1. Flynn O’Driscoll
Business Lawyers Presentation
Legal Considerations: Obligations, Accountability and Enforcement
GDPR Seminar for Sales and Marketing Professionals
27th April 2018 - Galway
2. Legal Considerations: Obligations,
Accountability and Enforcement
• Law, scope and application
• Principles and lawful processing
• Additional controller/processor obligations
• Contract requirements
• Breach reporting, sanctions and penalties
@TradeSecretsFOD
@StartupatFOD
www.fod.ie
3. Law, Scope and Application
4. The Law
• General Data Protection Regulation ((EU) 2016/679) (“GDPR”)
➢ Intended to harmonise and modernise laws relating to processing
of personal data
➢ Strengthens data subject’s rights in relation to processing of
personal data
➢ Emphasises transparency, security and accountability
➢ Heavy sanctions for non-compliance
5. Scope
• Personal data: any information relating to an identified or
identifiable living individual person (‘data subject’)
• Special category data: race, ethnic origin, political opinions,
religious or philosophical beliefs or trade-union membership …
genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or data
concerning a person’s sex life or sexual orientation
6. Scope
• Controller: determines purposes and means of processing of
personal data
• Processor: processes personal data on behalf of controller
• Processing: any operation or set of operations which is performed
on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or
destruction
7. Scope and Application
• GDPR will apply to:
➢ controllers and processors in the EU; and
➢ controllers and processors established outside EU who offer
goods or services to EU data subjects (irrespective of whether
any payment is required) or who monitor their behaviour.
• Essentially if you process personal data of EU data subjects in this
way (regardless of where the processing takes place), the GDPR
will apply.
• Effective 25th May 2018.
8. Broader Irish Legal Framework
• In addition to the GDPR:
➢ e-Privacy Directive (Directive on privacy and electronic
communications)
➢ S.I. No. 336 of 2011 (implements e-Privacy Directive)
➢ e-Privacy Regulation (Regulation concerning the respect for
private life and the protection of personal data in electronic
communications)
➢ Data Protection Acts 1988 and 2003
➢ Data Protection Bill 2018
• Codes of Practice (e.g., insurance and financial sectors)
10. Principles
1. Process in a lawful, fair and transparent way
2. Collect for specified, explicit and legitimate purposes and not
process in an incompatible way (purpose limitation)
3. Adequate, relevant and limited to what is necessary (data minimisation)
4. Accurate, keep up to date and erase or rectify without delay (accuracy)
5. Keep in a form which permits identification of data subjects and only for
as long as is necessary for the specified purposes
6. Process in a way that ensures appropriate security of personal data,
including protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using appropriate
technical or organisational measures (integrity and confidentiality).
7. Accountability – demonstrate compliance with principles.
11. Lawful Processing
• Data subject has given consent to process for one or more specific
purposes;
• Processing is necessary for:
➢ the performance of a contract with the data subject, or to take steps at the data
subject’s request before entering into a contract;
➢ compliance with a legal obligation to which the controller is subject;
➢ the protection of the vital interests of the data subject or another natural person;
➢ the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
➢ the legitimate interests pursued by the controller or a third party, except
where overridden by the interests or fundamental rights and freedoms of
the data subject which require protection of personal data, especially where
the data subject is a child.
12. Consent under the GDPR
• Consent:
➢ freely given, specific, informed and unambiguous either by a
statement or by a clear affirmative action.
➢ Pre-ticked boxes or implied consent not enough.
➢ Data subject must be able to withdraw consent at any time, and withdrawing
consent must be as easy as giving it.
➢ Consent to transfer personal data outside the EU must be
explicit.
• Special category data: valid legal basis plus additional conditions
to be satisfied to process lawfully
13. Legitimate Interests
• “Legitimate interests” not defined
• GDPR example: “the processing of personal data for direct
marketing purposes may be regarded as carried out for a
legitimate interest”
• Assess on a case-by-case basis and document – consider
relationship and reasonable expectations of data subject.
➢ Purpose test: pursuing a legitimate interest?
➢ Necessity test: processing necessary for that purpose?
