Relate: General Data Protection Regulation (GDPR)

August 2017
Volume 44: Issue 8
Relate
ISSN 0790-4290
The journal of developments in social services, policy and legislation in Ireland

Contents (Page No.)
1. General Data Protection Regulation (GDPR)
2. Data controllers and data processors
2. Data protection principles
3. Rights of the data subject
5. Obligations of controllers and processors
7. Oversight
7. General Data Protection Bill 2017
7. Related legislation

INSIDE: Types of data p2, Extra-territorial application p2, Rights of the data subject p3, Right of access p4, Right of erasure p4, Security of personal data p5, Data breach reporting p5, Data protection officers p6, Codes of conduct and certification p6, Transferring data outside the EU p6, Independent supervisory authorities p7, Penalties for non-compliance p7, Data Protection Directive for Police and Criminal Justice Authorities p7, The Passenger Name Record Directive p8

General Data Protection Regulation (GDPR)

The regulation of data is necessary in order to balance the protection of the individual’s privacy rights with the rights of organisations and governments to collect and use data for business and administrative purposes.

The regulation of data in Europe is known as data protection. The current data protection framework in Ireland was established under the Data Protection Acts 1988 to 2003; the October 2016 issue of Relate discussed this legislation in detail. This framework will be replaced in 2018 by a new European-wide framework, called the General Data Protection Regulation (GDPR). The GDPR places an emphasis on transparency, security and accountability by data controllers and processors, while standardising and strengthening the right of European citizens to data privacy.

The GDPR was adopted on 27 April 2016, and following a two-year implementation period, comes into force across the European Union on 25 May 2018. The GDPR is a European regulation, replacing the existing Data Protection Directive 95/46/EC. The GDPR makes many changes to current European data protection law.

The GDPR is a primary piece of legislation but it also provides that individual member states may enact their own legislation to give specific interpretation to the application of some of the provisions of the Regulation. In Ireland, this is contained within the Data Protection Bill 2017.

Organisations involved in data controlling and data processing of personal data will need to be aware of the provisions of the GDPR and must comply with those provisions from the date the GDPR comes into force. The legislation introduces severe financial penalties for non-compliance.

Types of data

Personal data

Under the current legislation, personal data relates to or can identify a living person either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.

A data subject is the individual to which the personal data relates. These definitions will not change under the GDPR.

Organisations that collect or use personal data will continue to be known as data controllers and data processors.

Sensitive data

Under the current Irish legislation, sensitive personal data means personal data relating to any of the following:

• The data subject’s racial or ethnic origin, their political opinions or their religious or philosophical beliefs
• Whether the data subject is a member of a trade union
• The data subject’s physical or mental health or condition or sexual life
• Whether the data subject has committed or allegedly committed any offence
• Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings

Under the GDPR, this type of data will be called ‘special category personal data’. The processing of special category data will be prohibited unless the data subject has given their explicit consent before processing begins or the processing is authorised by law, for example, to protect the interests of a data subject, to comply with employment legislation or for reasons of public interest.

Personal data relating to criminal convictions and offences may only be processed under the control of an official authority.

Extra-territorial application

The GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour. Non-EU organisations processing the personal data of EU citizens will also have to appoint a representative located in the EU.

Data controllers and data processors

Data controllers are defined in the GDPR as persons or organisations that, alone or with others, determine the purpose and means of processing of personal data. Examples of data controllers include medical professionals, banks, government departments, and voluntary organisations. A local hairdresser or supermarket may be a data controller if that business keeps customer details on file, for example, to make appointments or to operate a promotional points system.

Data processors are persons or organisations that process personal data on behalf of a controller. Examples of data processors include payroll companies and market research companies, all of which may hold or process personal information on behalf of a data controller. The GDPR defines data processing as any operation(s) performed on personal data, for example, collecting, storing, distributing or destroying.

Many controllers also process personal data and do not require a separate data processor.

Profiling

Profiling is a specific form of processing described for the first time under the GDPR. Profiling means any form of automated processing of personal data to evaluate certain personal aspects for any person. For example, the processing of data to analyse or predict a person’s performance at work, economic situation, health, personal preferences, interests, behaviour, location or movement. Controllers and processors who carry out profiling will have to inform data subjects about how the profiling mechanism works before processing.

