019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for AV.pptx
1. Your Data Protection Responsibilities
Under the General Data Protection Regulation
(GDPR)
This course covers your fundamental data protection responsibilities and obligations. It will iden
Music: https://www.bensound.com/royalty-free-music
2. What is Personal Data?
• Any information relating to an identified or identifiable person
• Not just identifiers, also images and information about a person
4 Hermitage Green
1234567T
Liam Kelly
BIC BOFIIE2D
IBAN IE29BOFI90583812345678
192.168.1.255
Payment card details
3. What is Processing?
• Any operation (or set of operations) performed on personal data (or sets of personal data), whether automated or not
• Collection
• Recording
• Organisation
• Structuring
• Storage
• Adaptation or alteration
• Retrieval
• Consultation
• Use
• Disclosure by
• Transmission
• Dissemination
• Otherwise making available
• Alignment or combination
• Restriction
• Erasure or destruction
Destruction
Storage
4. What is Privacy?
• Right to be let alone
• Right to be protected against intrusion into personal/family life or affairs by
• Direct physical means
• Publication of information
• No privacy law
• Implied right under article 40.3.1
• Privacy is a fundamental right
…but is not an absolute right
• Data Protection seeks to balance
• Individual's right to privacy
• Legitimate information requirements of organisations for their continued business activities and functions
• GDPR
• Protects the fundamental rights and freedoms of people regarding the processing of personal data
• Does not restrict or prohibit the free movement of personal data within the EU
Right to Privacy
Right to run
a business
6. Characters Meet the DP Dramatis Personae
• Natural person
• Living human being
• Legal person
• Commissioners of Public Works in Ireland
• Data Subject
• A natural person who can be identified directly or indirectly
• Controller
• Legal/natural person who determines the purposes and means of the processing of personal data
• Processor
• Legal/natural person who processes personal data on behalf of a Controller
• NOT an employee of Controller who processes it in the course of their work
• Recipient
• Anybody to whom personal data is disclosed
• Third Party
7. Data Protection Officer (DPO)
• A public body must have a Data Protection Officer (DPO)
• Data subjects may contact DPO on all data protection issues
• To make Data Subject Access Requests (DSARs)
• To make other requests to exercise their rights
• DPO …
• Must be fully involved in all data protection issues from the start
• Must be given access to personal data
• Informs/advises management/staff of their data protection obligations
• Monitors compliance with data protection legislation
• Liaises and cooperates with the Data Protection Commission (DPC)
• Is independent
• Is bound by secrecy/confidentiality
8. CCTV
• CCTV images are personal data
• Can give a person a copy of their own CCTV images but must pixelate those of others
• Warning signs must state purposes for which images are recorded
• CCTV cannot be used for any other purpose
• Retain CCTV images for a max. of 28 days
• Gardaí investigating a crime
• Can freely view CCTV on site
• Do not hand over CCTV without a formal written request, signed by Garda's superior
• Do not give CCTV images to third parties
• Members of the public or staff
• Damage to cars in car parks
• Accidents (e.g. trips and falls)
9. European Union (without
Croatia)
EFTA (Iceland, Norway, and
Liechtenstein)
Provisional EU members
EFTA signatories that have not
ratified
Former EU members
European Economic
Area (EEA) member
states
Extra-territorial nature
10. 1. Process personal data fairly, lawfully and transparently
2. Collect it for specified, explicit and legitimate purposes and not
further process it in a way incompatible with purposes
3. Ensure it is adequate, relevant and limited to what is necessary
4. Ensure it is accurate and, where necessary, kept up to date
5. Do not keep it in an identifiable form for longer than necessary
6. Process it to ensure appropriate security, to protect it from:
• Unauthorised or unlawful processing
• Accidental
• Loss
• Disclosure
• Destruction
7. We are responsible for and must demonstrate compliance with 1-6
Principles of Data Protection [Article 5]
11. Lawfulness of Processing [Article 6]
• Lawful only if at least one of the following is true:
a) Contract (where Data Subject is a party)
• Before entering a contract (at Data Subject's request)
b) Legal obligation on Controller
c) Protection of the vital interests of the Data Subject
• Another natural person
d) Performance of a task carried out in the public interest
