GDPR Use of Data
Data Controllers and Processing
The GDPR and the Data Protection Act provide key principles for the holding and use of personal data, which are binding on data controllers and data processors. A data controller is anybody who, alone or jointly with others, determines the purposes and means of processing personal data. Personal data means any data relating to a living individual who can be identified from the data, or from the data in conjunction with other information in the data controller's possession or which may come into their possession.
"Processing" covers keeping, collecting, storing, altering, adapting, retrieving, consulting, using, transmitting, disseminating or otherwise making available the data. It includes combining, blocking, erasing and destroying data.
A data processor is a person who processes personal data on behalf of a data controller. A data processor is subject to many of the same obligations as the data controller. Their relationship should be governed by a contract or other binding arrangement. It should specify the conditions under which data may be processed, minimum security requirements, procedures and provisions to secure compliance, risk management and rights of verification (for example, the controller's right to audit the processor).
In order for processing to be lawful, personal data must be processed on the basis of the consent of the data subject concerned or on some other legitimate basis laid down by law, either in the GDPR or in other EU or national law. Such bases include the necessity for compliance with a legal obligation to which the controller is subject, and the necessity for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Data Processing Principles
The GDPR restates the basic data protection principles.
Personal data must be:
- processed fairly, lawfully and in a transparent manner
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed
- accurate and, where necessary, kept up to date
- kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures
The most familiar basis for legitimate processing of data is the consent of the data subject, although it is only one of the lawful bases. Consent must be freely given, informed, specific and unambiguous. The GDPR goes further than the previous legislation in this regard.
Children
In the case of children, special protections apply in respect of the use of their personal data. Where consent is relied on to offer information society services (online businesses and services) directly to a child under 16, the consent must be given or authorised by the person holding parental responsibility. Member States may lower the age to no less than 13 years.
More is expected in relation to the processing of children's personal data. Clear explanations, in language a child can understand, are required. The consent of a parent or guardian may be required unless it is reasonable to believe that the child clearly understands what is involved and is making an informed decision.
Fair Collection
Fair processing requires that the data subject be given certain information before his data is collected. He should be given information about the identity of the data controller, the persons to whom the data may be disclosed and the purposes for which it is to be used. The information should be furnished before the data controller first processes the data.
The information must be made available to the person affected. Under the former legislation, the furnishing of information on a website could in some cases suffice; the GDPR requires that it be given more directly. Consent should be informed consent in all cases. In the case of a minor, the consent of a parent or guardian should be obtained.
Data must be collected for a particular specified, explicit and legitimate purpose. It must not be processed in a manner which is incompatible with those purposes. The relevant purpose must be specified at the time of collection.
Data must not be collected which is irrelevant to the purposes for which it is required. The controller must assess the adequacy, relevance and connection of the data to those purposes in an objective way. He must act fairly, bearing in mind the purpose for which the data is collected.
Processing and Security
Personal data must be accurate and, where necessary, kept up to date. It must be adequate, relevant and not excessive in relation to the purposes for which it is collected. Every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to its purposes, is erased or corrected. Data is inaccurate if it is incorrect or misleading as to any matter of fact.
Data processing must be objectively necessary. Data must not be retained for any longer than necessary. Data processing must be relevant to the purpose for which the data is collected and must not be excessive in the context of that purpose.
Data controllers must take security measures to prevent unauthorised access to, unauthorised alteration of, unauthorised disclosure of, and destruction of personal data. The security provided must be appropriate having regard to the state of the art, the costs of implementation, the nature of the data and the harm that might result from its loss or unauthorised use.
Territorial Scope
Data protection law applies to the processing of personal data where the data controller is established in the State and the data is processed in the context of that establishment. It also applies where the data controller is established neither in the State nor in another EU state, but uses equipment in the State for processing data other than for transit purposes. The GDPR itself also reaches controllers and processors established outside the EU where they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
An establishment is a concept which entails having a certain minimum presence and business operations in the State. Accordingly, a transient presence or the presence of small elements of a business would not usually suffice to bring the entity within the scope of Irish data protection law, in particular where the entity is established in another EEA state. Those states have equivalent data protection rights and laws, deriving from the EU legislation.
An individual resident in the State is deemed established. A company incorporated in the State is deemed established. A partnership formed in Ireland under the laws of Ireland is deemed established. Outside of these categories, a person or entity is established if he or it has an office, branch or agency in the State through which he or it carries on a regular practice. See the sections on tax, which use similar concepts in defining the degree of presence necessary to bring an entity within the charge to Irish tax.
Personal data kept by an individual in the management of his personal, family and household affairs, or kept only for recreational purposes, is exempt. The Act does not apply at all to information that must be made public by or under separate legislation.
The GDPR reforms the provisions in relation to the international transfer of data. The former EU-US Privacy Shield was found to be inadequate by the Court of Justice of the European Union. The GDPR provides a framework for transfers of personal data outside the EU. Where there is no adequacy decision in respect of the third country, transfers may be allowed pursuant to binding corporate rules, standard contractual clauses and in certain other cases.