privacy and data protection

Photo of Steven Craig

The Minister for Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, have informed the government that provision and use of the Public Services Card (PSC), not just by the Department of Employment Affairs and Social Protection (DEASP), but by other public bodies shall continue. The DEASP has written to the Data Protection Commission (DPC) advising it of this decision. In doing so, the Government accepts that it may be necessary for the matter to be referred to the courts for a definitive decision. The DEASP intend to publish the DPC’s investigation report following further engagement with the DPC.

Continue Reading

Photo of Charlotte Turk

The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).

Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.

The ICO’s previous guidance on SARs noted that the one month time limit should be calculated from the day after the SAR is received until the corresponding calendar date in the next month. This meant that if the SAR was received on 19 August 2019, the response deadline would be 20 September 2019.

The ICO’s guidance has been amended to state that the time limit for a response starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. Therefore, if the SAR was received on 19 August 2019, the data controller should respond by 19 September 2019.


Continue Reading

Photo of ewallace

On 25 February 2015, the Department for Culture, Media and Sport announced that it is changing the laws with regard to nuisance calls. 

The Information Commissioner’s Office (ICO) currently has the power to impose heavy fines of up to £500,000 on companies that make marketing calls or messages if the ICO can prove that these unwanted calls or messages caused, or had the potential to cause, ‘substantial damage or distress’. However, from 6 April 2015, this requirement will be removed, allowing the ICO to intervene in more cases and penalise those companies that are breaching the Privacy and Electronic Communications Regulations but fall below the current legal threshold. 


Continue Reading

Photo of Davinia Brennan

Bray District Court, yesterday, fined a firm of private investigators, and its two directors, €10,500 for unlawfully obtaining personal data.  The court found that the directors had used ‘subterfuge’ to unlawfully obtain the addresses of credit union clients in arrears. The directors posed as a VEC and hospital worker to obtain the information, via telephone calls, from employees at the Department of Social Protection (seven cases), and the Health Services Authority (HSE) (sixteen cases).


Continue Reading

Photo of Davinia Brennan

The Office of the Data Protection Commissioner (ODPC) recently released the results of the second Global Privacy Sweep. Twenty-six privacy enforcement authorities, including Ireland, participated in the Sweep, which examined 1,211 apps. The theme of the Sweep, Mobile Privacy, was chosen due to many privacy enforcement authorities having identified mobile apps as a key area of focus in light of the privacy implications for customers.


Continue Reading

Photo of Davinia Brennan

The Office of the Data Protection Commissioner (ODPC) recently released the results of the second Global Privacy Sweep. Twenty-six privacy enforcement authorities, including Ireland, participated in the Sweep, which examined 1,211 apps. The theme of the Sweep, Mobile Privacy, was chosen due to many privacy enforcement authorities having identified mobile apps as a key area

Photo of Davinia Brennan

The Article 29 Working Party (WP29), an independent European advisory on data protection and privacy, has published a statement in which it welcomes the ruling of the CJEU, of 8 April 2014, which invalidates the Data Retention Directive (2006/24/EC).  The CJEU found that the Directive entails a wide-ranging and particularly serious interference with

Photo of Davinia Brennan

The CJEU in Joined Cases C-141/12 and C-372/12 has clarified the scope of a data subject’s right of access to a copy of their personal data.  The CJEU’s ruling may serve to lighten the burden of access requests on organisations. It confirms that the Data Protection Directive 1995 (the Directive) does not establish a right of access to any specific document or file in which personal data are listed or used, nor does it specify the material form in which personal data must be made accessible.  Member States enjoy a margin of discretion to determine the form in which to make personal data accessible, so long as it is intelligible. Accordingly, the CJEU found that the Dutch authorities, in this case, had met their legal obligations under data protection law by extracting from the relevant documents the personal data relating to the data subject.


Continue Reading

Photo of John Cahir

Following the recent Court of Justice decision in the Costeja case, Google launched a service last Friday that will allow European data subjects to request the removal of search results for queries that include their name where those results are "inadequate, irrelevant, or no longer relevant, or excessive in relation to the purpose for which they were processed". The request form is available online.


Continue Reading