Fox Rothschild LLP (LexBlog Ireland)

Ireland’s Data Protection Commission has fined Meta €1.2 billion. What, however, did the commission say in the case about using Art 49 derogations for transfers to the U.S.? An overview: I will discuss the Meta decision further on Thursday, June 1 in a OneTrust webinar titled, EU-US Data Transfers: Breaking Down DPC’s Meta Decision.

With enforcement on children’s data privacy ramping up around the world, Ireland’s Data Protection Commission has issued a detailed report on the fundamental principles of such data privacy, as well as some helpful suggestions to controllers on how to improve. The key principles: FLOOR OF PROTECTION: Online service providers should provide a “floor” of protection...

Data Protection Commission Ireland has issued a report on the responses it received to its public consultation on its guidance on children’s rights. Of particular note is the careful consideration the commission gave the public input, as well as the time it took to thoughtfully respond. Some key points: On children as unique population: “The...

Helen Dixon, Ireland’s Data Protection Commissioner, gave the keynote speech during the closing session of the International Association of Privacy Professionals’ Data Protection Congress in Brussels. Here are a few of the key takeaways. No jurisdiction has all the answers to the challenges posed by the complex digital environment. We need to learn. Ubiquitous is...

Ireland’s Data Protection Commission has imposed a fine of €225 million (more than $267 million) on WhatsApp, a popular messaging app owned by Facebook. Here are some key takeaways for companies subject to GDPR: Drafting privacy notice disclosures When providing disclosures in your privacy notice, make them easy to understand. It is important to keep...

“I worry that we are caught in a DPA (Data Protection Authority) beauty contest of who issues the bigger fine,” said Ireland Data Protection Commissioner Helen Dixon in her keynote for Daniel Solove’s Privacy+Security Academy Fall Forum Keynote. Additional Key Takeaways I am hesitant to list our enforcement priorities because I don’t feel that we...

Due to the importance of data protection law for employee monitoring practices, a careful and considered approach must be taken when potentially highly intrusive methods, such as tracking employee vehicles, are used. Employees must be informed of the existence of tracking and how it operates, as well as being clearly informed of all the purposes...

Ireland’s Data Protection Commission has issued advice on protecting data privacy when using videoconferencing. Organizations should: Use contracted service providers for work-related communications. Ensure you are happy with the privacy and security features of the services you ask employees to use. Ensure that employees use work accounts, email addresses, phone numbers, etc., where possible,...

Ireland’s Data Protection Commission weighs in on the issue of COVID-19 and data access requests: “The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests. While the statutory obligations cannot be waived, should a complaint be made...

Luxembourg Employers should NOT: require that employees communicate to them daily a statement of their body temperature or fill out medical sheets or questionnaires have visitors or other external persons sign a declaration by which they certify that they have no symptoms of the coronavirus or that they have not recently traveled to a risk...

Don’t miss our annual Privacy Summit, scheduled for April 16. This information-packed, daylong event will bring you fully up to date on the latest, emerging issues in cybersecurity and data privacy.  The program kicks off with keynote speaker Leslie Ireland — former Assistant Secretary for Intelligence and Analysis, U.S. Department of the Treasury, and National...

European Union Data Protection Authorities discussed enforcement priorities at the International Association of Privacy Professionals (IAPP) Data Protection Intensive. Key takeaways: CNIL: Online advertising and cookies are a focus right now. Ireland DPC: currently handling 10,000 complaints with 23 investigations into so-called big tech companies, and two investigations at the decision-making...

Ireland’s Data Protection Commission has published guidance on data security. Key Takeaways The most effective means of mitigating the risk of lost or stolen personal data is not to hold the data in the first place. A data controller should always know what personal data they hold, where it is held and how it flows...

Are opinions about someone personal data? Ireland’s Data Protection Commission explains. Key takeaways: An opinion can include personal data. If the opinion is not recorded — GDPR does not apply. If made or recorded for someone’s “purely personal or household” activities, with no connection to a professional or commercial activity, GDPR doesn’t apply. GDPR may...

Ireland’s Data Protection Commission has issued a guidance note on the right of access under the General Data Protection Regulation. Key takeaways: Requests to access data are the majority of complaints received. If reasonably necessary to clarify the request, you may request that the requester specify the information or processing activities they want access to....

The Irish Data Protection Commission has issued guidance on data breach notification under GDPR. Key takeaways: A personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data, with the consequence that the controller is unable to ensure compliance with the principles for processing personal data as outlined...

We heard recently from French Data Protection Authority CNIL on the topic of Data Protection Impact Assessments (DPIAs). Now, Ireland’s Data Protection Commission has issued its own Guidance Note on DPIAs under The General Data Protection Regulation. It describes the process in detail and provides lists of risks and mitigation methods. Key takeaways: If you...

The Irish Data Protection Commission and Polish Data Protection Authority have issued guidance on data breach notification under GDPR in which they address the following questions, and more: When do you “become aware”​ of a data breach? What should a data breach notification include? How do you communicate a data breach notification? The guidance offers...

A Facebook “like” is actually more like “in a [Joint Controller] relationship” status, says the Court of Justice of the EU in a long awaited decision in the Fashion ID matter. At issue: The legal framework surrounding embedding a Facebook “Like” button on your website. When a user visits a website on which a Facebook...

“Some of Ireland’s best known heritage sites – such as Kilmainham Gaol, Dublin Castle and Muckross House – have been ordered to remove visitor books due to concerns they breach EU privacy and data protection rules. The Office of Public Works (OPW) believes the books, in which visitors leave brief remarks along with their names...

The GDPR that stole communion… Some schools in Ireland have been banning photographs at communion, citing GDPR. The Irish Data Protection Commission clarified in a guidance titled “Taking Photos at School Events: Where Common Sense Comes Into Play” that this is not mandated by GDPR. Taking a photo in public is generally fine; it’s what...

Lately we have been consumed by urine; that is, we have written a lot about drug testing, urine testing, paruresis and the ADA.  Heady stuff. So now we feel it is time to turn 180 degrees and discuss a medical secretary who suffered “a debilitating and embarrassing bowel condition” and asked for an accommodation –...