Irish DPC submits Article 60 draft decision on inquiry into Yahoo!

07th November 2022

The Data Protection Commission (DPC) has submitted a draft decision in an inquiry into Yahoo! EMEA Limited to other Concerned Supervisory Authorities, or fellow regulators, across the EU. The inquiry, which commenced on 1 August, 2019, centred around Yahoo!’s compliance with its obligations under Articles 5(1)(a), 12, 13 and 14 of the GDPR, which deal with the processing of personal data, in the context of its products and services across the EU.

Deputy Commissioner Graham Doyle commented:

“On 27 October, 2022, the DPC submitted a draft decision in an inquiry into Yahoo! EMEA Limited to other Concerned Supervisory Authorities across the EU. The inquiry examined the company’s compliance with the requirements to provide transparent information to data subjects under the provisions of the GDPR. Under the Article 60 GDPR process, Concerned Supervisory Authorities have until 24 November, 2022 to send any ‘relevant and reasoned objections’ to the DPC’s draft decision.”


Irish DPC submits Article 60 draft decision on inquiry into Meta

03rd October 2022

The Data Protection Commission (DPC) has submitted a draft decision in a large scale inquiry into Meta Platforms Ireland Limited (“MPIL”) to other Concerned Supervisory Authorities across the EU. This inquiry was commenced in April 2021 after media reports highlighted that a collated dataset of Facebook user personal data had been made available on the internet. The inquiry concerned the question of MPIL’s compliance with its obligations under Articles 25(1) and 25(2) GDPR (“data protection by design and by default”).

Deputy Commissioner, Graham Doyle commented:

“As the EU Lead Supervisory Authority for Meta Platforms Ireland Limited (“MPIL”), the DPC opened this inquiry in April 2021 following media reports which highlighted that a collated dataset of Facebook user personal data had been made available on the internet. This dataset was reported to contain personal data relating to approximately 533 million Facebook users worldwide. The Inquiry was scoped to consider a number of features provided by MPIL and whether MPIL had complied with its obligations regarding data protection by design and by default. The DPC submitted its draft decision to its colleagues last Friday, 30 September, for their views on it. This is part of the process under Article 60 of the GDPR, where the DPC sends draft decisions to other Concerned Supervisory Authorities and they have one month to review its draft decision and raise any ‘relevant and reasoned objections’ that they may have.”


Data Protection Commission announces decision in Instagram Inquiry


15th September 2022

The Data Protection Commission (DPC) has today announced a conclusion to an inquiry into Meta Platforms Ireland Limited (Instagram) imposing a fine of €405 million and a range of corrective measures.

The inquiry concerned the processing of personal data relating to child users of the Instagram social networking service. It was initiated by the DPC on 21 September 2020 in response to information provided by David Stier (a US data scientist), and also in connection with issues identified by the DPC itself, following examination of the Instagram user registration process. The inquiry examined, in particular, the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children.

Following a comprehensive investigation, the DPC submitted a draft decision to all peer regulators in the EU, also known as Concerned Supervisory Authorities (“CSAs”), under Article 60 of the GDPR in December 2021. Six of these national regulators raised objections to the DPC’s draft decision. The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and it therefore referred the case to the European Data Protection Board (“EDPB”), in line with the Article 65 dispute resolution process of the GDPR.

On 28 July 2022, the EDPB adopted its binding decision, which rejected a considerable quantity of the objections but upheld objections requiring the DPC to amend its draft decision to include a finding of infringement of Article 6(1) GDPR and to reassess its proposed administrative fines on the basis of this additional infringement. Having incorporated these amendments, the DPC’s decision was adopted on 2 September, 2022. The decision records findings of infringement of Articles 5(1)(a), 5(1)(c), 6(1), 12(1), 24, 25(1), 25(2) and 35(1) of the GDPR.

The DPC’s original draft decision had recommended a fine of up to €405 million and, having taken account of the EDPB’s binding decision, the fine imposed on Meta Platforms Ireland Limited (Instagram) totals €405 million, including a fine of €20 million for the infringement of Article 6(1).

In addition to these administrative fines, the DPC has also imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions.


gdpr Galway

Data Protection and COVID-19

Governments, as well as public, private, and voluntary organisations, are taking necessary steps to contain the spread and mitigate the effects of COVID-19, widely referred to as the ‘coronavirus’. Many of these steps will involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).

Data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless, there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.

Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities.

Organisations should also have regard to the following obligations:


There are a number of legal bases for the processing of personal data under Article 6 GDPR, and conditions permitting the processing of Special Categories of personal data, such as health data, under Article 9 that may be applicable in this context. Among these, the following may be relevant.

In circumstances where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented. Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.

Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.