Data protection principles

Controller principles

The principles of data protection will be stricter under the GDPR. Data controllers will be responsible for these principles and must be able to show that they comply with them.

Personal data must be:

• Processed lawfully, fairly and in a transparent manner in relation to the data subject
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
• Accurate and kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

Processing principles

Data processing under the GDPR will be lawful only if it satisfies one of the defined legal bases.

The legal bases for lawful processing are:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which the controller is subject
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. This does not apply to processing by public authorities.

Data subject consent

Where data processing is based on consent, the controller must be able to show that consent was given by the data subject.

If a data subject’s consent is given as part of a written document, the request for consent must be presented clearly and separately from any other matters, using plain language. Any part of such a document that conflicts with the GDPR will not be enforceable.

A data subject will have the right to withdraw their consent at any time. Before giving consent, the data subject must be informed of their right to withdraw their consent and it must be as easy to withdraw consent as to give it.

Under the GDPR, a data subject must be at least 16 years old to give valid consent. If the data subject is younger than 16, the consent of a guardian will need to be given. Individual member states may set the age for consent as low as 13 years but not younger.

Rights of the data subject

As a data subject, you will have more rights under the GDPR regarding how your data is handled and processed.

Collection of data

Under the GDPR, when your personal data is collected either directly or indirectly from you, the controller should provide you with the following information:

• Identity and contact details of the controller or their EU representative
• Contact details for the data protection officer
• Purpose of the processing intended and its legal basis
• If the legal basis is a “legitimate interest” of the controller, what that interest is
• The intended recipients of the data
• Any intention to transfer the data outside the EU and if so, the data safeguards in that country
• The period for which the data will be stored or the basis for determining that period
• Your right to request access, rectification, erasure, restriction of use, objection of use and data portability
• Your right to lodge a complaint to a supervisory authority
• Whether you must provide your data as part of a statutory or contractual requirement and the consequences of not providing the data
• The existence and logic of any automated decision-making or profiling processes

If the controller intends to process your data for a purpose other than the purpose for which it was collected, the controller must provide you with information about this purpose before processing begins.

Right of access

Both the current Irish legislation and the GDPR provide you with a right to see a copy of any personal data held by a controller about you. If you believe a person or organisation is processing personal data about you, you can request that they tell you whether they are processing this data. If your data is being processed you will be able to request a copy of that data to be sent to you. The controller will be able to charge a reasonable administrative fee for this. Under the current legislation, the fee cannot be more than €6.35.

You are entitled to the following information:

• The purposes of the processing
• The categories of data being held
• The identity of any recipients who may see this data
• The period for which it will be stored
• Your right to lodge a complaint with a supervisory authority
• Where the information was not collected from you, information about the source
• The use of any automated decision-making processing and information about that process
• If the data is being transferred to a country outside the EU, the data safeguards in that country

Right of rectification, restriction and erasure

Both the current Irish legislation and the GDPR provide you with the right to request controllers to rectify inaccurate or incomplete personal data they hold about you.

You currently have a right to restrict a controller from processing your personal data where:

• The accuracy of the data is in question
• The processing of the data is unlawful
• The controller no longer needs the data for the purpose but it is required by you for other reasons
• You have challenged the legal basis for the processing

Once the processing has been restricted, the controller must inform you before that restriction is lifted.

Under the GDPR you will have a strengthened right of erasure. You can request a controller to erase your data and a controller will have an obligation to erase your data if one of the following applies:

• The data is no longer necessary for the purpose it was collected
• You have withdrawn your consent to the processing of your data
• You object to the processing of your data
• There is no lawful basis for the processing
• The data must be erased to comply with law
• The data was collected in relation to the offer of online services

The right of erasure will also include the right to have publicly available personal data erased or, as far as technologically possible, removed from public availability.

The GDPR will also give legislative effect to the recently established ‘right to be forgotten’ procedure. Right to be forgotten is a right to have search engine results that relate to you or to a certain incident concerning you removed from internet search listings once that information is no longer relevant. For example, if an online search for your name turned up a link to a photograph of you that you believe is no longer relevant for the purpose for which it was collected, you can request that the search engine remove that link from their search results. The right to be forgotten is not an absolute right and requests under the procedure are assessed on a case-by-case basis.

The right of erasure will not apply where processing is necessary because of an overriding freedom of expression, legal or public interest.

Right to data portability

The GDPR will introduce the right to data portability. This means you can request and receive personal data that you have previously provided to a controller in a commonly used and machine-readable format. The right also means you can request one controller to transfer your personal data to another controller.

Right to object and automated decision making

The right to object means you have the right to object to the processing of your data at any time, for example to prevent your data being used for marketing purposes, including profiling. The controller must stop processing your data unless the controller can show there are legitimate grounds or legal reasons for such processing that override your interests.

Your right to not be affected by a decision based on automated processing will also be strengthened under the GDPR. Where a decision is to be made about you that will have significant legal effects, you will have the right to avoid any automated decision-making processing, for example, the decision being made by a bank’s loan approval software. A controller must provide human intervention in the decision-making process if you request it.

Privacy notices

Data controllers must have appropriate measures to comply with your rights and must provide information to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

If a controller does not comply with a request from you, the controller must give you reasons for this and should inform you of your right to make a complaint to the supervisory authority. These rights will not apply where the data can no longer identify you.

Obligations of controllers and processors

Data privacy by design

The GDPR will introduce the concept of privacy by design. This will mean the inclusion of data protection measures from the outset of designing a processing system. The controller must implement appropriate technical and organisational measures in order to meet the requirements of the Regulation and protect the rights of data subjects.

For example, controllers should design their processes so that they collect only the data absolutely necessary for their purposes, and access to personal data should be limited to only those necessary for processing. Controllers may also temporarily anonymise personal data. Controllers will be able to apply for certification from a supervisory authority, which will demonstrate that their processes are designed to comply with the Regulation.

Relationship between controller and processor

Where processing is to be carried out by a processor and not the controller, the controller must use only those processors who guarantee that their systems of processing meet the requirements of the Regulation.

The controller must have a contract with the processor setting out the scope of the processing required by the controller and the processor’s obligations under the Regulation. A processor cannot outsource this processing to another processor without the controller’s consent and a similar contract agreed with that second processor.

Processors should follow any relevant code of conduct that may be prepared by a supervisory authority. Processors may also receive certification demonstrating their compliance with the Regulation.

Processing record

Under the GDPR, any controller with more than 250 employees or who processes sensitive information will have to keep a record of the processing activities under their responsibility.

That record will consist of:

• The name and contact details of the controller
• The purposes of the processing
• A description of the categories of data subjects and personal data
• Categories of recipients of the data
• Any transfers of data to third countries and that country’s data safeguards
• Time limits for erasure of data
• A description of the data security measures in place

Processors will have to keep similar records. These records can be inspected by the supervisory authority on request.

Security of personal data

Controllers and processors have an obligation to keep personal data secure. Under the GDPR, controllers and processors will have to consider implementing modern security measures appropriate for the risks involved in their activities. For example, risks may come from accidental or unlawful destruction of stored data or unauthorised disclosure, access or alteration.

The security measures may include anonymisation or encryption of data and restoring or backing up stored data. Controllers and processors will need to review and evaluate their security measures to comply with any code of conduct that may be published in the future.

Data breach reporting

Under the GDPR, a controller must notify the supervisory authority of a personal data breach without delay where that breach is likely to result in a risk to the rights and freedoms of the data subject. Notification should be made within 72 hours of the controller becoming aware of the breach. Data processors will be required to notify the respective controllers if the processor becomes aware of a breach. The controller should also notify the data subject without delay.

Data protection impact assessment

Under the GDPR, when a controller intends to carry out high-risk processing they will have to first carry out a data protection impact assessment. The supervisory authority will prescribe a list of the kind of processing operations that may be high risk. These processes may include processing using new technology, profiling and automated decision-making processing, processing large amounts of sensitive personal data or systematically monitoring a publicly accessible area.

