
A Guide to the

General Data Protection Regulation

GDPR
2019

A Guide by Mason Hayes & Curran

Dublin London New York San Francisco


Table of Contents

1. What is the GDPR? 2
2. Executive Summary 3
3. Does the GDPR Apply to Me? 5
   Territorial scope 5
   Material scope 7
4. Have I Taken the Right Steps in Becoming GDPR Compliant? 9
5. How has the GDPR Altered Previous Data Protection Law? 10
   Definitions of personal and sensitive data 10
   Data protection principles 13
   Valid consent 14
   Children’s data 16
   Additional rights for data subjects 16
   Privacy notices 21
   Data protection by design and default 22
   Data protection officers 24
   Security 25
   Enforcement, remedies and liability 27
   Codes of conduct and certification 31
6. What Does the GDPR Mean For ... ? 33
   Contracting 33
   Compliance and risk management 36
   Human resource managers 38
   Technology-driven businesses 40
   Disputes/Litigation 41
   Public sector bodies 42
7. Our Experts 44

The contents of this publication are to assist access to information and do not constitute legal or other advice.
Readers should obtain their own legal and other advice as may be required.
© Copyright 2019 Mason Hayes & Curran

GENERAL DATA PROTECTION REGULATION • Page 1


1. What is the GDPR?

The EU General Data Protection Regulation (EU) 2016/679 (‘GDPR’), which came into
force on 25 May 2018, marks a significant change in the EU data protection regime. The
GDPR has repealed and replaced the previous Data Protection Directive, Directive 95/46/
EC (the ‘Directive’), which formed the basis for the previous data protection regime.

The GDPR was first published as a draft proposal in January 2012 and, after a long legislative process, was
adopted on 27 April 2016. Since coming into force on 25 May 2018, many of the GDPR’s significant changes
have taken effect. However, some of its more innovative provisions are taking more time since they require
additional codes and guidance to be developed and approved.

As a Regulation, and unlike the preceding Directive, the GDPR was immediately enforceable in Ireland (and the
other EU Member States) without the need for domestic implementing legislation. This has reduced the level
of national variation in relation to data protection law across the EU. The GDPR also recognised the so-called
‘one-stop-shop’ which enables organisations with pan-European operations to benefit from primary regulation
by a single national supervisory authority in just one EU state. This increased level of harmonisation of laws across
the EU and introduction of the one-stop-shop has made it easier for businesses that sell goods or services across
the EU to take a more unified approach to data protection compliance. However, complete EU-wide uniformity
has not occurred as the GDPR left discretion to Member States in a number of areas. Additionally, running to over
88 pages, the GDPR is not without complexity, leading to the consequent issue of variable national interpretations.

The GDPR has built upon familiar concepts and rules established previously in the Directive, which is welcome.
In many respects it has extended considerably further than the Directive. It has wider scope, raises standards,
and introduces higher sanctions: up to the greater of 4% of annual revenue or €20 million.

In particular, the introduction of the ‘accountability principle’ means that affected organisations are now
working on their internal compliance, including record-keeping and, for some, the appointment of a data
protection officer.

The GDPR has expanded the territorial scope of EU data protection law, and applies both to organisations
established in the EU and to non-EU established organisations that target or monitor EU residents. A greater
number of organisations are therefore captured by EU data protection law. New requirements relating to consent,
breach notification, transparency, accountability and the appointment of data protection officers have been
introduced, meaning all impacted organisations have needed to revise their policies and operational procedures.
Changes are especially important due to significant penalties and fines for non-compliance.

Sanctions increase: up to 4% of annual revenue or €20 million

The changes brought about by the GDPR, particularly the increased compliance burden and higher sanctions,
emphasise the need for organisations to continually review and enhance their existing practices, policies and
record-keeping, especially as organisations must be able to demonstrate compliance when called upon to do so.

Finally, for businesses and organisations in Ireland, it is important to note that the GDPR needs to be read in light
of the Data Protection Act 2018, which was signed into law on 24 May 2018. This is quite an extensive piece
of primary legislation which supplements many parts of the GDPR while also describing in detail the powers and
functions of the Data Protection Commission.



2. Executive Summary

Does the GDPR Apply to Me?

Section 3 investigates the scope of application of the GDPR. Some controllers and processors who fell outside
the Directive are now subject to the GDPR.

• Territorial Scope: The GDPR applies if an entity is established in the EU, and is engaged in the processing
of personal data in the context of that establishment’s activity, even if the processing itself takes place outside
the EU. The GDPR also applies to entities without an establishment in the EU if they process personal data
of EU data subjects and the processing relates to (i) goods or services offered to EU data subjects; or (ii) the
monitoring of behaviour in the EU.

• Material Scope: The GDPR applies to the electronic or automated processing of personal data and to manual
paper-based processing if the personal data forms part of, or is intended to form part of, a filing system.

Have I Taken the Right Steps in Becoming GDPR-Compliant?

In Section 4 we provide a roadmap to 5 key steps that organisations should implement in order to ensure their
ongoing compliance with the GDPR: Gap and Compliance Analysis; Contracting and Policies; Record-Keeping
and Privacy Governance; Security; and ‘Privacy Impact Assessment’ and ‘Privacy by Design’.

How Has the GDPR Altered Previous Data Protection Law?

In Section 5 we identify the most significant changes introduced by the GDPR to European data protection law:

• The GDPR has refined the definitions of personal data and sensitive data. Personal data now extends to
online identifiers such as IP addresses and cookies. The definition of sensitive personal data is expanded to
include genetic and biometric data.

• The GDPR contains a tougher ‘data minimisation’ principle than the Directive. It also introduces a new
‘accountability’ principle.

• The GDPR has tightened the rules on how consent is obtained. Consent must be freely given, specific,
informed and provided via an unambiguous indication of the data subject’s wishes. The requirement that some
type of affirmative action is required for valid consent is a significant change. The onus of proving that proper
consent was obtained lies with the data controller. Consent may not be rolled in with other contractual
terms, and the data subject retains the right to withdraw their consent at any time.

• The GDPR has introduced novel rules for the processing of children’s data, governing online consents, privacy
notices and the justification of processing by reference to the legitimate interests of the controller or third party,
if the data subject is a child.

• The GDPR has established new rights for data subjects and corresponding duties for controllers and processors.
The rights of rectification and erasure have been strengthened, while data subjects have gained a right to
restriction of processing. A right of data portability gives data subjects the right to receive personal data and
to transmit that data to another controller. Controllers have new obligations to notify third party recipients of
information of requests for rectification, restriction or erasure.

• The GDPR has established new requirements for the contents of privacy notices.

• ‘Privacy by Design’ and ‘Privacy by Default’ are important new concepts under the GDPR. Privacy
by Design requires organisations to consider privacy measures during product design processes, while
Privacy by Default requires controllers to ensure that, by default, only necessary data is processed.

• The GDPR contains new security requirements, such as new rules on data breaches.


• The GDPR mandates the appointment of a Data Protection Officer in certain instances which will
introduce new compliance costs for organisations.

• The GDPR has implemented a new regime for enforcement, remedies and liability. Under the ‘one-
stop-shop,’ the lead regulator for controllers and processors engaged in cross-border processing is the
supervisory authority in the Member State where they have their main establishment. However, complaints
can be made to any supervisory authority, and in some cases, another supervisory authority may carry out
an investigation. The GDPR establishes new rules on compensation for infringement, which extend to both
material and non-material damage, and provides for the imposition of significant administrative fines by the
national supervisory authority.

• Finally, the GDPR encourages the drawing up of codes of conduct and the development of data protection
certification mechanisms.

What Does the GDPR Mean For ... ?

In Section 6 we trace the impact of the GDPR on certain commercial activities. In contracting, the GDPR increases
the importance of carefully drafted clauses on data export, engagement of joint controllers, processors and
sub-processors, and the apportionment of liability. In compliance and risk management, the accountability
principle means that controllers and processors bear the burden of demonstrating that they comply with the
GDPR. Human resource managers should be aware that the GDPR allows Member States to adopt more specific
rules for data processing in the employment context, and revises the law on subject access requests. Technology-
driven businesses should note the new, more stringent rules on user consent, and on the enhanced rights
of data subjects. In disputes/litigation, the GDPR’s key changes relate to jurisdiction and the role of the
supervisory authority.



3. Does the GDPR Apply to Me?

The GDPR applies to all entities established in the EU which process personal data,
regardless of whether the processing takes place in the EU. It also applies to a wide
range of entities established outside the EU, where they collect or process personal
data relating to EU residents. This means a number of controllers and processors which
currently fall outside the Directive will now be subject to EU data protection law.

3.1 Territorial Scope


By applying to controllers and processors within the EU, as well as certain controllers and processors outside the
EU, the GDPR has significantly extended the territorial scope of EU data protection law. We consider how both
EU-established and non-EU established entities can be affected.

A. EU Established

The GDPR applies to controllers and processors who have an EU establishment and who are engaged in
the processing of personal data in the context of that establishment’s activity. This is the same test that
previously applied under the Directive.

There is no requirement that the actual data processing occur within the EU. In other words, using servers outside
the EU will not bring an EU company outside of the scope of the GDPR.

To address situations where a controller or processor has more than one establishment in the EU (e.g. offices in
a number of Member States), the GDPR introduced the so-called ‘one-stop-shop’ procedure through the concept
of a ‘main establishment’, with a single ‘lead supervisory authority’.

What Constitutes an EU Establishment?

The GDPR states that an establishment implies the effective and real exercise of activity through stable arrangements.
The legal form of such arrangements is not itself the determining factor.

• The Court of Justice of the European Union (‘CJEU’) has considered the term ‘establishment’ within the context of
the Directive in Google Spain SL, Google Inc. v AEPD (C-131/12), Weltimmo (C-230/14) and more recently in VKI v Amazon
EU Sárl (C-191/15). These cases continue to be relevant under the GDPR. In Google Spain, the CJEU held that EU
based sales and advertising operations carried out by a subsidiary of a US company constituted an establishment of
that US company within the EU.

• In Weltimmo, the CJEU held that an establishment does not exist in a Member State merely because an
undertaking’s website is accessible there.

• In VKI v Amazon EU Sárl, the CJEU held that it is for the national court of the relevant Member State to decide
whether data processing was carried out in the context of an establishment situated in a Member State.



B. Non-EU Established Entities Offering Goods or Services Within the EU or Monitoring EU Data Subjects

The GDPR also applies to controllers and processors without an establishment in the EU where they process
personal data of data subjects and that processing relates to the:

• Offering of goods or services to data subjects within the EU, regardless of whether a payment is required, or
• Monitoring of the behaviour of data subjects within the EU.

C. Non-EU Established Controllers where EU Law Applies by Virtue of Public International Law

As previously under the Directive, the GDPR applies to the processing of personal data by a controller not established
in the EU, but in a place where Member State law applies by virtue of public international law, such as in a Member
State’s diplomatic mission or consular post. Practically speaking, the circumstances in which the laws of a
Member State apply by virtue of public international law tend to be very limited. For example, the management of
human resource data in a Member State embassy outside the EU might be captured under this rule.

When is an entity offering goods or services to data subjects in the EU?

The test is whether the controller ‘envisages’ offering goods or services to data subjects in the EU, and a number of
factors are relevant:
• This test is not met simply by the mere accessibility of a website in the EU
• A number of factors may suggest that a controller envisages offering goods or services to data subjects in the EU,
including:
- using a language or currency generally used in one or more Member States, or
- mentioning customers or users who are in the EU
• It does not matter whether the good or service is provided with or without charge.

When is an entity monitoring the behaviour of data subjects within the EU?
• The application of the GDPR to non-EU established controllers and processors in these instances is a significant
extension in the territorial scope of EU data protection law. The Directive currently requires compliance by non-EU
established controllers only where controllers make use of equipment situated within the EU.
• In order to determine whether a processing activity monitors the behaviour of data subjects, you need to look at
things like whether individuals are tracked on the internet, or are subject to data processing techniques like profiling
and predictive and other analysis regarding personal preferences, behaviours and attitudes.

CASE STUDY

Red Inc., an e-commerce retailer, is incorporated in Canada with its headquarters in Vancouver, Canada.
It has no offices, personnel or physical presence within the EU. It sells goods to EU residents via its
website, in its customers’ local languages and currencies, and offers delivery rates to EU countries. While
Red Inc. may not necessarily have been subject to EU data protection law under the Directive, it will be
subject to the GDPR.

Red Inc. will also have to appoint a representative in the EU who will act as a point of contact for
supervisory authorities.



3.2 Material Scope

As previously under the Directive, the GDPR applies to the processing of personal data wholly or partly by automated
means (such as a computerised system) and to manual processing if the personal data forms part of a filing
system or are intended to form part of a filing system.

As under the Directive, certain forms of processing fall outside the scope of the GDPR. The GDPR is not
applicable to the processing of personal data:
• By a natural person in the course of a purely personal or household activity (the ‘household exemption’)
• Concerning the personal data of deceased persons
• By competent authorities for the purposes of the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, including the safeguarding against, and the prevention
of threats to public security
• By EU institutions where a unique Regulation for processing personal data by EU institutions will continue
to apply instead of the GDPR
• In the course of an activity which falls outside the scope of EU law (e.g. activities concerning national security), or
• Relating to the EU’s common foreign and security policy

The household exemption: This exemption includes correspondence and the holding of addresses, or social
networking and online activity undertaken for those purposes. For example, having a personal address book
will not be captured by EU data protection law.

• In Ryneš (C-212/13), the CJEU held that activities that are only partly personal, for example, sending
correspondence that includes both personal and professional content, do not fall within the household
exception.

• The GDPR is, however, applicable to controllers or processors that provide the means for processing
personal data for personal or household activities, such as email service providers.

KEY TERMS AND WHERE TO FIND THEM

Establishment – Recital 22: Establishment implies the effective and real exercise of activity through stable
arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal
personality, is not the determining factor in that respect.

Filing System – Article 4(6): Any structured set of personal data which is accessible according to specific criteria,
whether centralised, decentralised or dispersed on a functional or geographical basis.

Material Scope – Article 2, Recitals 15 – 19: the types of activities regulated by the GDPR. See also Recital 27.

Processing – Article 4(2): Any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction.

Territorial Scope – Article 3: the level of connection to the EU necessary to be captured by the GDPR.
See also Recitals 23 – 25.



Does the GDPR Apply to My Organisation?

(Decision chart, reconstructed from the guide’s flowchart.)

1. Do you process personal data? NO: the GDPR does not apply to your organisation. YES: go to 2.
2. Does one of the exemptions from EU law apply, i.e. does the processing relate to criminal investigation or to
EU foreign and security policy? YES: the GDPR does not apply to your organisation. NO: go to 3.
3. Is it purely personal or household activity? YES: the GDPR does not apply to your organisation. NO: go to 4.
4. Are you established in the EU and is data processed in the context of that establishment? YES: the GDPR
applies. NO: go to 5.
5. Are you offering goods or services in the EU? YES: the GDPR applies. NO: go to 6.
6. Are you monitoring behaviour of EU residents? YES: the GDPR applies. NO: go to 7.
7. Does EU law apply under public international law? YES: the GDPR applies. NO: the GDPR does not apply to
your organisation.



4. Have I Taken the Right Steps in
Becoming GDPR Compliant?
The checklist highlights 5 key steps that organisations should consider to ensure their ongoing GDPR compliance.

1. GAP AND COMPLIANCE ANALYSIS


• Review of products and services
• Review data sets and management (including data capture, disclosures to third parties and data exports
to outside the European Economic Area)
• Review of current privacy notices and policies (including method for communicating to relevant
individuals and, if applicable, capturing consent)
• Review current suite of privacy compliance documentation
• Review current legal bases relied upon for processing personal data
• Review any uses of children’s data or sensitive personal data
• Identify gaps in your compliance with current EU law and the GDPR and identify compliance actions

2. CONTRACTING AND POLICIES


• Identify third party contracts related to personal data
• Develop templates for:
- Data processing agreements for third party service providers
- Intra-group data processing agreements (where relevant)
- Joint control contracts
- Liability apportionment clauses
- Intra-group data export agreements (where relevant)
• Update public and employee privacy notices and policies
• Review terms and conditions which capture privacy consents

3. GOVERNANCE
• Develop accountability programme and review process
• Draft or amend suite of compliance documentation, including data breach register, data governance
records and privacy impact assessments
• Select and appoint Data Protection Officer (where relevant)
• Update subject access request handling policy
• Update personnel training on data protection
• Develop organisational compliance methodology

4. SECURITY
• Review security protocols, and consider integration of security measures specified under the GDPR
including encryption and pseudonymisation
• Familiarise yourself with the notification obligations for security breaches under the GDPR
• Draft template security breach notifications and security breach response plan

5. PRIVACY IMPACT ASSESSMENT AND PRIVACY BY DESIGN


• Draft privacy impact assessment questionnaire
• Develop privacy impact assessment and privacy by design implementation and review process



5. How Has the GDPR Altered Previous
Data Protection Law?
The GDPR has extended a number of familiar concepts and rules in the previous Directive. The
key changes made by the GDPR to EU data protection law are described in this section.

[Diagram: The GDPR and the areas it changes: definition of personal data and sensitive personal data; data
protection principles; consent; children’s data; data subject rights; privacy notices; data protection by design and
default; DPOs; security; enforcement, remedies and liability; codes of conduct and certification.]

5.1 Definitions of Personal and Sensitive Data

The GDPR has extended the definitions of both personal data and sensitive personal data.

A. Personal Data

As under the previous legislation, personal data is any information relating to an identified or identifiable natural
person. The GDPR has expressly added name, location data, online identifiers and factors specific to the genetic identity
of a natural person to the list of factors by which a natural person may be identified. Under the Directive, the definition
of personal data was less specific, though the general view was that online identifiers were usually already captured
(particularly in light of Breyer (C-582/14)).

The inclusion of online identifiers is notable. It results in IP addresses and cookies, where they can lead to the
identification or singling out of individuals, falling within the scope of the GDPR.

In practical terms, the modified definition of personal data is unlikely to result in significant change owing to the
broad definition of personal data endorsed by the CJEU in Breyer (C-582/14). In Breyer, the Court held that a dynamic
IP address can constitute personal data. In more general terms, the Court held that where an organisation holds
data that alone cannot identify an individual, that data may constitute personal data if the organisation has the
legal means which enable it to identify the data subject by combining the data with other information held by one or
more third parties.



A related concept of ‘pseudonymisation’ has been introduced for the first time by the GDPR.
Pseudonymisation concerns the processing of personal data in such a way so as to prevent an individual being
directly or indirectly identified from that data without the use of additional information. Provided that the
additional information is kept separate and secure, the risks associated with pseudonymous data are likely
to be lower. Pseudonymous data is still treated as personal data because it enables the identification of
individuals. However, use of pseudonymous data may justify processing that would otherwise be deemed
‘incompatible’ with the purposes for which the data was originally collected, and can be adopted as a helpful
security or privacy by design measure.

B. Sensitive Personal Data

The definition of special categories of data, i.e. sensitive personal data or sensitive data, has been extended by the
GDPR, adding genetic and biometric data to this protected category of data.

Under this expanded definition, the specially protected categories of data extend to processing of:
• Data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs, or
- Trade union membership
• Genetic data or biometric data for the purpose of uniquely identifying a natural person, or
• Data concerning health, a natural person’s sex life, or sexual orientation

As under the previous legislation, more onerous conditions must be satisfied under the GDPR in order to legitimise
the processing of sensitive data. Sensitive data may be processed where the data subject gives his or her
explicit consent to such processing, or where a specific derogation is in place. The derogations include:
• Necessary processing in the fields of employment, social security and social protection where authorised by
law or collective agreement
• Processing to protect the vital interests of the data subject or another natural person where the data subject
is incapable of giving consent
• Processing by certain non-profit organisations
• Processing of personal data which are manifestly made public by the data subject
• Processing in relation to legal claims or by courts acting in their judicial capacity
• Processing necessary for reasons of substantial public interest, on the basis of compatible and proportionate
law
• Processing for the purposes of preventative occupational medicine
• Processing for reasons of public interest in the area of public health, and
• Processing necessary for scientific or historical research

Biometric data and photographs

• The processing of photographs will not automatically be considered as the processing of biometric data. However,
photographs will be covered where they allow the unique identification or authentication of an individual as a biometric,
for example, where they are used as part of an electronic passport or for the purposes of facial recognition.

Notably, Member States are entitled to maintain or impose further conditions in respect of genetic, biometric or health
data. Consequently, national variations are likely to persist.

CASE STUDY

Magenta Unlimited Company provides a software app which, among other things, records a user’s
heart rate using the camera of a smartphone. This amounts to the processing of data relating to a user’s
health and, accordingly, requires that user’s explicit consent.

Cyan Ltd is a clothes retailer which requires its employees to submit medical certificates in order to certify
absences from work of more than two days. As this is necessary for employment reasons, and authorised
by the law of the Member State in which Cyan is established, this is acceptable under the GDPR.



C. Data Concerning Criminal Convictions

The GDPR has not made any material changes in respect of the processing of data concerning criminal convictions,
offences and related security measures. As under the Directive, this category of data is not sensitive data but
nonetheless the processing of this category of data is subject to specific protection. Processing of this type of data
may only be carried out in specific circumstances under the Data Protection Act 2018.

KEY TERMS AND WHERE TO FIND THEM

Biometric data – Article 4(14): Personal data resulting from specific technical processing relating to the physical,
physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of
that natural person, such as facial images or fingerprint information. See also Recitals 51, 53, 91.

Data concerning health – Article 4(15): Personal data related to the physical or mental health of a natural person,
including the provision of health care services, which reveal information about his or her health status.
See also Recitals 35, 53 – 54.

Data concerning criminal convictions – Article 10. See also Recitals 19, 50, 73, 80, 91, 97.

Genetic data – Article 4(13): Personal data relating to the inherited or acquired genetic characteristics of a natural
person which give unique information about the physiology or the health of that natural person and which result, in
particular, from an analysis of a biological sample from the natural person in question.
See also Recitals 34 – 35, 53, 75.

Personal data – Article 4(1): Any information relating to an identified or identifiable natural person (‘data subject’).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pseudonymisation – Article 4(5): The processing of personal data in such a manner that the personal data can
no longer be attributed to a specific data subject without the use of additional information, provided that such
additional information is kept separately and is subject to technical and organisational measures to ensure that the
personal data is not attributed to an identified or identifiable natural person.
See also Articles 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1) and Recitals 26, 28 – 29, 75, 78, 156.
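To make the Article 4(5) definition and the discussion of pseudonymisation in section 5.1 concrete, the following is an added worked example; it is not part of the guide and not code from Mason Hayes & Curran. It assumes a constructed data set (a fitness app’s heart-rate readings keyed by email address), uses HMAC-SHA256 under a secret key as the pseudonymisation function, and keeps the key and the pseudonym-to-identifier map in a separate object (the hypothetical AdditionalInformationStore) that stands in for the separately held ‘additional information’. It also contrasts this with an unkeyed hash, which is not adequate pseudonymisation because identifiers such as email addresses can simply be recomputed from a list of candidates.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (not taken from the guide): readings from a
# fitness app, each keyed by the user's email address, a direct identifier.
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.com", "heart_rate_bpm": 72, "city": "Dublin"},
    {"email": "bob@example.com", "heart_rate_bpm": 88, "city": "Cork"},
    {"email": "Alice@Example.com", "heart_rate_bpm": 75, "city": "Dublin"},
]

# Fields that identify a person directly and must not survive pseudonymisation.
DIRECT_IDENTIFIERS = ("email",)


class AdditionalInformationStore:
    """The 'additional information' of Article 4(5): the secret HMAC key and the
    pseudonym -> identifier map. Hypothetical class; in practice this lives in a
    separate system with its own access controls, not beside the data set."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def pseudonym_for(self, identifier: str) -> str:
        # Normalise so the same person always maps to the same pseudonym (records
        # stay linkable for analysis), then HMAC-SHA256 so that without the key the
        # pseudonym can be neither reversed nor recomputed from a guessed identifier.
        canonical = identifier.strip().lower()
        tag = hmac.new(self.key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
        pseudonym = "subj_" + tag[:32]
        self.lookup[pseudonym] = canonical
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Only the holder of the separately kept store can go back to the person.
        return self.lookup.get(pseudonym)


def pseudonymise(records: List[dict], store: AdditionalInformationStore) -> List[dict]:
    """Replace direct identifiers with a keyed pseudonym; keep the other attributes."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["subject_id"] = store.pseudonym_for(rec["email"])
        out.append(new)
    return out


def contains_direct_identifier(records: List[dict]) -> bool:
    """Check that no record in the pseudonymised data set still carries a direct identifier."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


def unkeyed_hash(identifier: str) -> str:
    """An unkeyed hash is NOT adequate pseudonymisation: email addresses are
    low-entropy, so anyone holding a list of candidate addresses can recompute it."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def recompute_from_candidates(pseudonym: str, candidates: List[str]) -> Optional[str]:
    """Models a party that holds the data set but not the key and tries the unkeyed
    scheme against candidate identifiers. Returns the matched identifier or None;
    it is here to show why the key must be kept separate from the data."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_hash(candidate), pseudonym):
            return candidate.strip().lower()
    return None


if __name__ == "__main__":
    store = AdditionalInformationStore()
    dataset = pseudonymise(SAMPLE_RECORDS, store)
    print(dataset)
    print("re-identified:", store.reidentify(dataset[1]["subject_id"]))
```

The keyed pseudonym keeps the readings linkable per person, which is what makes the data useful for analysis, while the two things that would re-identify anyone, the key and the lookup map, sit in the separate store. Rotating the key yields a fresh set of pseudonyms, so a data set can be re-pseudonymised for a new recipient without that recipient being able to link it to an earlier release.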

Sensitive data – Article 9: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual
orientation. See also Recitals 10, 34, 35, 51.



5.2 Data Protection Principles
The data protection principles are the fundamental principles relating to how personal data may be processed. The
principles in the GDPR are in broadly similar terms to those contained in previous legislation, with some additions, most
notably the introduction of the accountability principle. The principles are as follows:

Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and transparently. Organisations should read this transparency
requirement in light of the requirement to provide more detailed privacy notices to data subjects.

Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes. It cannot be further processed in a
manner incompatible with those purposes.

Exceptions: Further processing of personal data for scientific and historical research purposes or statistical purposes
will not be considered incompatible with the original processing purposes. The GDPR adds that further processing of
personal data for archiving purposes in the public interest will not be considered incompatible with the original
processing purposes. Further processing is subject to the implementation of appropriate technical and organisational
measures.

Data minimisation
Personal data must be adequate and relevant. However, this standard is now tougher under the GDPR. The previous
Directive’s obligation to ensure that personal data is ‘not excessive’ is replaced by a requirement to ensure that
personal data is ‘limited to what is necessary’. Organisations may have to review their data processing operations in
order to ascertain whether they process any personal data which is unnecessary having regard to the relevant purpose
for which processing is carried out.

Accuracy
Personal data must be accurate, and where necessary kept up to date. Reasonable steps must be taken to ensure that
inaccurate personal data is erased or rectified without delay.

Storage limitation
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary.

Exceptions: Personal data may be stored for longer periods for scientific or historical research purposes or for
statistical purposes, or archiving purposes in the public interest, provided appropriate technical and organisational
measures are implemented.

Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures. While this requirement existed under the Directive, the GDPR now
specifically categorises it as a data protection principle.

Accountability
Accountability is a new concept introduced by the GDPR. It requires controllers to be able to demonstrate how they
comply with the data protection principles listed. This is significant as it shifts the burden of proof to the data
controller in the event of a compliance investigation by a data protection authority. Organisations should view this
principle in light of the record keeping obligation, the requirement to prove that consent is obtained and the concept
of privacy by design and default.

KEY TERMS AND WHERE TO FIND THEM

Data Protection Principles - Article 5. See also Recitals 29, 39, 50, 71, 85, 156.



5.3 Valid Consent
A lawful basis is required for the processing of personal data. The grounds for lawful processing in the GDPR
replicate those previously in the Directive. One of the lawful grounds for processing is the consent of the data
subject.

The GDPR has tightened the concept of consent. Accordingly, obtaining the consent of a data subject is now more
difficult under the GDPR. In particular, this is due to the requirement of separate consents for different processing
operations, the prohibition on including consent in the terms of service, and the data subject’s express right to
withdraw his or her consent at any time.

[Figure: the elements of valid consent – freely given, specific, informed, unambiguous; onus of proof, independent
clause, right of withdrawal, voluntary]

Under the GDPR, in order to provide a lawful basis for processing, the consent of a data subject must be:

1. Freely given – Consent will not be regarded as freely given if the data subject has no genuine or free choice or
is unable to refuse or withdraw consent without detriment.

2. Specific – When the processing has multiple purposes, consent should be obtained for each of them.

3. Informed – For consent to be informed, the data subject should be aware at least of the identity of the
controller and the purposes of the processing for which the personal data is intended. If the data subject’s consent
is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily
disruptive to the use of the service for which it is provided.

4. An unambiguous indication of the data subject’s wishes by a statement or clear affirmative action – Clear
affirmative actions which may provide evidence of consent include ticking a box when on a webpage, choosing
technical settings on a website, or any other statement or conduct which clearly indicates the data subject’s
acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity will not suffice.

In order for consent to be valid, four additional criteria must be complied with:

1. Onus of proof: The controller must be able to demonstrate that the data subject has consented to the processing
of his or her personal data. Consequently, a record should be maintained evidencing a data subject’s consent.

2. Independent consent clauses: Where consent is provided in a written declaration, such as a contract, that contains
additional matters, the request for consent must be clearly distinguishable from other matters in that declaration. It
must further be intelligible, easily accessible and be in clear and plain language. A consent clause contained in the
middle of a set of general terms and conditions is unlikely to suffice.

3. Right of withdrawal: The data subject is entitled to withdraw his or her consent at any time and must be informed
of the existence of this right. It must be as easy to withdraw as it is to give consent.

4. Voluntary: When assessing whether consent is freely given, utmost account must be taken of whether the
performance of a contract is conditional on a data subject consenting to the processing of personal data that is not
necessary for the performance of that contract. Consent in such instances is unlikely to be regarded as freely given.

There is no change in the law in respect of the requirement of explicit consent for the processing of sensitive data.
Similar to the previous Directive, no definition of explicit consent is provided in the GDPR.

In some instances it may be permissible to rely on existing consents secured under the Directive. It is not necessary
for the data subject to give his or her consent again if the way the consent was given under the Directive is in line
with the conditions of the GDPR. In such cases, the data controller may continue processing on the basis of consent
given prior to the date the GDPR came into force. However, in many cases, historic consents may not be compliant
with the requirements of the GDPR. Data controllers will accordingly need to review historic consents to determine
their compliance with the GDPR.

KEY TERMS AND WHERE TO FIND THEM

Consent - Article 5. Article 4(11): Any freely given, specific, informed and unambiguous indication of the data
subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.
See also Articles 6(1), 7 and Recitals 32, 40, 42, 43, 65, 171.

CASE STUDY

Turquoise plc is a bank. When its customers sign up for new accounts, it requires them to sign the following
consent form, without providing a data protection notice:

‘All customers who sign up for accounts consent to the use of their personal data in perpetuity, for
whatever purposes Turquoise plc sees fit.’

Turquoise plc has failed to obtain a valid consent – the consent is not informed as an explanation of the specific
purposes for which the data may be used was not provided. This consent form also makes the service, in this case
the provision of a bank account, conditional on consent to unspecified uses and those uses may not be necessary
to provide that service. This is prohibited by the GDPR. A valid consent also comes with a right of withdrawal and
the reference to the consent extending ‘in perpetuity’ could be seen to imply that there is no such right.



5.4 Children’s Data
The GDPR has introduced a number of specific requirements relating to the processing of children’s data.

Online Consents
• Where information society services, such as online services, are offered directly to a child under the age of 16
and the child is required to consent to the processing of his or her personal data, parental consent must be
obtained. However, Member States may specify an age limit below 16 years provided that the age restriction does
not fall below 13 years.
• The controller is required to make ‘reasonable efforts’ to verify that consent has been given or authorised by the
parent/guardian of the child, bearing in mind available technology. This means specific verification measures
should be used.
• Specific protections must be applied to the use of personal data of children for the purposes of marketing or
creating personality or user profiles and the collection of personal data with regard to children when using
services offered directly to a child.
• The introduction of this age limit will not affect contract law rules on the validity, formation or effect of a
contract in relation to a child.

Privacy Notices
• Controllers are required to take appropriate steps to ensure that information is provided to data subjects in a
concise, transparent, intelligible and easily accessible form, using clear and plain language. This is especially
important in respect of information addressed specifically to a child. Where processing is addressed to a child,
any information and communication should be in such clear and plain language that the child can easily
understand it.

Legitimate Interests
• The pursuit of legitimate interests by the controller or a third party is a basis for lawful processing instead of
consent. Relying on this basis involves a balancing test between the competing interests involved. The interests
of the controller or third party may be overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data. The protection of a child’s interests as a data subject is
particularly important.

5.5 Additional Rights for Data Subjects
The GDPR has provided data subjects with additional rights and protections, which equate to new obligations for
controllers and processors. It has also strengthened the concepts of rectification, erasure and restriction of
processing that existed under, or were derived from, the Directive.

[Figure: data subject rights – rectify, erase, restrict, portability, object, limited automated processing]

A. Rectification
A data subject is entitled to have inaccurate personal data concerning him or her rectified without undue delay. Data
subjects are also entitled, taking into account the purposes of the processing, to have incomplete personal data
completed.

KEY TERMS AND WHERE TO FIND THEM

Conditions applicable to children’s consent – Article 8. See also Recital 38, 65.
Privacy Notices – Article 12(1), Article 13, Article 14. See also Recital 58, 71.
Legitimate Interests – Article 6(1)(f). See also Recital 47–50, 69.



B. Erasure
A data subject is entitled to have personal data concerning him or her erased in specified circumstances. This is
known as the right of erasure or ‘the right to be forgotten’. This entitlement is an extension of the right protected
in the Directive. The Directive gave data subjects a right of erasure where their data was being processed in breach
of the data protection principles, in particular because of the incomplete or inaccurate nature of the data.
Importantly, this ‘right to be forgotten’ is distinct from the right of the same name set down by the CJEU in Google
Spain, relating to delisting of search results.

Where the controller has made the personal data public and is subsequently obliged to erase the personal data, the
controller may have further obligations. Taking account of available technology and the cost of implementation, the
controller is required to take reasonable steps, including technical measures, to inform third party controllers who
are processing the data, that the data subject has requested the erasure by such controllers of any links to, or copies
of, those personal data.

When Is there a Right to Erasure?

• The personal data is no longer necessary in relation to the purposes for which they were collected
• The data subject withdraws consent and there is no other legal ground for the processing
• The data subject objects to the processing and there are no overriding legitimate grounds for the processing
• The personal data has been unlawfully processed
• The personal data has to be erased for compliance with a legal obligation under EU or Member State law, or
• The personal data has been collected in relation to the offer of information society services to a child

However, the right to erasure is not available where the processing of the relevant personal data is necessary:

• For exercising the right of freedom of expression and information
• For compliance with an EU or Member State legal obligation which requires processing by law to which the
controller is subject or for the performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller
• For reasons of public interest in the area of public health
• For certain archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes
• For the establishment, exercise or defence of legal claims

As the scope of the right to erasure is extended under the GDPR, organisations will be required to comply with a
wider spectrum of erasure requests.

CASE STUDY

Pink GmbH runs an online dating website. Users register in order to create a profile, and respond to
personality questionnaires to provide matches with other users.

Mr Lucky registered with the website, and, after a number of dates, entered into a long-term relationship
and decided to close his account. Upon writing to Pink GmbH, Mr Lucky is entitled to have his personal
data deleted as, after his account is closed and Mr Lucky withdraws his consent to the processing of his
personal data, there is no continuing basis upon which Pink GmbH may continue to process his data.



C. Restriction of Processing
The GDPR has introduced a data subject’s right to restrict processing. This right replaces the right to block certain
uses as previously contained in the Directive.

There are four instances in which a data subject is entitled to restrict processing of his or her personal data as an
alternative to erasure:

1. The accuracy of the personal data is contested by the data subject, in which case the processing is restricted for
a period enabling the controller to verify the accuracy of the personal data

2. The processing is unlawful and the data subject opposes the erasure of the personal data and requests the
restriction of its use instead

3. The controller no longer needs the personal data for the purposes of the processing, but the personal data is
required by the data subject for the establishment, exercise or defence of legal claims, and

4. The data subject has objected to processing pending the verification whether the legitimate grounds of the
controller override those of the data subject

When processing has been restricted, continued processing, with the exception of storage, may only occur in the
following cases:

• The data subject consents
• The processing is necessary for the exercise or defence of legal claims
• The processing is necessary for the protection of the rights of other individuals or legal persons, or
• The processing is necessary for public interest reasons

A data subject is entitled to be notified by a controller before a restriction on processing is lifted.

D. Data Portability
The GDPR has introduced a new right of data portability which enables a data subject to receive personal data
concerning him or her, in a structured, commonly used and machine-readable format, and to transmit that data to
another controller without hindrance from the controller which provided the personal data. The right only applies to
personal data that a data subject has provided to a controller.

The data subject may only exercise the right to data portability where the processing is based on the data subject’s
consent or is for the performance of a contract and the processing is carried out by automated means. The right to
data portability will not apply to processing necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller.

WP29 Guidance:
The Article 29 Working Party (‘WP29’), now known as the European Data Protection Board, published a set of
guidelines and frequently asked questions on the right to data portability which provide further detail as to the
extent of the obligations on controllers and processors.

WP29 guidance stresses that the right to portability is a right to both receive and transmit data from one service
provider to another. WP29 encourages controllers to offer downloading options and a means to directly transmit the
data to another data controller, for example by way of an application programming interface (or API). WP29 explains
that while the receiving organisation will become the new data controller and must clarify its processing purposes
with the data subject, the transmitting controller may still have obligations to the data subject, such as compliance
with erasure or subject access requests.

WP29 considers the key limitation on the right of data portability, namely that the right extends only to data
‘provided by the data subject’. WP29 takes an expansive view, suggesting two categories of data are provided by the
data subject: (i) data actively and knowingly provided and (ii) observed data relating to the data subject’s use of the
service or device. Inferred data or derived data are not provided by the data subject and so fall outside of the scope
of the right.

The distinction WP29 makes is that data which relate to the data subject’s activity or result from the observation of
an individual’s behaviour are within the scope of the right, but that subsequent analysis of that behaviour is not.



CASE STUDY

Purple plc operates a music streaming service within which users can create playlists of their favourite music. In
observing listening behaviour, Purple plc learns that particular users have preferences for particular artists or music
albums and attributes traits to users to help personalise their experience and make relevant suggestions.

In order to comply with the right to data portability, Purple plc creates a tool which allows users to download their
account information, and copies of their playlists, so they can switch to another service should they wish. Purple
plc does not need to provide a copy of the traits it has attributed to User A as part of the right to data portability,
although it may need to provide such information as part of the right of access.
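As an added illustration of the Purple plc scenario (example code written for this guide, not Purple plc’s or the authors’ own tool), the routine below applies the WP29 distinction: provided and observed data go into a machine-readable export, while the attributed traits are held back for the right of access. The record layout, field names, JSON as the chosen format and the sample values are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List


class PortabilityNotAvailable(Exception):
    """Raised when the Article 20 conditions (consent/contract basis, automated means) are not met."""


@dataclass
class UserRecord:
    """Everything a hypothetical streaming service holds about one user.

    The three buckets follow the WP29 distinction: 'provided' and 'observed'
    data are within the right to portability; 'inferred' data (the service's
    own analysis of the user's behaviour) is not.
    """
    user_id: str
    lawful_basis: str            # "consent", "contract", "public_task", ...
    automated: bool              # is the processing carried out by automated means?
    provided: Dict[str, Any] = field(default_factory=dict)
    observed: Dict[str, Any] = field(default_factory=dict)
    inferred: Dict[str, Any] = field(default_factory=dict)


PORTABLE_BUCKETS = ("provided", "observed")


def portability_export(record: UserRecord) -> str:
    """Build the Article 20 export: only provided and observed data, as JSON.

    JSON is used here as one 'structured, commonly used and machine-readable'
    format; the GDPR itself does not mandate a particular format.
    """
    if record.lawful_basis not in ("consent", "contract"):
        raise PortabilityNotAvailable(
            f"portability does not apply to processing based on {record.lawful_basis!r}")
    if not record.automated:
        raise PortabilityNotAvailable("portability applies only to processing by automated means")

    payload: Dict[str, Any] = {"user_id": record.user_id}
    for bucket in PORTABLE_BUCKETS:
        payload[bucket] = getattr(record, bucket)
    # Inferred data (attributed traits, scores) is deliberately left out.
    return json.dumps(payload, indent=2, sort_keys=True, ensure_ascii=False)


def access_export(record: UserRecord) -> Dict[str, Any]:
    """Right of access: the traits withheld above may have to be disclosed here,
    so all three buckets are returned."""
    return {
        "user_id": record.user_id,
        "provided": record.provided,
        "observed": record.observed,
        "inferred": record.inferred,
    }


def parse_export(export_json: str) -> Dict[str, Any]:
    """Parse an export back into a dict (used to check what it contains)."""
    return json.loads(export_json)


def exported_buckets(export_json: str) -> List[str]:
    """Names of the data buckets present in an export, sorted."""
    return sorted(k for k in parse_export(export_json) if k != "user_id")


# Constructed sample modelled on the Purple plc case study (not real data).
USER_A = UserRecord(
    user_id="user-a",
    lawful_basis="contract",
    automated=True,
    provided={
        "display_name": "User A",
        "email": "user.a@example.invalid",
        "playlists": {"Road trip": ["Song One", "Song Two"]},
    },
    observed={
        "listening_history": [
            {"track": "Song One", "played_at": "2019-03-01T09:15:00Z"},
            {"track": "Song Two", "played_at": "2019-03-01T09:19:00Z"},
        ]
    },
    inferred={"traits": {"fan_of_artist_x": 0.92, "morning_listener": True}},
)

if __name__ == "__main__":
    print(portability_export(USER_A))
```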

E. Right to Object to Data Processing


While the GDPR similarly does not contain a general right to object, it lists certain instances in respect of which a
data subject is given such a right:

• Processing based on legitimate interest grounds or because it is necessary for a public interest task/official
authority: This includes profiling based on these grounds. Following a data subject’s objection to processing on
either of these grounds, the controller is required to cease processing unless it demonstrates compelling
legitimate grounds for the processing which override the rights of the data subject or the processing is necessary
for the defence of legal claims.

• Processing for direct marketing purposes: Following an objection by a data subject on this ground, further
processing is precluded.

• Processing for scientific or historical research or statistical purposes: Following an objection by a data subject
on this ground, further processing is permitted only if the processing is necessary for the performance of a task
carried out for reasons of public interest.

The right to object must be brought to the attention of the data subject, at the time of first communication with him
or her, or before. This right must be presented clearly and separately from other information. The requirement to
notify data subjects of the right in this way may require revisions to privacy notices and policies.

F. Automated Processing, including Profiling

The GDPR provides data subjects with a right not to be subject to a decision based solely on automated processing.
This is expressly stated to include profiling which is said to be a form of automated decision making. The Directive
contained a similar right not to be subject to automated decision making.

The data subject’s right not to be subject to a decision based solely on automated processing will not apply if the
decision:

• Is necessary for entering into, or performance of, a contract between the data subject and a data controller
• Is authorised by law which lays down suitable measures to safeguard the data subject’s rights and freedoms and
legitimate interests, or
• Is based on the data subject’s explicit consent

Where this right applies, the data controller is required to implement suitable measures to safeguard the data
subject’s rights and freedoms and legitimate interests. The data subject must be afforded at least the right to
express his or her point of view and to contest the decision.

Data subjects are entitled to be informed at the time their data is obtained by the controller of the existence of
automated decision-making, including profiling, meaningful information about the logic involved, as well as the
significance and the envisaged consequences of such processing for the data subject. Organisations should be
concerned with protecting their intellectual property and know-how when making disclosures regarding the logic
involved in any automated decision making and profiling.



G. Notification Obligations

Following a request for rectification, restriction or erasure of personal data, the controller is required to
communicate this request to all recipients to whom the personal data has been disclosed. This obligation is subject
to the qualification that communication must not prove impossible or involve a disproportionate effort on the part
of the controller.

The controller is also obliged to inform the data subject about those recipients if requested to do so by the data
subject.

The controller must furnish information on actions taken in response to the data subject’s request to exercise any of
these rights without undue delay and in any event within one month of receipt of the request. This period may be
extended by two further months where necessary, taking into account the complexity and number of the requests.

These notification obligations are separate and additional to the requirement to make reasonable efforts to inform
others who are processing data which the controller has made public and the data subject has asked to erase
(described in the context of the right to erasure).

KEY TERMS AND WHERE TO FIND THEM

Data portability – Article 20. See also Recitals 68, 73, WP29 Guidance at http://bit.ly/2iAxsLl; WP29 Frequently asked
questions at http://bit.ly/2kB2h3m

Erasure – Article 17. See also Recitals 65 - 66, 68.

Notification obligations – Articles 12(3), 17(2), 19. See also Recitals 59 and 62.

Objection – Article 21. See also Recitals 50, 59, 69 - 70, 73, 156.

Profiling – Article 4(4): Any form of automated processing of personal data consisting of the use of personal data to
evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning
that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability,
behaviour, location or movements. See also Recitals 71, 75.

Rectification – Article 16. See also Article 5 and Recitals 39, 59, 65, 73.

Restriction of processing – Article 18. See also Recital 67.

Right not to be subject to a decision based solely on automated processing – Article 22. See also Recitals 71, 75.



5.6 Privacy Notices

One of the key data protection principles relates to transparency. The controller is required to take appropriate
measures to provide information to a data subject in a concise, transparent, intelligible and easily accessible form,
using clear and plain language.

Typically, organisations achieve this by preparing privacy policies or notices, as well as certain ‘just in time’
supplemental notifications. Due to the significant new additions in the GDPR, organisations will now need to ensure
their privacy notices and policies are sufficiently updated in light of the additional information required by the
GDPR.

Information Obtained Directly from Data Subjects

The following information must be furnished to a data subject where the personal data is obtained directly from him
or her, at the time the personal data is obtained:

• The identity and the contact details of the controller and, where applicable, of the controller’s representative
• The purposes of the processing for which the personal data is intended
• The recipients or categories of recipients of the personal data
• The data retention period
• The data subject’s rights to access, rectification and erasure, and
• If there will be automated decision making – together with information about the logic involved and the
significance and consequences of the processing for the data subject

To these requirements the GDPR has added:

• The contact details of the data protection officer, where applicable
• The legal basis for the processing including the legitimate interests pursued by the controller or by a third party if
this is the legal basis relied upon
• Information in respect of any intention to transfer personal data outside the EU
• The data subject’s right to complain to the supervisory authority
• The data subject’s rights regarding restriction of processing, objection to processing and data portability
• If processing is based on consent, the right to withdraw consent and
• Whether there is a statutory or contractual requirement to provide personal data and the consequence of failing to
comply

This goes significantly beyond the requirements previously laid down in the Directive to require more specific and
tailored content in privacy notices than before.

Indirectly Obtained Data

Where a controller obtains personal data indirectly (e.g. from a data broker or business partner), it is required to
provide the data subject with the information above as well as:

• The categories of information and
• The source of the information, including if it came from publicly accessible sources

In such cases, the controller is required to furnish this information:

• Within a reasonable period of having obtained the data, and at the latest within one month
• If the data is used to communicate with the individual, at the latest, when the first communication takes place, or
• If disclosure to another recipient is envisaged, at the latest, before the data is disclosed

There is no obligation to provide information to a data subject where:

• The data subject is already in possession of the information
• To do so would be impossible or involve a disproportionate effort
• Obtaining or disclosing the data is expressly authorised by EU or national law which provides appropriate
measures to protect the data subject’s legitimate interests, or
• The information must remain confidential, because of professional or statutory secrecy obligations, regulated by
EU or national law

KEY TERMS AND WHERE TO FIND THEM

Privacy Notices (data obtained directly) – Article 13. See also Article 12, Recitals 58, 60 – 62.
Privacy Notices (data obtained indirectly) – Article 14. See also Article 12, Recitals 58, 60 – 62.



5.7 Data Protection by Design and Default
The GDPR contains the new concepts of privacy by design and by default, intended to strengthen the protection of
privacy by requiring organisations to build consideration of privacy into their product and service design processes
in certain cases. The GDPR, unlike the Directive, also requires formal Data Protection Impact Assessments in relation
to higher risk processing activities.

A. Privacy by Design

Privacy by design requires data controllers to implement appropriate technical and organisational measures, such as
pseudonymisation, which are designed to apply the data protection principles in an effective manner and to integrate
the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of
data subjects.

In ascertaining the appropriate technical and organisational measures required to be implemented the controller is
required to have regard to the following:

• The state of the art
• The cost of implementation
• The nature, scope, context and purposes of processing, and
• The risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing

B. Privacy by Default

Privacy by default requires data controllers to implement appropriate technical and organisational measures to
ensure that, by default, only personal data which is necessary for each specific purpose of the processing are
processed.

The privacy by default obligation applies to:

• The amount of personal data collected
• The extent of the processing
• The period of storage, and
• The accessibility of the data

Compliance with the requirements of privacy by default and design may be demonstrated by an approved certification
mechanism.

Privacy by default and design will require organisations to review their processing activities and ensure that data
protection compliance is embedded within their products and business processes.

[Figure: privacy by default – amount of personal data, extent of processing, period of storage, accessibility]
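An added example (not the guide’s own material) of pseudonymisation as one ‘technical measure’ in the Article 4(5) sense, as referred to under privacy by design above: direct identifiers are replaced by a keyed token, and the table mapping tokens back to identifiers is kept apart from the working dataset. The field names, the HMAC-based token scheme and the sample records are assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Tuple

# Fields that directly identify a person and must leave the working dataset.
DIRECT_IDENTIFIERS = ("name", "email")

Record = Dict[str, Any]


def subject_token(email: str, key: bytes) -> str:
    """Keyed pseudonym for a data subject.

    HMAC rather than a plain hash: anyone who knows an address can recompute
    sha256(address), but without the key they cannot recompute this token. The
    key is therefore part of the 'additional information' that permits
    re-identification and must be stored away from the working dataset.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, Record]]:
    """Split each record into a pseudonymised working copy and a lookup entry.

    Returns (working_dataset, lookup_table). The lookup table and the key are
    the separately held 'additional information' of Article 4(5); keep them
    under their own access controls. The working dataset is still personal
    data under the GDPR: pseudonymisation reduces risk, it does not anonymise.
    """
    working: List[Record] = []
    lookup: Dict[str, Record] = {}
    for rec in records:
        token = subject_token(rec["email"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working.append({"subject_token": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(working_record: Record, lookup: Dict[str, Record]) -> Record:
    """Join a working record back to its identifiers; only possible with the lookup table."""
    identifiers = lookup[working_record["subject_token"]]
    return {**identifiers, **{k: v for k, v in working_record.items() if k != "subject_token"}}


def leaks_direct_identifiers(working: List[Record]) -> bool:
    """Check to run before handing the working dataset to, e.g., an analytics team."""
    return any(k in rec for rec in working for k in DIRECT_IDENTIFIERS)


# Constructed sample records (not real people). The first and third rows are the
# same person, with the address written in different case.
RAW_RECORDS: List[Record] = [
    {"name": "Anna Example", "email": "Anna@example.invalid", "condition": "asthma", "age": 34},
    {"name": "Ben Example", "email": "ben@example.invalid", "condition": "none", "age": 51},
    {"name": "Anna Example", "email": "anna@example.invalid", "condition": "asthma", "age": 35},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once; stored with the lookup table, never with the data
    working, lookup = pseudonymise(RAW_RECORDS, key)
    for row in working:
        print(row)
    print(reidentify(working[0], lookup))
```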



C. Data Protection Impact Assessments

The GDPR also makes provision for Data Protection Impact Assessments, also known as Privacy Impact Assessments
(‘PIAs’), which are assessments of the impact of proposed processing operations on the protection of personal data.
While the Directive did not require PIAs to be carried out, the practice had emerged in a number of Member States.

The controller is required to carry out a PIA where a new processing activity is proposed, in particular, where the
activity involves using new technologies and, taking into account the nature, scope, context and purposes of the
processing, it is likely to result in a high risk to the rights of individuals.

At a minimum a PIA must include:

• A systematic description of the envisaged processing operations and the purposes of the processing, including,
where applicable, the legitimate interest pursued by the controller
• An assessment of whether the processing operations are necessary and proportionate in relation to the purposes
• An assessment of the risks to the rights and freedoms of data subjects, and
• The measures planned to address risks, including safeguards, security measures and mechanisms to ensure the
protection of personal data and to demonstrate compliance, considering the rights and interests of data subjects
and other persons concerned.

The appropriate form of a PIA will differ to suit each organisation. However, entities which routinely process complex
and large-scale personal data sets should prepare a PIA questionnaire for the use of engineers, product teams,
compliance team and legal counsel.

The controller is required to consult with a supervisory authority in advance of processing where a PIA indicates that
processing would result in a high risk to the rights of individuals in the absence of any measures taken by the
controller to mitigate that risk.

When are processing activities ‘high risk’?

The GDPR does not define ‘high risk’, but relevant factors include the nature, scope, context and purposes of the
processing. The GDPR provides that PIAs are required in the following instances:
- Systematic and extensive evaluation of personal aspects which is based on automated processing, including
profiling, and on which decisions are based that produce legal effects or similarly significantly affect the natural
person
- Processing on a large scale of special categories of sensitive data or of personal data relating to criminal
convictions and offences, or
- Large scale, systematic monitoring of a public area.

KEY TERMS AND WHERE TO FIND THEM

Data Protection by Design and by Default – Article 25. See also Recital 78.
Data Protection Impact Assessment – Article 35 - 36. See also Recitals 84, 90 – 94.

5.8 Data Protection Officers

Under the GDPR, it is now mandatory for controllers and processors to designate a Data Protection Officer (DPO) in the following three instances, where:

1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity
2. The core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale, or
3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions

Even when the GDPR does not specifically require the appointment of a DPO, some organisations may appoint a DPO on a voluntary basis, particularly to centralise responsibility for the new compliance obligations under the GDPR.

A. Relationship between the Organisation and the DPO

DPOs are not personally responsible in cases of non-compliance with the GDPR. Rather, it remains the responsibility of the controller or the processor to ensure and to demonstrate compliance with the GDPR.

The controller or the processor has a crucial role in enabling the effective performance of the DPO’s tasks. DPOs must be given sufficient autonomy and resources to carry out their tasks effectively.

A group of undertakings may appoint a single DPO provided that a DPO is easily accessible from each establishment. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects and the supervisory authority, but also internally within the organisation. One of the tasks of the DPO is to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to the GDPR.

B. Appointment and Tasks of the DPO

As a first step, businesses should assess whether their organisation requires such an appointment and, if not, whether a voluntary appointment is worthwhile.

The second step is to select the right person for the role. The DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks assigned to him or her under the legislation. The DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract (providing the potential to outsource the function, as is often done with company secretaries).

The controller or the processor must publish the contact details of the DPO and communicate them to the supervisory authority.

Figure: Minimum role of a DPO (towards the controller/processor and employees): inform and advise; monitor GDPR compliance; provide advice re PIA; co-operate with the supervisory authority; act as contact point.

At a minimum a DPO is required to:

• Inform and advise the controller or the processor and the employees who carry out processing of their data protection obligations
• Monitor compliance with the GDPR and other data protection provisions
• Provide advice where requested as regards the data protection impact assessment
• Cooperate with the supervisory authority
• Act as the contact point for the supervisory authority on issues relating to processing, including prior consultation, and to consult, where appropriate, with regard to any other matter
WP29 has published guidelines on DPOs, which provide further detail clarifying the circumstances in which
organisations are obliged to appoint a DPO. WP29 also gives guidance on the level of expertise of the DPO. The level
of expertise should be relative to the nature of data processing carried out by the organisation, and the professional
qualities of a DPO are not prescriptive. WP29 also emphasises the importance of avoiding conflicts of interests and
allocating sufficient resources to the DPO, among other issues.

KEY TERMS AND WHERE TO FIND THEM

Designation of DPO – Article 37. See also Articles 38 - 39 and Recital 97.

WP29 Guidance available at: http://bit.ly/2hNP21M

WP29 Frequently Asked Questions available at: http://bit.ly/2kaZGAt

5.9 Security

The GDPR contains both preventative and reactive requirements in respect of personal data breaches, introducing harmonised rules around data breach notifications.

A. Reactive Measures: Notification and Record Keeping

The GDPR harmonises breach notification requirements across the EU. Previously, the rules varied in each Member State unless one operated in the telecoms sector.

In practice, the notification requirement may not amount to a significant change for some data controllers. This would include Irish-established controllers. Previously, the Data Protection Commissioner’s Data Security Breach Code of Practice mandated the reporting of security breaches. The corresponding rules under the GDPR are arguably less strict. However, the consequences for breaching the GDPR, and particularly the heavy fines, are a considerable deviation from the position under the previous Code of Practice.

Data Breach Notification: Supervisory Authority

The GDPR adopts a risk-based approach to the requirement to notify. The controller is not required to notify the supervisory authority where the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

Where such risk exists, controllers are obliged to notify the competent supervisory authority of the breach. After becoming aware of the breach, the controller is required, without undue delay (within 72 hours, where feasible), to notify the personal data breach to the supervisory authority.

Where the controller fails to notify the supervisory authority within 72 hours, a reason must be furnished for this delay. Where it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
Data Breach Notification: Processor to Controller and Controller to Data Subject

Processor to controller: Upon becoming aware of a personal data breach, processors are required to notify the controller without undue delay.

Controller to data subject: Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to notify the data subject of the personal data breach without undue delay.

There is no obligation to communicate a personal data breach to a data subject if any of the following conditions are met:

• The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption
• The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to is no longer likely to materialise
• It would involve disproportionate effort. In these cases, a controller should make a public communication, or similar measure, to inform data subjects in an equally effective manner

Content of Notifications

At a minimum, data breach notifications to supervisory authorities and data subjects are required to:

• Describe the nature of the personal data breach
• Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
• Describe the likely consequences of the personal data breach
• Describe the measures taken or proposed to be taken by the controller to address the personal data breach

Record Keeping and Policies

The GDPR also imposes record keeping obligations upon controllers, which will result in the obligation to keep a data breach register.

The controller is also required to maintain a record of any personal data breaches so as to enable the supervisory authority to verify compliance with the controller’s notification obligations. Records must document the facts relating to the personal data breach, its effects and the remedial action taken.

Additionally, in order to best position themselves to comply with the GDPR, organisations should prepare draft template security breach notifications and security breach plans so as to be in a position to act quickly should a breach occur.

Figure: Data Breach Notification decision flow. Breach: likely to result in a risk to data subjects? No: no need to notify. Yes: notify supervisory authority (<72 hr); if also high risk: notify data subject and supervisory authority.
B. Preventative Measures

In addition to the requirement to report personal data breaches, the GDPR also requires preventative measures. Controllers and processors must implement ‘appropriate technical and organisational measures’ to ensure a level of security appropriate to the risk presented by the processing.

Technical and organisational measures, which should be implemented as appropriate, include:

• The pseudonymisation and encryption of personal data
• The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

Conforming to an approved code of conduct or an approved certification mechanism may be used to demonstrate compliance with these security requirements. Controllers and processors are also required to take steps to ensure that any individual acting under their authority who has access to personal data does not process that data other than in accordance with instructions from the controller, unless he or she is required to do so by law.

KEY TERMS AND WHERE TO FIND THEM

Personal Data Breach - Article 4(12) – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. See also Recitals 73, 75, 85 – 88.

5.10 Enforcement, Remedies and Liability

The GDPR contains detailed provisions relating to enforcement, remedies and liability. National supervisory authorities are granted significant powers. Plaintiffs will be able to sue in their national courts and recover compensation without the need to demonstrate material damage. As a result, the potential negative consequences of non-compliance with data protection law are much higher under the GDPR than previously seen.

A. Role of Supervisory Authorities

Similar to the previous requirements under the Directive, the enforcement of the GDPR is the responsibility of the supervisory authority (also commonly known as the ‘data protection authority’). Each Member State is required to appoint at least one supervisory authority for the purposes of monitoring the application of the GDPR.

The GDPR contains an extensive list of tasks for each supervisory authority. Supervisory authorities also have a broad mandate to fulfil any other tasks related to the protection of personal data. The powers of supervisory authorities are correspondingly broad.

Each Member State is required to provide, by law, that its supervisory authority shall have the power to bring infringements of the GDPR to the attention of the judicial authorities and, where appropriate, to bring legal proceedings in order to enforce the provisions of the Regulation. Member States can also give additional powers to supervisory authorities.

In Ireland’s case, the Data Protection Act 2018 contains detailed provisions describing the powers and functions of the Data Protection Commission.
B. ‘One-Stop-Shop’

One of the central pillars of the GDPR is the ‘one-stop shop’. This concept aims to facilitate multinational companies by allowing them to deal with a single supervisory authority, even where they have a number of establishments across the EU. The original European Commission proposal was that the supervisory authority for the country where the controller had their ‘main establishment’ would be the sole authority for monitoring and ensuring compliance by that controller throughout the EU. However, the GDPR as adopted contains a diluted version of that original one-stop shop concept.

The GDPR provides that controllers and processors engaged in cross-border processing are to be regulated by the supervisory authority in the Member State where they have their ‘main establishment’. Generally, the main establishment is the place of central administration of the controller in the EU. However, if data protection decision-making occurs elsewhere in the Union, the establishment where such decision-making takes place is the main establishment.

The authority in the Member State of the main establishment will be the ‘lead supervisory authority’. This lead supervisory authority has the power to regulate that controller or processor across all Member States, to the extent that its data processing activities involve cross-border data processing.

Individuals are entitled to lodge a complaint with any supervisory authority. That authority must inform the lead supervisory authority, which will in turn determine whether it will handle the complaint. If the lead supervisory authority decides not to handle the complaint itself, the supervisory authority to whom the complaint was made will handle it.

The European Data Protection Board (‘EDPB’) has been established under the GDPR to replace the WP29. Similar to the WP29, it comprises the head or representative of one supervisory authority from each Member State and of the European Data Protection Supervisor (‘EDPS’). The European Commission also has a non-voting right to participate on the Board. The EDPB has a lengthy list of tasks. Unlike the WP29, which was an advisory committee, the EDPB has a more formal and robust set of tasks relating to the enforcement of data protection law. The primary obligation of the EDPB is to ensure the consistent application of the GDPR throughout the EU.

The Consistency Mechanism

In order to deal with scenarios where more than one supervisory authority may be concerned with a complaint or investigation, the GDPR provides for mandatory co-operation by supervisory authorities under the consistency mechanism. The aim of this mechanism is to ensure the uniform application of the GDPR across the EU. There are exceptions from this mechanism in cases of urgency.

This co-operation takes the form of the sharing of information by the lead supervisory authority and the attempt to come to a decision by consensus, in a process whereby the lead supervisory authority issues a draft decision to the other concerned authorities. In cases where the lead supervisory authority disagrees with the views of the other concerned authorities, the investigation must be referred to the EDPB.

C. Remedies

The GDPR affords data subjects the following remedies:

Right to lodge a complaint with a supervisory authority
• The data subject may lodge a complaint with a supervisory authority if he or she considers that his or her data has been processed unlawfully.
• The supervisory authority is obliged to inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy.

Right to an effective judicial remedy against a supervisory authority
• Individuals have the right to an effective judicial remedy in respect of legally binding decisions of supervisory authorities concerning them (e.g. appeal to a national court).
• Data subjects have the right to an effective judicial remedy for a failure by a supervisory authority to handle a complaint or a failure to inform the data subject within three months of the progress or outcome of his or her complaint.
Right to an effective judicial remedy against a controller or processor
• Data subjects have the right to an effective judicial remedy against a responsible controller or processor where the data subject considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.

Right to compensation and liability
• Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. The extension of the right to compensation to cover non-material damage is significant, and a departure from some national regimes.
• Both controllers and processors may be liable for compensation under the GDPR. Controllers are liable for the damage caused by processing which infringes the GDPR. Processors are liable for the damage caused by processing in breach of their GDPR obligations or where processing is carried out outside or contrary to the lawful instructions of the controller.
• In order to ensure effective compensation of the data subject where more than one data controller or processor is responsible for the damages, each controller or processor may be held liable for the entirety of the damages. However, where a controller or processor has paid full compensation for the damage suffered, it may subsequently bring proceedings against the other parties to recover their portions of the damages.
• The GDPR also regulates joint data control. Where two or more controllers jointly determine the purpose and means of processing they are regarded as joint controllers and data subjects may enforce their rights against any of the joint controllers. Each joint controller is liable for the entirety of the damage. If one joint controller has paid full compensation, it may then bring proceedings against the other joint controllers to recover their portions of the damages.
• A controller or processor is exempt from liability under the GDPR if it can prove that it is not in any way responsible for the event giving rise to the damage. This exemption is somewhat narrower than the wording of the Directive, which exempts a controller from liability upon proof that it is ‘not responsible for the event giving rise to the damage’. Under the GDPR, to ensure effective compensation, each controller or processor that is involved in unlawful processing and responsible for harm caused to a data subject will be held liable for the entirety of the harm caused as a result. In other words, the GDPR provides for joint and several liability against all potentially responsible parties if they are in any way liable for the breach, so a processor which is responsible for 1% of the liability could be required to pay 100% of the damages.
• Organisations engaged in joint data control should contractually determine the apportionment of liability so as to limit the scope for dispute at a later stage.

D. Administrative Fines

Under the previous legislation, the power to impose fines for breaches of data protection law varied across the EU. The GDPR has introduced the imposition of fines by a supervisory authority in addition to or instead of other corrective measures. Supervisory authorities are required to ensure that administrative fines imposed are ‘effective, proportionate and dissuasive’.

The GDPR contains two thresholds for administrative fines, which depend on the specific data protection obligation which has been breached. The lesser threshold sees fines of up to €10 million or 2% of the undertaking’s total worldwide annual turnover of the preceding financial year, whichever is greater, being imposed. The higher level of fine is up to €20 million or 4% of the undertaking’s total worldwide annual turnover of the preceding financial year, whichever is greater. An ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which govern EU competition law. These Articles construe the term broadly and as such it appears that group revenues may be used by supervisory authorities when calculating administrative fines.

Administrative Fines

€10 million or 2%:
• Conditions for obtaining a child’s consent
• Processing which does not require identification
• Data protection by design and default obligations
• Designating a representative in the State where the controller is not established in the EU
• Obligations of processors
• Instructions of a controller or processor
• Records of processing
• Cooperation with the supervisory authority
• Security measures
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
• Conducting PIAs and prior consultation
• Designation, position and tasks of the DPO
• Monitoring of approved codes of conduct
• Certification mechanisms

€20 million or 4%:
• The core data protection principles
• The lawful processing conditions
• The conditions for consent
• The sensitive personal data processing conditions
• Data subjects’ rights (including information, access, rectification, erasure, restriction of processing, data portability, objection, profiling)
• Transfers of data to third countries
• Failure to provide access to premises of a controller or processor
• Compliance with a specific order or limitation on processing by the supervisory authority or the suspension of data flows
• Obligations adopted under Member State law in regard to specific processing situations
In ascertaining the level of fine to impose in a given case the supervisory authority is obliged to have regard to the following factors:

• The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them
• The intentional or negligent character of the infringement
• Any action taken by the controller or processor to mitigate the damage suffered by data subjects
• The degree of responsibility of the controller or processor
• Any relevant previous infringements by the controller or processor
• The degree of cooperation with the supervisory authority
• The categories of personal data affected
• The manner in which the infringement became known to the supervisory authority
• Where measures have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures
• Adherence to approved codes of conduct or approved certification mechanisms, and
• Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions, the total amount of the administrative fine may not exceed the amount specified for the most serious infringement. In other words, if a single wrongful act amounts to non-compliance with more than one provision of the GDPR, the maximum fine is still €20 million or 4%.

KEY TERMS AND WHERE TO FIND THEM

One-stop-shop – Recitals 124-138 and Chapter VII, Section 182.

5.11 Codes of Conduct and Certification

A. Codes of Conduct

The GDPR, in similar language to the Directive, requires Member States, supervisory authorities, the EDPB and the Commission to encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR.

Such codes of conduct could address the exercise of the rights of data subjects, general data protection obligations and notification of data breaches.

Adherence to an approved code of conduct can be evidence of compliance with a controller or processor’s GDPR obligations or provide the basis for cross-border data transfers.

B. Certification

Similarly, the GDPR requires Member States, supervisory authorities, the EDPB and the Commission to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR.

Certification processes must be voluntary and available through a transparent process. Certification will be issued by certification bodies or by supervisory authorities on the basis of criteria approved by that supervisory authority. Where the criteria are approved by the EDPB, this may result in a common certification, the European Data Protection Seal.
KEY TERMS AND WHERE TO FIND THEM

Administrative fines – Article 83. See also Recitals 150, 152.

Cross-border processing – Article 4(23) - Either: (a) processing of personal data which takes place in the context
of the activities of establishments in more than one Member State of a controller or processor in the Union where
the controller or processor is established in more than one Member State; or (b) processing of personal data which
takes place in the context of the activities of a single establishment of a controller or processor in the Union but
which substantially affects or is likely to substantially affect data subjects in more than one Member State.

European data protection board – Articles 64, 68. See also Articles 94, 132 – 134.

Exemption from liability – Article 82(3). See also Recital 146.

Joint controllers – Article 26(3). See also Articles 82(3) – (5) and Recitals 49, 146.

Main establishment (controller) – Recital 36 - The main establishment of a controller in the Union should be
the place of its central administration in the Union, unless the decisions on the purposes and means of the
processing of personal data are taken in another establishment of the controller in the Union, in which case that
other establishment should be considered to be the main establishment. The main establishment of a controller in
the Union should be determined according to objective criteria and should imply the effective and real exercise of
management activities determining the main decisions as to the purposes and means of processing through stable
arrangements.

Main establishment (processor) – Recital 36 - The main establishment of the processor should be the place of
its central administration in the Union or, if it has no central administration in the Union, the place where the main
processing activities take place in the Union.

Right to lodge a complaint with a supervisory authority – Article 77. See also Recital 141.

Right to an effective judicial remedy against a supervisory authority – Article 78. See also Recital 143.

Right to an effective judicial remedy against a controller or processor – Article 79. See also Recital 143.

Right to compensation and liability – Articles 77 – 82. See also Recitals 146 – 147.

Supervisory authority - Article 4(21) - An independent public authority which is established by a Member State
pursuant to Article 51.

Supervisory authority concerned – A supervisory authority which is concerned by the processing of personal
data because: (a) the controller or processor is established on the territory of the Member State of that supervisory
authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or
likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority.

Codes of conduct – Articles 40, 41. See also Articles 24, 28, 35, 46, 57, 58, 64, 83 and Recitals 77, 81, 98 – 99.

Certification – Articles 42, 43. See also Recitals 77, 81, 100.

6. What Does the GDPR Mean for ... ?

6.1 Contracting

Data protection clauses and addendums have been included in commercial contracts for some time, but the GDPR has significantly increased the importance of incorporating appropriate data protection language into contracts.

The three aspects of the GDPR of particular importance for consideration in drafting contracts are:
• The transfer of data to a third country
• The engagement of processors and sub-processors
• The rules in respect of liability

A. Data Exports

Data transfers have caused increasing difficulties for organisations since the invalidation of Safe Harbor in Schrems v Data Protection Commissioner (C-362/14), and the uncertainty this has created. The GDPR does not represent any great salvation from this uncertainty, as it largely follows the same template as the regime under the Directive. Contractual solutions are likely to continue to play a significant role in solving export issues.

With regard to the transfer of personal data outside the European Economic Area, the GDPR, like the Directive, prohibits such transfers unless one of three types of measure is in place:
• That the third country (or a certification mechanism in that country) has been deemed adequate by the European Commission
• The controller ensures appropriate safeguards are in place, or
• A specific derogation is in place

Adequacy
• Commission designated or ‘white-listed’ countries (e.g. Canada, New Zealand)
• Commission designated self-certification schemes (EU-US Privacy Shield)

Appropriate Safeguards
• Binding, enforceable instrument between public authorities
• Binding corporate rules
• Standard data protection clauses (known today as Standard Contractual Clauses and also referred to as Model Clauses)
• Approved code of conduct and enforceable commitments
• Approved certification mechanism and enforceable commitments

Derogation
• Explicit consent to the transfer
• Necessity for the performance of a contract
• Necessity for reasons of public interest
• To establish, exercise or defend legal claims
• To protect vital interests, if the data subject is incapable of consenting
• Transfer from certain public registers
• Compelling legitimate interests
Notably, in relation to the consent derogation, the GDPR replaces the requirement of unambiguous consent, which prevailed under the Directive, with a requirement for explicit consent. Binding corporate rules are put on express legislative footing, after having developed under the Directive in accordance with a national supervisory authority’s ability to authorise transfers. The ability to transfer data on the basis of an organisation’s legitimate interests is also a significant addition, but instances when this derogation can be used are quite curtailed.

The GDPR further provides that any judgment of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised and enforceable if based on an international agreement, such as a mutual legal assistance treaty. This would seem to be targeting the Microsoft v USA warrant case scenario, where a national court in the US ordered the disclosure of personal data held in an Irish data centre.

B. Engagement of Processors and Sub-processors

Organisations who engage service providers to process personal data on their behalf (e.g. outsourcing payroll processing or engaging with a third party for data storage) may be familiar with the requirement to enter into processing agreements as existed under the Directive. The scope of obligations to be included in such data processing agreements has been significantly expanded under the GDPR.

Where processing is carried out on behalf of a controller, the controller may only engage processors who provide sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR and ensure the protection of the rights of the data subject. The GDPR expressly requires that a large number of clauses be included in a processing contract between the controller and the processor, including obligations relating to confidentiality, security, sub-processing, security breach notification and deletion.

When it comes to sub-processing, these obligations must be flowed down to that contractor in a sub-processing agreement. The appointment of sub-processors, a topic which was not expressly addressed by the Directive, is also specifically regulated by the GDPR. The GDPR provides that a processor may not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor is required to inform the controller of any intended changes concerning the addition or replacement of other processors, giving the controller the opportunity to object to such changes. Sub-processors are subject to the same requirements that the GDPR imposes on the original processor and they are bound by any contracts with the controller.

In a digital world, where certain functions are commonly outsourced to third party providers, involving many sub-processors, contracting has just become more challenging. Many existing agreements may need to be renegotiated, in order to accommodate the GDPR’s requirements.

C. Joint Controllership Contracts

It is required by the GDPR that contracts are put in place between joint controllers. The arrangement between the controllers should reflect the respective roles and relationships of the joint controllers, in particular relating to the allocation of responsibility for compliance obligations under the GDPR (including providing notice to data subjects and ensuring data subjects’ rights are met).

D. Liability

The GDPR provides for joint and several liability between controllers and processors, and between joint controllers. As a consequence, it is important that contracts contain an appropriate apportionment clause and indemnities to protect a party from being left out of pocket in relation to damage caused by a contracting party, and to provide for dispute resolution mechanisms.

Where a sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller. Therefore processors who sub-contract their obligations must be similarly cautious and include appropriate contractual provisions to safeguard their position.



Sub-Processing Structure (diagram): CONTROLLER → PROCESSOR → SUB-PROCESSOR / SUB-PROCESSOR

KEY TERMS AND WHERE TO FIND THEM

General principle for transfer – Article 44. See also Recital 101 – 116
Adequacy decisions – Article 45. See also Recital 103 – 107
Appropriate safeguards – Article 46
Derogations – Article 49. See also Recitals 111 – 112
Joint controllers – Article 26
Processor – Article 28
Transfers and disclosures not authorised by EU law – Article 48. See also Recital 115

CASE STUDY

Green White & Orange is an accountancy firm established in Ireland. It engages a Canadian company, Maple Inc.,
to deliver cloud-based storage services. Green White & Orange is the controller in this instance as it controls what
data is sent to the cloud and for what purpose, and Maple Inc. is a processor.

As Maple Inc. is located outside the European Economic Area, the transfer of data to them will be a data export.
Consequently, the transfer can only take place where appropriate safeguards are in place, where the transfer is
permitted owing to an adequacy decision of the Commission or a derogation (such as consent) is available.

Should the current Commission adequacy decision for Canada be renewed under the GDPR, Green
White & Orange may be able to avail of that basis for the transfer. Alternatively, it could choose to put
in place standard contractual clauses to provide appropriate safeguards.

At the same time as relying on the Commission’s Canadian adequacy decision, a processing contract
must be put in place between both parties, setting out the obligations to which Maple Inc. will be
subject as a processor. The parties should also assess an appropriate division of liability between the
parties and reflect this position in a liability clause.



6.2 Compliance & Risk Management

One of the biggest changes for organisations under the GDPR is the compliance burden it imposed with the introduction of the ‘accountability’ principle. Controllers and processors are now required to be able to demonstrate their own compliance. Organisations need to implement accountability processes, appropriate record keeping and may need to appoint a DPO.

Evolution of Data Protection Compliance

The GDPR demonstrates that data protection legislation is evolving in the same way that financial services regulation has over the recent years. ‘Conduct risk’ is a newer category of risk for financial services firms and a focus of both Irish and UK regulators. In essence, regulators expect to see evidence of firms embedding a consumer-centred culture from the top of the organisation right through to the staff delivering products and services, going beyond ‘tick-box’ compliance.

The GDPR is similar in this regard. The concepts of data protection by design and default, along with the requirement to conduct a PIA in certain cases, suggest that data protection should be central to all change management projects in an organisation. Data protection risk and compliance must be part of business-as-usual, in much the same way as general risk and compliance has become. In particular, for both new and existing products or services which involve the processing of personal data, organisations must ensure that the relevant product or service is designed with data protection compliance in mind.

The Role of the DPO

The DPO must be able to act in an independent manner. The GDPR has introduced safeguard provisions for the role of the DPO (where one is required), similar in nature to provisions protecting the independence and autonomy of the role of the Chief Risk Officer or Chief Compliance Officer. In particular, DPOs cannot be directed by organisations on how to perform their duties or what the outcome of their decisions may be, nor can they be penalised for such performance. While DPOs can also be responsible for other functions in an organisation, a DPO may not be assigned tasks or duties which would result in a conflict of interest. DPOs should be actively supported by senior management, and should report to the highest level of management within the organisation, to ensure that the rights of data subjects are part of all strategic risk conversations in the boardroom.

Record Keeping

The GDPR requires controllers and processors to maintain a record of processing activities. The records maintained must be in writing (electronic is sufficient). Such records must be made available to the supervisory authority upon request. Records maintained by the controller must contain the following information:
• The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
• The purposes of the processing
• A description of the categories of data subjects and of the categories of personal data
• The categories of recipients to whom the personal data has been or will be disclosed including recipients in third countries or international organisations
• Details of transfers of personal data to a third country and the appropriate safeguards
• The envisaged time limits for erasure of the different categories of data
• A general description of the technical and organisational security measures in place

SME exemption
• Controllers and processors employing less than 250 employees are not required to maintain such records, unless the processing is likely to result in a risk to rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive data or personal data relating to criminal convictions and offences.



The records maintained by the processor must contain the following information:
• The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
• The categories of processing carried out on behalf of each controller
• The details of transfers of personal data to a third country and the appropriate safeguards
• A general description of the technical and organisational security measures in place.

With regard to security, the GDPR imposes additional record-keeping obligations on the controller. Controllers are required to document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

An Integrated Approach to Compliance

As most of the requirements of the GDPR are interlinked and interdependent, the changes they bring cannot and should not be effected in a piecemeal fashion. Organisations will have to undertake a gap analysis of their existing data protection control environment against the new requirements. This analysis should set out, in detail, what personal data the organisation holds, why it holds it, and to whom and where it transfers it, particularly given the extraterritorial scope of the GDPR. Most organisations will likely, at this stage, at a minimum, have refreshed their fair processing notices and rethought their consent capture mechanisms. For many organisations, this will have resulted in the revision of data protection wording on websites, online application forms, interactive voice recordings, call centre scripts, proposal and application forms, renewal notices and annual account statements.

Where changes are required, organisations should have ring-fenced old data (data obtained pre-GDPR) and new data (GDPR-compliant data), in order to determine the extent of permissible processing activities for data sets.

KEY TERMS AND WHERE TO FIND THEM


Records of processing activities – Article 30. See also Recital 82.



6.3 Human Resource Managers

Under the GDPR, the ability of Member States to legislate more specific rules in respect of the processing of personal data, as well as the changes implemented in respect of data subject requests, will be of particular note to Human Resource Managers.

National Variations

Unlike the harmonisation seen in many other areas of the GDPR, in the employment sphere we may continue to see considerable differences. This is because the GDPR allows Member States to, by law or by collective agreements, provide for more specific rules in respect of the processing of employees’ personal data in the employment context.

This is particularly the case for the purposes of recruitment and the performance of the employment contract, including:
• Discharge of obligations laid down by law or by collective agreements
• Management, planning and organisation of work
• Equality and diversity in the workplace
• Health and safety at work
• Protection of employer’s or customer’s property
• For the purposes of the exercise and enjoyment of rights and benefits related to employment
• For the purpose of the termination of the employment relationship

As a result, national variations in practices are going to continue, and organisations are likely to face varying requirements with respect to the processing of personal data of employees between one Member State and another, rather than being able to adopt one uniform approach.

Obtaining Employee Consents and Updating Policies

Obtaining valid consents from employees has always been challenging due to the imbalance of power between the parties, leading to a suspicion by some national supervisory authorities that such consents are not freely given. The conditions for obtaining consent have now become stricter, as has been described elsewhere in this guide. Consequently, employee consent forms and processes will need to be updated.

In light of new transparency obligations, employee data protection notices will also need to be updated, and IT / Acceptable Use Policies may also need revisiting.

Subject Access Requests

The changes in the law in respect of subject access requests will also be of note to HR Managers as subject access requests are frequently used as a pre-litigation tool in employment disputes. Changes are made in respect of the content of the information required to be furnished, the response time and the ability to charge a fee.

CASE STUDY

Organisation Yellow is a professional services firm. An employee, John Doe, is involved in a grievance
procedure and requests all data that Organisation Yellow holds in respect of him. Organisation Yellow has
employed John Doe for over ten years, and holds a large volume of personal data about him. Organisation
Yellow, owing to this large volume, is entitled to respond to this request requiring him to specify the
information to which the request relates.

Organisation Yellow is also permitted, owing to the large volume of personal data retained,
to extend the one month time period in respect of which it is required to reply, provided this
is communicated to John Doe within one month of Organisation Yellow having received the
request. When furnishing the data subject with the information sought, Organisation Yellow is
required to provide this information in a written format. Upon receipt of this information, John
Doe requests a further copy. Organisation Yellow is entitled to charge a reasonable fee only in respect of the
further copy sought by him.



Limitations

As previously legislated for under the Directive, the GDPR provides that the right of access should not adversely affect the rights of others. The GDPR therefore still envisages limitations to the rights of access. The GDPR expressly provides that such limitations could extend to protection of trade secrets or intellectual property and, in particular, the copyright protecting the software. Nonetheless, the result of those considerations should not be a refusal to provide any information at all to the data subject.

In addition, the rights of data subjects – including the right of access – may be restricted by legislative measures, where such restriction respects fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
• National security
• Defence
• Public security
• The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties
• Other important objectives of general public interest
• The protection of judicial independence and judicial proceedings
• The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
• A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority
• The protection of the data subject or the rights and freedoms of others
• The enforcement of civil law claims

Until we see the exemptions which each Member State chooses to implement, however, there will be continued uncertainty as to the scope of these exemptions.

How will subject access requests change under the GDPR?

Change: Content
Directive:
• The purposes of the processing
• The categories of personal data concerned
• The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
• Where the personal data is not collected from the data subject, any available information as to their source
• The existence of automated decision-making, including profiling, and the logic involved
GDPR: In addition to the information required by the Directive:
• The data retention period
• The data subject’s right to rectification, erasure, restriction or objection to processing
• The right to lodge a complaint with a supervisory authority
• The significance and the envisaged consequences of automated decision-making for the data subject
• Where personal data is transferred to a third country or to an international organisation, the appropriate safeguards

Change: Response Time
Directive: 40 Days
GDPR: One Month (may be extended by two months where necessary)

Change: Fees
Directive:
• Permissible to charge a fee of €6.35
GDPR:
• Generally no fee may be charged
• A reasonable fee may be charged for further copies
• A reasonable fee may be charged where a request is manifestly unfounded or excessive

KEY TERMS AND WHERE TO FIND THEM

Processing in the context of employment – Article 88. See also Recital 155.
Subject access requests – Articles 12(5), 15. See also Article 23, Recitals 59, 63.



6.4 Technology-Driven Businesses

Technology-driven businesses, particularly those that routinely process large personal data sets, should be aware of a number of changes to data protection law in light of the GDPR. Two points of particular relevance are the challenges faced by businesses in obtaining consent and the extension in the rights afforded to data subjects under the GDPR.

A. Consent

Processing is lawful only where one of the legal bases for processing is present, including on the basis of consent.

For some technology businesses, the increased standards applicable to consent will make obtaining consent more challenging.

For example, providers of internet of things or smart devices may not always have an online sign-up process with all data subjects whose data they process. The lack of a direct relationship can make capturing and demonstrating an adequate consent challenging.

In order to comply with the GDPR, it will be necessary to demonstrate that consent is specific, freely given, informed and an unambiguous indication of the data subject’s wishes by a statement or clear affirmative action. Compliance with this requirement will be fact-specific.

Difficulties may be encountered where processing has multiple purposes. For software app providers, for example, personal data may be processed for multiple purposes such as advertising, provision of the service, and research and development purposes. The GDPR requires that consent should be obtained for each of these individual purposes and a single combined consent will present challenges.

Providers of information society services routinely used by children between 13-18 years of age may need to develop special ‘child-friendly’ privacy policies. Due to the potential for variation across Member States in relation to the age of consent, different terms of use (or at least variations to terms of use) may be needed in different Member States.

Together with the need to amend standard terms of service and privacy policies, technology-driven businesses may also need to consider developing innovative means of capturing consent on a per-purpose basis.

B. Rights of Data Subjects

For technology-driven businesses, a data subject’s rights to data portability and erasure are of particular importance.

Data portability

Data subjects have a right to receive – in a commonly used, machine-readable format – a copy of the personal data they provided to a controller and a right to transfer their personal data from one controller to another or to have the data transmitted directly between controllers.

In order to facilitate the exercise of this right by data subjects, controllers and processors are required to develop procedures and tools so as to comply with the requests of data subjects. Given the expansive interpretation the WP29 had of the data in scope (extending both to data directly provided, and data generated in relation to the data subject’s activity), controllers should consider developing special tools. The WP29 has suggested that APIs should be developed to facilitate the transmission of relevant data to another data controller. This will be challenging due to the lack of inter-operability of competing services; however, the WP29 recommended co-operation on a common set of interoperable standards.

Importantly, businesses are not obliged to respond to data portability requests where to do so would compromise their own trade secrets or intellectual property.

Erasure

It is important for technology-driven businesses to ensure that their database architecture facilitates erasure. Data controllers are also required to make reasonable efforts to erase information relating to a data subject, not only on their own systems, but also from third-party systems that have copied, replicated or linked to the original information. Building in processes for notifying third parties should also be considered.



6.5 Disputes/Litigation

A number of provisions of the GDPR are of note from a litigation perspective. The in-house lawyer, in particular, must understand the procedural rules introduced by the GDPR in respect of jurisdiction and parallel proceedings as well as the role of the competent supervisory authority.

Engaging with the Supervisory Authority

Supervisory authorities are responsible for the enforcement of the GDPR.

In respect of processing that does not have a cross-border element, the roles and responsibilities of supervisory authorities remain largely the same as under the Directive. Consequently, controllers and processors may continue to rely upon their existing experience of interactions with supervisory authorities. Where there is a cross-border element to an organisation’s processing activities, the controller or processor is subject to regulation by the supervisory authority in the Member State in which the controller or processor has its main establishment. Relationship-building efforts should therefore focus on the jurisdiction in which a controller or processor’s lead supervisory authority is based. Nonetheless, engagement with local supervisory authorities remains important, owing to the co-operative relationship between lead and concerned supervisory authorities.

Jurisdiction Issues in Civil Litigation

The GDPR affords a data subject the following remedies:
• Right to lodge a complaint with a supervisory authority
• Right to an effective judicial remedy against a supervisory authority
• Right to an effective judicial remedy against a controller or processor
• Right to compensation

Each right is exercisable subject to specific rules that determine which Member State’s courts have jurisdiction over a given dispute. Of particular note from a civil litigation perspective are the rights to an effective judicial remedy against a controller or processor and the right to compensation. These rights entitle a data subject to initiate proceedings against a controller or processor, in cases where non-compliant processing of personal data has led to an infringement of his or her rights, and potentially to recover compensation for material or non-material damage due to the breach.

In terms of the forum, proceedings against a controller or a processor can be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Consequently, controllers and processors may be required to attend court in the country where a data subject has his or her habitual residence, as opposed to the country where the controller or processor has its establishment. Organisations that provide services to data subjects across the EU could expect to be sued in any of the Member States. These rules are similar to the EU rules in relation to consumer law claims.

Set out below is a summary of the main rules in respect of forum:

RIGHT: Lodge a complaint with a supervisory authority
FORUM: Member State of the data subject’s habitual residence, place of work or place of the alleged infringement

RIGHT: An effective judicial remedy against a supervisory authority
FORUM: Courts of the Member State where the supervisory authority is established

RIGHT: An effective judicial remedy against a controller or processor (including compensation)
FORUM: Courts of the Member State where the controller or processor has an establishment or courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers



6.6 Public Sector Bodies

The GDPR affects how public bodies use personal data in a number of key ways. Four points of particular relevance are:
• the grounds on which public bodies may process personal data
• the requirement to appoint a DPO
• the introduction of PIAs, and
• the applicability of the rules regarding the lead supervisory authority

A. Grounds for Processing Personal Data

Under the Directive, public bodies could process personal data where the processing was necessary for the purposes of the data controller’s legitimate interests, as well as other lawful grounds. Now, under the GDPR, the ‘legitimate interests’ ground is no longer available to public authorities to justify the processing of personal data. Instead, public authorities now have to establish an alternative legal ground for processing personal data.

As was the case under the Directive, public authorities continue to be allowed to process personal data where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

It is now more difficult for public bodies to rely on consent as a legal basis for data processing under the GDPR. The GDPR is clear that consent does not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the data controller, in particular where the data controller is a public authority.

There is also an express basis for allowing the disclosure of data contained in official documents, held by a public body for the performance of a task carried out in the public interest. Such personal data may be disclosed by the body in accordance with Irish or EU law to which the body is subject. This is in order to reconcile public access to official documents with data protection rights.

B. Data Protection Officers

Under the GDPR, public sector bodies, other than courts acting in their judicial capacities, are obliged to appoint a DPO. Public sector bodies are permitted to share DPOs, taking account of their size and organisational structure.



C. Data Protection Impact Assessments

Data controllers are required to carry out PIAs where data processing activities are likely to result in a ‘high risk’ to the rights and freedoms of natural persons. Such risks may arise for public bodies, due to their processing of large amounts of personal data that is often sensitive in nature. PIAs will assist public bodies in identifying and understanding current and new risks in their processing of personal data.

PIAs are obligatory in the following circumstances, which are particularly relevant to public authorities:
• Where a systematic and extensive evaluation of personal aspects relating to data subjects which is based on automated processing, including profiling, and on which decisions are made about data subjects that legally affect them or significantly affect them
• Processing on a large scale of sensitive personal data or data on criminal convictions and offences, and
• Systematic monitoring of publicly accessible areas ‘on a large scale’

The GDPR recognises that there are circumstances in which it may be reasonable and economical for the subject of a PIA to be broader than a single project, for example where public bodies intend to establish a common application or processing platform.

D. Lead Supervisory Authority

The rules on the lead supervisory authority and the one-stop-shop mechanism do not apply where the processing is carried out by Irish public bodies in the public interest. In such cases, the only supervisory authority competent to exercise the powers conferred to it in accordance with the GDPR is the supervisory authority of the same Member State. For example, only the Irish Data Protection Commission would be competent to supervise an Irish public body’s data processing activities in cases of public interest.

KEY TERMS AND WHERE TO FIND THEM

Consent – Recital 43.

Data protection impact assessment – Article 35(3). See also Recital 92.

Data protection officer – Article 37(1)(a), 37(3). See also Recital 97.

Lead supervisory authority – Article 41. See also Recital 128.

Grounds for processing personal data – Article 6 (1) para. 2, (6)(1)(e), 86. See also Recitals 10, 45, 69, 154.



7. Our Experts

Privacy & Data Security

Philip Nolan, Partner, pnolan@mhc.ie, +353 1 614 5078
Mark Adair, Partner, madair@mhc.ie, +353 1 614 2345
Wendy Hederman, Partner, whederman@mhc.ie, +353 1 614 5857
Robert McDonagh, Partner, rmcdonagh@mhc.ie, +353 1 614 5077
Oisín Tobin, Partner, otobin@mhc.ie, +1 650 515 3868
Jevan Neilan, Senior Associate, jneilan@mhc.ie, +353 1 614 5875
Áine Cadogan, Senior Associate, acadogan@mhc.ie, +353 1 614 7728
John Farrell, Senior Associate, jfarrell@mhc.ie, +353 1 614 2323
Kate Higgs, Senior Associate, khiggs@mhc.ie, +353 1 614 2168
Brian Johnston, Senior Associate, bjohnston@mhc.ie, +353 1 614 7746
Maebh Earlie, Associate, mearlie@mhc.ie, +353 1 614 7731
Emily Mahoney, Associate, emahoney@mhc.ie, +353 1 614 2396
Áine Quirke, Associate, aquirke@mhc.ie, +353 1 614 2495
Liam Walsh, Associate, lwalsh@mhc.ie, +353 1 614 5086
Dmytro Aponte, Associate, daponte@mhc.ie, +353 1 614 2439
Jeffrey Hirschey, Associate, jhirschey@mhc.ie, +1 415 655 6856
Micheál McCarthy, Associate, michealmcarthy@mhc.ie, +353 1 614 7700
Ciarán Noonan, Associate, cnoonan@mhc.ie, +353 1 614 2351



Privacy Litigation

Richard Woulfe, Partner, rwoulfe@mhc.ie, +353 1 614 5070
Colin Monaghan, Partner, cmonaghan@mhc.ie, +353 1 614 2149
Lucy Craze, Senior Associate, lcraze@mhc.ie, +353 1 614 2316
Eimear O’Brien, Associate, eobrien@mhc.ie, +353 1 614 5052
Ciaran O’Neill, Associate, ciaranoneill@mhc.ie, +353 1 614 2456

Public Sector Privacy

Catherine Allen, Partner, callen@mhc.ie, +353 1 614 5254
Niall Michel, Partner, nmichel@mhc.ie, +353 1 614 5014
Lisa Joyce, Partner, ljoyce@mhc.ie, +353 1 614 5228

