paul@paulfoleylaw.ie
22 Northumberland Road, Dublin D04 ED73, Ireland, EU
INTRO
INSIGHTS

GDPR: what companies need to do to comply

By
Paul Foley
May 2023 marked the fifth anniversary of the GDPR coming into force in the EU. As fines imposed for breach of the GDPR increase substantially across the EU, this Article takes you through what you need to do as a business to comply with the GDPR.

Compliance with the general data protection regulation (GDPR) (Regulation (EU) 2016/679), requires a controller at a minimum to:

  1. carry out a data protection impact assessment (DPIA) under Article 35 GDPR or where Article 35 does not apply, to identify what personal data it holds using at a minimum Article 30 GDPR as a checklist.

  2. adopt an internal facing data protection policy (Policy), with regard to the handling of personal data of the controller, customers, suppliers, employees, workers and other third parties. Additionally the requirements of the Policy must be integrated into the controller’s practices and procedures. Employees and contractors as relevant, must undertake to comply with the requirements of the Policy;

  3. adopt an external facing privacy notice (Privacy Notice). This Privacy Notice must set out:
    • who is the Controller, its address and provide contact details for it;
    • the personal data that is collected about data subjects;
    • how the personal data is collected;
    • how the personal data is used;
    • the disclosures made of the personal data;
    • the international transfers made of the personal data;
    • how personal data is secured;
    • how long personal data is held for;
    • the data subjects' legal rights as regards personal data;

  4. ensure that where processing is to be carried out on behalf of a controller by a processor, the controller uses only processors who can and will meet the requirements of the GDPR. In essence the controller must have a signed data processing agreement in place with the processor which includes complying with Article 28 GDPR. Typically the need for a data processing agreement arises where personal data is held in the cloud with a cloud services provider;

  5. keep records of the processing activities as required by Article 30 GDPR. This Article is very prescriptive and the Policy and Privacy Notice referred to above must align with them.

  6. ensure as regards data subjects' consent in the context of (i) Article 7 GDPR (conditions for consent), Article 8 GDPR (Conditions applicable to child's consent in relation to information society services) and Article 9 GDPR (Processing of special categories of personal data) that their respective requirements are strictly adhered to and documented. Additionally Article 10 GDPR (Processing of personal data relating to criminal convictions and offences) must be complied with.

What Paul Foley Law provides


We provide clients with legal advice and the documentation necessary to comply with the GDPR including a GDPR checklist, a template for a GDPR Data Protection Impact Assessment, a GDPR Data Protection Policy, a GDPR Privacy Notice, and:
  1. a GDPR-compliant agreement between processor and a controller

  2. an agreement between the controller and DPO (where outsourced) or Representative, a Data Hosting Agreement, any necessary Consents (Articles 7 to 9 GDPR), Cookies Policy (where relevant), and any relevant procedures and Guidance Notes to enable a client bring itself into compliance with the GDPR.
Additionally we provide legal advice on:
  1. anonymisation, pseudonymisation and encryption for personal data under the GDPR and

  2. the requirements applicable to direct marketing under the GDPR and under regulation 13 of the ePrivacy Regulations (SI 336/2011).  
Contact paul@paulfoleylaw.ie for a fees quotation.

Components of the Data Protection Policy

Below are set out, some of the provisions of the GDPR which are required to be dealt with in the Policy.

The GDPR at Article 5(2), requires a controller to (i) comply with the six data protection Principles when processing personal data and also (ii) demonstrate compliance with all six of the Principles set out in Article 5(1) GDPR.

Article 6 GDPR provides that processing shall be lawful only if and to the extent that at least one of the following applies (two only are reproduced here):

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Article 6 GDPR requires detailed review.

Data Protection Impact Assessments

The GDPR (Article 35) mandates a data protection impact assessment (DPIA) where the processing, is likely to result in a high risk to the rights and freedoms of natural persons in using new technologies (amongst other activities referred to in the recitals and as also specified by the DPC (under Article 35(4) GDPR)).

In particular a DPIA is required in the case of:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling;

  2. processing on a large scale of special categories of data referred to in Article 9(1) GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 GDPR; or

  3. a systematic monitoring of a publicly accessible area on a large scale; and

  4. additionally, where specified under Article 35(4) GDPR by the Data Protection Commission. See details https://www.dataprotection.ie/en/dpc-guidance/guide-data-protection-impact-assessments

The controller must seek the advice of the data protection officer, where designated, when carrying out a DPIA. The contents of the DPIA are primarily regulated by Article 35(7) GDPR.

Data Protection Officer (DPO)

The role of DPO is primarily regulated by articles 37 to 39 inclusive GDPR.

A controller or processor must designate a DPO in three specific cases:

  1. where the processing is carried out by a public authority or body; or

  2. where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or

  3. where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (Article 9 GDPR) or personal data relating to criminal convictions and offences (Article 10 GDPR). Note, the appointment of a DPO is also mandatory for competent authorities under Article 32 of Directive (EU) 2016/680.
Examples of large-scale processing include:
  1. processing of patient data in the regular course of business by a hospital; or

  2. processing of customer data in the regular course of business by an insurance company or a bank; or

  3. processing of personal data for behavioural advertising by a search engine; or

  4. processing of data (content, traffic, location) by telephone or internet service providers.

The GDPR at Article 38 requires, the controller and processor, amongst other things, to ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor must support the data protection officer in performing the tasks referred to in Article 39.

It is possible to procure the services of a DPO from an outside consultant. It is also possible to designate a single DPO for several organisations.

Article 37(5) provides that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 (tasks of the data protection officer)'.

Representatives of Controllers or processors not established in the Union

Where Article 3(2) GDPR applies (controller or processor not established in the Union), Article 27 GDPR requires the controller or the processor to designate in writing a representative in the Union.

The representative must be:

  • established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored;

  • mandated by the controller or processor, to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this regulation.

The designation of a representative by the controller or processor must be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Reporting a personal data breach

The GDPR at Article 33 requires in the case of a personal data breach, the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.

The processor (where relevant) must notify the controller without undue delay after becoming aware of a personal data breach.

The notification to the supervisory authority must amongst other things describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Communication of a personal data breach to the data subject

The GDPR at Article 34 requires the controller, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, to communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall not be required if any of the following conditions are met:

  1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

  2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

  3. it would involve disproportionate effort. In such a case, there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Fines

Fines for breaches of data protection laws have been steadily increasing across the EU.

See the May 2023 EDPB Guidance on Administrative Fines under the GDPR HERE >


Copyright © Paul Foley June 2023 - All Rights Reserved.

Owner, Paul Foley Law

For legal advice on and compliance with GDPR, please use the Contact page or Email: paul@paulfoleylaw.ie

Full copyright policy HERE >
map-markerenvelopetagarrow-left linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram