Data Protection legislation controls the use to which personal information can be put. The legislation refers to the “processing” of personal data. Processing means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means. It includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.
Data Protection legislation applies to “personal information” which means information about living, identified or identifiable persons. It includes information such as names, addresses, bank details, and opinions about an individual. It may be in electronic form or in a manual filing system.
Personal data means any information relating to an identified or identifiable natural person (a data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Nature of Personal Data
Personal data is data relating to a living individual who is or can be identified either by the data or by the data in conjunction with other information that is likely to come into the possession of the data controller. The Irish Data Protection Commission indicates that consideration should be given to the following factors in determining whether data is personal data;
- whether it concerns the data subject;
- whether he is the subject or focus of the data;
- whether it fits into a continuum of relevance or proximity to the data subject;
- whether the data is such that it is required by the data subject to enable him to check whether the data controller’s processing of it unlawfully infringes his privacy;
- whether the data differs in some respect because of the data subject’s involvement (i.e. if the data would be the same if any other person was the subject, then it may not be personal data);
Data retrievable by a person’s name or another identifier may not be personal data by itself. Data arising in the course of an employment or public function concerning persons performing those roles are not by themselves, personal data. An e-mail sent by an employee in an official capacity is not personal data. This is in contrast to a personal e-mail sent by the same person.
Scope of GDPR
This General Data Protection Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria, do not fall within the scope of this Regulation.
The GDPR does not apply to the processing of personal data:
- by a natural person in the course of a purely personal or household activity;
- in the course of an activity which falls outside the scope of Union law;
- by the Member States when carrying out asylum and immigration functions;
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The second, third and fourth categories of data are covered by the domestic Data Protection Act.
Sound and Images
Image and sound data is potentially subject to data protection legislation if it is electronic / automated or contained or intended to be contained in a filing system, structured according to specific criteria relating to individuals, so as to permit easy access to the data in question. Images by themselves are not generally data unless they are automated or arranged in the above sense.
Images on Closed Circuit TV may be data, even if they are not associated with a person’s particulars and even if they do not concern individuals whose faces have been shown. This is irrespective of the media used for processing.
Identification and identifiability may result from linking data held by third parties such as databases of registrations, registration plates or passwords.
The Data Protection Commission takes the view that CCTV images may be personal data where they would allow an individual to be identified. This may arise from the correlation of an image and a PIN number. It is the data controller who must have the linking information for this purpose. Where the individual provides the information for the purpose of an access request, then the image will be personal data, if the data controller can correlate both sets of information.
Data Controller
A data controller is a person, company, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The use of personal data/information must comply with the Data Protection principles. The controller of personal data is responsible for and must be able to demonstrate compliance with, the below data protection principles.
They require that personal information be processed fairly for one or more lawful purposes (and not otherwise) in a way that is consistent with the original purpose for which it is collected, that it is accurate, relevant, up to date and not excessive.
Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. The measures shall be reviewed and updated where necessary.
Where proportionate in relation to processing activities, the measures shall include the implementation of appropriate data protection policies by the controller. Adherence to approved codes of conduct and approved certification mechanisms may be used as an element by which to demonstrate compliance with the obligations.
Data Processor
A data processor is a person or entity which undertakes work in processing data on behalf of a data controller. It does not include an employee of a data controller who does so in the course of his employment. It includes outsourced processors of data.
Data may be processed lawfully, only if the data controller complies with the data protection principles. The data controller must ensure that the data processor complies with data protection legislation.
Where processing is to be carried out on behalf of a controller, the controller shall use only processors who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Processing by a processor must be governed by a contract or other legal act under EU or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature, and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Data Processing Principles I
Personal data must be acquired and processed lawfully. The general and key principle is that data may not be processed unless the person concerned has given his or her consent. There are other bases for processing which are set out below and in other chapters. However, the consent of the data subject is the preeminent and default requirement.
The consent of the data subject must be unambiguous, freely given and informed. A positive consent, as opposed to a consent by inertia, is required. It cannot usually be inferred or implied.
In the case of “sensitive” personal data, explicit consent is required. Sensitive personal data is that relating to racial or ethnic origin, political opinion, religious beliefs, trade union membership, mental, physical health, sexual life, data relating to the commission of an offence or proceedings in relation to an offence.
In order for data to be processed lawfully, the person controlling the data must, insofar as practicable, provide and make available to the subject the identity of the person who will control the data, the name of the person nominated by the data controller for the purpose of the legislation and the purpose for which it is intended to be processed.
Data Processing Principles II
Personal data must be accurate and kept up-to-date. It must not be misleading. Personal data may only be held for a number of specified legitimate purposes. Personal data must be processed only in a manner compatible with the purpose concerned. Therefore, if the information is collected for one purpose, it is likely to constitute unfair processing, to use it for another purpose.
Personal data must be relevant, adequate and not excessive in relation to the purpose for which it is collected or processed. No more information than necessary should be collected. Personal data must not be kept any longer than necessary for the purpose concerned.
Data must be obtained for one or more specified explicit and legitimate purposes. It must not be processed in a manner incompatible with that purpose. It must be adequate, relevant and not excessive. It must be kept for no longer than necessary. The person concerned must be given details of the data controller or its representative, the purpose and the other information that is required to process it fairly. This may include the identity of the ultimate recipient.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. It must be transparent/clear to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
In particular, information must be given to the data subjects
- on the identity of the controller and the purposes of the processing;
- information to ensure fair and transparent processing in respect of the natural persons concerned and
- their right to obtain confirmation and communication of personal data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards, and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
Limited Purpose Only
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Under the transparency requirement, the specific purposes for which personal data are processed should be explicit, legitimate and determined at the time of the collection of the personal data.
The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, in accordance with the criteria in the legislation, not considered to be incompatible with the initial purposes.
Necessary Amount of Retention Only
The personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Personal data may be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to protections.
Security, and Integrity
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
General Provisions
The (EU Wide) GDPR provides that processing (use) of personal data is permitted, provided that the processor complies with one or more of the following conditions;
- the data subject (the person whose personal information it is) has unambiguously given his consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject, prior to entering a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject;
- the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller (data holder) or in a third party to whom the data are disclosed;
- the processing is necessary for the purpose of the legitimate interests pursued by the controller or the third party to whom they are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subject.
Legal Obligations / Government
The GDPR criteria are set out above. EU Member States may maintain or introduce more specific provisions to adapt the application of the GDPR rules in the context of legal obligations, public interest or the exercise of public authority. There are criteria in the GDPR in relation to such rules.
See the separate chapter in relation to the Irish rules in this context. Most of the areas concerned relate to governmental and public interest activities. The processing must usually comply with modified broad data protection principles. The member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued.
The national rules may contain specific provisions to adapt the GDPR rules to the public and other function concerned including
- the general conditions governing the processing by the controller;
- the types of data which are subject to the processing;
- the data subjects concerned;
- the entities to, and the purposes for which, the personal data may be disclosed;
- the purpose limitation; storage periods; and
- processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations.