RegSol Blog

GDPR is 4 years old!!

May 2022

25th May 2022 marks the fourth anniversary since the General Data Protection Regulation (EU) 2016/679) (GDPR) became law in Ireland and across Europe. This fundamental piece of legislation has dramatically changed the data protection landscape by applying to all organisations that process personal data to comply with the right to data protection.

Data Protection Commissioner (DPC)

In February 2022, the DPC published their annual report (here). Of note to our SME clients is data subject access requests were the most common category of complaint handled by the DPC.

The DPC noted that individuals when requesting access to their data had communicated with the data controller but either did not receive an acknowledgement/response to their request or was dissatisfied with the response issued and as a result, lodged a complaint with the DPC.

On its investigation of these complaints the DPC found that it often transpires that the data controller has either:

(a) not performed an adequate search for the personal data,

(b) has not advised the individual they are withholding data and the exemption they are relying on for same, or

(c) will not respond within the required timeframe to the access request.

The report highlights the need for our clients to have adequate response procedures in place to be in a position to deal with access requests on a timely basis and avoid complaints of this nature arising in the first instance.

The Office of the Ombudsman (Ombudsman)

As many of you will be aware, the Ombudsman examines complaints from people who feel they have been unfairly treated by certain public bodies, for example, government departments, local authorities, the HSE and publicly funded third level education bodies.

With regard to the Ombudsman’s data protection obligations, the Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022 [S.I. No. 221 of 2022] (the Regulations) have been recently published.

The Regulations provide for restrictions on the rights of data subjects for the purposes of the Ombudsman being able to perform certain functions (e.g. the investigation of a complaint against a public body) while also not prejudicing that data subject’s right to data protection conferred by GDPR that may result from such a restriction.

The Ombudsman however is obliged under the Regulations to ensure that any measure used to restrict the rights of a data subject must be of limited scope and applied in a strictly necessary, proportionate and specific manner.

To keep up to date with all the latest developments in this area, please see our list of upcoming training dates here:

RegSol - Public Training Courses