General Data Protection Regulations (GDPR)

Our barristers have expert knowledge and experience in dealing with data protection matters and can advise and assist you with any queries relating to the processing of personal data or the GDPR obligations of an organisation.

Our barristers have represented individual clients, employers, employees, and organisations and advised on compliance with the General Data Protection Regulations in court actions and in respect of complaints to the Irish Data Protection Commission. Our barristers can advise companies and organisations on their obligations under the General Data Protection Regulations, as well as individuals who have concerns about how and or why their personal data is being used.

The General Data Protection Regulations are regulations which were introduced in May 2018 by the European Union to protect EU citizens’ rights when it comes to personal data. Personal data is any data or information that identifies somebody as an individual or can be used with other data or information to identify somebody, such as a name, date of birth, address, email address and or video/CCTV footage.

Data Processing Principles

When processing personal data, organisations and or other persons (known as controllers), must adhere to certain principles. These are:

• Lawfulness, Fairness and Transparency – Controllers must process your personal data lawfully (in accordance with the law), fairly and with transparency.
• Data Minimisation – Controllers must only use the minimum amount of data necessary for the purpose that they are processing your data.
• Accuracy – Controllers must ensure that your personal data is accurate and kept up to date with reasonably regular updates.
• Storage Limitation – Controllers, subject to certain exceptions, must only retain and or store your personal data for as long as it is necessary to store such data given the purpose for which it was collected and or processed.
• Integrity and Confidentiality – Controllers must ensure that your personal data is securely protected, not shared with any unauthorised third parties and that only suitable and relevant persons within their organisation can access your personal data.

Lawfulness of Processing Personal Data

The default position under the General Data Protection Regulations is that personal data should not be processed (used in any way including being collected), unless one of the following criteria is met:

• Consent – the person to whom the data relates (known as the data subject i.e. you) has given their unambiguous and fully informed consent to the processing of personal data. There are specific rules around what constitutes consent, and your barrister can advise you on these.
• Necessary for Contract – the processing of your personal data is necessary to complete or carry out a contract that you have entered into with the controller.
• Legal Necessity – the processing of your personal data is required by law, either EU or Irish law.
• Vital Interests – the processing of your personal data is necessary to protect the vital interests of you or another person.
• Public Interest – the processing of your personal data is necessary to carry out a function or task that is in the public interests and or in the exercise of an official authority vested in the controller.
• Legitimate Interest – the processing of your data is necessary to further a legitimate interest of the controller as long as said legitimate interest is not outweighed by the interests and fundamental freedoms and rights of the data subject i.e. you.

There are specific rules on each of the above and your barrister will be able to advise you on whether or not any of these criteria apply in respect of your query.

Processing of Special Categories of Personal Data

“Special Category Data” is personal data that is more sensitive than ordinary personal data such as your name. Examples of special categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. There are enhanced rules about how and when special categories of personal data can be processed and our barristers will be able to advise you on these.

Remedies

Where a controller has breached any of the General Data Protection Regulations, a complaint can be made to the organisation (controller) itself, or to the Data Protection Commission in Ireland. The Data Protection Commission has certain powers to investigate complaints and to administer certain fines and orders on the controller if they are found to have breached the Regulations. These orders will usually include taking measures to correct their practices so that they are complying with the Regulations.

In certain cases of a breach of the Regulations, the data subject may be entitled to compensation from the Controller. This will depend on the extent of the breach and the effect the breach has had on the individual. Our barristers will be able to advise on whether or not compensation would be payable in the circumstances of your query.