It is also permissible to process personal data to protect the vital interests of an individual data subject or other persons where necessary. A person’s health data may be processed in this regard where they are physically or legally incapable of giving their consent. This will typically apply only in emergency situations, where no other legal basis can be identified.


Organisations processing personal data must be transparent regarding the measures they implement in this context, including the purpose of collecting the personal data and how long it will be retained for. They must provide individuals with information regarding the processing of their personal data in a format that is concise, easily accessible, easy to understand, and in clear and plain language.


Any data processing in the context of preventing the spread of COVID-19 must be carried out in a manner that ensures security of the data, in particular where health data is concerned. The identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.

Data Minimisation

As with any data processing, only the minimum necessary amount of data should be processed to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.


Controllers should also ensure they document any decision-making process regarding measures implemented to manage COVID-19, which involve the processing of personal data.

Further Information

Further information on COVID-19, including guidance for employers and the general public, can be found on the website

Those seeking more detailed information on Data Protection obligations can consult our guidance on the basics of data protection, ensuring than any processing is in line with the principles of data protection, and identifying the legal basis which justifies the processing of personal data.

The European Data Protection Board (EDPB) has also adopted a statement of the processing of personal data in the context of the Covid-19 outbreak, which provides further guidance on the lawfulness of processing and the special rules regarding the use of location data to monitor, contain, or mitigate the spread of COVID-19.


We have been asked a number of questions by organisations and employers about how they can ensure any measures carried out are compliant with data protection law; some examples include:


Can an employer require all staff and visitors to the building to fill out a questionnaire requesting information on their recent travel history concerning countries affected by the virus, and medical info such as; symptoms of fever, high temperature, etc?

As noted above, employers have a legal obligation to protect the health of their employees and maintain a safe place of work. In this regard, and in the current circumstances, employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms.

Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.

There would be no data protection implications in bringing the HSE recommendations to the attention of staff and visitors, if they have recently travelled to an affected area and/or are experiencing symptoms, and requesting that they take any appropriate actions.

Any questions about the appropriate measures that should be implemented to protect against COVID-19 should be addressed to the public health authorities.

Can an employer request more specific details of their employee’s illness on medical certificates in light of the situation in relation to COVID-19?

While employers have a legal obligation to protect the health of their employees, employees also have a duty to take reasonable care to protect their health and the health of any other person in the workplace.  In this regard, employers would be justified in requiring employees to inform them if they have a medical diagnosis of COVID-19 in order to allow the necessary steps to be taken.

However, it is important to keep in mind that the recording of any health information must be justified and factual, and must be limited to what is necessary in order to allow an employer to implement health and safety measures.

Employers should follow the advice and directions of the public health authorities, which may require the disclosure of personal data in the public interest to protect against serious threats to public health.

Employees should follow the advice of their healthcare practitioners and the public health authorities in these circumstances, who will instruct them as to what they need to do if they present symptoms of COVID-19


Can an employer send employees home from work if they are confirmed to have the virus?

Employers have a duty of care to employees to provide a safe place of work, which may require them to exercise discretion regarding access to premises. In a situation where an employee has confirmed that they have COVID-19, advice should be sought as a matter of urgency from the public health authorities as to what steps should be taken.

The decision to send employees home from work is not a data protection matter and may have other consequences for employers relating to employment law e.g. entitlement to sick pay.

Can an employer disclose that an employee has the virus to their colleagues?

This should be avoided, in the interests of maintaining the confidentiality of the employee’s personal data. For example, an employer would be justified in informing staff that there has been a case, or suspected case, of COVID 19 in the organisation and requesting them to work from home. This communication should not name the affected individual.

Disclosure of this information may be required by the public health authorities in order to carry out their functions.

Do the timelines for responding to GDPR data subject requests still apply where an organisation is temporarily closed or capacity to handle requests is curtailed because of COVID-19?

The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests. While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed, we recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19.

For Individuals

Members of the public should appreciate that frontline and critical services organisations such as healthcare providers, government departments, in particular the Department of Employment Affairs and Social Protection, Revenue and local authorities may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. Educational bodies such as schools and universities, and private sector organisations may be closed or have reduced capacity so that responding to requests may be significantly delayed. We ask you to bear this in mind in the event that you experience any such understandable delays when dealing with these organisations or considering making a complaint to the DPC.  We also remind you to please be as specific as possible in relation to the personal data you wish to access. Where a complaint is made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.

For organisations

We appreciate that many organisations, especially frontline and critical services organisations such as healthcare and social services may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. We are very alive to the unprecedented challenges facing organisations and the need for a proportionate regulatory approach in response to these extraordinary circumstances.

Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their request, including any extension to the period for responding and the reasons for the delay in responding. The GDPR provides for an extension of two months to respond to a request where necessary taking into account the complexity and number of requests.

Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage. Again, organisations should communicate clearly with the individuals concerned. Organisations may also want to engage with individuals in order to ensure that the request is as specific as possible in relation to the personal data sought.

Where an organisation, due to the impact of COVID-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines should be documented by the organisation and clearly communicated to the affected individuals.

While the statutory obligations cannot be waived, should a complaint be made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.


What to be aware of When providing information to online services…



What to be aware of when providing information to online services

You may think that the personal data you provide will not be used for anything beyond the process or transaction you are participating in at that particular moment in time. However, this is not always the case. Personal data provided to online services is often used for other purposes. These should be set out in the organisations’ online privacy or data policy. Organisations often describe the immediate purpose or benefit to you at the time you make use of certain features, but also describe other purposes and other processing of your data in their policy documents. For example, you may see ‘pop-up’ notices or ‘help balloons’ describing the feature you are using that involves processing your personal data, and it may include a link to ‘learn more’ or to a section of the organisation’s Privacy Policy that describes potential other related uses of your data.

Often, the personal data you hand over is used to enrich a profile that is created about you, your activities, and your interests. This is then used to tailor and target content that is displayed to you on the website or app, or shared among third party advertising platforms in order to decide what advertisements you are most likely to interact with. These ads may appear on the site or app you are using, or later when you visit a different site or app. Organisations are required by the GDPR to be transparent with you about how your data will be used in a ’clear and plain’ manner and must provide you information about how you can exercise your GDPR rights. What is the risk to you online? Some organisations may not be fully transparent about the personal data they process, how and why they process that personal data, or how their users can exercise their data protection rights. An example of this could be that a website’s privacy policy may say something like “We use your personal data to improve our service”, with no further information to supplement this statement. Such vague descriptions are generally not sufficiently transparent, in that they may not enable you to understand what the controller actually does with your personal data. It is also possible that service providers fail to disclose all of the kinds of processing they undertake in relation to the personal data you provide; don’t provide enough detail about secondary purposes like ‘research and development’; or fail to adequately describe how and when they share personal data with other ‘partners’.

Steps you can take to protect your personal data

You can take steps to try to be informed and to determine that a data controller lives up to their duty to be clear and plain with you. When signing up to an online service where you are providing personal data, or shortly after you sign-up, we recommend that you take the time to read the privacy policy and understand how your data is used by that service. If there is anything that you are uncomfortable with, consider whether you want to use that service or not, or if there are particular features that you may not wish to use because you are not satisfied you understand what processing is going on. As a general rule of thumb, you should not provide personal data to an online service without knowing how the data will be used. As mentioned above, it is the responsibility of organisations to ensure they provide you with complete, easily accessible and understandable explanations of what they will do with your data. If you want to be cautious, only provide the minimum amount of personal data necessary to use the service you wish to use. When you sign up to an app you should also try to understand how the data it will collect from you will be processed after you install it. When you use features in an app or service that ask for your personal data, look for and read any pop-up notices or extra information and ‘learn more’ links. If you are not happy, you may still want to use the service or the feature in question, but you can also follow up with the organisation and ask them questions to explain better what is happening with your data.


gdpr Galway

Are you a Monica, a Joey or a Chandler when it comes to your data privacy…?

Marie Boran from The Irish Times writes…

…Despite the introduction of GDPR, the majority of websites have dark designs on your personal data. Whether it is outright failure to recognise your explicit consent for data collection or tricky interfaces that nudge you towards choices you are not comfortable with, this is an internet-wide problem.

There are Buzzfeed quizzes on everything from “what Disney princess are you?” to “pick your pizza toppings and we’ll guess your age”; there really should be one on “choose your online consent strategy and we’ll tell you what Friends character you are”. Apparently, we all fall into one of four types when faced with a pop-up asking us to choose how our personal data is collected and processed.

Think back on recent consent management pop-ups you have navigated, and you will most likely have come across several offenders

Are you a Joey: “always accept” (goodbye pop-ups, hello sandwiches), a Monica: “always reject” (rules control the fun!), a Ross: “mostly reject” (you have to be able to pivot), or a Chandler: “mixed response” (could there be any more pop-ups)?

Since GDPR – the General Data Protection Regulation – came into effect on May 25th, 2018, we have all experienced the Consent Management Platform (CMP) pop-up, which is required by law within the EU if a website plans to use your personal data for anything other than what is strictly necessary to provide its service, ie, sharing with third parties such as adtech companies.

Worryingly, new research from the Massachusetts Institute of Technology (MIT), University College London (UCL), and Aarhus University in Denmark has found that only 11.8 per cent of websites are meeting the minimal requirements for collecting user consent as set out by European law.

