Data Protection Law
2019-07-09
Clarke Jeffers | Professional Commercial Individual Personal Solicitors in Carlow and Dublin Ireland

Data Protection Law (GDPR)

Data Protection law has been a hot topic for some time, but with the introduction of the General Data Protection Regulation (GDPR), it has become a number one priority for the vast majority of organisations.

As data protection law continues to evolve, it is important that both businesses and individuals are aware of how data protection can impact upon them and, more importantly, how to minimise this impact.

When it comes to the use of personal information, consumers are more aware of their rights than ever and the compensation they may be entitled to. Organisations need to be able to demonstrate that they are collecting personal information ethically and treating such data with diligence and care. Under the GDPR, gathering and storing personal data can quickly become a contentious issue for organisations, no matter the size or the industry they are in.

At Clarke Jeffers & Co. Solicitors we understand the complexities involved when dealing with data protection matters. We help clients understand the duties and responsibilities they have when it comes to GDPR compliance. We advise clients in the event of the misuse or mistreatment of personal data and have represented both individuals and companies involved in data breaches. Our knowledge and expertise in this area is unrivalled.

“Many companies struggle with data protection compliance and there are many individuals who have experienced the misuse of their personal information at one time or another. With data protection matters growing ever more complex, we have made it a key focus for our firm.”

  • Victor Clarke, Partner

We advise clients in the following areas:

  • Adhering to Data Protection Compliance
  • Drafting policy and procedural documentation
  • Conducting Data Protection Audits
  • Breach of Confidential Information

To find out more about how we can help you with your obligations under data protection law, please get in touch to arrange an appointment.

Glossary of GDPR Terms

If you can think of a “Z” let us know!!

Your Rights

Your rights include:

  1. Right to be informed (transparency in choice).
  2. Right to access.
  3. Right to rectification.
  4. Right to erasure.
  5. Right to restriction of processing.
  6. Right to data portability.
  7. Right to object.

X-Rays

X-rays would be included as personal data (medical data).  X-rays are in a special category of personal data which is subject to increased protection.

WhatsApp Groups

At the time of writing WhatsApp is generally non-compliant for GDPR purposes.  Care should therefore be taken in the creation of WhatsApp groups, particularly if those groups discuss sensitive or important personal information.

Withheld Data

Data withheld on the basis of legitimate exemption (for example legal professional privilege).

Web Browsing History

Refers to a record of web pages visited by an individual and maintained as data by a Controller or Processor.

Victor Clarke

Who you should speak to in the event of a data query or breach… Get in touch

United States

GDPR can affect businesses in the United States (or any other location) if information is held by that business in the EU.  GDPR is concerned with information held within the EU as opposed to the nationality of any citizen it affects.

Unfair Requests

Unfair requests or excessive requests relate to requests by individuals for data which are manifestly unfair or excessive.

Unlikely to Result in Risk

This is a data breach which even though it has occurred is unlikely to result in damage (for example a laptop has been lost containing personal data but is encrypted or is facilitated with remote wiping which has been activated).

Timeframe for Appeals

In the event that a fine is levied by the Data Protection Commissioner then the Processor/Controller has 28 days from the date of that notification to appeal the decision.

Timeframes

Timeframe for provision of requested data.  Data must be provided without delay and in any event within one month of receipt of the request.  (This one month period does not take into account Bank Holidays, Christmas etc.).  The timeline can be extended by a period of up to two further months taking into account complexity, number of requests etc.

Third Party Requests

Refer to requests made by individuals on behalf of other individuals for personal data (examples might include parents, Solicitors, Accountants etc.).  In general there should be some form of written consent by the subject access individual although there is an entitlement to accept the bona fides of a Solicitor.  This can often be a tricky area when it comes to minors.

Tests

The tests applied to help decide whether a breach is reportable (the general test is whether the breach is a breach which is likely to result in a risk to the rights and freedoms of natural persons).

Types of Breach

There are various types of breach including:

  1. Confidentiality breach (where there is an unauthorised or accidental disclosure of, or access to personal data).
  2. Integrity breach (where there is an unauthorised or accidental alteration of personal data).
  3. Availability breach (where there is accidental or unauthorised loss of access to, or destruction of, personal data).

Storage Period

Where possible it is the intended or predicted period for which the personal data will be stored.  In the event that it is not possible to predict this term then the criteria used to determine that period should be supplied.

Security

Security measures employed to protect data such as encryption, remote wiping etc.

Sensitive Data

Sensitive data is any data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, Trade Union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Statute

The Irish governing legislation in relation to data protection in Ireland is the Data Protection Act, 2018.

Representations

Defines the right to make representations at a confirmation hearing where a fine has been levied by the Office of Data Protection Commission.  Such representations can be made even in the event that an appeal has not been lodged.

Risk

There are three types of risk: high, medium and low.  These refer to the risk of damage or prejudice arising to an individual (or individuals) in the event of a data breach.

Remedies

All individuals shall have a right to an effective judicial remedy where one considers their rights under the regulations have been infringed as a result of the processing of their personal data or non-compliance with the regulations.  These rights may be against a Controller or a Processor.  The remedy can be in general format such as compensation, rectification of data, right to be forgotten etc.

Redactions

Redactions are where information is deleted from data to be provided (usually by way of black marker).  In the event that redactions are required (such as third party personal details etc.) then a statement should be provided as to the fact that there are redactions and why the Controller / Processor feels that same were necessary.

Refusal

A refusal to provide data access on foot of a subject access request.  A notification of refusal should issue with a statement of reasons for refusal and an indication that a complaint may be registered with the Data Protection Commission if the applicant is not satisfied.

Regulatory Guidance

Sources of regulatory guidance include (but are not limited to) Data Protection Commission Guidance on Access Rights and Responsibilities (published in April 2017).

Queries

Any queries which might be put to the Data Protection Commissioner’s Office in relation to any issue or aspect arising out of a subject access request.

Public Communication

Where a data breach is significantly large in size the notification may be made by way of public communication (i.e. newspaper advertisement, television advertisement etc.).

Plain Language

All notices relating to personal data breaches issued to identifiable living individuals must be made in plain language (readily understandable etc.).

Profiling

The correlation of information based on an individual’s profile, trends, buying patterns etc.

Processor

Processor processes data on behalf of Controller.

Personal Data

Examples of Personal Data might include employment files, medical records, credit card details, telephone calls, e-mails, CCTV, images, recordings of websites visited etc.

Personal Data Breach

Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  This includes breaches that are the result of both accidental and deliberate causes.

Opinions

Confidential expressions of opinion may be exempt from being furnished under a data request.  Generally a “but for test” is applied.  (i.e. I would not have expressed this confidential opinion had I known that I would have to provide access to it).  This is quite a subjective test and care needs to be applied.

Oral Requests

Oral requests by a data subject are now permitted.

Organisational Measures

These are measures which are taken in order to protect data such as encryption, remote wiping etc.

ODPC

The Office of Data Protection Commissioner in Ireland.

Notifications

Notifications for data breaches to the Office of the Data Protection Commissioner must be made without delay and no later than 72 hours from the date of the breach.  There is no general requirement to notify if the breach is considered “unlikely to result in risk”.

Manual Data

Data kept in manual format, such as files, paperwork etc.

Minors

Persons under the age of 18 years.  This is relevant where a data request has been made by somebody under the age of 18 (or in the case of a Data access request being made by a parent on behalf of a child).

Mandatory Reporting

In a case of a personal data breach the Controller shall without undue delay (no later than 72 hours after having become aware of it) notify the personal data breach to the supervisory authority.  If notification comes later than 72 hours then a detailed explanation for the delay must accompany that report.

Legislation

Data Protection Act, 2018 – signed into law on the 24th May 2018.

Legal Professional Privilege

Means privileged data which is subject to professional secrecy (specific communication providing legal advice between Solicitor and client for example).

Liability

Liability rests with the Controller for damage caused by processing which infringes GDPR.  The Processor is only liable where they have not complied with specific processor obligations under GDPR or have acted outside or contrary to instructions of the Controller.

Loss of Confidential or Personal Data

Refers to a situation where a Processor or Controller loses personal data by way of loss, ransom, unauthorised access, destruction etc.

Key Principles

There are seven key principles under GDPR as follows:

  1. Lawful fair and transparent processing.
  2. Purpose Limitation.
  3. Data minimisation.
  4. Accurate and up to date processing.
  5. Limitation of storage in the form that permits identification.
  6. Confidential and secure.
  7. Accountability and liability.

Keeping Data

The keeping of data imposes an obligation on the Controller to keep the data safe, not to keep the data for longer than is necessary for that purpose and to ensure that the appropriate notifications and action steps are taken in the event of a breach.

Judicial Review

A form of legal action which can be taken to review the handling or outcome of any complaint.

Jurisdiction

While the Data Protection Commissioner has jurisdiction to investigate claims and levy fines, those fines can only be confirmed at a confirmation hearing through the Courts.

Investigations

The Data Protection Commissioner can investigate a Data Controller’s handling of any request and has the power to access data relevant to the complaint.

Integrity Breach

An unauthorised or accidental alteration of personal data.

