Controlling and processing personal data (2023)

TheGeneral Data Protection Regulation (GDPR) came into force across the EU on25 May 2018.

The DataProtection Act 2018, which was signed into law on 24 May 2018, gave furthereffect to the GDPR in areas where member states have flexibility (for example,the digital age of consent).

The GDPR very significantly increases the obligations and responsibilitiesfor organisations and businesses in how they collect, use and protect personaldata. Organisations and businesses are required to be fully transparent abouthow they are using and safeguarding personal data, and to be able todemonstrate accountability for their data processing activities.

Data protection definitions

Under the GDPR, personal data is data that relates to or canidentify an individual either by itself or together with other availableinformation. Personal data can include your name, address, contact details, anidentification number, IP address, CCTV footage, access cards/co-tags,audio-visual or audio recordings of a person and location data.

A data subject is the individual to whom the personal data relates.You can read about the rights of data subjects in our document Accessing yourpersonal data under GDPR.

Doing anything with your personal data, including storing it, is known asprocessing.

The organisation or business who decides what to do with your data is knownas a controller. However, that entity can allow another person orentity to process your personal data on its behalf. The person who processesthe information on behalf of the data controller is known as aprocessor.

This document outlines the obligations of data controllers and processorsunder the GDPR.

The obligation to lawfully process personal data

Organisations can only use or keep personal data where there is a lawfulreason. The GDPR sets out the six standard lawful reasons which can be used byan organisation:

• You have given your free and informed consent.
• The processing is necessary to carry out a contract which you are a party to, such as the delivery of a product
• The processing is necessary for the controller to comply with a legal obligation, such as the mandatory collection of details for anti-money laundering or tax purposes
• The processing is necessary to protect your vital interests or the vital interest of another person, such as accessing medical records in an emergency
• The processing is necessary for the performance of a task carried out in the public interest or where the controller has official authority, such as public security processing
• The processing is necessary in the legitimate interests of the processing organisation if it doesn’t conflict with your rights, such as to prevent fraud

You must be given enough information in simple and clear language to knowwhat an organisation is going to do with your personal data. This is oftenfound in privacy policies on websites or in forms which you can read or sign inperson.

The obligation to design and operate appropriate processing systems

The GDPR has introduced the concepts of data protection by designand data protection by default.

Data protection by design means data protection measures must be includedwhen any system is being designed by a controller. As a result, the chances ofinadvertent breaches of data protection legislation are reduced.

Data protection by default means that systems should be set up to be dataprotection friendly. This should mean the only necessary personal data iscollected, that it is kept for the minimum period necessary and that a personis not automatically opted-in to any unnecessary processing.

Controllers can apply for certification in Ireland from the Data ProtectionCommission, which will demonstrate that their processes are designed to complywith the Regulation.

The obligation to use processors that meet the requirements of thelegislation

Where processing is to be carried out by a processor and not the controller,the controller must use only those processors who guarantee that their systemsof processing meet the requirements of the Regulation.

Examples of processors of his nature include payroll companies, accountantsand market research companies, all of which could hold or process personalinformation on behalf of someone else. Cloud providers arealso generally data processors.

The controller must have a contract with the processor setting out the scopeof the processing required by the controller and the processor’s obligationsunder the Regulation. A processor cannot outsource this processing to anotherprocessor without the controller's consent and a similar contract agreed withthat second processor.

Processors should follow any relevant code of conduct that may be preparedby the Data Protection Commission. Processors may also receive certificationdemonstrating their compliance with the Regulation.

The obligation to keep records

Under the GDPR, any controller that has more than 250 employees, or thatprocesses sensitive information, must keep a record of the processingactivities under its responsibility.

That record should consist of:

• The name and contact details of the controller
• The purposes of the processing
• A description of the categories of data subjects and personal data
• Categories of recipients of the data
• Any transfers of data to third countries and that country's data safeguards
• Time limits for erasure of data
• A description of the data security measures in place

Processors must keep similar records. These records can be inspected by theData Protection Commission on request.

The obligation to keep data secure

Controllers and processors have an obligation to keep personal data secure.They must also ensure that any employees do not access or process any dataunless they are required to do so. Under the GDPR, controllers and processorsmust consider implementing modern security measures appropriate for the risksinvolved in their activities. For example, risks may come from accidental orunlawful destruction of stored data or unauthorised disclosure, access oralteration.

The security measures may include anonymisation or encryption of data andrestoring or backing up stored data. Controllers and processors need toregularly review and evaluate their security measures and also consider datasecurity when disposing of equipment.

The obligation to report data breaches

Under the GDPR, a controller must notify the Data Protection Commission of apersonal data breach without delay where that breach is a likely to result in arisk to the rights and freedoms of the data subject. Notification should bemade. at the latest, within 72 hours of the controller becoming aware of thebreach. Data processors must notify the respective controllers if the processorbecomes aware of a breach. The controller should then notify the data subjectwithout delay.

A controller must also notify a data subject without delay in clear andplain language if the data breach is likely to result in a high risk to therights and freedoms of the data subject. An example of a high risk situationwould be where your bank details are stolen.

The obligation to carry out data protection impact assessments

Under the GDPR, when a controller intends to carry out high-risk processing,they must first carry out a data protection impact assessment (DPIA). The DataProtection Commission has published a list of Data Processing Operations whichrequire a DPIA.

These processes include processing using new technology, profiling andautomated decision-making processing, processing large amounts of sensitivepersonal data or systematically monitoring a publicly accessible area.

