Data Protection Law Notes PDF

Summary

These notes cover the main aspects of data protection law, focusing on the sources of EU law and the seven key data protection principles, with worked examples and Irish Data Protection Commission (DPC) case studies. The document is suitable for a university-level course on data protection.

Full Transcript

Topic 1: EU Law

**[Primary EU Law]**: The supreme source of law in the European Union. It comes mainly from the treaties, e.g. the Treaties of Rome and the Treaty of Amsterdam.

**[Secondary EU Law]**: The body of law derived from the principles and objectives of the treaties: EU Regulations, EU Directives and EU Decisions.

**[EU Regulation]**
- An EU Regulation is legally binding.
- It is directly applicable / directly effective: its contents apply automatically and uniformly across all EU27 Member States as soon as the Regulation enters into force.
- There is no need for an EU Regulation to be transposed into domestic law by the national parliament.

**[EU Directive]**
- An EU Directive is legally binding.
- It sets out objectives that all 27 EU Member States must achieve.
- However, each Member State decides how it will achieve those objectives through national law, e.g. an Act or a Statutory Instrument.
- Member States must transpose the provisions of the Directive into national law by a set deadline. Ireland was fined 2.5 million over a delay in transposition, following proceedings brought by the European Commission.

**[EU Decision]**
- A "decision" is a legally binding act that may be of general application or may have a specific addressee.
- The European Commission frequently issues decisions in the field of Competition Law.

Topic 2: 7 Key Data Protection Principles

1. **[Lawfulness, Fairness & Transparency]**

Processing must rest on a lawful basis, for example:

1. It is based on the consent of the data subject
   - The consent must be freely given and be a specific, informed and unambiguous indication of the data subject's wishes.
   - An opt-in by the data subject is necessary; this is an affirmative act.
2. It is necessary for the performance of a contract
   - Processing of employee data by an employer for payroll purposes.
   - Processing of a (new) tenant's data when he/she is entering into a residential lease agreement.
3. It is required for compliance with a legal obligation
   - For example, the Garda National Immigration Bureau (GNIB) requires Irish universities to process international students' lecture attendance to ensure that they are compliant with the terms of their student visas.

2. **[Purpose Limitation]**
- Data may only be kept for one or more specified, explicit and lawful purposes.
- The data cannot be processed in a manner that is incompatible with those purposes.

Example: Case Study No. 22/2021
- The case concerned a statutory body regulating professional conduct and competence.
- It inadvertently sent an e-mail concerning a complaint against a specialist to an incorrect address; the complaint was an attachment to the e-mail.
- The attachment contained personal data of several persons, including health data, and was encrypted.
- However, the password for the encrypted attachment was issued in a separate e-mail to the same incorrect address.
- Encrypting the attachment therefore gave no protection: the password travelled over the same channel to the same recipient, so whoever held the first e-mail also held the means to open it.
- The DPC determined that this was a breach of the data controller's disclosure obligations.

3. **[Data Minimisation]**
- The data controller must ensure that the data is sufficient for the purpose required and is not more than is needed.
- The data must be limited to what is necessary in relation to the purposes for which it is processed.
- This principle also requires the data controller to establish an appropriate time limit for the erasure of data.

Example: Case Study No. 17/2022
- Vodafone was requesting customers to provide their employment details and a work phone number in order to obtain Vodafone services.
- Vodafone was investigated by the DPC.
- Following the investigation, the DPC required Vodafone to remediate the problem immediately and to publish on its website details of what had occurred, so that customers would be aware of the

4. **[Accuracy]**
- This principle is contained in Article 5(1)(d), GDPR.
- It requires that a data controller takes reasonable steps to ensure the accuracy of the data, as well as its currency.
- Accuracy and currency can be achieved by ensuring that the data is obtained from a legitimate source and by undertaking a systematic review of the data on a regular basis.
- In addition, where data is inaccurate, the data controller must ensure that it is erased or rectified without delay.

Example: Case Study No. 12/2016
- The complainant had historically provided PTSB with an address.
- This address was supplied to the bank when the complainant and her (now) ex-husband applied for a joint mortgage.
- After the marriage broke down, PTSB continued to use the old address for the complainant's new sole mortgage.
- PTSB was therefore sending (hard copy) correspondence to the wrong address.
- This was deemed to be in breach of PTSB's obligation to ensure that the customer's personal data was accurate and up to date.

5. **[Storage Limitation]**
- This principle requires that a data controller has a data retention policy.
- Under the terms of the policy, there should be a stated period for the retention of data.
- There should be a related policy obligation to review the period of retention and determine whether such retention is still necessary in the circumstances.
- Where it is no longer appropriate to retain data, or where the data becomes obsolete, the data controller should ensure that the data is securely deleted.

Example: Case Study 3 (2020)
- The complainants had previously requested that an Irish state agency erase a file pertaining to an incident at school involving their young child, which had originally been notified to the agency.
- While the agency decided that the incident did not warrant further investigation, it had refused to erase the minor's personal data, indicating that such files are retained until the minor in question reaches the age of 25.
- The DPC requested that the state agency outline its lawful basis for the retention of the minor's personal data.
- The state agency did this, but the DPC did not consider a blanket retention period applicable in the particular circumstances.
- Ultimately, the state agency confirmed to the complainants that the file containing their child's personal data would be deleted.

6. **[Integrity and Confidentiality]**
- This principle is contained in Article 5(1)(f), GDPR.
- It requires that all data be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- To comply with this principle, data controllers must employ appropriate technical and/or organisational measures.
- Under Article 32(1), GDPR, these 'appropriate technical and/or organisational measures' may include the pseudonymisation and encryption of personal data.
- 'Pseudonymisation' means replacing any information which could be used to identify an individual with a pseudonym (a value which does not allow the individual to be directly identified). Example: recording a Student Number in place of the Student Name. This only counts as pseudonymisation if the register linking numbers to names is kept separately and under access control; a student number held alongside that register remains a direct identifier.

7. **[Accountability]**
- Data controllers are responsible for, and must be able to demonstrate, compliance with the other principles of data protection.
- Controllers need to comply with the principles, and also need appropriate processes and records in place to demonstrate compliance.
- Evidence of compliance with the other data protection principles would include:
  - Implementing appropriate technical and organisational measures
  - Adopting internal policies

Topic 3: Data Breaches

**[What is a data breach?]**
- A data breach is a security incident that negatively impacts the confidentiality, integrity or availability of personal data.
- Personal data breaches can include:
  - access by an unauthorised third party (e.g. cybercriminals)
  - deliberate or accidental action by a controller or processor

**[Controllers' notification obligations in cases of data breaches]**
- A controller is obliged to notify the DPC of any personal data breach unless it can demonstrate that the breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'.
- The default is therefore notification; a decision not to notify must be justified by the controller's own risk assessment.
- Under Article 33, GDPR, notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach.
- Even if a controller decides not to notify the DPC, it must still record at least the following basic details of the breach:
  - the assessment of the data breach
  - the effects of the data breach
  - the steps taken to remedy the data breach

Topic 4: Data Protection Law

**[Personal Data]**: Data relating to a person who is or can be identified, either from the data itself or in conjunction with other information. It covers any information that relates to an identified or identifiable living individual, whether held on computers or in manual files. Examples: your name, your date of birth, your PPSN.

**[Data Controller]**
- A data controller is a natural or legal person, public authority or agency that determines the purposes and means of the processing of personal data.
- In other words, the data controller decides the how and why of a data processing operation.
- Examples of data controllers: social media hosts (e.g. Meta), online marketplaces (e.g. Amazon), government bodies or agencies (e.g. HSE).

**[Data Processor]**
- A data processor is a natural or legal person, public authority or agency which processes personal data on behalf of the data controller.
- Example of a data processor: a financial institution that processes an employer's payroll data for the purpose of paying employees' salaries, e.g. Mazars HR & Payroll Services.

**[Processing]**: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation
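The pseudonymisation measure named under principle 6 (Article 32(1), GDPR) is easy to get wrong: a plain hash of a student number is not a pseudonym, because the number space is small enough to enumerate. The following is an added example, not part of the lecture notes or of any DPC material; the attendance register, the student numbers and names, the key and the field names are all constructed for illustration. It shows keyed pseudonymisation (HMAC-SHA256) of an attendance register of the kind the GNIB example describes, with the re-identification table held apart from the dataset that is shared, and the brute-force recovery that defeats the unkeyed variant.

```python
"""Keyed pseudonymisation of an attendance register.

Added example, not part of the lecture notes. The register, the key and the
field names are constructed. The HMAC key plays the role of the 'additional
information' that must be kept separately from the pseudonymised data for the
data to count as pseudonymised at all.
"""
import hashlib
import hmac
import secrets

# Constructed register: (student number, name, attended lecture). Not real people.
# The repeated first student shows that one person must always get one pseudonym.
ATTENDANCE = [
    ("21000345", "Aoife Byrne", True),
    ("21001920", "Tomasz Nowak", False),
    ("21000345", "Aoife Byrne", True),
]


def pseudonymise(student_number, key):
    """Keyed pseudonym for a direct identifier.

    HMAC-SHA256 under a secret key: the same identifier always yields the same
    pseudonym (records stay linkable for the processing purpose), but without
    the key the pseudonym can be neither reversed nor recomputed.
    """
    tag = hmac.new(key, student_number.encode(), hashlib.sha256).digest()
    return "PSN-" + tag[:8].hex()  # 64 bits is ample for a roster-sized dataset


def pseudonymise_register(register, key):
    """Split the register into what is shared and what is held back.

    Returns (dataset, lookup): the dataset carries only the pseudonym and the
    attribute actually needed for the purpose (attendance); the lookup table
    that re-links pseudonyms to names stays with the controller, separately
    and under access control, and never travels with the dataset.
    """
    dataset, lookup = [], {}
    for number, name, attended in register:
        psn = pseudonymise(number, key)
        dataset.append({"pseudonym": psn, "attended": attended})
        lookup[psn] = (number, name)
    return dataset, lookup


def reidentify(pseudonym, lookup):
    """Controller-side re-identification; impossible without the lookup table."""
    return lookup.get(pseudonym)


def unkeyed_hash(student_number):
    """The common mistake: a plain hash of the identifier, no secret involved."""
    return hashlib.sha256(student_number.encode()).hexdigest()


def brute_force_unkeyed(target_hex, prefix="21", width=8):
    """Recover a student number from its unkeyed SHA-256 by enumerating the
    identifier space. With a fixed two-digit intake-year prefix, an 8-digit
    number leaves only 10**6 candidates, which is seconds of work."""
    digits = width - len(prefix)
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, stored apart from the dataset
    dataset, lookup = pseudonymise_register(ATTENDANCE, key)
    for row in dataset:
        print(row)  # pseudonym + attendance only; no name, no student number
    print("re-identified by controller:", reidentify(dataset[0]["pseudonym"], lookup))
    # Unkeyed hashing is not pseudonymisation: the identifier space is small
    # enough to enumerate, so anyone holding the 'pseudonym' can reverse it.
    print("recovered from plain hash:", brute_force_unkeyed(unkeyed_hash("21000345")))
```

The secret key is what separates the shared dataset from the names, so it has to be stored and transmitted apart from the dataset, just as the password in Case Study No. 22/2021 should have travelled by a different route from the encrypted attachment. An attacker who obtains the dataset alone must guess a 256-bit key rather than a six-digit student number.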
