All the latest property news from Vincent Finnegan Ltd. estate agents.

New European GDPR Framework

Posted on Thursday, October 25, 2018 by Leon Hayden

A new European Union-wide framework known as the General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018.


A new European Union-wide framework known as the General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018. 

An accompanying Directive establishes data protection standards in the area of criminal offences and penalties. This is known as the law enforcement Directive. The GDPR and the law enforcement Directive provide for significant reforms to current data protection rules. They provide for higher standards of data protection for individuals and impose increased obligations on organisations that process personal data. They also increase the range of possible sanctions for infringements of these rules. 

This document outlines the main elements of the GDPR and links to further information about it. The GDPR and Ireland As an EU regulation, the GDPR did not generally require transposition into Irish law (EU regulations have direct effect), so organisations involved in data processing of any sort need to be aware that the GDPR addresses them directly in terms of the obligations that it imposes.
You can read about these obligations and the concepts and principles involved. The Data Protection Act 2018 was signed into law on 24 May 2018. The Act changes the previous data protection framework, which was established under the Data Protection Acts 1988 and 2003 (pdf). 

Among its provisions, the Act has: 
  • Established a new Data Protection Commission as the State’s data protection authority 
  • Transposed the law enforcement Directive into national law 
  • Given further effect to the GDPR in areas where member states have flexibility (for example, the digital age of consent) 

Types of data
There are two main types of data under the GDPR: personal data and special category personal data. 

Personal data 
Under the GDPR, personal data is data that relates to or can identify a living person, either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history. A data subject is the individual to whom the personal data relates. You can read more in our document Your rights under the GDPR. Organisations that collect or use personal data are known as data controllers and data processors. You can read about the obligations of data controllers and processors and the concepts and principles involved. 

Special category personal data 
Special category personal data (known as sensitive personal data under previous Irish legislation) means personal data relating to any of the following: 
  • The data subject’s racial or ethnic origin, their political opinions or their religious or philosophical beliefs
  • Whether the data subject is a member of a trade union 
  • The data subject’s physical or mental health or condition or sexual life 
  • Whether the data subject has committed or allegedly committed any offence 
  • Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings 
The processing of special category data is prohibited unless the data subject has given their explicit consent before processing begins or the processing is authorised by law, for example, to protect the interests of a data subject, to comply with employment legislation or for reasons of public interest. Personal data relating to criminal convictions and offences may only be processed under the control of an official authority. 

Where the GDPR applies 
The GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour. 
Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU. Further information Read about the legislation relating to the GDPR. There is further detailed information about the GDPR on dataprotection.ie and on the dedicated website gdprandyou.ie.