• Exercising of official authority vested in the controller
• Need a legal basis for this
e) Legitimate interests of Controller
• Only where these are not related to the public tasks
• Consent of the Data Subject not available for public authorities
• Clear imbalance between Data Subject and Controller
12. Data Subject Rights [Articles 12-23]
• We must allow our Data Subjects to exercise their rights
1. Right to information and communication
2. Right of access to their personal data (DSAR)
3. Right to rectification
4. Right to erasure
• Right to be forgotten
5. Rights to restriction of processing and notification of lifting of such restrictions
6. Rights to be notified of any rectification, erasure or restriction of processing
7. Right to data portability
8. Right to object
9. Right not to be subject to a decision based solely on automated processing,
including profiling
13. Data Sharing [Article 26]
• Two (or more) Controllers jointly determine the purposes and means of processing
• Must decide who does what to comply with the GDPR for:
• Data Subject rights
• Providing information to Data Subject
in a Data Sharing Agreement or Joint Controller Agreement made between them
• Data sharing between public bodies governed by
• Data Sharing and Governance Act 2019
Joint Controllers
14. Processor Contracts
[Article 28]
• The OPW is jointly and severally liable for GDPR infringements/breaches by its Processors
• The OPW can only use Processors who
• Comply with the GDPR
• Protect the rights of the Data Subject
• The OPW must have a binding legal contract with each of its Processors
• Article 28 details what must be in this contract
• Processor must not process the data except on documented instructions from the OPW
• Processor must implement appropriate security measures based on level of risk to Data Subject
15. Records of Processing Activities [Article 30]
• The OPW must maintain a written record of its processing activities
• Processing activity: One or more processing operations carried out for a specific purpose
• Key information to record for each processing activity
a) Purposes of the processing of the personal data
b) Legitimate (lawful) reason for processing the personal data [Article 13]
c) Categories of Data Subjects and of personal data
d) Categories of recipients to whom personal data are to be disclosed
e) Transfers of personal data to a third country or international organisation
f) Retention periods
• Processing Activities identified via workshops with business areas
• Collected via online questionnaires
20. DPO Name: Liam S. Kelly
DPO Address: Data Protection Officer, The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36.
DPO Email: dpo@opw.ie
DPO Phone: (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall)
DPO Fax: (046) 948 1793
Purpose of Processing: Recording for purposes of H&S and security of staff and visitors
Lawful Ground: [Article 6.1.f] Necessary for the purposes of the legitimate interests pursued by the OPW or a third party**
Legal Basis for Processing: (blank)
Legitimate Interests: Security of staff, visitors and building
Data Subject - Personal Data: Employees, Visitors
Data Subjects - Volume: 10,000-100,000
Name: CCTV: Rathfarnham Castle
Managing Organization: National Historic Properties
Description: External cameras surrounding Rathfarnham Castle and one internal camera in the tearooms monitor activities for reasons of Health and Safety and Security of visitors and staff.
Controller: The Commissioners of Public Works in Ireland
Controller Address: The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36
Controller Email: info@opw.ie
Controller Phone: (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall)
Controller Fax: (046) 948 1793
27. DPO Name: Liam S. Kelly
DPO Address: Data Protection Officer, The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36.
DPO Email: dpo@opw.ie
DPO Phone: (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall)
DPO Fax: (046) 948 1793
Purpose of Processing: Recording for purposes of H&S and security of staff and visitors
Lawful Ground: [Article 6.1.e] Necessary for the exercise of official authority vested in the OPW
Legal Basis for Processing: Arterial Drainage Act 1945 and 1995
Legitimate Interests: Security of staff, visitors and building
Data Subject - Personal Data: Employees, Visitors
Data Subjects - Volume: 10,000-100,000
Name: CCTV: Rathfarnham Castle
Managing Organization: National Historic Properties
Description: External cameras surrounding Rathfarnham Castle and one internal camera in the tearooms monitor activities for reasons of Health and Safety and Security of visitors and staff.