These minimal requirements are threefold: consent must be explicit, e.g. requiring the user to click on a button; accepting all choices should be as easy as rejecting all choices; the boxes shouldn’t be pre-ticked because it’s tipping the odds in the company’s favour. All the Joeys out there will leave them ticked for an easier life.

Think back on recent consent management pop-ups you have navigated, and you will most likely have come across several offenders. While they offer the illusion of consent, it isn’t consented as defined by the GDPR. The study found that one-third of all websites were implementing implicit consent, meaning that the act of merely visiting a website or navigating within it is a proxy for consent.

Similarly, refreshing the webpage or revisiting a website was taken for consent by over 7 percent of companies. And if you thought closing a pop-up or banner would make all this GDPR stuff go away, think again, because a small percentage of companies are using this interaction as an indication of consent.

And if, like me, you aspire to being a Monica and reject all third-party tracking, this is something the vast majority of CMPs make significantly more difficult than accepting all tracking. In fact, half of all the sites analysed in the study didn’t even have a “‘reject all” button and only 12.6 per cent had a “reject all” button that is as accessible as the “accept all” alternative.

When we talk about lack of accessibility, we mean the process of encouraging consent by design – or what is known as “dark design”: when these pop-ups and banners make “accept all” buttons significantly larger than “reject all” or force you to click through to another pop-up or even open another window to reject all tracking, this forces the end user to jump through hoops to access a website on their terms.

Imagine you are patient enough to click through these layers to provide consent but you are curious about what third parties are working with the website. Beyond the usual suspects, you might want to see who is collecting and processing your data and for what purposes. The majority of websites do list these third parties and provide descriptions of what they may do with your personal data, but good luck to anyone who wants to familiarise themselves with this.

The study authors explain: “The mean total length of these descriptions per site is 7,985 words: roughly 31.9 minutes of reading for the average 250 words-per-minute reader, not counting interaction time to, for example, unfold collapsed boxes or navigating to and reading specific privacy policies of a vendor.”

Realistically no-one is going to read through these. So, how is an individual expected to give truly informed consent in the face of such dark designs that nudge the end user towards preferred behaviours of the website owner or third-party advertisers?

If websites cannot or will not adhere to the GDPR consent requirements around the collection and processing of users’ personal data, perhaps they should be forced to by way of EU approved and regulated third-party CMP services.

Until then we must resist the Chandler mindset of consent fatigue and pivot when necessary.


Are you GDPR Ready?

Data Protection and Working Remotely…

Richie Koch, Managing Editor, GDPR EU writes in that the paradigm shift toward remote working began even before the COVID-19 pandemic broke out. Since then, local and national directives have confined large portions of the population to their homes. As a result, many businesses have continued operating using a distributed workforce, and some, like Shopify and Twitter, have made remote working permanent.

These new circumstances demand a different security stance than working from centralized offices. Especially when it comes to maintaining the data security that the GDPR requires.

If you’re suddenly managing remote teams, it can be daunting to think about data security with everything else that’s going on. The GDPR, in general, requires that companies keep personal data private and secure.

Mr Koch’s article will show you how, with a few simple actions, you can help ensure you stay GDPR compliant even as your team is spread out.

Now’s a good time to update your cybersecurity policy

Many employees who are not familiar with data security issues may not grasp how a simple slip-up on their part could lead to a data breach that exposes the personal data you are charged to protect. These data breaches can not only undermine consumer confidence in your company but also lead to costly GDPR fines.

A cybersecurity policy that instructs your employees on how to keep your business’s data safe is an important tool in data protection. If you don’t have one, you should make one. If you have a policy but haven’t updated it since everyone began working from home, this is the time to do so. A good place to start is by reviewing the NIST cybersecurity framework, which provides you with a set of best-practice guidelines for all stages of threat identification and mitigation.

The NIST framework covers five areas, all of which are essential components of a successful cybersecurity framework:

  1. Identify
    You should develop an understanding of your environment in order to assess the level of cybersecurity risk to systems, assets, data, and capabilities.
  2. Protect
    You should develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. This involves controlling access to digital and physical assets, but also the responsibility to provide education and training to all employees.
  3. Detect
    You should have the ability to identify cybersecurity incidents quickly. This means using a system that can undertake continuous monitoring to detect unusual activity and other threats to operational continuity.
  4. Respond
    If a cyberattack occurs, organizations must have the ability to contain the impact. This means you will need to have a response plan in place. Once you have resolved your cybersecurity incident, you will need to update your response plan with any lessons learned.
  5. Recover
    Finally, you should have a plan to restore any capabilities or services that were affected by cybersecurity incidents.

