Data Protection Law (GDPR)

Data Protection law has been a hot topic for some time, but with the introduction of the General Data Protection Regulation (GDPR), it has become a number one priority for the vast majority of organisations. 

As data protection law continues to evolve, it is important that both businesses and individuals are aware of how data protection can impact upon them and, more importantly, how to minimise this impact.

When it comes to the use of personal information, consumers are more aware of their rights than ever and the compensation they may be entitled to. Organisations need to be able to demonstrate that they are collecting personal information ethically and treating such data with diligence and care. Under the GDPR, gathering and storing personal data can quickly become a contentious issue for organisations, no matter the size or the industry they are in.

At Clarke Jeffers & Co. Solicitors we understand the complexities involved when dealing with data protection matters. We help clients understand the duties and responsibilities they have when it comes to GDPR compliance. We advise clients in the event of the misuse or mistreatment of personal data and have represented both individuals and companies involved in data breaches. Our knowledge and expertise in this area is unrivalled.

“Many companies struggle with data protection compliance and there are many individuals who have experienced the misuse of their personal information at one time or another. With data protection matters growing ever more complex, we have made it a key focus for our firm.”

Victor Clarke, Partner

We advise clients in the following areas:

  • Adhering to Data Protection Compliance
  • Drafting policy and procedural documentation
  • Conducting Data Protection Audits
  • Breach of Confidential Information

To find out more about how we can help you with your obligations under data protection law, please get in touch to arrange an appointment.


Glossary of GDPR Terms

If you can think of a “Z” let us know!!

Your Rights

Your rights include:

  1. Right to be informed (transparency in choice).
  2. Right to access.
  3. Right to rectification.
  4. Right to erasure.
  5. Right to restriction of processing.
  6. Right to data portability.
  7. Right to object.

X-rays would be included as personal data (medical data).  X-rays are in a special category of personal data which is subject to increased protection.

WhatsApp Groups

At the time of writing WhatsApp is generally non-compliant for GDPR purposes.  Care should therefore be taken in the creation of WhatsApp groups, particularly if those groups discuss sensitive or important personal information.

Withheld Data

Data withheld on the basis of legitimate exemption (for example legal professional privilege).

Web Browsing History

Refers to a record of web pages visited by an individual and maintained as data by a Controller or Processor.

Victor Clarke

Who you should speak to in the event of a data query or breach… Get in touch

United States

GDPR can affect businesses in the United States (or any other location) if information is held by that business in the EU.  GDPR is concerned with information held within the EU as opposed to the nationality of any citizen it affects.

Unfair Requests

Unfair requests or excessive requests relate to requests by individuals for data which are manifestly unfair or excessive.

Unlikely to Result in Risk

This is a data breach which even though it has occurred is unlikely to result in damage (for example a laptop has been lost containing personal data but is encrypted or is facilitated with remote wiping which has been activated).

Timeframe for Appeals

In the event that a fine is levied by the Data Protection Commissioner then the Processor/Controller has 28 days from the date of that notification to appeal the decision.


Timeframe for provision of requested data.  Data must be provided without delay and in any event within one month of receipt of the request.  (This one month period does not take into account Bank Holidays, Christmas etc.).  The timeline can be extended by a period of up to two further months taking into account complexity, number of requests etc.

Third Party Requests

Refer to requests made by individuals on behalf of other individuals for personal data (examples might include parents, Solicitors, Accountants etc.).  In general there should be some form of written consent by the subject access individual although there is an entitlement to accept the bona fides of a Solicitor.  This can often be a tricky area when it comes to minors.


The tests applied to help decide whether a breach is reportable (the general test is whether the breach is a breach which is likely to result in a risk to the rights and freedoms of natural persons).

Types of Breach

There are various types of breach including:

  1. Confidentiality breach (where there is an unauthorised or accidental disclosure of, or access to personal data).
  2. Integrity breach (where there is an unauthorised or accidental alteration of personal data).
  3. Availability breach (where there is accidental or unauthorised loss of access to, or destruction of, personal data).

Storage Period

Where possible it is the intended or predicted period for which the personal data will be stored.  In the event that it is not possible to predict this term then the criteria used to determine that period should be supplied.


Security measures employed to protect data such as encryption, remote wiping etc.

Sensitive Data

Sensitive data is any data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, Trade Union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.


The governing legislation in relation to data protection in Ireland is the Data Protection Act, 2018.


Defines the right to make representations at a confirmation hearing where a fine has been levied by the Office of Data Protection Commission.  Such representations can be made even in the event that an appeal has not been lodged.


