Subject’s Rights

Data Protection Regulation and Freedom of Information

The General Data Protection Regulation gives significant rights to individuals in relation to data (information) held by third parties about them.  These rights may be enforced directly against the person or entity who holds or controls the data.

The GDPR (and Data Protection Act) complement the Freedom of Information Act, which relates to public sector information. In some cases, a person may be entitled to information under both the Freedom of Information Act and GDPR / the Data Protection Act.

The Freedom of Information Act applies to governmental bodies.  There is no cost to accessing information.  The time limits for the provision of the data are shorter than for data protection. The exemptions to the Data Protection Act rights are narrower than those applicable under the Freedom of Information Act.


Exercise of Rights of the Data Subject must be Facilitated

The data controller must facilitate the exercise of rights by the data subject (the person concerned). The data controller must provide the required information to the data subject in a concise, transparent, intelligible and easily accessible form. He / it must use clear and plain language, in particular for any information addressed to a child.

The information must be provided in writing, or by other means, including, where appropriate, by electronic means. Where requested by the person whom the data concerns, the information may be provided orally, so long as the identity of the person concerned is proven by other means.

The information to be provided to the persons concerned may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they must be machine-readable. The EU Commission may adopt delegated legislation for the purpose of determining the information to be presented by the icons and procedures for providing standardised icons.

Where the controller has reasonable doubts concerning the identity of the person making the request, he may require additional information which is necessary to confirm the identity of the person concerned. In cases where the data controller cannot identify the person concerned, he must not refuse to act, unless the data controller demonstrates that he is not in a position to identify the person concerned.


Must Act Promptly and Free of Charge I

The data controller must provide the information and act upon a request of the data subject, without undue delay and in any event within one month of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

The data controller must inform the person concerned of any extension within one month of receipt of the request, together with the reasons for the delay.

The right of access should be complied with by supplying the individual with a copy of the information concerned in a permanent form unless the supply of such a copy is not possible or would involve disproportionate efforts.

Where the person concerned makes the request by electronic means, the information should be provided by electronic means where possible, unless otherwise requested by the data subject.


Must Act Promptly and Free of Charge II

If the data controller does not take action on the request of the person concerned, the controller must inform that person without delay and at the latest within one month of receipt of the request, of the reasons for not taking action and the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.

The information provided below and any communication and actions taken must be provided free of charge. Where the requests from the person concerned are manifestly unfounded or excessive, in particular, because of their repetitive character, the data controller may either charge a reasonable fee taking account of the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request. The data controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.


Information when Personal Data collected I

Where personal data is collected from the person concerned, the data controller shall, at the time when the data is obtained, provide the person with the following information:

  • the identity and contact details of the data controller and, where applicable, the controller’s representatives;
  • the contact details of the data protection officer, where applicable (larger processors);
  • the purpose of the processing for which the personal data is intended as well as its legal basis for processing;
  • where the processing is based on the legitimate interests of the controller or a third party, the legitimate interest in question pursued by the controller or third party;
  • the recipients or category of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, the existence or absence of an adequacy decision by the Commission, or in the case of transfers, reference to the appropriate or suitable safeguards and the means by which to obtain a copy, or where they may be made available.

Information when Personal Data collected II

In addition to the above information, the data controller must, at the time when the personal data is obtained, provide the person concerned with the following further information necessary to ensure fair and transparent processing.

  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller, access, rectification or erasure of the personal data or the restriction of processing concerning the person concerned or to object to processing and the right to data portability;
  • where processing is based on consent, the existence of the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before withdrawal;
  • the right to lodge a complaint with the supervisory authority;
  • whether the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter the contract, as well as whether the person concerned is obliged to provide the personal data and of the possible consequences of failure to provide the data;
  • the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person concerned.

Where the controller intends to further process the personal data for a purpose other than that for which it was collected, the controller must provide the person concerned, prior to the further processing, with information on that other purpose and with the relevant further information above. These provisions do not apply where and in so far as the data subject already has the information concerned.


Information provided where data from a third party I

Where the personal data has not been obtained from the person concerned, the controller must provide the person concerned with the following information.

  • the identity and contact details of the data controller and, where applicable, of his representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the data is intended as well as the legal basis for processing;
  • the categories of personal data concerned;
  • recipients or categories of recipients of the data;
  • where applicable, that the controller intends to transfer the data to a third country or international organisation and the existence of the relevant approval or arrangements and reference to the appropriate safeguards and means of obtaining particulars of them.

