GDPR
What is the GDPR?
In a nutshell, the GDPR establishes rules on how companies, governments and other entities may process the personal data of individuals who are EU citizens or residents. The GDPR aims to strengthen and unify data protection law for all individuals across the European Union.
What is personal data?
“Personal data” under Article 4(1) of the General Data Protection Regulation (GDPR) is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In simple terms, personal data means any information which, directly or indirectly, could identify a living person. Name, phone number and address are textbook examples of personal data.
What constitutes personal data is a broad concept, but it covers information that relates to individuals, such as a person’s name, address or health records. However, it is sometimes not clear whether particular data is in fact personal data, and then a case-by-case assessment must be made as to whether the data could be deemed personal data.
If data is fully anonymised, the GDPR does not apply. Data is considered ‘anonymised’ when individuals are no longer identifiable. If the data is merely ‘pseudonymised’ (identifiers have been replaced, but the person can still be identified with the help of additional information held separately), it is still considered personal data.
Personal data can include:
- Your name
- Your address
- Your contact details
- Identification numbers (for example your PPS number)
- Your internet (IP) address
- CCTV footage
- Access cards
- Audio-visual or audio recordings of you
Data protection laws mean that your personal data should generally only be stored where there is a lawful basis, such as your consent, or where there is a legal obligation.
Where the GDPR applies
The GDPR applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not. The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to those individuals or to monitoring their behaviour.
Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU.
What are the principles of the GDPR in Ireland?
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
The Data Protection Commission
The Data Protection Commission (DPC) is responsible for upholding the fundamental right of individuals in the European Union to have their personal data protected. It monitors organisations to make sure that they comply with the GDPR and other data protection legislation. It can also deal with complaints in relation to data protection breaches.
Data Subject
Under data protection law, if an organisation or company is holding or using your personal data, you are known as a data subject.
The organisation or company holding or using that data is known as a data controller. However, the data controller can allow another person, organisation or company, known as a data processor, to process your personal data on its behalf. Doing anything with your personal data, including storing it, is known as processing.
General data protection principles
You are entitled to have your personal information:
- Protected
- Used in a fair and legal way
- Made available to you when you ask for a copy
- Corrected if you ask for the information to be corrected
Organisations must give you information
You must be given enough information in simple and clear language to know what an organisation is going to do with your personal data. This is often found in privacy policies on websites or in forms which you can read or sign in person. For instance, you should be told:
- The identity and contact details of the data controller or their EU representative
- The contact details for the organisation or company’s Data Protection Officer
- The reason for the intended processing and its legal basis
- What ‘legitimate interest’ the data controller has in your personal data if they are relying on a ‘legitimate interest’ to process the data
- Who will have access to your personal data
- Whether your personal data may be transferred outside the EU and if so, the data safeguards in that country
- How long your personal data will be stored or how that time period will be decided
- Whether you are required by law or a contract to provide your personal data and the consequences of not providing it
- If your personal data will be subject to any automated decision-making (decisions made by computer with no human input) or profiling processes
The organisation should also tell you about your rights, including your right to:
- Request access to your data
- Request your data to be corrected
- Ask for your data to be erased
- Ask for your data to be restricted
- Object to your data being processed
- Receive the data held in a form which allows you to transfer it to another person (data portability)
- Withdraw consent if consent is the basis for your personal data being processed
- Lodge a complaint
In general, only the personal data necessary for the stated purposes for which it is collected should be collected and processed. Your personal data should only be kept for as long as is necessary for the purpose for which it was collected.
While it is being stored or processed, your personal data must be kept secure, and policies and procedures must be in place to prevent unauthorised access.
Special categories of data and limits on processing
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:
- Personal data revealing racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
- Data concerning health.
- Data concerning a natural person’s sex life or sexual orientation.
Some types of processing fall outside the GDPR, such as processing by the Gardaí during criminal investigations and prosecutions, and the processing of passenger names to prevent terrorist activities.
Children’s personal data
Children have the same data protection rights as adults and can make access requests. However, they are given specific protection with regard to their personal data. This is because they may be less aware of the risks and consequences of sharing their personal data. Also, they may be less aware of the safeguards available and their rights in relation to how their personal information is processed.
Parents and guardians may also be able to make access requests or exercise any other data protection right on behalf of their children. If a request is made by a parent or guardian, the data controller must consider the nature and circumstances of the request, including the age, capacity and views of the child and the child’s best interests.
Digital age of consent
Article 8 of the GDPR directs countries to set a minimum age at which online service providers, including social media companies, can rely on a child’s own consent to process their personal data. In Ireland, the Data Protection Act 2018 has set the age of digital consent at 16. This means that if an organisation is relying on consent as the legal basis (justification) for processing a child’s personal data and the child is under 16, then consent must be given or authorised by the child’s parents or guardians.