Photo of Davinia Brennan

The finalised EDPB Guidelines on the concepts of controller and processor (07/2020) in the GDPR were published this week. The Guidelines set out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors, in order to ensure compliance with Article 28 GDPR. We have set out some key highlights of the Guidelines below.

Continue Reading EDPB provides guidance on requirements of data processing contracts

In addition to issuing new Standard Contractual Clauses (SCCs) for international transfers of personal data to a third country outside the EEA, the European Commission has also published the finalised Article 28 SCCs for use between controllers and processors.  The Article 28 SCCs came into force on 27 June 2021. Unlike the SCCs for international data transfers, it will not be mandatory to use the Article 28 SCCs.  Companies may therefore continue to negotiate their own individual contracts addressing the compulsory elements of Article 28(3) and (4) of the GDPR.

Continue Reading European Commission publishes finalised Article 28 SCCs

The Court of Justice of the European Union (CJEU) has confirmed the limited competence of a national supervisory authority, that is not the lead supervisory authority (LSA), to bring legal proceedings in their national courts for alleged infringements of the GDPR. The CJEU concluded that in cases of cross-border data processing, a national supervisory authority that is not the LSA has power to bring legal proceedings in its national courts, only if: (i) that power is exercised in one of the situations where the GDPR confers on that supervisory authority a competence to adopt a decision finding that such processing infringes the rules contained in the GDPR, and (ii) that power is exercised with due regard to the cooperation and consistency procedures laid down by the GDPR.

Continue Reading CJEU confirms limited derogations from the GDPR’s one-stop-shop mechanism

The Data Protection Commission (DPC) has published guidelines addressing the issue of what information employers can process in relation to their employees’ return to the workplace. In particular, the DPC considers the question as to whether employers can lawfully collect and process information about the Covid-19 vaccination status of their employees.

Information about a person’s vaccination status is special category personal data for the purposes of GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The guidelines make it clear that the DPC does not consider there is any general legal basis for employers to request the vaccination status of their employees at this time.


Continue Reading DPC publishes Guidelines on collection of vaccination data of employees

​The EU Commission has formally adopted two UK adequacy decisions, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses.

The adequacy decisions were adopted just two days before the interim solution agreed under the EU-UK Trade and Cooperation Agreement, permitting the free flow of data from the EU to the UK, was due to expire on 30 June 2021.


Continue Reading UK Adequacy Decisions adopted by European Commission

The European Commission has published its final Implementing Decision on new standard contractual clauses (SCCs) for the transfer of personal data to third countries.

The new SCCs have been expected for some time in order to address the entry into force of the GDPR and the requirements of that regime. The delay to the update was due partly to the European Court of Justice’s decision in Schrems II (C-311/18), and the need for the European Commission to reconcile the new SCCs with that decision. They also take into account the Joint Opinion (2/2021) of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the draft SCCs, as well as the EDPB’s draft recommendations on supplementary measures.


Continue Reading European Commission publishes finalised SCCs

The Data Protection Commission (DPC) has completed its ‘own volition’ inquiry into whether the Department of Employment Affairs and Social Protection interfered with the role of its Data Protection Officer (DPO).  The inquiry concerned the process leading to the amendment of the Department’s Privacy Statement on 6 July 2018. The DPC examined whether the Department’s DPO was involved in a proper and timely manner in the process (as required by Article 38(1) of the GDPR); and whether the DPO received instructions regarding the exercise of his tasks (contrary to Article 38(3) of the GDPR). The DPC concluded that the Department had not breached Articles 38(1) or 38(3) of the GDPR.

Continue Reading DPC completes statutory inquiry into suspected interference with role of DPO

The High Court, in a 197-page judgment, has dismissed a legal challenge against a decision by the Data Protection Commission (DPC) to commence an “own volition” inquiry into the applicant’s data transfers to its parent company in the US, and to issue a preliminary draft decision (PDD) proposing to suspend such transfers.

The applicant brought judicial review proceedings against the DPC, alleging that the inquiry and PDD were unlawful on a number of procedural grounds. In particular, the applicant claimed that the DPC had breached its legitimate expectation that the DPC would follow the statutory inquiry procedure set out in its Annual Report for 2018, on its website, and that it had adopted in other inquiries. The applicant also claimed the DPC had breached its right to fair procedures by failing to conduct an investigation/inquiry before reaching a decision. The High Court rejected all of the applicant’s grounds of challenge, finding that the DPC’s decision to commence an inquiry and issue the PDD, along with the associated procedural steps, were lawful.

The proceedings concerned the procedural rights and obligations of the parties in the context of the DPC’s inquiry following Schrems II, rather than the merits of the DPC’s preliminary views in the PDD.


Continue Reading High Court rejects procedural challenge against DPC’s inquiry into EU-US data transfers

The Government has published its legislation programme for Summer 2021. We have set out below the status of key Bills of relevance to the data protection, commercial and technology sector.

Bills expected to undergo pre-legislative scrutiny this Summer Session 

  • Online Safety and Media Regulation (OSMR) Bill – This Bill will provide for the establishment of a multi-person Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle the spread of harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The Heads of Bill were published on 9 January 2020, with additional provisions approved on 8 December 2020. The government also recently approved the integration of the Broadcasting (Amendment) Bill into the OSMR Bill. Member States were due to implement the revised AVMS Directive in national law by 19 September 2020, so Ireland has missed this deadline. Pre-legislative scrutiny is currently underway.


Continue Reading Government publishes Summer Legislation Programme

Last Friday 21 May 2021, MEPs passed a resolution asking the EU Commission to modify its draft UK adequacy decisions, to bring them into line with recent EU court rulings and to address concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB stated that UK law and practice relating to bulk data collection, onward transfers and its international agreements in the field of intelligence sharing, need to be further assessed by the EU Commission.

Continue Reading MEPs ask European Commission to amend draft UK adequacy decisions