There are three types of risk.  High, medium and low.  These refer to the risk of damage or prejudice arising to an individual (or individuals) in the event of a data breach.


All individuals shall have a right to an effective judicial remedy where one considers their rights under the regulations have been infringed as a result of the processing of their personal data or non-compliance with the regulations.  These rights may be against a Controller or a Processor.  The remedy can be in general format such as compensation, rectification of data, right to be forgotten etc.


Redactions are where information is deleted from data to be provided (usually by way of black marker).  In the event that redactions are required (such as third party personal details information etc.) then a statement should be provided as to the fact that there are redactions and why the Controller / Processor feels that same were necessary.


A refusal to provide data access on foot of a subject access request.  A notification of refusal should issue with a statement of reasons for refusal and an indication that a complaint may be registered with the Data Protection Commission if the applicant is not satisfied.

Regulatory Guidance

Sources of regulatory guidance include (but are not limited to) Data Protection Commission Guidance on Access Rights and Responsibilities (published in April 2017).


Any queries which might be put to the Data Protection Commissioner’s Office in relation to any issue or aspect arising out of a subject access request.

Public Communication

Where a data breach is significantly large in size the notification may be made by way of public communication (i.e. newspaper advertisement, television advertisement etc.).

Plain Language

All notices relating to personal data breaches issued to identifiable living individuals must be made in plain language (readily understandable etc.).


The correlation of information based on an individual’s profile, trends, buying patterns etc.


Processor processes data on behalf of Controller.

Personal Data

Examples of Personal Data might include employment files, medical records, credit card details, telephone calls, e-mails, CCTV, images, recordings of websites visited etc.

Personal Data Breach

Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  This includes breaches that are the result of both accidental and deliberate causes.


Confidential expressions of opinion may be exempt from being furnished under a data request.  Generally a “but for test” is applied.  (i.e. I would not have expressed this confidential opinion had I known that I would have to provide access to it).  This is quite a subjective test and care needs to be applied.

Oral Requests

Oral requests by a data subject are now permitted.

Organisational Measures

These are measures which are taken in order to protect data such as encryption, remote wiping etc.


The Office of Data Protection Commissioner in Ireland.


Notifications for data breaches to the Office of the Data Protection Commissioner must be made without delay and no later than 72 hours from the date of the breach.  There is no general requirement to notify if the breach is considered “unlikely to result in risk”.

Manual Data

Data kept in manual format, such as files, paperwork etc.


Persons under the age of 18 years.  This is relevant where a data request has been made by somebody under the age of 18 (or in the case of a Data access request being made by a parent on behalf of a child).

Mandatory Reporting

In the case of a personal data breach the Controller shall without undue delay (no later than 72 hours after having become aware of it) notify the personal data breach to the supervisory authority.  If notification comes later than 72 hours then a detailed explanation for the delay must accompany that report.


Data Protection Act, 2018 – signed into law on the 24th May 2018.

Legal Professional Privilege

Means privileged data which is subject to professional secrecy (specific communication providing legal advice between Solicitor and client for example).


Liability rests with the Controller for damage caused by processing which infringes GDPR.  The Processor is only liable where they have not complied with specific processor obligations under GDPR or have acted outside or contrary to instructions of the Controller.

Loss of Confidential or Personal Data

Refers to a situation where a Processor or Controller loses personal data by way of loss, ransom, unauthorised access, destruction etc.

Key Principles

There are seven key principles under GDPR as follows:

  1. Lawful fair and transparent processing.
  2. Purpose Limitation.
  3. Data minimisation.
  4. Accurate and up to date processing.
  5. Limitation of storage in the form that permits identification.
  6. Confidential and secure.
  7. Accountability and liability.

Keeping Data

The keeping of data imposes an obligation on the Controller to keep the data safe, not to keep the data for longer than is necessary for that purpose and to ensure that the appropriate notifications and action steps are taken in the event of a breach.

Judicial Review

A form of legal action which can be taken to review the handling or outcome of any complaint.


While the Data Protection Commissioner has jurisdiction to investigate claims and levy fines, those fines can only be confirmed at a confirmation hearing through the Courts.


The Data Protection Commissioner can investigate a Data Controller’s handling of any request and has the power to access data relevant to the complaint.

Integrity Breach

An unauthorised or accidental alteration of personal data.

Identifiable Living Person

Data access requests relate to identifiable living persons.

Information to be supplied

The information to be supplied in the event of a data breach to the Office of the Data Protection Commissioner (broken into specific categories such as number of data subjects, type of data, type of individual affected etc.).

