Skip to content

Part 10 » Transfer of Personal Data Outside the Republic

70. Cross-border transfer of personal data

  1. A data controller shall process and store personal data on a server or data centre located in the Republic.
  2. Despite subsection (1), the Minister may prescribe categories of personal data that may be stored outside the Republic.
  3. Despite subsection (2), sensitive personal data shall be processed and stored in a server or data centre located in the Republic.

71. Conditions for Cross- border transfer of personal data

  1. Personal data other than personal data categorised in accordance with section 70(2) may be transferred outside the Republic where —

    1. the data subject has consented and

      1. the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Data Protection Commissioner; or
      2. the Minister, has prescribed that transfers outside the Republic is permissible; or

    2. the Data Protection Commissioner approves a particular transfer or set of transfers as permissible due to a situation of necessity.

  2. The Minister may, by statutory instrument, prescribe the criteria for cross border data transfers under subsection (1)(a)(ii) where the Minister considers that —

    1. the relevant personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements; and
    2. the enforcement of data protection laws by authorities with appropriate jurisdiction is effective.

  3. The Data Protection Commissioner shall monitor the circumstances applicable to data that has been transferred outside the Republic under subsection (1)(a)(ii)in order to review decisions made under this Act.

  4. Despite subsection (2), personal data may be transferred outside the Republic —

    1. in case of an emergency, to a particular person or entity engaged in the provision of health services or emergency services;
    2. where the data subject has explicitly consented to that transfer of sensitive personal data; and
    3. to a particular international organisation or country which complies with subsection (1)(a)(ii), where the Data Protection Commissioner is satisfied that the transfer or class of transfers is necessary for any class of data controllers or data subjects and does not hamper the effective enforcement of this Act.

  5. The Data Protection Commissioner shall approve standard contracts or intra-group schemes under subsection (1)(a) where contracts or schemes effectively protect the rights of data subjects under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

  6. Where a data controller seeks to transfer personal data subject to a standard contract or intragroup scheme under subsection (1)(a), it shall certify and periodically report to the Data Protection Commissioner as may be specified, that the transfer is made under a contract that adheres to these standard contractual clauses or intragroup schemes and that it shall bear any liability for the harm caused due to any noncompliance with the standard contractual clauses or intragroup schemes by the transferee.