➢ Balancing test: do the data subject’s interests override that
legitimate interest?
• Data subject right to object
14. e-Privacy Directive / S.I. No. 336 (2011)
• Consent to process for unsolicited direct marketing communications
• Exception to market similar products or services to existing
customers or customers within the last 12 months who have
not already opted out of receiving marketing communications (and
provided the customer was clearly and distinctly given an
opportunity to object at the outset and in each subsequent marketing
communication)
• Additional restrictions for automated calling and National Directory
Database listings
15. e-Privacy Regulation
• Consent to process
• May use customer email address received within the context of
sale of a product, in accordance with the GDPR, to direct market
its own similar products or services
• Provided the customer is clearly and distinctly given the
opportunity to object, free of charge and in an easy way.
• Right to object given at the time of collection and in each
subsequent marketing communication.
16. GDPR
• Acknowledges the processing of personal data for direct
marketing purposes may be regarded as carried out for a
legitimate interest.
• Where personal data is processed for direct marketing purposes,
the data subject will have the right to object at any time to the
processing of his personal data for marketing purposes, including
profiling to the extent related to direct marketing.
• Where the data subject objects, his personal data may no longer
be processed for marketing purposes.
18. Transparency and Information
• Principle of transparency concerns the information to be
provided to data subjects about the processing of their personal
data
• Must be easily accessible and easy to understand using
clear and plain language
• Relevant for Privacy Policies and Employee Handbooks
• Transparency requirements apply irrespective of the legal basis
for processing and continue for the life cycle of processing
19. Information to Data Subjects
Where personal data obtained from data subject:
1. Controller identity and contact details
2. DPO contact details (if applicable)
3. Purpose and legal basis for processing
4. Categories of personal data
5. Details of legitimate interests pursued (where processing based
on legitimate interests);
6. Recipients or category of recipients
7. Data transfers (e.g., outside EEA) and how to obtain more
information
20. Information to Data Subjects
8. Data processing and retention periods
9. Data subject rights
10. Ability to withdraw consent (where processing based on
consent)
11. Right to lodge a complaint
12. Automated decision making and right to object
13. Details of further processing (if different to original purpose)
21. Information to be Provided
• When to provide: Where personal data obtained from data subject,
the above information must be provided to data subject at the time
their personal data is first collected.
• Exception: To the extent the data subject already has the
information, the above will not apply.
• Demonstrate and document.
22. Information to Data Subjects
Where personal data obtained from another source:
• All of the above information; plus
• Categories of personal data. Required in the interest of
transparency, as the personal data was not obtained directly from the
data subject, who would otherwise be unaware of the processing.
23. Information to Data Subjects
When to provide where personal data obtained from another
source:
• within a reasonable period after obtaining it, but at the latest within
one month, depending on the specific circumstances and nature of
processing;
• if personal data will be used for communications with that data
subject, at the latest at the time of the first communication to the
data subject;
• if disclosing to another recipient, at the latest when personal data is
first disclosed to that other recipient.
24. Information to Data Subjects
Exceptions:
• the data subject already has the information;
• providing the information proves impossible or would involve a
disproportionate effort or is likely to render impossible or seriously
impair the achievement of the objectives of that processing;
• the personal data is required to be obtained or disclosed by law
which makes provision for the appropriate measures to protect the
data subject’s legitimate interests;
• the personal data must remain confidential due to a statutory or
other valid professional obligation of secrecy.
Demonstrate and document.