Habitual Residence

The member state where the data subject has his or her main residence.

Health Data

Health data is a special category of sensitive data.  The Controller must not release health data without first checking with the appropriate Health Practitioner whether release of the data would cause serious harm to the physical or mental health of the data subject.


The collection of personal data on individuals.


The EU General Data Protection Regulations.  Came into force on the 25th May 2018.


There are two tiers of administrative fine that can be levied.

  1. Up to €10 million or 2% annual global turnover – whichever is higher.
  2. Up to €20 million or 4% annual global turnover – whichever is higher.

Filing Systems

Only relevant to manual data.  Structured by reference to individuals and organised in such a way that specific information relating to a particular individual is readily accessible.  (Such systems cover personal data and the individual’s name appears on the front of the file.)


There is no necessity (unlike the previous Data Protection Acts) to enclose a fee with your request.  Fees will only arise if the request is deemed to be excessive or repetitive.

Format of Request

Requests can be made in writing, by e-mail or orally.  There is no set format or template to be used, nor is there an applicable fee (unless the request is deemed repetitive or excessive).

Enforcement Notice

The power to issue reprimands to a Controller or Processor where processing operations have infringed provisions of the GDPR regulations.

Encrypted Data

Encrypted data is data which is protected by an encryption code.  Such encryption can minimise the risk in the event that the data is lost.


Not all data must be supplied in response to a data access request.  Such examples would include data which might give rise to a contempt of Court, data covered by legal professional privilege or litigation privilege etc.

Electronic Request

A request made usually by e-mail.  (In these circumstances and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format).

Data Processor Definition

Data Processor in relation to personal data means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.  Processing in relation to information or data means obtaining, recording or holding the information or data.

Data Controller

The Data Controller determines the purpose for which, and the manner in which, personal data is processed.  It can do this either on its own or jointly or in common with other organisations.  This means that the Data Controller exercises overall control over the “why” and “how” of a data processing activity.

Data Subject Rights

Your rights include:

  1. Right to be informed (transparency in choice).
  2. Right to access.
  3. Right to rectification.
  4. Right to erasure.
  5. Right to restriction of processing.
  6. Right to data portability.
  7. Right to object.

The types of material and non-material damage that could result if a breach of data is not addressed in an appropriate and timely manner.

Data Litigation

The right to take action, to protect one’s own data etc.

Data Protection Commissioner

The Data Protection Commissioner and its Office (ODPC) are the supervising authority in Ireland for matters relating to data protection. (Currently Helen Dixon)

Data Request

A data request can be in writing (e-mail is also sufficient) and can be oral also. There is no need to mention GDPR or any other regulations, nor is there any set format or template that needs to be used.


Data is any information kept manually or electronically or by other means (such as CCTV etc.) relating to an identifiable living individual.

Corrective Power

The power of the supervisory authority to levy fines which shall in each individual case be effective, proportionate and dissuasive.


A right to receive compensation from the Controller or Processor of data if damage is suffered as a result of a breach (although the GDPR allows any person affected by a data breach to claim compensation, this is limited in Ireland under the Data Protection Act to the subject access individual).

Confirmation Hearing

While the Data Protection Commissioner can levy a fine, the fine itself must be confirmed by the Court. This hearing is known as a Confirmation Hearing.


Once a breach occurs the Controller must seek to contain the incident and assess the risk.


An individual has a right to complain to the Office of the Data Protection Commissioner (ODPC) for example if access to data is refused or not provided correctly/or at all.

Confidentiality Breach

An unauthorised or accidental disclosure of, or access to, personal data.

Computer Files

All files held on computer, electronically, on USB storage devices and including computers not on the main network (phones, laptops, iPads etc.).


Determines the purpose and means of the processing.


A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed.


It is possible to appeal against an administrative fine being levied by the ODPC. Such appeals are made to the Courts and must be made within 28 days from the date of notification of the decision to fine.

Availability Breach

An accidental or unauthorised loss of access to/or destruction of personal data.

Automated individual decision making

Making a decision solely by automated means without any human involvement; and profiling (automated processing of personal data to evaluate certain things about an individual).

Access Requests

A request made by an identifiable living individual for data held on that individual in any relevant format.


(General Data Protection Regulations and Protection Act 2018) GDPR



Clarke Jeffers Solicitors
The Mews, Fitzwilliam Hall
Fitzwilliam Place
Dublin 2

Tel: +353 1567 5938



Clarke Jeffers Solicitors
30 Dublin Street

Tel: +353 59 913 1656