Information provided where data from third party II

In addition to the above information, the data controller must provide the person concerned with the following information necessary to ensure fair and transparent processing:

  • the period for which the personal data will be stored, or if that is not possible, the criteria to determine the period concerned;
  • where processing is based on the legitimate interest of the controller, the legitimate interest pursued by that controller or the third party concerned;
  • the existence of a right to request from the data controller, access to, rectification or erasure of the personal data or the restriction of processing concerning the personal information and to object to processing, as well as the right to data portability;
  • where the processing is based on consent, the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on the consent before that date;
  • the right to lodge a complaint with a supervisory authority;
  • from which source the personal data originated, and if applicable, whether it came from publicly accessible sources;
  • the existence of automated decision-making including profiling and at least in those cases meaningful information about the logic involved as well as the significance and envisaged consequences of the processing for the person concerned.

Exceptions

The above obligations in relation to data obtained from a third party do not apply:

  • where the data subject / person concerned already has the information;
  • where the provision of such information proves impossible or would involve a disproportionate effort (in particular for processing or archiving purposes in the public interest, scientific or historical research purposes or statistical purposes), subject to certain conditions and safeguards, or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing; provided that in these cases, the data controller must take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
  • where the obtaining or disclosure of the data is expressly provided for under State or EU law to which the data controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests;
  • where the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or national law including a statutory obligation of secrecy.

When Provided

The data controller must provide the above information

  • within a reasonable period after obtaining the personal data, but at the latest within one month having regard to the specific circumstances in which the data is processed;
  • if the data is to be used for communication with the person concerned, at the latest at the time of the first communication with that person or if a disclosure to another recipient is envisaged, at the latest when the personal data is first disclosed.

Where the controller intends to further process personal data for a purpose other than that for which it was obtained, the data controller must provide the person concerned prior to that further processing with the information on that other purpose and with any other relevant information referred to above.


Data Request I

The data subject (the person who is the subject of the information) has the right to obtain from the data controller confirmation as to whether or not personal data concerning him are being processed. Where this is the case, the person concerned is entitled to access the personal data and the following information:

  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom it has been or will be disclosed, and in particular, recipients in third countries or international organisations;
  • where possible, the envisaged period for which it will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the data controller, rectification, erasure or the restriction of processing of personal data concerning the person concerned or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the person concerned, any available information regarding its source;
  • the existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequence of such processing for the person concerned;

Where personal data is transferred to a third country or an international organisation, the person concerned has the right to be informed of the appropriate safeguards applicable to such transfer.


Data Request II

An individual who believes any person or entity is keeping personal data about him, shall if he so requests in writing, be informed by the person or entity whether he holds such data. If it does hold such data, the person or entity must give a description of the data and the purposes for which it is kept.

The individual who makes the request must give sufficient evidence to enable him to be identified and to identify the information concerned. Where there are separate entries in respect of data kept for different purposes, the request for information is assumed to be a separate request for each data.

The data controller must provide a copy of the personal data undergoing processing. Where any further copies are requested, the controller may charge a reasonable fee based on administrative costs.

The right to discover whether the information is held is broader than the right of disclosure.  The latter right is subject to  exceptions which do not apply to the former right.


Data Request III

The data controller must supply a copy of the information in permanent form unless this would be disproportionate, unless this is not possible or unless the data subject otherwise agrees.

Where the data subject makes the request by electronic means, and unless otherwise requested, the information must be provided in a commonly used electronic form. The right to obtain a copy of the information is not to affect the rights and freedoms of others.

The request for information may be made at regular intervals. Where a request which is substantially identical or similar has been previously complied with, the data controller need not comply if he is of the opinion that a reasonable interval has not elapsed between compliance with the previous request and the making of the current request.

The data subject (the person the subject of the relevant information) is entitled to have information constituting the personal data, of which he is the subject, communicated to him in an intelligible form together with information known or available to the data controller in relation to its source, unless this is contrary to the public interest.

Where the information is in terms that are not intelligible to an average person, the information must be accompanied by an explanation of the terms concerned. Where the data controller refuses a request, he must communicate the refusal, setting out the reason for it. He must indicate that the individual may complain to the Data Protection Commission in relation to the refusal.


Right to Rectification

The data subject (the person who is subject of the personal information) has the right to procure from the data controller without undue delay the rectification of inaccurate personal data concerning him.

Taking into account the purposes of the processing, the person concerned has the right to have incomplete personal data completed, including by means of a supplementary statement.