Controller: The Commissioners of Public Works in Ireland
Controller Address: The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36
Controller Email: info@opw.ie
Controller Phone: (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall)
Controller Fax: (046) 948 1793
30. Data Subjects - Region: Europe (EEA)
Data Category - Personal Data: Employees - Personal Identification, Visitors - Personal Identification
Data Element - Personal Data: Employees - CCTV Images, Visitors - CCTV Images
Recipients: Other Government Bodies/Public Authorities
Locations: EEA (except UK): Austria; Belgium; Bulgaria; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Iceland; Ireland; Italy; Latvia; Liechtenstein; Lithuania; Luxembourg; Malta; Netherlands; Norway; Poland; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden
Recipient Country: (blank)
International Organisation: (blank)
Transfer Derogation: (blank)
Transfer Safeguards: (blank)
Adequacy Decision: (blank)
Data Retention: 28 days
Security Measures: Signage advising public of CCTV in place. Screens not visible to general public. Guiding staff have access to live feed only. Security staff aware of regulations regarding viewing of recorded material. Screens and recording equipment in secure security room located away from public. Access to security room via door with coded keypad.
38. Records of Processing Activities [Article 30]
• The OPW must maintain a written record of its processing activities
• Processing activity: One or more processing operations carried out for a specific purpose
• Key information to record for each processing activity
a) Purposes of the processing of the personal data
b) Legitimate (lawful) reason for processing the personal data [Article 13]
c) Categories of Data Subjects and of personal data
d) Categories of recipients to whom personal data are to be disclosed
e) Transfers of personal data to a third country or international organisation
f) Retention periods
• Processing Activities identified via workshops with business areas
• Collected via online questionnaires
• Record is a large spreadsheet
• All business areas must provide full details of their processing activities to the DPO
• Processors must maintain a written record of all categories of processing activities carried out on behalf of the OPW
• DPC regards these records as vital for transparency and can ask to see them at any time
39. Secure Your Space [Article 32]
• Lock your computer with <Windows>-L whenever you leave your desk
• Do not leave personal data lying about unattended
• Lock it away, remove the key and secure it
• Do not leave uncollected jobs on the printer tray or fax machine
• Do not leave scanned documents in scanner folder
• Choose strong passwords and protect them
• Do not give them to anyone else
• Do not stick them under your keyboard or write them in a desk diary
40. Mandatory Reporting of Data Breaches [Articles 33 and 34]
• What is a Data Breach?
• Accidental loss, disclosure or destruction of personal data
• The OPW is legally obliged to notify a personal data breach to the DPC
• Without undue delay and within 72 hours of becoming aware of it
• The 72 hours takes no account of weekends, bank holidays or Christmas
• If notification not made within 72 hours, YOU, not the DPO, must explain why
• If you become aware of a data breach
• REPORT IT TO DPO IMMEDIATELY
• Do not wait until an investigation takes place
• DPO will notify the DPC if there is a risk to the rights and freedoms of the Data Subjects involved
• You must inform Data Subject(s) of a personal data breach
• Without undue delay
• Not required where personal data is encrypted
• A Processor must notify the OPW of a data breach without undue delay
Common Causes of Data Breaches
• Accidentally published
• Emailed or posted to wrong person
• Hacking
• Lost or stolen computer or media
• Security Vulnerability
41. Transferring Personal Data Outside the EEA
• You can transfer data outside the EEA by
• Putting it on a website
• Using cloud services
• Always ask: “Where is my data?”
• Countries outside EEA are third countries
• UK left EU on 31 Jan 2020. Transition period ended 31 Dec 2020
• Consult the DPO before transferring personal data to a third country
• Personal data may be transferred to a third country only
• Where EU Commission has decided that it provides an adequate level of protection
• Easy
• By using Standard Contractual Clauses
• Model contracts – harder
• By using Binding Corporate Rules
• Very complex and expensive
• Only for Multinationals
Andorra
Argentina
Canada*
Faroe Islands
Guernsey
Israel
Isle of Man
Japan
Jersey
New Zealand
Republic of Korea
Switzerland
Uruguay
UK
USA (Privacy Shield) 2021
USA (Safe Harbour) 2015
42. Transferring Personal Data Outside the EEA
• You can transfer data outside the EEA by
• Putting it on a website
• Using cloud services
• Always ask: “Where is my data?”
• Countries outside EEA are third countries
• UK left EU on 31 Jan 2020. Transition period ended 31 Dec 2020
• Consult the DPO before transferring personal data to a third country
• Personal data may be transferred to a third country only
• Where EU Commission has decided that it provides an adequate level of protection
• Easy
• By using Standard Contractual Clauses
• Model contracts – harder
• By using Binding Corporate Rules
• Very complex and expensive
• Only for Multinationals
Andorra
Argentina
Canada*
Faroe Islands
Guernsey
Israel
Isle of Man
Japan
Jersey
New Zealand
Republic of Korea
Switzerland
Uruguay
UK
USA (Privacy Shield) 2021
43. Transferring Personal Data Outside the EEA
• You can transfer data outside the EEA by
• Putting it on a website
• Using cloud services
• Always ask: “Where is my data?”
