James Browne (Wexford, Fianna Fail) | Oireachtas source

I move amendment No. 2:

In page 7, line 19, after “2015;” to insert the following: “to provide for the Data Protection Commission to issue a reprimand to a controller or processor in certain circumstances and”

This group of amendments relates to the Data Protection Act 2018. Amendments Nos. 2 and 3 amend the Long Title, while amendments Nos. 22, 23, 25 and 26 clarify that the Data Protection Commission will resolve a complaint by issuing a reprimand on the basis of the various non-statutory inquiry options that have been set out in the 2018 Act. The 2018 Act already provides for the use of reprimands in relation to a number of circumstances but is silent as to whether a reprimand may be used in the context of a complaint, handling of domestic cases, cross-border complaints where an inquiry has not been conducted and complaint handling in relation to alleged infringement proceedings of the law enforcement directive. The vast majority of complaints handled by the Data Protection Commission are not subject to an inquiry process as they are generally reserved for matters related to high-risk systemic processing. However, in individual complaint handling cases where the commission finds there has been an infringement by a data controller-processor, the commission is currently limited in the actions it may take to those prescribed by section 109(5). In expressly providing for the power of a reprimand to be imposed on a controller-processor in an individual complaint handling case, this amendment will clarify and strengthen the commission's suite of enforcement tools in the majority of cases. The scenarios in which the Data Protection Commission envisages issuing a reprimand outside a formal inquiry process are limited to where there is no dispute in relation to the matters under examination, for example, complaints of a failure to respond to a data access request within the specified timeframe under the general data protection regulation, GDPR.

While amendment No. 24 inserts a new section 117(B) to provide in primary legislation for express right on the part of individuals to enforce third party beneficiary rights conferred on data subjects under binding corporate rules and standard data protection clauses adopted by the European Commission or by a supervisory authority, the amendment also clarifies data subjects' third party beneficiary rights to subprocessors engaged by the data exporter to carry out specific processing activities on behalf of the data exporter. It supersedes SI 297 of 2021.

See this speech in context