Dildar & Ors [2024] IEHC 4 despite no factual material or non- material damage being found. Damages were awarded “to mark the fact that their rights had been infringed”. The case arose from a breach in 2013 and the Court considered the scope of data controllers’ liability to data subjects for infringement of their rights under the 1988 and 2003 Data Protection Acts. While the breach predated the GDPR and the Data Protection Act 2018, the judgment indicat - ed the potential quantum and heads of damages that may be awarded to data subjects bringing compensation claims for damage suffered due to data protection violations under the new regime. The European Commission is required to con - duct a review of GDPR rules every four years. As part of this process, the Commission will likely look at problematic areas identified, such as the exercise of Data Subject Access Requests, the applicability of GDPR to SMEs, and international data transfers. Other Relevant Legislation Ireland has transposed the ePrivacy Directive via SI No 336/2011 – European Communities (Electronic Communications Networks and Ser - vices) (Privacy and Electronic Communications) Regulations 2011 (the “ePrivacy Regulations”). The ePrivacy Regulations deal with security and data breach reporting obligations for certain tel - ecommunications companies and, more gener - ally, electronic direct marketing rules. The same

implementing legislation addresses the local Irish requirements around obtaining consent for the use of cookies and similar technologies. Social welfare legislation such as the Social Welfare Act 2005 strictly prohibits the use of the Irish Personal Public Services Number (PPSN) for purposes other than dealing with specified government bodies. 8.2 Geographical Scope The GDPR applies to the processing of personal data by controllers and processors established in the EU (regardless of whether the processing itself takes place in the EU). The GDPR also applies to controllers and pro - cessors not established in the EU, where the organisation’s processing activities involve either the offering of goods or services to data subjects in the EU or the monitoring of the behaviour of data subjects in the EU. 8.3 Role and Authority of the Data Protection Agency The Irish Data Protection Commission (DPC) is the independent authority responsible for enforc - ing the GDPR and the DPA in Ireland. The DPC has investigative powers to examine complaints from individuals in relation to potential infringe - ments of data protection law and can order cor - rective measures where necessary. The DPC has extensive investigative and information-gather - ing powers. The DPC co-operates with other European supervisory authorities and will act as the lead supervisory authority in respect of cross-border processing of personal data by organisations that have their main establishments (from a data processing perspective) in Ireland.

391 CHAMBERS.COM

Powered by