• Countries outside EEA are third countries
• UK became a third country at 11pm on 31 December 2020
• Consult the DPO before transferring personal data to a third country
• Personal data may be transferred to a third country only
• Where EU Commission has decided that it provides an adequate level of protection
• Easy
• By using Standard Contractual Clauses
• Model contracts – harder
• By using Binding Corporate Rules
• Very complex and expensive
• Only for Multinationals
Andorra
Argentina
Canada
Faeroe Islands
Guernsey
Israel
Isle of Man
Japan
Jersey
New Zealand
Switzerland
Uruguay
USA (Privacy Shield)
44. When it all Goes Horribly Wrong
• Penalties: effective, proportionate and dissuasive
• Fines of up to €1m apply to OPW
• Person who has suffered material or non-material damage as a result of a GDPR infringement can sue OPW (and/or our Processors) for compensation
• Where both OPW and our Processors are responsible for any damage caused by processing, each shall be held liable for the entire damage
• Data Protection Commission may:
• Carry out data protection audits
• Notify OPW (or our Processors) of alleged GDPR infringements
• Access all personal data, information and IT equipment it needs
• Reprimand OPW where processing has infringed the GDPR
• Order OPW to comply with the GDPR
• Impose a temporary or permanent ban on processing in the OPW
45. Treat other people’s personal data as if it was your own
Clodagh Murphy, Accounts, Kilkenny
23/02/2023 47
dpo@opw.ie
And Finally …
Editor's Notes
Damage to cars in car parks
Car registrations are personal data
Can only give an individual images of their own car
Complaint of criminal damage should be made by the victim to the Gardaí
Accidents (e.g. trips and falls)
Data subject may make a Subject Access Request
GDPR applies to processing of personal data
By a Controller/Processor in EU regardless of where the processing takes place
Of Data Subjects in the EU by a Controller/Processor not established in the EU, where processing activities relate to:
Offering goods/services (whether paid for or not) to Data Subjects in the EU
Monitoring of data subjects' behaviour within the EU
By a Controller not established in EU but in a place where Member State law applies by virtue of public international law
Collected for specified, explicit and legitimate purposes
Not further processed in a way incompatible with purposes
Further processing for:
Archiving purposes in the public interest
Scientific or historical research purposes
Statistical purposes
not be considered incompatible with the initial purposes (Per Art. 89(1))
PID attendance list. Name & townland. Recording numbers & where from – don’t ask for names.
Accurate and, where necessary, kept up to date
Every reasonable effort must be taken to ensure that personal data that are inaccurate, having regard for the purposes for which they are processed, are erased or rectified without delay.
Not retained in identifiable form for longer than necessary
Form which permits identification of Data Subjects.
May be stored for longer periods where processed solely for:
Archiving purposes in the public interest
Scientific or historical research purposes
Statistical purposes
In accordance with Art. 89(1) and appropriate security
Cannot transfer data for law enforcement purposes
Canada – businesses only
Safe Harbour July 2000 (Seaham Harbour on North Sea, South of Sunderland)
7 Principles
Voluntary signup by US companies
USA PATRIOT Act October 2001
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Allows US to inspect data, including personal data, in the US or under the control of US companies, regardless of where it is in the world and can be invoked without a court order e.g. Gmail, Facebook, WhatsApp, Hotmail, etc.
Max Schrems
Austrian lawyer. 2011 student in US. Facebook’s unawareness of EU DP law
SAR – Got CD with over 1200 pages of data
Complaint in DPC in 21012. Facebook forced to disable its facial recognition s/w
Global Surveillance programmes - ECHELON, PRISM, Tempora
2013 complaint to DPC that Facebook violating DP law due to its role in PRISM
DPC regard this as vexatious and frivolous. Judicial review due to DPC inaction
Referred to ECJ. ECJ 6 Oct 2015 ruled Safe Harbour invalid
Privacy Shield Feb. 2016