The data protection impact assessment should include:

• A description of the processing and the purpose
• An assessment of the necessity of the processing
• An assessment of the risks to the rights and freedoms of the data subjects
• The measures to be used to address the risks

The controller may consult with the Data Protection Commission, which mayprovide advice to the controller. The Data Protection Commission has publisheddetailed guidance for controllers on how and when to carry out a DPIA.

The controller should carry out a review after the processing has begun toensure it is being performed in line with the data impact assessment that wascarried out.

The controller should also seek the advice of its data protectionofficer.

The obligation to appoint data protection officers (DPOs)

Under the GDPR, data protection officers must be appointed by controllersand processors whose core activities consist of processing that requiresregular and systematic monitoring of data subjects on a large scale or ofspecial categories of personal data or data relating to criminal convictionsand offences.

Data protection officers:

• Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
• May be a staff member or an external service provider
• Must provide contact details to the Data Protection Commission
• Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
• Must report directly to the highest level of management in their organisation
• Must not carry out any other tasks that could result in a conflict of interest

DPOs must be involved in all issues of data protection and must be given theresources to carry out their tasks.

You can contact the DPO of an organisation about any issues relating to yourpersonal data held by that organisation.

The tasks of the DPO are to:

• Inform and advise their organisation about its data protection obligations
• Monitor their organisation's compliance with the GDPR and any national data protection legislation
• Advise on data protection impact assessments and monitoring performance
• Liaise with the supervisory authority

The Data Protection Commission has issued published detailed guidanceon appropriate qualifications for a DPO.

The obligation to comply with codes of conduct and certification

Associations and other bodies representing controllers and processors mayprepare codes of practice that will specify how the GDPR should be specificallyapplied. These bodies must submit their draft codes of conduct to the DataProtection Commission for approval.

In order to enhance transparency and compliance with this Regulation, theGDPR will introduce certification mechanisms and data protection marks,allowing data subjects to quickly assess the level of data protection ofrelevant products and services. A list of certified organisations will bepublicly available.

Codes of conduct and approved certification mechanisms will also assistcontrollers, in identifying the risks related to their type of processing andin adhering to best practice.

Complying with an approved code of conduct or an approved certificationmechanism may be used as an element to demonstrate compliance with theobligations of the controller or processor under the GDPR.

The obligations relating to transferring data outside the EU

Any transfer of personal data outside the EU or to an internationalorganisation will be strictly regulated under the GDPR. The Regulation alsoapplies to any onward transfer of personal data from one non-EU member state toanother.

Such a transfer of personal data may take place where the EuropeanCommission has decided that the non-EU member state or business sector withinthat country has an adequate level of data protection in place. In deciding ifthere is adequate protection, the Commission will look at that country's laws,respect for human rights, the existence of any data protection authority andthe international commitments that country has made relating to personal data.After deciding if a country or sector has adequate data protection, theCommission will continue to monitor that country in terms of its dataprotection practices.

The Commission publishes a list of all such approved countries, sectors andinternational organisations.

If a controller or processor wants to transfer data to anunapproved country, sector or international organisation, thatcontroller or processor must provide the appropriate safeguards and ensure thatany data subjects will still be able to exercise their rights.

Transferring data to the UK

Before the end of the transition period, any personal information receivedby any company or organisation in the UK from companies and administrations inother member states was covered by the GDPR.

Transfers of personal data to the UK continue to be permitted on the basisof a formal decision (called an adequacy decision) made by the EuropeanCommission on 28 June 2021. That adequacy decision will remain in place forfour years unless the UK makes changes to its data protection legislation.

Independent supervisory authorities

Under the GDPR, each EU member state must have one or more independentpublic authorities responsible for monitoring the application of theRegulation. In Ireland, this supervisory authority is the Data ProtectionCommission.

The Data Protection Commission:

• Monitors and enforces the application of the GDPR
• Promotes public awareness of the rules and rights around data processing
• Advises the Government on data protection issues
• Promotes awareness among controllers and processors of their obligations
• Provides information to individuals about their data protection rights
• Maintains a list of processing operations requiring data protection impact assessment
• Handles complaints and conducts investigations related to compliance with data protection law

The Data Protection Commission has the power to order any controller orprocessor to provide information that the authority requires to assesscompliance with the Regulation. It may carry out investigations of controllersand processors in the form of data audits, including accessing the premises ofa controller or processor. It can order a controller or processor to changetheir processes, comply with data subject requests. The Data ProtectionCommission can also issue warnings to controllers and processors and can banprocessing as well as commence legal proceedings against a controller orprocessor.

Organisations that are engaged in cross-border processing of personal datacan choose to deal with a single lead supervisory authority, a onestop shop (OSS) for most of their processing activities.

European Data Protection Board

The GDPR introduced a new European data protection supervisory authority.The European DataProtection Board (EDPB) is responsible for ensuring the GDPR is appliedconsistently across The European Union. It will issue guidelines andrecommendations on the application of the Regulation. It will also advise theEU Commission on the application of the Regulation and any updates that may berequired.

The EDPB is made up of the head of one supervisory authority of each memberstate and a European Data Protection supervisor or their representatives.

Penalties

Penalties apply to both controllers and processors who breach theRegulation. There are different penalties, depending on the seriousness of thebreach.

Serious infringements

For the most serious infringements (for example, not having sufficientcustomer consent to process data or violating the core of privacy by designconcepts) organisations can be fined up to 4% of their annual global turnoveror €20 million, whichever is greater.

Lesser breaches

Under the GDPR, organisations in breach of the Regulation can be fined up to2% of their annual global turnover or €10 million, whichever is greater, forlesser breaches. Some examples of lesser breaches include: not having recordsin order, not notifying the supervisory authority and data subject about abreach or not conducting an impact assessment.