Your IT security policy doesn’t have to be a complicated document. It should cover the reasons it exists in the first place and then layout, in easy-to-understand terms, the exact security protocols your fellow employees should follow. If they’re confused, they can ask questions, but no one is exempt from the policy. You can also use the free templates offered by SANS, a globally recognized cybersecurity training and consultancy organization, as models for your policy.

Get a detailed guide to creating a security policy for your company with ProtonMail’s ebook on IT-security for small businesses.

Data protection: in transit and at rest

Recital 83 essentially stipulates that personal data must be protected both in transit and at rest.  Data is in transit pretty much any time someone accesses it. The data passing from this website’s servers to your device is one example of data in transit. On the other hand, data a rest refers to data in storage, like on your device’s hard drive or a USB flash drive.

The two keys to maintaining data protection when your teams are all working remotely are encryption and controlling access.

Remote security requires encryption

Your company’s sensitive data should be encrypted both in transit and at rest. Both Recital 83 and Article 32 of the GDPR explicitly mention “encryption” when discussing appropriate technical and organizational security measures. Encryption is important because if your data is encrypted and there is a breach, the data will be illegible and useless.

Keeping sensitive personal data encrypted is much easier in an office, where your cybersecurity team can maintain server security and monitor your network. But there are simple steps your organization can take so that data remains encrypted, even if it is stored on a device at your employee’s home.

First, all devices that your employees use for work — including their work phone — should be encrypted. Your employees can encrypt the hard drives of their Android, iOS, macOS and Windows devices. There is also third party hard drive encryption software, like VeraCrypt, that will work on a wide variety of devices.

Much of the software your company likely uses, like Microsoft Office or Adobe Acrobat, also offers you the option to encrypt your saved files. This is another way you can keep your data encrypted at rest. You should follow other basic computer security steps and ensure that all employees follow them too, whether they work remotely or not.

The idea is simple. Hackers from afar aren’t the only danger posed to your data. Laptops and other mobile devices are lost or stolen all the time. Encryption software locks down files and folders so that unauthorized users can’t view the data even if they manage to get into the machine.

Control access, secure connections, no exceptions  

You should revisit who in your company has access to sensitive data. Employees should only have regular access to the data they need to complete their daily tasks. Limiting the amount of data each individual can access mitigates the damage one employee’s security lapse can cause.

Your company should also use a corporate virtual private network (VPN) to limit access to your sensitive data. The VPN will encrypt your employees’ connection to your servers, letting them safely and securely access your company’s network. The corporate VPN’s encrypted tunnel will help keep your data safe in transit. It will also prevent attackers that do not have your corporate VPN from accessing your servers.

As a reminder, using public Wi-Fi without a VPN is unwise, particularly if your work deals with sensitive data. These networks can easily be monitored by others. Your employees should even use a trustworthy VPN if they are working from home, just to be safe.

By encrypting your data, limiting each employee’s access, and using a corporate VPN to control access to your company’s servers, you significantly decrease the likelihood of there being a massive data breach. 

Boring but effective advice: train your employees

Human error is one of the main causes of data breaches. Cybersecurity is difficult enough when everyone is in an office on a network you control. Relying on your employees to immediately pick up and master all the new cybersecurity policies and tools you implement while working from home will not be effective.

Your Data Protection Officer / Data Protection Controller or the team in charge of your cybersecurity should plan to run training sessions on the new policy with the entire company. This team should then train your employees (in small groups) on the new security tools and processes they will use in their day-to-day work.

Your employees will still need help even after they are trained on how to use these new tools. Your cybersecurity team should always have someone on standby to respond to questions. If possible, they should also schedule short follow-up video calls with all your employees to evaluate whether everyone is following your new security policy.

Final thoughts on cybersecurity and working remotely

By putting some of these suggestions into practice, you can relieve some of the stress of remote work. These are the data security steps that can help you avoid costly GDPR fines.

To boil it down to four steps, the most significant things that you, a small business owner, can do to stay GDPR compliant while your team is working from home are:

  1. Update your cybersecurity policy to reflect the new “working from home” reality.
  2. Train your employees and make sure your cybersecurity team is ready to support them.
  3. Keep data encrypted in transit and at rest.
  4. Limit access to sensitive data and keep your connections secure with a corporate VPN.


GDPR General Data Protection Regulation Business Internet Technology Concept.

Data Protection Legislation

Data Protection Legislation

Key Data Protection Legislative Frameworks applicable from 25 May 2018…

GDPR is coming up on its 2nd anniversary (25th May 2018), so it would be prudent to remind you and share with you again what Data Protection is, how GDPR is core to its application and most importantly why you must protect personal data if you store and/or process it.

