Wednesday, March 6, 2019

Ireland's First Report on GDPR

Last month marks the release of the first annual GDPR report from Ireland’s data protection supervisory authority, the Data Protection Commission (DPC). This is a follow-on from the DPC’s final pre-GDPR annual report and covers May through December of 2018.

The report confirms the DPC’s role as the clearinghouse for cross-border privacy complaints: A new category, termed ‘multinational complaints – others’, makes up 22% of all GDPR complaints in the report. These complaints are second to access rights as the largest category of complaint. 

This document also sets out the DPC’s views on the new complaint-handling mechanism under the Data Protection Act of 2018. When a negotiated resolution is not possible, the DPC is no longer legally obliged to make a formal, statutory decision. Instead, the DPC has a range of options: providing advice to the complainant; issuing statutory notices to controllers or processors; and, opening statutory enquires.

If a non-EU company is offering services over the internet to consumers in the EU, these companies are required to have a  data protection representative due to increased territorial scope. Article 3 of the GDPR applies to any ‘data subject’ in the EU, i.e. a person living in the EU. Notably, Article 3(2) applies to the processing of personal data of any individual “in the EU.” The individual’s nationality or residence is irrelevant. The GDPR protects the personal data of citizens, residents, tourists, and other persons visiting the EU. So as long as an individual is in the EU, any personal information of that person collected by any controller or processor who meets the requirements of Article 3(2) is subject to the GDPR. Learn more about having a data representative here.

No comments:

Post a Comment