Photo of Davinia Brennan

In recent weeks, employers have been busy implementing the recommendations set out in the Government’s Return to Work Safely Protocol, in preparation for employees returning to the workplace. Somewhat surprisingly, the Protocol makes no reference to the need to comply with data protection law, yet the measures recommended by the Protocol involve the processing of personal data, in particular health data.

There has been growing concern amongst employers about how to ensure compliance with data protection law when implementing the Protocol, in particular in relation to the issue and retention of pre-return to work questionnaires; use of contact tracing logs; and temperature testing. The Department of Business, Enterprise and Innovation (DBEI) and the Data Protection Commission (DPC) have now published guidelines clarifying how employers can implement the Protocol in a manner that complies with their data protection obligations.

The Guidelines clarify that:

  • Temperature testing should not yet be considered a requirement under the Protocol. If employers are carrying out such testing, for instance in high risk workplaces, then they should consider conducting a DPIA and ensure the testing is necessary and proportionate.
  • Pre-return to work questionnaires completed by employees should collect the minimum information necessary and should not be retained once employees return to the workplace.
  • Where contact tracing logs are kept by an employer in respect of employees who are in close contact for extended periods of time, where social distancing is difficult to maintain,  such logs should generally only be retained for the purpose of facilitating the HSE’s official contact-tracing procedures and to act as a memory aid for employees regarding close contacts. The data should only be retained for as long as necessary for this purpose. Employers should avoid disclosing information relating to a particular employee’s Covid-19 diagnosis to other employees.

The DPC’s Guidance is available here.

The DBEI Guidance is available here.

Photo of Davinia Brennan

The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular data subject rights, lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.

Continue Reading EDPB’s register of one-stop-shop decisions now live

Photo of Davinia Brennan

The Data Protection Commission (DPC) has published a two-year Regulatory Activities Report, which reviews the range of its regulatory tasks from 25 May 2018 to 25 May 2020.

The Report notes that the purpose of the two-year assessment is “to provide a wider-angled lens through which to assess the work of the DPC since the implementation of the GDPR; in particular, to examine wider datasets and annual trends to see what patterns can be identified.”

Continue Reading DPC publishes Regulatory Activities Report for 2018-2020

Photo of Grace Moore

The European Data Protection Board (EDPB) has adopted a statement on restrictions on data subject rights in connection with the state of emergency in Member States. The EDPB emphasises that, despite the international crisis, the GDPR remains applicable and allows an efficient response to the pandemic, while still protecting fundamental rights and freedoms.

The EDPB’s statement was made in response to a Hungarian government decree dated 4 May 2020. The decree sets out certain derogations from the GDPR and, in particular, allows data controllers involved in Covid-19 related data processing to suspend the fulfilment of data subjects’ requests under Articles 15-22 GDPR (such as the right of access or erasure) until the state of emergency is revoked in Hungary. The decree does not indicate any time limit in respect of the state of emergency.

Continue Reading EDPB issues statement on restrictions on data subject rights during the Covid-19 crisis

Photo of John Cahir

As part of their lockdown exit strategy, governments around the world are launching Apps with contact tracing functions. The idea behind these Apps is that users will be alerted when another App user has tested positive for Covid-19, thereby enabling them to take appropriate action, such as self-isolating or undergoing testing.

It remains to be seen how effective contact tracing Apps will be in the fight against Covid-19, but it is clear that in order for the Apps to work, they need to be widely downloaded and used. The popularity, acceptance, and use of the Apps will undoubtedly depend on the extent to which the Apps enable individuals to control the collection and use of their personal data.

This briefing note considers the key data protection and privacy law issues arising in relation to contact tracing apps.


Photo of Grace Moore

The Belgian Data Protection Authority (Belgian DPA) recently imposed a €50,000 fine on a large telecommunications operator (the company), for failing to comply with the GDPR in relation to the appointment of their Data Protection Officer (DPO).  The Belgian DPA decided that the DPO’s tasks and duties under the GDPR conflicted with its role as Head of Audit, Risk and Compliance.

Continue Reading Belgian DPA issues €50,000 fine for DPO’s conflicting company roles

Photo of Steven Craig

The European Data Protection Board (EDPB), the body tasked with ensuring consistent application of the GDPR across Europe, has published its annual report for 2019. As we approach the two-year anniversary of the GDPR, the EDPB Chair refers to a “common data protection culture” emerging as a result of the continued cooperation between European Data Protection Authorities (DPAs).

The following are some of the key points from the EDPB’s activities in 2019.

Continue Reading EDPB publishes Annual Report for 2019

Photo of Davinia Brennan

The threat to global health caused by Covid-19 has led to unprecedented collaboration from the global scientific research community to urgently develop a vaccine. Given the prevalence of data sharing and open science, combined with the sensitive nature of the data involved, data protection concerns have quickly emerged.

The GDPR provides special rules for processing health data for scientific research purposes that are also applicable in the context of the Covid-19 pandemic. The European Data Protection Board (EDPB) recently published Guidelines 03/2020 on the processing of data concerning health for scientific research purposes in the context of Covid-19. The EDPB acknowledges the challenges faced by researchers operating with urgency, and using health data that is not always obtained directly from the data subject for the specific purpose of scientific research. The guidelines provide clarity on issues such as the legal basis for processing health data; data subjects’ rights; and how health data can be lawfully transferred to a third country outside the EEA for scientific research purposes connected to the Covid-19 pandemic.

Continue Reading EDPB publishes guidelines on processing health data for Covid-19 research

Photo of Davinia Brennan

The Data Protection Commission (DPC) has issued its first fine under the GDPR.  Tusla, the child and family state agency, has been fined €75,000 for three data breaches.  It has been reported that the DPC has filed papers in the Circuit Court, in order for the court to confirm the fine. The purpose of this confirmation mechanism, which is required by the Data Protection Act (DPA) 2018, is to ensure that the DPC’s decision to impose a fine has due regard to fair procedures and constitutional justice.

Continue Reading Irish Data Protection Commission issues first GDPR fine

Photo of Davinia Brennan

The Annual Report of the Data Protection Commission (DPC) for 2019 reveals some interesting trends and statistics. The DPC received a record 7,215 complaints in 2019 (75% more than in 2018).  At least 40% of the DPC’s resources were devoted to the handling of individual complaints (as opposed to large-scale and more systemic investigations). Larger-scale inquiries also consumed considerable resources.

Disputes between employees and employers or former employers remain a significant theme of the complaints, with the battle often staged around a disputed access request. Telcos and banks remain among the most complained about sectors. Complaints against internet platforms have also grown in volume. This briefing note considers some of the key highlights of the report.