The Data Protection Commission (DPC) is governed by a number of legislative frameworks.
Details of the key legislation and guidance about how the laws are applied are outlined below.
From 25th May 2018 the key legislative frameworks are:

  •  General Data Protection Regulation (GDPR)
  •  Data Protection Act of 2018
  •  The ‘’Law Enforcement Directive’’ (Directive (EU) 2016/680) which has been transposed into Irish law by way of the Data Protection Act 2018
  •  The Data Protection Acts 1988 and 2003
  •  The 2011 ‘’ePrivacy Regulations’’ (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011)

The General Data Protection Regulation (GDPR) applied from 25th May 2018. It has general application to the processing of personal data in the EU, setting out more extensive obligations on data controllers and processors, and providing strengthened protections for data subjects. Although the GDPR is directly applicable as a law in all Member States, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which, amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018.

However, in some instances, depending on the nature and circumstances of the personal data processing, the type of personal data being processed, or when the data protection issue occurred, the GDPR may not apply and instead, another legal framework concerning the regulation of the processing of personal data may apply. For example, if a data protection complaint or a possible infringement of the law relates to an incident which occurred before the GDPR became applicable on 25th May 2018, then the Data Protection Acts 1988 – 2003, and not the GDPR, will apply. After 25th May 2018, if the processing of personal data is carried out for a law enforcement purpose (in other words the prevention, investigation, detection or prosecution of a criminal offence or the execution of criminal penalties) then the GDPR will not apply and instead, the Law Enforcement Directive, which has been transposed into Irish law by way of the Data Protection Act 2018, will apply.

A very brief summary of the main data protection frameworks, which the DPC have been supervising and enforcing from 25th May 2018, are set out in the table below.
GDPR The GDPR will apply by default to the majority of personal data processing, but in Ireland, further rules on certain issues (for example the reasons for and the extent to which, data subject rights may be restricted) are set out in the Data Protection Act 2018

Law Enforcement Directive (as transposed by provisions in Parts 5 and 6 of the Data Protection Act 2018)
The Law Enforcement Directive is transposed into Irish law by the Data Protection Act 2018, in Part 5 and Part 6 of that Act. Those provisions set out the laws in Ireland which apply concerning the processing of personal data by data controllers who are competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, where personal data is being processed for these purposes

Data Protection Acts 1988 and 2003 (as retained by sections 7(4) and 8 of the Data Protection Act 2018)

Data Protection Acts 1988 and 2003 (as retained by sections 7(4) and 8 of the Data Protection Act 2018). The Data Protection Acts 1988 and 2003 (without the repeals and revocations in section 7 the Data Protection Act 2018) apply to:

• Ongoing investigations by, and complaints to, the Data Protection Commissioner respectively commenced or made before 25th May 2018;

  • New complaints and potential contraventions of the Data Protection Acts 1988 and 2003 which arose prior to the 25th May 2018 but which are made or investigated on or after 25th May 2018;
  •  Processing of personal data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018.

Data Protection Acts 1988 and 2003 (as amended by section 7 of the Data Protection Act 2018)
The Data Protection Acts 1988 and 2003 (as amended by the repeals and revocations in section 7 the Data Protection Act 2018) apply to:

  • Complaints and potential contraventions of data protection law concerning the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State (as per section 8(1)(a) of the Data Protection Act 2018)

ePrivacy Regulations
From 25 May 2018, processing of personal data in the context of certain electronic communications (including, amongst other things, unsolicited electronic communications made by phone, e-mail, and SMS) is subject to both the general laws set out in the GDPR and the specific laws set out in the “ePrivacy Regulations” (S.I. No. 336 of 2011, under which the ePrivacy Directive 2002/58/EC (as amended by Directive 2006/24/EC and 2009/136/EC) was transposed into Irish law)


