Data Protection Law
Colin Rooney, Partner, Technology and Innovation
29 May 2014
– Irish Law
• Data Protection Acts 1988 & 2003
• European Communities (Electronic Communications
Networks And Services) (Privacy And Electronic
Communications) Regulations 2011
– Apply where a person/organisation:
• is established in Ireland and is processing in the
context of that establishment;
• has an office, branch or agency in Ireland; or
• uses equipment located in Ireland (its own or a third
party's server) to collect or process data, other than
data merely in "transit" through Ireland.
• Data Controller
• Data Processor
• Data Subject
• Personal Data
• Sensitive Personal Data
8 Core Principles
Obtain and process the information FAIRLY
Keep it only for one or more specified and lawful purposes
Use & disclose it only in a manner compatible with those purposes
Ensure that it is adequate, relevant and non-excessive
Keep it accurate and up-to-date
Retain it no longer than is necessary for the purpose(s)
Ensure appropriate security measures are taken
Comply with individual access requests
• The data subject's consent has been obtained
• consent – can be verbal or written but must be freely given!
• The processing is necessary:
– for the performance of a contract to which the data subject
is a party;
– for compliance with a non-contractual legal obligation;
– to prevent serious injury, loss or damage; or
– for the legitimate interests of the data controller, except
where the processing is unwarranted having regard to the
fundamental rights of the data subject.
– Even more conditions apply to Sensitive Personal Data!
• Data Capture – Collection of Data
• Data Use – Processing
• Data Disclosure / Sharing and Data
• Data Retention/Destruction
– General Rule:
• Where an agent/third party is processing personal
data, there should be a contractual basis for this,
with appropriate security safeguards in place.
– In data protection terms:
• Where a data controller engages the services of a
data processor, it must take certain steps to ensure
that data protection standards are maintained.
Application to Data Processors
– Key requirements are as follows:
• there must be a written contract between the parties;
• including appropriate security safeguards;
• specifically providing that the data processor will
process personal data only on the basis of the
authorisation and instructions received from the
data controller;
• committing the data processor to apply appropriate
security measures; and
• the data controller must satisfy itself that the data
processor has suitable technical security measures
and organisational measures in place.
Sending Data Abroad
• When transferring, or making available, Personal Data
abroad, regard must be had to the provisions of the DPA
which limit or restrict foreign transfers.
• Section 11 DPA provides that:
– "The transfer of personal data by a data controller to a
country or territory outside the European Economic
Area may not take place unless that country or
territory ensures an adequate level of protection for
the privacy and the fundamental rights and freedoms
of data subjects in relation to the processing of
personal data."
Sending Data Abroad (cont.)
• Export of Personal Data outside the EEA is permitted where:
– consent is given to data exports; or
– the personal data is exported for the
purpose of fulfilling a contract; or
– the personal data is exported to countries
which are deemed by the EU Commission
to have adequate data protection laws; or
– the company has put adequate privacy
safeguards in place for the transfer.
Sending Data Abroad (cont.)
• Types of transfers approved by the Commissioner
– Binding Corporate Rules
• Countries with an EU adequacy decision
– e.g. The Isle of Man
• Review existing data exports to check either that
information is not transferred outside the EEA, or
• that an appropriate DPA exemption applies (e.g.
consent, contractual necessity or vital interests).
• Put in place appropriate model form clauses for
transfers outside the EEA.
• Consideration could be given to self-certification (by
the US body) under the 'Safe Harbor' rules on
trans-Atlantic data exports – this requires action from
the party in the US.
• N.B. The other DPA Principles must still be adhered to.
• Basic Rule: data controllers and data processors must
take 'appropriate security measures' for personal data,
to guard against unauthorised access, alteration,
disclosure or destruction, and against accidental loss.
• Factors to be taken into account include:
– State of technological development;
– Cost of implementing measures;
– Harm that might result from unauthorised or unlawful
processing;
– Nature of the data concerned; and
– Obligation to ensure staff awareness of, and compliance
with, the security measures.
Data Security Considerations
• DPA does not detail the specific security measures that
an organisation must have in place.
• Adherence to technical security arrangements, both
internal and external.
– e.g. password protection, data encryption, etc.
• Security should also be borne in mind when personal
data are being destroyed.
• Where personal data are being transferred out of/into the
company, the security of the transfer method is vital.
What does this mean in practice?
– Obligations on security need to be actively addressed.
– Parties should adhere to a "need to know" principle.
– Hence staff should only be able to access the
personal data that they need to carry out their
functions – seems this is the case!
– Organisations must have adequate access controls,
firewalls and virus protection.
– Don't forget about manual files (and Relevant Filing Systems).
• Presently a high profile area
• Hence represents legal / compliance / reputational risk
• Be aware of the nature of the legal requirements:
– Not IT specific
– Principles based legislation
• Appropriate security is judged by variety of factors
– nature of information & cost of available technology.
• Ongoing compliance review and staff training is crucial.
Obligation to Report a Breach?
Despite the Personal Data Security Breach
Code of Practice, there is presently no explicit
obligation to notify the Commissioner's Office or
the data subject of a breach of information security.
Exception: ISPs and Telcos.
However, it may be advisable to do so.
First consult with your legal advisors.
Note: this position will change shortly on foot of
the new EU Data Protection Regulation.
• Depends on the nature of the Personal Data
• Certain Data Controllers must register
• Data Processors must register if they process on
behalf of a Data Controller that is required to be
registered
• Personal Data must not be kept for longer than is
necessary for the purpose for which it was obtained
• Consider the length of time that you will need to
keep various types of data.
• No specific retention periods are set by the Data
Protection Acts
What rights does the Data Subject have?
• Right of access – 40 days to comply
• Right of rectification and/or erasure
• Right to complain to the Data Protection Commissioner
Data Protection Commissioner
• Investigates complaints of non-compliance.
• Codes of good practice.
• DPC can obtain information and issue
enforcement notices requiring the company to
take specified steps, including ceasing data capture
• "Dawn Raids"
• DPC can bring prosecutions and ask the Courts
to impose criminal fines.
• The DPC's office is far more active than ever before
Consequences of Breach
• Criminal Offence – in certain circumstances:
– €3,000 (summary conviction)
– €100,000 (indictment)
• Damages – compensation
• Information, Enforcement or Prohibition Notices
• Public shame – DPC’s Annual report
• Erasure of database
• Compliance cost
• New Data Protection Regulation
• Unified EU Data Protection law
• Applicable from 2015/2016
• Nominate Data Protection Officer
• Put in place a Data Breach procedure
• More obligations for Data Processors
A Final Thought!
Thank you for your