Frequently Asked Questions about GDPR
Questions that people are asking about GDPR.
A fundamental principle of data protection is ‘fair obtaining and processing’. Under Section 2(1)(a) of the Data Protection Acts, 1988 and 2003 “the data, or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly”. In general, the fair obtaining principle requires that every individual about whom information is collected is aware of what is happening.
The list cannot be brought from one company to another, as the clients’ consent would be required in order to comply with the fair processing principle.
The type and amount of personal data you may process depends on the reason you’re processing it (the legal basis used) and what you want to do with it. You must respect several key rules, including:
- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing (‘lawfulness, fairness and transparency’).
- you must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can’t simply collect personal data for undefined purposes (‘purpose limitation’).
- you must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’).
- you must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it’s processed, and correct it if not (‘accuracy’).
- you can’t further use the personal data for other purposes that aren’t compatible with the original purpose of collection.
- you must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’).
- you must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
You run a travel agency. When you obtain your clients’ personal data, you should explain in clear and plain language why you need the data, how you’ll be using it, and how long you intend to keep it. The processing should be tailored in a way that respects the key data protection principles.
- Article 5(1); Recital 39
- Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203)
Key to compliance with data protection is to inform the potential employee of any potential checks that may be undertaken and seek their specific consent for certain types of checks, e.g. qualification checks, character reference checks.
Any information that is legitimately in the public domain can generally be accessed within the context of data protection requirements without giving rise to concerns. The person should be provided with any such information, however, in order that they can have an opportunity to provide comments on it.
An employer is entitled to ask an employee to declare if they have any previous relevant criminal convictions which might impact on the desirability of them performing a particular task. However, an employer should only be concerned about convictions that relate to the particular job on offer. For example, a job involving driving may justify the employer asking about previous driving convictions. This requirement may be updated shortly via a Spent Convictions Bill, recently introduced by the Government, which will in certain situations give potential employees (other than those dealing with children or vulnerable adults or in other sensitive positions) the option not to provide such information.
Organisations/employers seeking to access information held by a credit referencing organisation about prospective or current employees could present data protection concerns. Any forced requirement placed upon employees to seek credit history information from the Irish Credit Bureau, for example, for employment screening purposes could be considered a breach of the Data Protection Acts.
Certain sectors, for example where employees have contact with children or vulnerable adults, are permitted to make use of Garda Vetting checks which are carried out with the consent of the person.
An ‘enforced access request’ is where an applicant is obliged by a potential employer or organisation they are dealing with to make an access request under Section 4 of the Data Protection Acts to a data controller. The individual would typically then be asked to subsequently provide this information to their employer/prospective employer/organisation they are dealing with.
An employer who requires an employee or prospective employee to make such an access request commits an offence under the Data Protection Acts.
In the case of An Garda Síochána, it advises that the information released under an access request should not be considered as a formal vetting procedure for employment or other purposes.
You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
Your company/organisation should establish time limits to erase or review the data stored.
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).
Your company/organisation must also ensure that the data held is accurate and kept up-to-date.
Data kept for too long without an update
Your company/organisation runs a recruitment office and for that purpose it collects CVs of persons seeking employment and who, in exchange for your intermediary services, pay you a fee. You plan to keep the data for 20 years and you take no measures for updating the CVs. The storage period doesn’t seem proportionate to the purpose of finding employment for a person in the short to medium term. Moreover, the fact you don’t request updates to CVs at regular intervals renders some of the searches useless for the person seeking employment after a certain amount of time (for instance because that person has gained new qualifications).
- Article 5(1)(e) and Recital (39) of the GDPR
Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’). It’s your company/organisation’s responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.
Your company/organisation offers car-sharing services to individuals. For those services it may require the name, address and credit card number of your customers and potentially even information on whether the person has a disability (so health data), but not their racial origin.
- Article 5(1)(c) and Recital (39) of the GDPR
At the time of collecting their data, people must be informed clearly about at least:
- who your company/organisation is (your contact details, and those of your DPO if any);
- why your company/organisation will be using their personal data (purposes);
- the categories of personal data concerned;
- the legal justification for processing their data;
- for how long the data will be kept;
- who else might receive it;
- whether their personal data will be transferred to a recipient outside the EU;
- that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
- their right to lodge a complaint with a Data Protection Authority (DPA);
- their right to withdraw consent at any time;
- where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
See complete list of information to be provided.
The information may be provided in writing, orally at the request of the individual when the identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.
When data is obtained from another company/organisation, your company/organisation should provide the information listed above to the person concerned at the latest within 1 month after your company/organisation obtained the personal data; or, in case your company/organisation communicates with the individual, when the data is first used to communicate with them; or, if a disclosure to another company is envisaged, when the personal data is first disclosed.
