In a landmark case, the UK Supreme Court has ruled that supermarket chain Morrisons is not vicariously liable for a deliberate data breach committed by a former rogue employee. The decision shows that an employer is unlikely to be liable for a malicious data breach committed by an employee, where his/her wrongful conduct is not closely connected with his/her tasks at work.
Continue Reading
Covid-19 is presenting unique and unprecedented challenges for employers who have to grapple with often complex HR and data protection related issues in a rapidly escalating crisis. Employers are anxious to ensure continuity of their business, the health and safety of their employees and compliance with data protection obligations where these arise.
Our Employment and
On 12 November 2019, the EDPB published its finalised Guidelines on Territorial Scope of the GDPR (3/2018). The Guidelines aim to assist companies and supervisory authorities in determining whether a particular processing activity falls within the territorial scope of the GDPR.
Continue Reading
The Minister of Finance has passed new Regulations, the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, permitting data subjects’ rights under Articles 12-22 and Article 34, and controllers’ obligations under Article 5 GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank of Ireland (CBI) to carry out certain functions.
Continue Reading
The Data Protection Commission (DPC) has published guidance which seeks to answer some of the most frequently asked questions in relation to Data Subject Access Requests (DSARs). Some of the key issues addressed in the guidance are set out below:
Continue Reading
The Government Chief Whip, Seán Kyne TD, has published the Government’s Legislation Programme for Autumn 2019. The Programme lists 32 priority Bills; 27 Bills currently before the Houses of the Oireachtas, and 69 Bills where preparatory work is underway.
Continue Reading
The Minister for Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, have informed the government that provision and use of the Public Services Card (PSC), not just by the Department of Employment Affairs and Social Protection (DEASP), but by other public bodies shall continue. The DEASP has written to the Data Protection Commission (DPC) advising it of this decision. In doing so, the Government accepts that it may be necessary for the matter to be referred to the courts for a definitive decision. The DEASP intend to publish the DPC’s investigation report following further engagement with the DPC.
Continue Reading
On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.
Continue Reading
In the Fashion ID case (C-40/17) , the Court of Justice of the European Union (CJEU) found that the operator of a website that features a plug-in (such as a Facebook ‘Like’ button), can be considered a joint controller with the plug-in provider, in respect of the collection and transmission to that plug-in provider of the personal data of visitors to its website. However the website operator will not be a joint controller or liable for any subsequent processing of the personal data by the plug-in provider.
The CJEU also held that the website operator is responsible for obtaining consent from website visitors for the collection and transmission of their personal data and providing notice to visitors about the use and disclosure of their personal data.
Although the case was decided under the the Data Protection Directive 95/46/EC (the Directive), it will continue to be relevant under the GDPR, since the relevant definitions and obligations continue to apply under the new regime. The decision will have an impact not only on website operators that embed social plug-ins, but to any website operator that uses cookies to collect and transmit personal data of their visitors to third parties, such as AdTech providers.
The European Data Protection Board (EDPB) has published its Annual Report covering the period from 25 May – 31 December 2018. It provides an overview of the EDPB’s activities last year, and discusses the areas it intends to focus on in 2019-2020.
Continue Reading