The data protection impact assessment should include:

• A description of the processing and the purpose
• An assessment of the necessity of the processing
• An assessment of the risks to the rights and freedoms of the data subjects
• The measures to be used to address the risks

The controller may consult with the supervisory authority, who may provide advice to the controller.

The controller should carry out a review after the processing has begun to ensure it is being performed in line with the data impact assessment that was carried out.

The controller should also seek the advice of their data protection officer.

Data protection officers

Under the GDPR, data protection officers must be appointed by controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale or of special categories of personal data or data relating to criminal convictions and offences.

Data protection officers (DPOs):

• Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
• May be a staff member or an external service provider
• Must provide contact details to the relevant supervisory authority
• Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
• Must report directly to the highest level of management in their organisation
• Must not carry out any other tasks that could result in a conflict of interest

DPOs must be involved in all issues of data protection and must be given the resources to carry out their tasks. You will be able to contact the DPO of an organisation about any issues relating to your personal data held by that organisation.

The tasks of the DPO will be to:

• Inform and advise their organisation about its data protection obligations
• Monitor their organisation’s compliance with the GDPR and any national data protection legislation
• Advise on data protection impact assessments and monitor performance
• Liaise with the supervisory authority

Codes of conduct and certification

Associations and other bodies representing controllers and processors may prepare codes of practice that will specify how the GDPR should be specifically applied. These bodies must submit their draft codes of conduct to the relevant supervisory authority for approval.

In order to enhance transparency and compliance with this Regulation, the GDPR will introduce certification mechanisms and data protection marks, allowing data subjects to quickly assess the level of data protection of relevant products and services. A list of certified organisations will be publicly available.

Codes of conduct and approved certification mechanisms will also assist controllers in identifying the risks related to their type of processing and in adhering to best practice.

For processors seeking to process information on behalf of controllers, the adherence of a processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Transferring data outside the EU

Any transfer of personal data outside the EU or to an international organisation will be strictly regulated under the GDPR. The Regulation will also apply to any onward transfer of personal data from one non-EU member state to another.

Such a transfer of personal data may only take place where the European Commission has decided that the non-EU member state or business sector within that country has an adequate level of data protection in place. In deciding if there is adequate protection, the Commission will look at that country’s laws, respect for human rights, the existence of any data protection authority and the international commitments that country has made relating to personal data. After deciding if a country or sector has adequate data protection, the Commission will continue to monitor that country in terms of its data protection practices.

The Commission will publish a list of all such approved countries, sectors and international organisations. If a controller or processor wants to transfer data to an unapproved country, sector or international organisation, that controller or processor must provide the appropriate safeguards and ensure that any data subjects will still be able to exercise their rights.

Oversight

Independent supervisory authorities

Under the current Irish legislation, the Data Protection Commissioner is responsible for supervising data protection in Ireland. Under the GDPR, each member state will have one or more independent public authorities responsible for monitoring the application of the Regulation. In Ireland, under the Data Protection Bill 2017, the Data Protection Commissioner will be replaced with a Data Protection Commission.

Each supervisory authority will:

• Monitor and enforce the application of the GDPR
• Promote public awareness of the rules and rights around data processing
• Advise the government on data protection issues
• Promote awareness among controllers and processors of their obligations
• Provide information to individuals about their data protection rights
• Maintain a list of processing operations requiring data protection impact assessment

Each authority will have the power to order any controller or processor to provide information that the authority requires to assess compliance with the Regulation. The authority may carry out investigations of controllers and processors in the form of data audits, including accessing the premises of a controller or processor. The authority can order a controller or processor to change their processes or to comply with data subject requests. The authority can also issue warnings to controllers and processors and can ban processing as well as commence legal proceedings against a controller or processor.

European Data Protection Board

The GDPR will introduce a new European data protection supervisory authority. The European Data Protection Board will be responsible for ensuring the GDPR is applied consistently across Europe. The Board will issue guidelines and recommendations on the application of the Regulation. The Board will also advise the EU Commission on the application of the Regulation and any updates that may be required. The Board will be made up of the head of one supervisory authority of each member state and a European Data Protection supervisor.