25. Data Subject Rights and Controller Obligations
Data Subject’s Rights / Controller’s Obligations*
• Information: obligation to provide relevant information
• Access: obligation to provide relevant information within 30 days
• Rectification or erasure: obligation to correct or delete relevant personal data
• Restriction: obligation to restrict processing of personal data
• Data portability: obligation to provide machine-readable copy of relevant
automated personal data
• Right to object (automated decision-making / marketing): obligation not to
further process for that purpose
• Not to be subject to profiling: obligation not to process personal data for
profiling purposes
*Subject to conditions and exceptions
26. Additional Obligations
• Security: Implement appropriate technical and organisational
measures to ensure appropriate safeguards are in place
• Privacy by Design/Default: consider privacy at the earliest
possible design stage and build in appropriate measures to
safeguard personal data
• Minimise risk to data subjects – PIA/DPIA
• Data Protection Officer (DPO) – responsible person to monitor
GDPR compliance (appointment mandatory in some cases)
27. Additional Obligations
• Record-keeping – create and maintain records of data processing
activities (controller and processor)
• Processor guarantees – ensure appropriate technical and
organisational measures are in place – agree minimum security
requirements
• Contract requirements – GDPR required clauses
• Report personal data breaches – notify DPC within 72 hours of
becoming aware (unless valid exception applies)
• Cooperate and assist DPC in performing its functions
Demonstrate and document.
29. Contract Requirements
Specific contract terms must be stipulated in an agreement between a
controller and processor (GDPR, Article 28):
• Documented instructions to process (data transfers outside EEA)
• Confidentiality
• Security measures
• Appointing sub-processors
– consent or general written authorisation
– liability
30. Contract Requirements
• Assist the controller in complying with its obligations and
demonstrating compliance (including in respect to data subject
requests) or where responding to a supervisory authority complaint,
investigation or audit
• Cooperate and provide information to controller
• Delete or return personal data
31. Processor’s Obligations
• Statutory obligation to comply
• Process under the authority of and in accordance with the
documented instructions of the controller
• Record keeping and compliance
• Special requirements for contracts
• May be subject to direct enforcement by the DPC, fines or claims
made directly by data subjects for compensation
• Liability limited to the extent it has not complied with its statutory (or
contractual) obligations
33. Personal Data Breach
• Personal data breach: “a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or
otherwise processed.”
➢ Confidentiality breach: where there is an unauthorised or
accidental disclosure of, or access to, personal data.
➢ Integrity breach: where there is an unauthorised or accidental
alteration of personal data.
➢ Availability breach: where there is an accidental or
unauthorised loss of access to, or destruction of, personal data.
34. Breach Reporting
• Controllers must notify the relevant Data Protection authorities
within 72 hours of becoming aware of the breach, unless it is
unlikely to result in a risk to the rights of data subjects.
• Must notify the affected data subjects without undue delay where
the breach is likely to result in a “high risk” to their rights.
• Processor must report a breach to the controller.
35. Sanctions and Penalties
• Audits
• Inspections
• Corrective actions
• Penalties and fines:
➢ Serious breaches: up to €20m or 4% of global annual turnover,
whichever is greater.
➢ Less severe breaches: up to €10m or 2% of global annual
turnover, whichever is greater.
36. Administrative Fines
• Effective, proportionate and dissuasive
• Each case to be assessed individually taking into account:
➢ Nature, gravity and duration of breach;
➢ Number of data subjects involved;
➢ Scope and purpose of processing;
➢ Damage suffered by data subjects (and any action taken by the
organisation to mitigate damage);
➢ Degree of responsibility of the organisation including the technical and
organisational measures implemented by it;
➢ Intentional or negligent character of breach; and
➢ Degree of cooperation with DPC to remedy breach.
37. DPC / Commission Approach
• Increased budget for 2018 (€11.7m)
• Additional staff
• 1 Commissioner and 5 Deputy Commissioners currently
• “the Irish DPC will be in a strong position to supervise rigorously and fairly
while maximising the outcomes for data subjects under the GDPR”
• “robust data processing regime through continued strengthening of the
DPC in Ireland”
(DPC, Annual Report 2017)
38. Should you have any queries arising out of the foregoing please
contact the undersigned who will be happy to assist.
Laura Myles
Head of Intellectual Property and Technology
E: lauramyles@fod.ie
P: +353 91 396541
39. Dublin:
1 Grants Row
Lower Mount Street
Dublin 2
Ireland
Phone: +353 1 6424220
Fax: +353 1 6618918
Galway:
Unit 16 Galway Technology Centre
Mervue Business Park
Galway H91 KV80
Ireland
Phone: +353 91 396540
Fax: +353 91 792649