Application of GDPR / Data Protection Law
Irish data protection law (including the GDPR) applies to the processing of personal data where the data controller or processor is established in the State (Ireland) and the data is processed in the context of the activities of that establishment. This is so regardless of whether the processing itself takes place in the European Union or not.
The GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
The GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. This may be, for example, an embassy or consulate.
An establishment is a concept which entails having a certain minimum presence and business operations in the EU. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor.
Not Established but Offering Goods and Services in the EU
The processing of personal data of data subjects who are in the EU by a controller or a processor not established in the Union is subject to the GDPR where the processing activities are related to offering goods or services to such data subjects, irrespective of whether connected to a payment.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the EU, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the EU.
The mere accessibility of the controller’s, processor’s or an intermediary’s website in the EU, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that language, or the mentioning of customers or users who are in the EU, may make it apparent that the controller envisages offering goods or services to data subjects in the EU.
The processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU is subject to the GDPR when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the EU.
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet, including the potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning him or her or for analysing or predicting his or her personal preferences, behaviours and attitudes.
Transfer of Data out of EEA (pre GDPR) I
Data may not be transferred out of the EEA (the EU plus Iceland, Liechtenstein and Norway) unless the country concerned provides adequate protection for the privacy of data subjects in relation to the processing of their data. The Data Protection Commissioner had power to prohibit the transfer of personal data abroad. For information to be personal data, a person must be capable of being identified from it.
The EU maintains an approved list of countries which satisfy this requirement. The EU Commission took the view that the USA did not provide adequate data protection for privacy. US companies could instead voluntarily subscribe to the so-called Safe Harbour scheme.
This involved them voluntarily adopting standards of data protection equivalent to those in the EU. The US Department of Commerce administered the scheme. If a company breached the principles, enforcement action could be taken by the US Federal Trade Commission.
In October 2015 the Court of Justice of the European Union declared the Safe Harbour decision invalid (Schrems v Data Protection Commissioner, Case C-362/14). Soon after this decision the European Commission and the US Government commenced negotiations on a new framework and in February 2016 reached a political agreement. The European Commission published a draft “adequacy decision”, declaring the principles of the new framework (the EU-US Privacy Shield) to be essentially equivalent to the protections offered by EU law.
Transfer of Data out of EEA (pre GDPR) II
It is possible to export data to a country without an adequacy finding using the EU model contract clauses. The clauses may be supplemented with commercial terms but must not be altered in a way that weakens them, so that the recipient complies with minimum EU standards. For a transfer between data controllers, the data exporter must ensure that, up to the point of transfer, the processing has been carried out in accordance with the applicable law. The data importer must submit its data processing facilities for audit by the data exporter, or as may be required by the supervisory authorities.
If the requirements are breached, the data subject can recover damages from the importer and exporter, who are liable jointly and severally unless they prove that neither is responsible. The data subject is a third-party beneficiary of the agreement.
The contract between a data controller (the exporter) and a data processor (the importer) requires the exporter to ensure that the processing of the personal data has been, and will continue to be, carried out in accordance with the applicable law. The controller must ensure that the processor has adequate technical and organisational measures to protect the data. Under these clauses the data exporter remains liable to the data subject for a breach by either party, regardless of which party is at fault.
International Transfers of Data (GDPR)
The transfer of personal data which is undergoing processing or is intended to be processed after transfer to a third country (non-EU) or international organization, may take place only if the conditions set out in the GDPR are complied with. Those conditions must be complied with by the controller and processor.
The conditions also apply to onward transfers of personal data from the third country or international organisation to another third country or international organisation. All of these provisions are to be applied so that the level of protection of natural persons guaranteed by the GDPR is not undermined by the transfer.
A transfer of data to a third country or international organisation may take place where the Commission has decided that the third country, territory or sector concerned within that third country, or organisation ensures an adequate level of protection. This transfer does not require a specific authorisation.
Factors in EU Approving Third Countries / Sectors
In assessing whether the adequacy of the protection is sufficient, the EU Commission shall, in particular, take into account:
- the relevant rules of law, respect for human rights and fundamental freedoms;
- the relevant legislation, including those concerning public defence, national security, public security and criminal law and
- the access of public authorities to the personal data.
The Commission shall also consider the implementation of the legislation providing the data protection rules, professional rules and security measures, including the rules and measures for the onward transfer of personal data to other countries. It may consider case-law and other aspects which should provide effective and enforceable rights for data subjects and effective administrative and judicial redress for the data subjects whose personal data is being transferred, where there have been breaches.
