Legal basis under Irish data protection law

Public interest

Part 3 Section 38 of the Irish Data Protection Act specifies Art. 6 (1) e GDPR  in that processing of personal data is lawful where necessary for the performance of a task carried out in the public interest or for the exercise of official authority vested in the controller.

Therefore, the processing has to be necessary and proportionate for the performance of a function conferred on a controller by or under an enactment or by the constitution.

Secondary purposes

Part 3 Section 41 of the Irish Data Protection Act provides for the processing of personal data for certain purposes other than the purpose for which the data was collected. These include processing that is necessary and proportionate for the purposes of preventing a threat to national security and defense or public security; preventing, investigating or prosecuting criminal offences; and for the purposes of legal claims and legal proceedings.

Childrens’ consent

Part 3 Section 31 (1) of the Irish Data Protection Act provides that “the age of a child specified for the purposes of Article 8 (GDPR) is 16 years of age. Further, the term “information society services“ does not include a reference to preventative or counseling services.

Consent

Consent under Article 4 (11) GDPR requires a freely given, specific, informed and unambiguous action by the data subject, whereas explicit content is assumed only for the purposes of special categories of data in Article 9 of the GDPR.

Where the processing of personal data is to be carried out on the basis of the consent of the data subject, the processing shall be lawful only when–and to the extent of having been informed of the intended purpose of the processing and the identity of the controller–the data subject gives his or her consent freely and explicitly, and the request for consent is expressed in clear and plain language. The data subject may withdraw his or her consent at any time and shall be informed of this possibility prior to giving consent (Part 5 Section 71 (3) of the Irish Data Protection Act).

Assuming no distinction is drawn between what categories of data is processed, it is uncertain if the lawmaker intentionally wanted to implement stricter requirements as set in the GDPR.