ODPC: The Office of Data Protection Commissioner

Responsible for upholding the rights of individuals and enforcing obligations upon data controllers. The Commissioner is independent.

Powers and duties of the ODPC

- To conduct investigations.
- To issue enforcement notices to data controllers and data processors.
- To authorise persons to enter premises to inspect personal data.
- Must investigate any complaints from individuals, unless the complaints are considered ‘frivolous’.

Complaints: Individuals can make complaints to the Commissioner, who will investigate and take whatever steps they may deem necessary to resolve the issue. The Commissioner is obliged to seek an amicable resolution. If that is impossible, the Commissioner may make a decision on the complaint; that decision may be appealed against to the Circuit Court.

Investigations: The Commissioner may also launch an investigation of his own initiative. The purpose of an investigation launched by the Commissioner is to ensure compliance with the Acts.

Information notice: issued by the Commissioner. Failure to comply without a reasonable excuse, as well as providing false or misleading information, are criminal offences.

Enforcement notice: issued by the Commissioner. It formally requires a data controller to take whatever steps are considered necessary to comply with the legislation. Failure to comply is an offence.

Privacy audit: The data controller usually gets notice and is informed of the aim of the audit.

Penalties and sanctions

Criminal sanctions. Offences are punishable by:
- Summary conviction: a fine of up to €3,000 per offence.
- Conviction on indictment: a fine of up to €100,000 per offence.

Where the offence is committed by an electronic communications company and relates to security obligations, it is punishable by:
- Summary conviction: a fine of up to €5,000.
- Conviction on indictment, a natural person: a fine of up to €50,000.
- Conviction on indictment, a body corporate: a fine of up to €250,000.

Forfeiture. Any data material or data equipment connected with the commission of the offence may be forfeited or destroyed, and any relevant data may be erased. Purpose: to prevent further damage being done using the data.

Civil sanctions. An action based on negligence under the law of torts. The damage may be to the data subject’s reputation, financial loss or mental distress. The action is based on negligence because the data controller or data processor owes a duty of care to data subjects; the duty is based on proximity between the parties and the foreseeability of the damage or loss.

Data Security Breach Code of Practice

In some situations the Code requires controllers to inform the ODPC where there is a breach. Depending on the severity of the breach, this reporting obligation may be extended to data subjects and others. The data controller must report the breach within two working days of becoming aware of the incident.

The report must include:
- The amount and nature of the personal data that has been compromised.
- The measures being taken to secure or recover the compromised data.
- The action being taken to inform those affected, or the reasons for not informing them.
- The action being taken to limit damage or distress to those affected by the incident.
- A chronology of events leading up to the loss of control of the data.
- The measures being taken to prevent repetition of the incident.

If the breach does not require notifying the ODPC, the data controller must maintain a record of the incident. The record should include a description of the event and why the ODPC was not informed. These records must be made available upon the ODPC’s request.