The Commission shall consider the existence and effective functioning of one or more independent supervisory authorities in the third country, responsible for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States. It shall also consider the international commitments the third country or international organisation has entered into, and other obligations arising from legally binding conventions or instruments, as well as its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
Approval and Review
The Commission, after assessing the adequacy of the level of protection, may decide by means of an implementing act that the third country, a territory or one or more specified sectors within it, or an international organisation, ensures an adequate level of protection for the purposes of the GDPR. The Commission is to publish in the Official Journal of the European Union, and on its website, a list of the third countries, territories, sectors and international organisations for which it has decided that an adequate level of protection is, or is no longer, ensured.
The implementing act shall provide for a mechanism for periodic review, at least every four years, which takes into account all relevant developments in the third country or international organisation. The Commission must, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of its adequacy decisions.
Where the available information reveals, whether initially or after a review, that a third country, territory, sector or international organisation no longer ensures an adequate level of protection, the Commission may repeal, amend or suspend its adequacy decision. On duly justified imperative grounds of urgency, the Commission may adopt immediately applicable implementing acts in accordance with the procedure laid down in the GDPR.
The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to such a decision. A decision repealing, amending or suspending an adequacy decision does not prejudice transfers of personal data to the third country, territory or organisation made under the appropriate safeguards or derogations described below.
Where No Adequacy Decision
In the absence of an adequacy decision by the Commission in relation to the transfer to the third country or international organisation, a data controller or processor may transfer personal data to such a country or organisation only if it has provided appropriate safeguards. It must also be on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The appropriate safeguards may be provided, without requiring any specific authorisation from a supervisory body, by:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules (as below);
- standard data protection clauses adopted by the Commission in accordance with the procedure in the legislation;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure;
- an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards rights of the data subjects; or
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country.
Subject to authorisation from the competent supervisory authority, the appropriate safeguards may also, in particular, be provided for by way of:
- contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation; and
- provisions in administrative arrangements between public authorities and bodies which include enforceable and effective rights for the data subjects.
Binding Corporate Rules I
The competent supervisory authority may approve binding corporate rules in accordance with the consistency mechanism set out in the GDPR for cooperation between the supervisory authorities of the Member States. The rules must:
- be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
- expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
- fulfil the requirements mentioned below.
The binding corporate rules must specify at least:
- the structure and contact details of the undertakings or groups of enterprises engaged in a joint activity or of each of its members;
- the data transfers or sets of transfers, including categories of personal data, type of processing and its purposes, type of data subjects affected and the identification of the third countries in question;
- their legally binding nature, both internally and externally;
Binding Corporate Rules II
The binding corporate rules must also specify at least:
- the application of the general data protection principles, including purpose limitation, data minimisation, limited storage period, data quality, data protection by design and default, a legal basis for processing, the processing of special categories of personal data, measures to ensure data security, and requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
- the rights of data subjects as regard data processing and the means of exercising those rights, including the right not to be subjected to automated decisions including profiling, the right to lodge a complaint before the supervisory or judicial authority and to obtain redress and compensation;
- the acceptance by the controller or processor established in the territory of a Member State of liability for any breaches of the binding corporate rules by a member not established in the EU; the controller or processor shall be exempt from that liability, in whole or in part, only if it proves that the member is not responsible for the event giving rise to the damage.
Binding Corporate Rules III
The binding corporate rules must also specify:
- how the information on the binding corporate rules, in particular, the above provisions is provided to the data subjects;
- the tasks of the data protection officer designated or any other person or entity in charge of the monitoring of compliance with the binding corporate rules within the group of undertakings, or enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
- the complaint procedures;
- the mechanisms within the group for ensuring verification of compliance with the corporate rules; these mechanisms must include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject; the results of the verification must be communicated to the person or entity above, the data protection officer and to the board of the controlling undertaking of the group. It must be available on request to the competent supervisory authority;
- the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
- the cooperation mechanism with the supervisory authority in order to ensure compliance by any member of the group, in particular by making available to the supervisory authority the results of the above verification measures;
- the mechanisms for reporting to the competent supervisory authority, any legal requirements to which a member of the group or group of enterprises, is subject in a third country, which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules;
- the appropriate data protection training for personnel having permanent or regular access to personal data.
Exchange of Information and Recognition
The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for the purposes of binding corporate rules. Those implementing acts are to be adopted in accordance with the examination procedure in the GDPR.
Any judgment of a court or tribunal, or decision of an administrative authority, of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforced if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a Member State. This is without prejudice to the other lawful grounds for transfer in the GDPR.