Penalties

Under the GDPR, organisations in breach of the Regulations can be fined up to 2% of their annual global turnover or €10 million, whichever is greater, for lesser breaches, for example, not having their records in order, not notifying the supervisory authority and data subject about a breach or not conducting an impact assessment. For the most serious infringements, for example, not having sufficient customer consent to process data or violating the core of privacy by design concepts, organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater.

Penalties will apply to both controllers and processors.

Member states may introduce further fines legislation, which will be enforceable within that state only.

General Data Protection Bill 2017

The Department of Justice and Equality is currently preparing the Data Protection Bill 2017. The Bill will transpose the Regulation into national law and will replace the Data Protection Commissioner with a Data Protection Commission with the possibility of up to three Commissioners depending on future workload.

The Bill will also give further effect to the Regulation, for example, it will provide for the imposition of fines on public authorities for breaches of data protection law where such authorities are acting in competition with private operators.

Related legislation

Data Protection Directive for Police and Criminal Justice Authorities

The Data Protection Directive for Police and Criminal Justice Authorities has applied since 5 May 2016. As this legislation is a Directive and not a Regulation, EU member states must introduce national legislation to ensure compliance with the Directive before 6 May 2018.

The Directive specifically regulates the processing of data by police and criminal justice authorities in the EU.

The Directive requires that the data collected by law enforcement authorities is:

• Processed lawfully and fairly
• Collected for specified, explicit and legitimate purposes and processed only in line with these purposes
• Adequate, relevant and not excessive in relation to the purpose for which they are processed
• Accurate and updated where necessary
• Kept in a form that allows identification of the individual for no longer than is necessary for the purpose of the processing
• Appropriately secured, including protection against unauthorised or unlawful processing

EU member states must establish time limits for erasing the personal data or for a regular review of the need to store such data.

The Directive requires that the law enforcement authorities make a clear distinction between the data of different categories of persons including:

• Those for whom there are serious grounds to believe they have committed or are about to commit a criminal offence
• Those who have been convicted of a criminal offence
• Victims of criminal offences or persons whom it is reasonably believed could be victims of criminal offences
• Those who are parties to a criminal offence, including potential witnesses

National authorities must implement measures to ensure a level of security for personal data, for example, preventing unauthorised persons from accessing processing equipment; preventing the unauthorised reading, copying, changing or removal of data; and preventing the unauthorised input, viewing, changing or deleting of stored personal data.

The Passenger Name Record Directive

The Passenger Name Record Directive (PNRD) has applied since 21 April 2016. EU member states must introduce national legislation to ensure compliance with the PNRD before 24 May 2018.

The PNRD regulates the use of passenger name records (PNR) data in the EU for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes.

PNR data includes:

• Travel dates
• Travel itinerary
• Ticket information
• Contact details
• Means of payment used
• Baggage information

Each EU member state must establish a Passenger Information Unit (PIU). A PIU is responsible for collecting, storing and processing PNR data, as well as transferring that data or the results of its processing to the competent national authorities. A PIU may exchange PNR data and the results of its processing with other EU member states and Europol.

Airlines must provide PIUs in EU member states with the PNR data for flights entering or departing from the EU. The Directive also allows, but does not require, EU member states to collect PNR data concerning selected internal EU flights.

Data provided by airlines will be stored in a database by a PIU for five years. After six months’ storage, the PNR data must be de-personalised. The data collected may only be processed to prevent, detect, investigate and prosecute terrorist offences and serious crime.

Data should only be processed in the following cases:

• For a pre-arrival assessment of passengers against pre-determined risk criteria and relevant law enforcement databases
• For use in specific investigations or prosecutions
• As input in the development of risk assessment criteria

The information in Relate is intended as a general guide only and is not a legal interpretation.

The Citizens Information Board provides independent information, advice and advocacy on public and social services through citizensinformation.ie, the Citizens Information Phone Service and the network of Citizens Information Services. It is responsible for the Money Advice and Budgeting Service and provides advocacy services for people with disabilities.

Head Office
Ground Floor, George’s Quay House
43 Townsend Street
Dublin 2
D02 VK65
t 0761 07 9000
f 01 605 9099
e [email protected]
w citizensinformationboard.ie