Right to Erasure / Right to be forgotten

The person subject of the personal information has the right to procure from the data controller the erasure of personal data relating to him without undue delay. The data controller must erase the personal data without undue delay where one of the following grounds or circumstances applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject concerned withdraws his consent on which the processing is based, and there is no other legal ground for processing;
  • the person concerned objects to the processing and there are no overriding provisions applicable pursuant to GDPR, and there are no overriding legitimate grounds for processing or the data subject objects to the processing;
  • the personal data have been unlawfully processed;
  • the personal data has to be erased for the purpose of compliance with a legal obligation in the State or under EU law to which the person is subject;
  • the personal data has been collected in relation to the offer of information society services pursuant to a consent by or on behalf of a child;

Right to Restrict

The data subject (the person who is subject of the data) has the right to procure from the controller, the restriction of processing where one or more of the following applies:

  • the accuracy of the personal data is contested by the person concerned for a period enabling the controller to verify the accuracy of the data;
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purpose of the processing, but they are required by the person concerned for the establishment, exercise or defence of legal claims;
  • the person concerned has objected to processing (automated processing) pending the verification whether the legitimate grounds of the controller override those of the person concerned;

A data subject who has obtained the restriction of processing above must be informed by the controller before the restriction of processing is lifted.

The data controller must communicate any rectification or erasure of personal data or the restriction of processing carried out above to each recipient to whom the personal data has been disclosed unless this proves impossible or involves a disproportionate effort. The data controller must inform the data subject (the person concerned) about those recipients if the person concerned so requests it.


Exceptions

The above provisions as to erasure do not apply to the extent that the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by an EU or Member State law to which the data controller is subject;
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
  • for reasons of public interest in the area of public health in accordance with provisions as to sensitive personal data processing above;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erase is likely to render impossible or seriously impair the achievement of the objectives of processing;
  • for the establishment, exercise or defence of legal claims.

Right to be forgotten: children

A controller must, at the request of a data subject, without undue delay erase personal data of a data subject who is a child where the data have been collected in relation to the offer to him or her of internet services (so-called information society services).

Where a controller has disclosed the personal data which are the subject of the above request (by or relating to a child) to another controller or controllers, the first-mentioned controller shall, taking account of available technology and the cost of implementation, take all reasonable steps, including technical measures, to inform the other controller or controllers which are processing that personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

The above provisions do not apply to the extent that the processing of the personal data concerned is necessary for the following purposes

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by EU or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with the GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the GDPR in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

Data Portability

The person who is the subject of the data has a right to receive the personal data relating to him which he has provided to a controller, in a structured, commonly used and machine-readable format. He has the right to transmit that data to other controllers without hindrance from the controller to whom the data has been provided, where the processing is based on consent given or a contract entered, and the processing is carried out by automated means.

In exercising his right to data portability, the person concerned has the right to have the personal data transmitted directly from one controller to another, where this is technically feasible. The exercise of this right is without prejudice to the right of erasure.

The right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. The right does not adversely affect the rights and freedoms of others.


Right to Object to Processing

The person who is the subject of data has the right to object, on grounds relating to his particular situation, at any time to processing of personal data concerning him which is based on consent or the legitimate interests of the controller or a third party, including profiling based on those provisions. The controller must no longer process the data unless the controller demonstrates compelling legitimate interests for the processing which override the interests, rights and freedoms of the person concerned or for the establishment, exercise and defence of legal claims.

Where personal data are processed for direct marketing purposes, the person who is subject of the data has the right to object at any time to the processing of the personal data concerning him for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the person concerned objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.


Exercise of Right to Object

At the latest at the time of the first communication with the person concerned, the above right shall be explicitly brought to the attention of the person concerned. It must be presented clearly and separately from any other information.

In the context of the use of information society services, the person concerned may exercise his right to object by automated means using technical specifications.

Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to the GDPR, the person concerned, on grounds relating to his or her particular situation, has the right to object to processing of personal data relating to him, unless the processing is necessary for the performance of a task carried out for reasons of public interest.


Right to Object to Decision based on Automated Processing

The person concerned has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects relating to him or which significantly affects him. Automatic processing may relate to such matters as the evaluation of performance at work, creditworthiness, liability, and conduct.

The above right does not apply if the decision:

  • is necessary for entering or performing a contract between the person concerned and the data controller;
  • is authorised by EU or State law to which the controller is subject and which lays down suitable measures to safeguard the person’s rights and freedoms and legitimate interests; or
  • is based on the person’s explicit consent.

In the first and third cases, the data controller must implement suitable measures to safeguard the person’s rights, freedoms and legitimate interests. This must include at least the right to obtain human intervention on the part of the controller to express his point of view and to contest the decision.

The above type of decision must not be based on special categories of sensitive personal data unless the explicit consent or reasons of substantial public interest ground applies.


Employment Requests

It is not permissible (and it is an offence) to make it a condition of recruitment, employment or a contract for services that the other person makes a data access request or supplies information obtained as a result of such a request.

A person shall not, in connection with—

  • the recruitment of an individual as an employee, the continued employment of the individual, or
  • a contract for the provision of services to the person by an individual,

require that individual to make a data access request or supply the person with data relating to that individual obtained as a result of such a request.

A person who contravenes this obligation is guilty of an offence and is liable—

  • on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
  • on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.