The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive. As a regulation, it will not generally require transposition into Irish law (regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware the regulation addresses them directly in terms of the obligations it imposes. The GDPR emphasises transparency, security and accountability by data protection controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy. Raising awareness among organisations and the public aware of the new law will be a combined effort of the Data Protection Commissioner (DPC), the Government, practitioners, and industry and professional representative bodies. The DPC will be proactively undertaking a wide range of initiatives to build awareness of the GDPR, in particular providing guidance to help organisations prepare for the new law which comes into force on 25 May 2018. The DPC is also an active participant in the Article 29 Working Party (WP29) comprising representatives from each EU member state’s Data Protection authority. The WP29 has a central role in providing further explanatory and practical guidance on key provisions of the GDPR. The DPC has launched a GDPR-specific website with guidance to help individuals and organisations become more aware of their enhanced rights and responsibilities under the General Data Protection Regulation. The DPC has also prepared an introductory document for organisations to help them as they transition to GDPR: “The GDPR and You”. This document lists 12 steps which organisations should take in order to be GDPR ready by 25 May 2018. It should be noted that the guide is not an exhaustive list and organisations should ensure that their preparations take account of all actions required to bring them into compliance with the new law. For guidance on whether your organisation needs to appoint a Data Protection Officer, and how to ensure that your DPO is adequately resourced for the role, see the DPC’s Guidance on appropriate Qualifications for Data Protection Officers (GDPR). GDPR for individuals The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data. Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. The GDPR is based on the core principles of data protection which exist under the current law. These principles require organisations and businesses to: • collect no more data than is necessary from an individual for the purpose for which it will be used; • obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose; • retain the data for no longer than is necessary for that specified purpose; • to keep data safe and secure; and • provide an individual with a copy of his or her personal data if they request it. Under the GDPR individuals have the significantly strengthened rights to: • obtain details about how their data is processed by an organisation or business; • obtain copies of personal data that an organisation holds on them; • have incorrect or incomplete data corrected; • have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data; • obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability); • object to the processing of their data by an organisation in certain circumstances; • not to be subject to (with some exceptions) automated decision making, including profiling. Organisations and businesses collecting and processing personal data will be required to meet a very high standard in how they collect, use and protect data. Very importantly, organisations must always be fully transparent to individuals about how they are using and safeguarding personal data, including by providing this information in easily accessible, concise, easy to understand and clear language. For organisations and businesses who breach the law, the Data Protection Commissioner is being given more robust powers to impose very substantial sanctions including the power to impose fines. Under the new law, the DPC will be able to fine organisations up to €20 million (or 4% of total global turnover) for the most serious infringements. The GDPR will also permit individuals to seek compensation through the courts for breaches of their data privacy rights, including in circumstances where no material damage or financial loss has been suffered. GDPR for organisations GDPR very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities. There are 12 GDPR Steps that organizations can follow to build awareness and help them prepare for GDPR compliance. 1. Becoming aware It is imperative that key personnel in your organisation are aware that the law is changing to the GDPR, and start to factor this into their future planning. They should start to identify areas that could cause compliance problems under the GDPR. Initially, data controllers should review and enhance their organisation’s risk management processes, as implementing the GDPR could have significant implications for resources; especially for more complex organisations. Any delay in preparations may leave your organisation susceptible to compliance issues following the GDPR’s introduction. 2. Becoming accountable Make an inventory of all personal data you hold and examine it under the following headings: • Why are you holding it? • How did you obtain it? • Why was it originally gathered? • How long will you retain it? • How secure is it, both in terms of encryption and accessibility? • Do you ever share it with third parties and on what basis might you do so? This is the first step towards compliance with the GDPR’s accountability principle, which requires organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business. The inventory will also enable organisations to amend incorrect data or track third-party disclosures in the future, which is something that they may be required to do. 3. Communicating with staff and service users Review all current data privacy notices alerting individuals to the collection of their data. Identify any gaps that exist between the level of data collection and processing your organisation engages in, and how aware you have made your customers, staff and services users of this fact. If gaps exist, set about redressing them using the criteria laid out in ‘2: Becoming Accountable’ as your guide. Before gathering any personal data, current legislation requires that you notify your customers of your identity, your reasons for gathering the data, the use(s) it will be put to, who it will be disclosed to, and if it’s going to be transferred outside the EU. Under the GDPR, additional information must be communicated to individuals in advance of processing, such as the legal basis for processing the data, retention periods, the right of complaint where customers are unhappy with your implementation of any of these criteria, whether their data will be subject to automated decision making and their individual rights under the GDPR. The GDPR also requires that the information be provided in concise, easy to understand and clear language. 4. Personal privacy rights You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. Rights for individuals under the GDPR include: • subject access • to have inaccuracies corrected • to have information erased • to object to direct marketing • to restrict the processing of their information, including automated decision-making • data portability On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some significant enhancements. Organisations who already apply these principles will find the transition to the GDPR less difficult. Review your current procedures. How would your organisation react if it received a request from a data subject wishing to exercise their rights under the GDPR? • How long to locate (and correct or delete) the data from all locations where it is stored? • Who will make the decisions about deletion? • Can your systems respond to the data portability provision of the GDPR, if applicable where you have to provide the data electronically and in a commonly used format? 5. How will access requests change You should review and update your procedures and plan how you will handle requests within the new timescales. (There should be no undue delay in processing an Access Request and, at the latest, they must be concluded within one month). The rules for dealing with subject access requests will change under the GDPR. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also shorten, dropping significantly from the current 40 day period. Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, organisations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable. The logistical implications of having to deal with requests in a shorter timeframe and provide additional information will need to be factored into future planning for organisations. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online. 6. What we mean when we talk about a legal basis You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This is particularly important where consent is relied upon as the sole legal basis for processing data. Under the GDPR, individuals will have a stronger right to have their data deleted where customer consent is the only justification for processing. You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. For government departments and agencies, there has been a significant reduction in the number of legal bases they may rely on when processing data. It will no longer be possible to cite legitimate interests. Instead, there will be a general necessity to have specific legislative provisions underpinning one or more of the methods organisations use to process data. All organisations need to carefully consider how much personal data they gather, and why. If any categories can be discontinued, do so. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymisation and pseudonymisation. 7. Using customer consent as a grounds to process personal data If you do use customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous’. Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. If consent is the legal basis relied upon to process personal data, you must make sure it will meet the standards required by the GDPR. If it does not, then you should amend your consent mechanisms or find an alternative legal basis. Note that consent has to be verifiable, that individuals must be informed in advance of their right to withdraw consent and that individuals generally have stronger rights where you rely on consent to process their data. The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail. 8. Processing children’s data If the work of your organisation involves the processing of data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians. The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial internet services. The state will define the age up to which an organisation must obtain consent from a guardian before processing a child’s data. It should be noted that consent needs to be verifiable, and therefore communicated to your underage customers in language they can understand. 9. Data Privacy Impact Statements (DPIA) Data protection by default A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders. Ultimately such an assessment may prove invaluable in determining the viability of future projects and initiatives. The GDPR introduces mandatory DPIAs for those oganisations involved in high-risk processing; for example where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area. Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers will be required to consult the DPC before engaging in the process. Organisations should now start to assess whether future projects will require a DPIA and, if the project calls for a DPIA, consider: • Who will do it? • Who else needs to be involved? • Will the process be run centrally or locally? It has always been good practice to adopt privacy by design as a default approach; privacy by design and the minimisation of data have always been implicit requirements of the data protection principles. However, the GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law. This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset. 10. Reporting data breaches You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the DPC when they incur a personal data breach. However, the GDPR will bring in mandatory breach notifications, which will be new to many organisations. All breaches must be reported to the DPC, typically within 72 hours, unless the data was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. Now is the time to assess the types of data you hold and document which ones which fall within the notification requirement in the event of a breach. Larger organisations will need to develop policies and procedures for managing data breaches, both at central or local level. It is worth noting that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself. 11. Data Protection Officers (DPO) The GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements. 12. Cross border processing and one stop shop The GDPR includes the one stop shop (OSS) mechanism, which will be in place for data controllers and data processors that are engaged in cross-border processing of personal data. The OSS will allow your organisation to deal with a single lead supervisory authority (LSA) for most of your processing activities. Your LSA will be the supervisory authority of the country in which you have your main establishment. For the OSS to apply to your organisation, you must be engaged in cross-border processing and be established in the European Union. The way you will identify your main establishment depends on whether you are a data controller or a data processor, but in general it will be helpful for you to map out where your organisation makes its decisions about data processing.

