Ireland's Instructions for Implementing the General Data Protection Regulation (GDPR)

Ireland's Instructions for Implementing the General Data Protection Regulation (GDPR)

In Ireland, personal data protection laws under the General Data Protection Regulation (GDPR) specifically apply only to living natural persons, meaning that the personal data of deceased persons is not covered by the GDPR and related Irish data protection legislation.

This means that organisations in Ireland are not obliged to provide access to personal data relating to deceased persons under Data Subject Access Requests (DSARs) or other data protection rights frameworks. Therefore, any processing or handling of data related to deceased persons is not regulated by the Irish Data Protection Act or GDPR. However, organisations should still demonstrate due diligence in their data processes and be able to show evidence of lawful bases for any data processing conducted.

It is worth noting that some privacy policies or organisations might provide options for individuals to define guidelines about what happens to their personal data after death, but these are specific to the organisation’s terms and not statutory requirements under Irish law. Additionally, for death registration or repatriation matters within the EU, including Ireland, specific rules exist but relate to civil and administrative procedures rather than data protection rights.

In cases where personal data is processed for scientific or historical research purposes or statistical purposes, the rights of data subjects under Arts. 15 (access right), 16 (right to rectification), 18 (right to restriction) & 21 (right to object) GDPR will be restricted to the extent that the exercise of those rights would likely render impossible, or seriously impair the achievement of those purposes, and the restriction is necessary for fulfilling those purposes in Ireland.

Data transfers are not subject to restrictions beyond those set out in the GDPR, but under the 2018 Act there is the potential for ministerial regulations to be enacted for reasons of important public policy. Relevant legislation in Ireland includes the Data Protection Act 2018, the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018, the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2018, and the Data Sharing and Governance Act 2019.

An Impact Assessment is required in certain circumstances in Ireland, including the profiling of vulnerable persons (including children) to target marketing or online services at them and the profiling or use of algorithms or sensitive personal data to determine access to services. The Health Research Regulations also require that an Impact Assessment be carried out in certain circumstances where personal data is processed for health research purposes.

[1] GDPR defines personal data as “any information relating to an identified or identifiable natural person,” which excludes deceased individuals. [2] Some service providers may allow data directives after death via contractual terms, but this is not a legal requirement under Irish law. [3] Separate procedures exist for death registration and related formalities, but these are not within data protection scope.

1. White & Case, a renowned international law firm, has issued a press release regarding the complexities and intricacies surrounding personal data protection of deceased individuals in Ireland.
2. The legal framework in Ireland, under the General Data Protection Regulation (GDPR), does not apply to the personal data of deceased persons, leaving organizations with no obligation to provide access to such data via Data Subject Access Requests (DSARs) or other data protection rights frameworks.
3. Despite this, legal entities should exercise due diligence when processing or handling deceased persons' data, ensuring they can demonstrate lawful bases for their actions.
4. Some organizations' privacy policies might offer the option for individuals to determine what happens to their personal data posthumously, but these provisions are company-specific, rather than statutory requirements under Irish law.
5. White & Case LLP offers a wide range of services, including guidance on the regulatory practice of data protection and compliance, which can be instrumental for organizations navigating such complexities.
6. In certain EU member states, including Ireland, specific rules exist for death registration and repatriation that fall outside the scope of data protection rights.
7. For scientific or historical research purposes, or statistical purposes, the rights to access, rectify, restrict, and object under GDPR may be restricted to prevent substantial impairment of the research objectives.
8. Under the 2018 Irish Data Protection Act, there is a potential for ministerial regulations to address matters of significant public policy, beyond the standard GDPR restrictions on data transfers.
9. Relevant legislation in Ireland includes the Data Protection Act 2018, various Health Research Regulations, and the Data Sharing and Governance Act 2019.
10. An Impact Assessment is necessary in certain circumstances in Ireland, including profiling vulnerable individuals (such as children) and the use of sensitive personal data or algorithms to access services.
11. In the realm of education and self-development, understanding the nuances of data protection laws and regulations, including those relevant to personal data of deceased individuals, can foster a strong foundation for career growth in the technology-driven legal sector.
12. The general news, sports, finance, and lifestyle sections of whitecase.com are also rich resources for staying updated on the latest US and international legal trends, providing valuable insights for clients and associates alike.

Read also: