The Data Protection (Complaints handling procedure and enforcement) Regulations, 2021
In our previous two articles in this series (see part I on the General Regulations and part II on the Registration Regulations), we analysed the extent to which the Data Protection Act, 2019 (DPA) empowered data subjects with numerous mechanisms through which to exercise their privacy-related rights. One such mechanism is a complaint to the Office of the Data Protection Commissioner (ODPC) in relation to the conduct of data controllers or data processors. In addition to receiving complaints, the ODPC may also initiate its own investigations into the conduct of data controllers and data processors.
In 2021, we witnessed the ODPC’s investigative and complaints handling functions being called into action in two separate instances. Despite these specific instances being handled within the framework of the DPA, there were no enabling regulations to give clarity on the various procedures involved in an investigation. This has since changed with the issuance of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the Complaints Regulations).
In part III of the series, we set out the key highlights of the Complaints Regulations, which have been issued to facilitate a fair and expeditious complaints mechanism administered by the ODPC. They further clarify the ODPC’s powers of investigation and enforcement and also for alternative dispute resolution.