Information that must be given to your employee (Data Subject) when Personal Data about them is collected by you, the Data Protection Controller…

Article 13 (Information to be provided where personal data are collected from the data subject) in Section 2 (Information and access to personal data) tells us the following:

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; L 119/40 EN Official Journal of the European Union 4.5.2016

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

  1. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to the processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  1. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. 4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.


REGULATIONS REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Don’t ignore GDPR…

With technology having transformed our lives in a manner that no one could have envisaged, a complete review was required on how to protect people’s personal data. GDPR replaces the 1995 Directive, which was adopted at a time when Social Media and The Internet were only developing. GDPR is now recognised as law across the European Union and every member state has to have documented policies and procedures in place so as to be compliant with GDPR’s Six Personal Data Principles, where personal data must be:

Businesses & SME’s need to meet these personal data protection and data privacy documentation obligations and verify their requirements and needs ensuring that they are compliant with the new mandatory regulations and be compliant against GDPR that was proposed on 1st January 2012, adopted on 27th April 2016 and became law in May of 2018 as The Data Protection Act 2018.

Business’s needs, products and services for GDPR include:

  • Initial Consultations
  • Personal Data Information/Category Inventory
  • Existing Data Protection Systems Analysis
  • Guidance Consultations (working towards GDPR Compliance)
  • Inspections
  • Audits
  • Data Privacy Impact Assessments (DPIA)

Responsiveness to GDPR customer issues should be a core and important part of any business. Being able to respond to GDPR enquiries through your Data Protection Controller or GDPR Champions is critical to being compliant. Businesses need to work with internal / external Certified Data Protection Officers who are trained, have experience and understand your business.

GDPR is now alive and kicking, and part of our working day!

Don’t ignore it…