Covid-19 – GDPR Series – Part 1 – A refresher

This article is Part 1 of a series of 4 articles that the lawyers of Reddy Charlton will issue during May to mark the two-year anniversary of the introduction of the GDPR.  Our intent is to refresh some of the measures introduced and also to consider them in the current Covid-19 related business environment.

In this introductory article, we summarise GDPR and identify some key considerations for businesses.

What is Data Protection?

Everyone has a right to privacy and a right to have their personal data protected. Data Protection law tries to achieve a balance between a person’s rights, society’s needs and the legitimate needs of businesses to process data.  The General Data Protection Regulation (the GDPR) was developed and introduced to enhance and safeguard the data protection rights of EU citizens.

The Introduction of the GDPR

The GDPR came into effect across the EU on 25 May 2018.  The GDPR and the supporting Law Enforcement Directive (LED) provided for significant reforms to the then current data protection rules.  They provided for higher standards of data protection for individuals and imposed increased obligations on organisations that process personal data.  They also increased the range of possible sanctions for infringements of these rules.

As an EU regulation, the GDPR did not generally require transposition into Irish law (as EU regulations have direct effect), so organisations involved in data processing of any sort need to be aware that the GDPR addresses them directly in terms of the obligations that it imposes.  The Data Protection Act 2018 (the Act) was signed into law on 24 May 2018.  The Act changed the previous data protection framework, which was established under the Data Protection Acts 1988 and 2003.  Among its provisions, the Act has:

• established a new Data Protection Commission (DPC) as the State’s data protection authority;
• transposed the LED into national law;
• given further effect to the GDPR in areas where member states have flexibility (for example, the digital age of consent).

Some key definitions

• A data subject is the individual to whom the personal data relates.

• Types of Data:-

Personal data
Personal data is data that relates to or can identify a living person, either by itself or together with other available information.  Examples of personal data include a person’s name, phone number, bank details and address.

Special category personal data
Special category personal data (often referred to as sensitive personal data) is ‘sensitive’ personal data which may include such areas as the data subject’s racial or ethnic origin, political opinion or religious or philosophical beliefs; whether the data subject is a member of a trade union; the data subject’s physical or mental health or condition or sexual life; whether the data subject has committed or allegedly committed any offence; or any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

• Organisations that collect or use personal data are known as data controllers and data processors.  A Data Controller is a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing whilst a Data Processor is a person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data Processing

The processing of special category data is prohibited unless the data subject has given their explicit consent before processing begins or the processing is authorised by law, for example, to protect the interests of a data subject, to comply with employment legislation or for reasons of public interest.

What are the Main Principles of Data Processing?

Under Article 5, data must be processed under the following principles:-
• That it is lawful, fair and transparent
• That it is done for specific purpose(s)
• Data minimisation (relevant and limited)
• That the data is accurate and up to date
• That it is conducted for no longer than is necessary for the purpose for which the data was collected
• That it is and remains confidential and secure

Lawful Reasons for Data Processing

Under Article 6, an organisation must have a legitimate basis for the processing of data, which may be:-
• The Data Subject has given consent for the processing
• The processing is necessary for the performance of a Contract or to enter a contract
• The processing is necessary for compliance with a Legal Obligation
• The processing is in order to protect the vital interests of a person
• It is necessary for public interest or official authority
• It is in the legitimate interests of the data controller or a third party

Where does GDPR apply?

The GDPR applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not.  The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour.  Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU.

The Role of the Data Protection Commission

The DPC is the national independent supervisory authority in Ireland with responsibility for upholding the fundamental right of the individual to have their personal data protected. The DPC’s statutory powers, functions and duties derive from the Data Protection Act 2018, the General Data Protection Regulation and the Law Enforcement Directive, as well as from the Data Protection Acts 1988 to 2003 which, inter alia, give effect to Council of Europe Convention 108.

Looking Forward

In our upcoming GDPR articles in May we will discuss:-
• Part 2 – What Data Protection Policies and Procedures businesses and organisations need to have in place
• Part 3 – How to respond to Data Access Requests during Covid-19
• Part 4 – Key Data Protection challenges during this Covid-19 crisis

How can Reddy Charlton help?

During this Covid-19 crisis, Reddy Charlton Solicitors are eager to support, encourage and guide your business. If you have any queries or seek further information on Data Protection or any other area of commercial law, please contact Elaine McGrath at emcgrath@reddycharlton.ie



Author: Elaine McGrath