GDPR

Sources of Privacy

• Irish Constitution

• European Convention of Human Rights

• EU Charter of Fundamental Rights

Data Protection

The collection, use or processing of personal data

What is EU legislation

• EU charter of fundamental rights (Article 8)

• GDPR (General Data Protection Regulation - Direct Effect in Ireland)

• Data Protection Act 2018

EU Charter of Fundamental Rights

1. Everyone has the right to protection of personal data concerning them

2. Must be processed fairly on the basis of the convent of the person concerned or other legitimate basis laid down by law

3. Right if access to data

4. Right to have it rectified

General Data Protection Regulation (GDPR)

• EU Regulation

• Automatically applicable (doesn’t need implementing legislation)

• Governs when information about someone is processed by a data controller

• Sets our RIGHTS for data subjects and OBLIGATIONS on data controllers

Data controller obligations

• May only process personal data where it’s done with a lawful basis e.g consent, contractual necessity, compliance with a legal obligation etc.

Consent

• Must be specific, informed and unambiguous

• Obtained on the basis of a statement or clear affirmative action

Personal Data Breach

1. Data processors must notify data controllers without delay

2. Data controllers must notify national authority within 72 hours

3. Individuals affected must be notified if there is high risk

When is data processing likely to result in high risks?

• Systematic and extensive evaluation of personal aspects

• Processing on a large scale of special categories of data

• Systematic monitoring of a publicly accessible area

What happens when data is pseudonymised?

There are less stringent requirements to comply with data access requests

Data Protection Commissioner

• Ireland’s domestic supervisory authority who monitors and enforced application of GDPR

• Responsible for supervising and enforcing EU law against multinationals e.g Apple

Data Protection Commissioner: Fines

• Fines can be up to 20 million euro or 4% of total worldwide turnover (whichever is higher)

Extra-Territoriality

• EU Commission can decide that a third country has an adequate level of protection (no authorisation for transfer of data required)

Cookie Law

• Small text file stored on a users device by a website they have visited

• Enables website to recognise the user when visited

GDPR Caselaw

• Max Schrems filed suit against Google and Facebook for coercing users into accepting data collection policies

• Whatsapp fined by DPC