Overview of the General Data Protection Regulation (GDPR)
Many organisations, both public and private, hold information about you. This can be as simple as your contact details or may be more detailed information, such as your online browsing history. You may have concerns about privacy, or about the accuracy and the further use of the information by the collecting organisation and any other organisation it decides to share that information with.
Such concerns have led to the development of data protection laws around the world. In the EU, this area is generally governed by the General Data Protection Regulation (GDPR). Specific EU laws also deal with matters such as criminal investigations. There are additional laws in each EU member state. In Ireland, these laws include the Data Protection Acts and other regulations.
These data protection laws mean that your personal data should generally only be stored where there is a lawful basis, such as your consent or a legal obligation. You have a number of rights under data protection laws, like the right to access the personal data held and the right to have it corrected or erased in certain circumstances.
Data protection language
Personal data is information that relates to, or can identify you, either by itself or together with other available information. Personal data can include:
- Your name
- Your address
- Your contact details,
- Identification numbers (for example your PPS number)
- Your IP address (this is your internet address)
- CCTV footage
- Access cards
- Audio-visual or audio recordings of you
- Location data
Under data protection law, if an organisation or company is holding or using your personal data, you are known as a data subject.
The organisation or company holding or using that data, is known as a data controller. However, the data controller can allow another person, organisation or company, known as a data processor, to process your personal data on its behalf. Doing anything with your personal data, including storing it, is known as processing.
General data protection principles
You are entitled to have your personal information:
- Used in a fair and legal way
- Made available to you when you ask for a copy
- Corrected if you ask for the information to be corrected
Lawful reasons for keeping data
Organisations can only use or keep your data where there is a lawful reason. The GDPR sets out six lawful reasons in Article 6:
|You have given your free and informed consent. Your consent cannot be assumed, so silence, pre-ticked boxes or inactivity cannot indicate consent. You must specifically agree to any proposed processing.|
|The processing is necessary to carry out a contract which you are a party to, such as the delivery of a product.|
|The processing is necessary for the data controller to meet with a legal obligation, such as the mandatory collection of details for anti-money laundering or tax purposes.|
|The processing is necessary to protect your vital interests or the vital interests of someone else, such as accessing medical records in an emergency.|
|The processing is necessary to perform a task carried out in the public interest or where the data controller has official authority, such as public security processing.|
|The processing is necessary in the legitimate interests of the processing organisation, if it does not conflict with your rights|
Organisations must give you information
You must be given enough information in simple and clear language to know what an organisation is going to do with your personal data. This is often found in privacy policies on websites or in forms which you can read or sign in person. For instance, you should be told:
- The identity and contact details of the data controller or their EU representative
- The contact details for the organisation or company’s Data Protection Officer
- The reason for the intended processing and its legal basis
- What ‘legitimate interest’ the data controller has in your personal data if they are relying on a ‘legitimate interest’ to process the data
- Who will have access to your personal data
- Whether your personal data may be transferred outside the EU and if so, the data safeguards in that country
- How long your personal data will be stored or how that time period will be decided
- Whether you are required by law or a contract to provide your personal data and the consequences of not providing it
- If your personal data will be subject to any automated decision-making (decisions made by computer with no human input) or profiling processes
The organisation should also tell you about your rights, including your right to:
- Request access to your data
- Ask for your data to be corrected
- Ask for your data to be erased
- Ask for your data to be restricted
- Object to your data being processed
- Right to receive the data held in a form which allows it you to transfer it to another person
- Withdraw consent if consent is the basis for your personal data being processed
- Lodge a complaint
In general, only personal data necessary for those stated purposes for which it is collected should be collected and processed. Your personal data should only be kept for as long as is necessary for the purpose for which it was collected.
While it is being stored or processed, your personal data must be kept safe, and policies and procedures must be in place to make sure that there is no unauthorised access.
You can read about how to access your personal data.
You can read about the obligations of controllers and processors under GDPR.
Special categories of data and limits on processing
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:
- Personal data revealing racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
- Data concerning health.
- Data concerning a natural person’s sex life or sexual orientation.
Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.
Some types of processing fall outside the GDPR, such as processing by An Garda Síochána in the context of criminal investigations and prosecutions and the processing of passenger name records to prevent terrorist activities.
Where the GDPR applies
The GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour.
Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU.
Children’s personal data
Children have the same data protection rights as adults and can make access requests. However, they are given specific protection with regard to their personal data. This is because they may be less aware of the risks and consequences of sharing their personal data. Also, they may be less aware of the safeguards available and their rights in relation to how their personal information is processed.
Parents and guardians may also be able to make access requests or exercise any other data protection right on behalf of their children. If a request is made by a parent or guardian, the data controller must consider the nature and circumstances of the request, including the age, capacity and views of the child and the child’s best interests.
Digital age of consent
Article 8 of the GDPR directs countries to set a minimum age at which online service providers, including social media companies, can rely on a child’s own consent to process their personal data. In Ireland, the Data Protection Act 2018 has set the age of digital consent at 16. This means that if an organisation is relying on consent as the legal basis (justification) for processing a child’s personal data and the child is under 16, then consent must be given or authorised by the child’s parents or guardians.
The Data Protection Commission
The Data Protection Commission (DPC) is responsible for upholding the fundamental right of individuals in the European Union to have their personal data protected. It monitors organisations to make sure that they comply with the GDPR and other data protection legislation. It can also deal with complaints in relation to data protection breaches.
There is further detailed information about the GDPR on dataprotection.ie.