Identifiable Living Person

Data access requests relate to identifiable living persons.

Information to be supplied

The information to be supplied in the event of a data breach to the Office of the Data Protection Commissioner (broken into specific categories such as number of data subjects, type of data, type of individual affected etc.).

Habitual Residence

The member state where the data subject has his or her main residence.

Health Data

Health data is a special category of sensitive data.  The Controller must not release health data without first checking with the appropriate Health Practitioner whether release of the data would cause serious harm to the physical or mental health of the data subject.

Harvesting

The collection of personal data on individuals.

GDPR

The EU General Data Protection Regulations.  Came into force on the 25th May 2018.

Fines

There are two tiers of administrative fine that can be levied.

  1. Up to €10 million or 2% annual global turnover – whichever is higher.
  2. Up to €20 million or 4% annual global turnover – whichever is higher.

Filing Systems

Only relevant to manual data.  Structured by reference to individuals and organised in such a way that specific information relating to a particular individual is readily accessible.  (Such systems cover personal data and the individual’s name appears on the front of the file.)

Fees

There is no necessity (unlike the previous Data Protection Acts) to enclose a fee with your request.  Fees will only arise if the request is deemed to be excessive or repetitive.

Format of Request

Requests can be in writing, e-mail or orally made.  There is no set format or template to be used and nor is there an applicable fee (unless the request is deemed repetitive or excessive).

Enforcement Notice

The power to issue reprimands to a Controller or Processor where processing operations have infringed provisions of the GDPR regulations.

Encrypted Data

Encrypted data is data which is protected by an encryption code.  Such encryption can minimise the risk in the event that the data is lost.

Exceptions

Not all data must be supplied in response to a data access request.  Such examples would include data which might give rise to a contempt of Court, data covered by legal professional privilege or litigation privilege etc.

Electronic Request

A request made usually by e-mail.  (In these circumstances and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format).

Data Processor Definition

Data Processor in relation to personal data means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.  Processing in relation to information or data means obtaining, recording or holding the information or data.

Data Controller

The Data Controller determines the purpose for which, and the manner in which, personal data is processed.  It can do this either on its own or jointly or in common with other organisations.  This means that the Data Controller exercises overall control over the “why” and “how” of a data processing activity.

Data Subject Rights

Your rights include:

  1. Right to be informed (transparency in choice).
  2. Right to access.
  3. Right to rectification.
  4. Right to erasure.
  5. Right to restriction of processing.
  6. Right to data portability.
  7. Right to object.

Damage

The types of material and non-material damage that could result if a breach of data is not addressed in an appropriate and timely manner.

Data Litigation

The right to take action, to protect one’s own data etc.

Data Protection Commissioner

The Data Protection Commissioner and its Office (ODPC) are the supervising authority in Ireland for matters relating to data protection. (Currently Helen Dixon)

Data Request

A data request can be in writing (e-mail is also sufficient) and can be oral also. There is no need to mention GDPR or any other regulations, nor is there any set format or template that needs to be used.

Data

Data is any information kept manually or electronically or by other means (such as CCTV etc.) relating to an identifiable living individual.

Corrective Power

The power of the supervisory authority to levy fines which shall in each individual case be effective, proportionate and dissuasive.

Compensation

A right to receive compensation from the Controller or Processor of data if damage is suffered as a result of a breach (although the GDPR allows any person affected by a data breach to claim compensation, this is limited in Ireland under the Data Protection Act to the subject access individual).

Confirmation Hearing

While the Data Protection Commissioner can levy a fine, the fine itself must be confirmed by the Court. This hearing is known as a Confirmation Hearing.

Containment

Once a breach occurs the Controller must seek to contain the incident and assess the risk.

Complaints

An individual has a right to complain to the Office of the Data Protection Commissioner (ODPC) for example if access to data is refused or not provided correctly/or at all.

Confidentiality Breach

An unauthorised or accidental disclosure of, or access to, personal data.

Computer Files

All files held on computer, electronically, on USB storage devices and including computers not on the main network (phones, laptops, iPads etc.).

Controller

Determines the purpose and means of the processing.

Breach

A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed.

Appeals

It is possible to appeal against an administrative fine being levied by the ODPC. Such appeals are made to the Courts and must be made within 28 days from the date of notification of the decision to fine.

Availability Breach

An accidental or unauthorised loss of access to/or destruction of personal data.

Automated individual decision making

Making a decision solely by automated means without any human involvement; and profiling (automated processing of personal data to evaluate certain things about an individual).

Access Requests

A request made by an identifiable living individual for data held on that individual in any relevant format.

Acts

GDPR (General Data Protection Regulations) and the Data Protection Act 2018.