No Adequacy Decision and Above Safeguards Absent I
In the absence of an adequacy decision by the Commission in relation to the country or territory concerned, or of the appropriate safeguards above (including binding corporate rules), a transfer or a set of transfers of personal data to a third country or international organisation shall take place only on one of the following conditions:
- the data subject, the person the subject of the data, has explicitly consented to the proposed transfer, after having been informed of the possible risks of the transfers due to the absence of an adequacy decision or appropriate safeguards;
- the transfer is necessary for the performance of a contract between the person concerned and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or any person who can demonstrate a legitimate interest, but only to the extent the conditions laid down by EU or State law for consultation are fulfilled in the particular case.
No Adequacy Decision and Above Safeguards Absent II
Where a transfer cannot be based on above rules (earlier mentioned), including the provisions on binding corporate rules, and none of the above derogations apply, a transfer to a third country or an international organisation may take place only if the transfer
- is not repetitive;
- concerns only a limited number of persons;
- is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and
- the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of the personal data.
The controller must inform the supervisory authority of the transfer. In addition to the information it must provide to the data subject under the general transparency obligations of the GDPR, it shall inform the data subject of the transfer and of the compelling legitimate interests pursued.
No Adequacy Decision and Above Safeguards Absent III
A transfer from a public register under the derogation above shall not involve the entirety of the personal data, or entire categories of personal data, contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
The first three derogations above (explicit consent, a contract with the data subject, and a contract in the interests of the data subject) and the compelling legitimate interests ground do not apply to activities carried out by public authorities in the exercise of their public powers.
In the absence of an adequacy decision, the EU or States may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or international organisation. The public interest referred to above shall be recognised in EU law or State law. Member States shall notify the provisions to the Commission.
The controller must document the assessment, as well as the suitable safeguards referred to above, in its records of processing activities.
In relation to third countries and international organisations, the Commission and supervisory authorities shall take steps to develop international cooperation mechanisms to facilitate the effective enforcement of the legislation for the protection of personal data.
They shall provide international mutual assistance on the enforcement of legislation for the protection of personal data. This shall include through notification, complaint referral, investigative assistance, information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms.
The Commission shall engage relevant stakeholders in discussions and activities aimed at furthering international cooperation in the enforcement of the legislation. They shall promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
EU-US Privacy Shield
The EU-US Privacy Shield decision was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016. The framework was designed to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes, and to bring legal clarity for businesses relying on transatlantic data transfers. The arrangement includes:
- data protection obligations on companies receiving personal data from the EU;
- safeguards on US government access to data;
- effective protection and redress for individuals; and
- an annual joint review by the EU and US to monitor the correct application of the arrangement.
The first annual review took place in September 2017 and, on that basis, the Commission published on 18 October 2017 a report on the functioning of the Privacy Shield.
The Court of Justice of the European Union subsequently declared the Privacy Shield adequacy decision invalid on 16 July 2020 (Data Protection Commissioner v Facebook Ireland and Schrems, Case C-311/18), so it can no longer be relied on as a ground for transfer; the Court left the standard contractual clauses in place, subject to a case-by-case assessment by the exporter of whether the law of the destination country allows the clauses to be honoured in practice.
References and Sources
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988
Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988
Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988
Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988
Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989
Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989
Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989
Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993
Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993
Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007
Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007
Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007
Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009
Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011
Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012
Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013
Data Protection Act 1988 (Commencement) Order 2014, S.I. No. 337 of 2014
Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015
Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016
Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016
Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016
Data Protection (Amendment) Act 2003 (Commencement) Order 2003, S.I. No. 207 of 2003
Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007
Data Protection (Amendment) Act 2003 (Commencement) Order 2014
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
EU and UK Texts
Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018
Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed Rosemary Jay 2018
Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed Patrick Birkinshaw, Mike Varney 2018
Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018
A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018
Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018
Information Exchange and EU Law Enforcement Anna Fiodorova 2018
Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018
The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018
The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018
Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018
The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018
A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018
EU Data Protection Law Denis Kelleher, Karen Murray 2018
New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017
Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017
Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017
The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017
Privacy, Data Protection and Cybersecurity in Europe Edited by: Wolf J. Schunemann, Max-Otto Baumann 2017
Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017
Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016
Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016
Data Protection: The New Rules Ian Long 2016
A User’s Guide to Data Protection 2nd ed Paul Lambert 2016
The Foundations of EU Data Protection Law Orla Lynskey 2015
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015
Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014
Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers 2nd ed Lynda Macdonald 2008