Your company/organisation is also required to inform the individual of the categories of data and the source from which it was obtained including if it was obtained from publicly accessible sources. Under specific circumstances listed in Articles 13(4) and 14(5) of the GDPR your company/organisation may be exempted from the obligation to inform the individual. Please check whether that exemption applies to your company/organisation.
- Article 12(1), (5) and (7), Articles 13 and 14 and Recitals (58) to (62) of the GDPR
- Article 29 Working Party guidelines on transparency
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
Under the Data Protection Acts information about the commission or the alleged commission of an offence by a person falls within the definition of sensitive personal data.
Currently, there is no comprehensive statutory basis which underpins the vetting process. The Vetting Bill currently before the Oireachtas will provide that basis when enacted. The Office of the Data Protection Commissioner supports the current procedure for managing requests for vetting in this jurisdiction. The procedure is based on the consent of the person to the release of certain types of information held by An Garda Síochána in respect of that person.
At present the only Garda vetting services on offer concern the vetting of persons in contact with children or vulnerable adults. Vetting also takes place in relation to certain State employees working in sensitive areas. Vetting has also been extended to employees covered by the Private Security Services Act 2004 (bouncers, nightclub security staff, etc.).
DPOs must be appointed in the case of: (a) public authorities, (b) organisations that engage in large scale systematic monitoring, or (c) organisations that engage in large scale processing of sensitive personal data (Art. 37). If your organisation doesn’t fall into one of these categories, then you do not need to appoint a DPO.
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve; however, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
The law applies to:
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
If your company is a small and medium-sized enterprise (‘SME’) that processes personal data as described above you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer (‘DPO’)). Note that ‘core activities’ should include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities.
When the regulation applies
Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrolment form.
When the regulation does not apply
Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
The Data Protection Acts state that personal information held by Data Controllers (an organisation) should be retained for no longer than is necessary for the purpose or purposes for which it was obtained. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. However, the Acts do not stipulate specific retention periods for different types of data, and so organisations must have regard for any statutory obligations imposed on them as a data controller when determining appropriate retention periods.
In relation to HR records, it is our understanding that, in accordance with the Organisation of Working Time Act 1997, employers are required to keep records of holidays, public holidays, special leave, rest breaks, start and finish times of each employee for each day and sick leave for a period of 3 years.
There are also requirements in relation to the retention of financial/tax records, as well as obligations to retain certain categories of information for superannuation/pension purposes.
In relation to the retention of recruitment records for unsuccessful candidates, we would consider a retention period of 12 months to be appropriate.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Organisations can be fined up to 4% of annual global turnover for breaching GDPR, or €20 million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ will not be exempt from GDPR enforcement.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
Using tracking systems in general can give rise to data protection issues if not deployed in a manner that takes account of the legitimate privacy expectations of individuals.
Staff monitoring, including a GPS system, must comply with the transparency requirements of data protection law. Staff must be informed of the existence of the surveillance and also clearly informed of all the purposes for which the personal data will be used.
We expect any organisation deploying vehicle tracking devices to abide by the following rules:
· The data controller must inform drivers of the purpose(s) for which the personal information processed by the tracking device will be used.
· The personal information processed by the tracking device may not be used for a purpose other than the stated purpose(s).
· Data controllers should devise and make available to drivers a policy on the use of tracking devices. This document should also set out the data controller’s policy on the use of company vehicles for private use.
· If a company vehicle is permitted to be driven for personal use outside of working hours, a privacy switch must be fitted and drivers should be trained on its operation.
· New employees should be made aware of the existence of tracking devices on company vehicles and should be trained on the operation of the privacy switch.
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
As part of a due diligence process, it is understood that certain personal data may be transferred. Ideally the possibility of this should be envisaged in the company data protection policy. In so far as possible aggregate data should be provided. Sensitive personal data should never be transferred in advance of a formal legal take-over. Once the take-over is completed the new legal entity will take on the obligations of the data controller and will be responsible for all data.
Personal data may not be retained for longer than is necessary for the purpose for which it’s processed. We’ve helped a number of organisations implement policy enablement and monitoring tools to manage data. Such tools can copy, move, and delete data based on rules and conditions such as content age, owner, or keyword. Leveraging such tools will enable organisations to proactively manage personal data within the necessary parameters.
A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. We strongly suggest implementing technology to monitor and alert on abnormal data access patterns, as well as a Standard Operating Procedure that gives guidance to staff and supervisors who manage IT resources, so that notification is quick and efficient.
Aimed to provide consumers rights over their personal data, GDPR also simplifies the regulatory environment by unifying the regulation for the entire EU. It is consistent across all 28 EU member states, so companies have just one standard to meet within the EU. Unfortunately, though the law is consistent, it’s also quite rigorous and will no doubt require companies to make large investments to become compliant.