ICT and GDPR

Electronic Data Interchange

This is a system that electronically links the computers of two different companies. They are programmed to send standard documents (such as orders and invoices) directly from one to the other without any human involvement.

Data Protection

Data Protection is the means by which the privacy rights of individuals are safeguarded in relation to the processing of their personal data. For example, a business might use “encryption” as a method of data protection.

Rights of Data Subjects

• Right to be informed

• Right to access

• Right to rectification

• Right to erasure

• Right to object

• Right in relation to automated decision making

The right to be informed

When a data controller is collecting information from you, she must identify herself and give you her contact details. She must also inform you why she wants your personal data and details of who else will see it.

The right to access

If a data controller is processing an individual’s personal data, he has the right to be given a copy of all the personal information she has on him. It must be in a transparent, understandable and easily accessible manner.

The right to Rectification

If your personal data is inaccurate, you have the right to have the data corrected, by the controller, without undue delay. If your personal data is incomplete, you have the right to have data completed.

The right to erasure

You have the right to have your personal data deleted by the data controller, when she no longer needs it for the purpose for which it was collected or processed. This is also known as the ‘right to be forgotten’.

The right to object

If a data controller uses your personal details for the purpose of marketing something directly to you, you can object at any time. The data controller must stop processing as soon as they receive your objection.

Rights in relation to automated decision making

You have the right to not to be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.

Obligations of Data Controllers

• Obtain and process data fairly

• Keep data safe

• Delete information once they longer need it

• Give a copy

• Report data breaches

Obtain and process data fairly

When a data controller is collecting information from an individual, she must identify herself and give the individual her contact details. She must also inform him why she wants his personal data and who else will get to see it.

Keep data safe

The data controller must take appropriate security measures to protect individuals’ personal data. For example, the business should use encryption technologies for transferring, storing, and receiving individuals personal information.

Delete information when no longer needed

Data controllers cannot keep an individual’s personal data if they no longer need it. If there is no good reason for keeping someone’s personal information, the data controller must delete it.

Give a copy

The data controller must provide the individual with a copy of his personal data, if he requests it, free of charge, within a month.

Report Data Breaches

A data breach occurs when the data for which the controller is responsible is lost or stolen. If that happens the controller has to notify the Data Protection Commission within 72 hours after having become aware of the breach.

Function of Data Protection Commission

• Examines complaints from individuals

• Inform people of their rights

• Undertake investigations of its own volition

• Punishes data controllers that break the law

Examines complaints from individuals

The Data Protection Commission must investigate any complaints it receives from individuals who feel that their personal data is not being treated according to the rules of the GRPR. The Data Protection Commission considers all the evidence and makes a decision on the matter.

Inform people of their rights

The Data Protection Commission promotes awareness amongst members of the public of their rights to have their personal information protected under data protection law. It has a website and offers online guides to the law.

Undertake investigation of its own volition

The Data Protection Commission can conduct statutory inquiries into possible infringements of data protection legislation even if it has not received a complaint.

Punishes data controllers that break the law

The Data Protection Commission is responsible for enforcing the GDPR in Ireland. It has the power impose sanctions including fines on businesses that break this law.