Slides from Niall Rooney FP Logue presentation at Food & Drink Business Europe event at Citywest Dublin on 05/09/2019 - *For Information Only, Not Legal Advice*

1. GDPR Update for Irish
Food & Drink Businesses
Niall Rooney
05.09.2019
This presentation is for general information
only and is not intended to provide legal advice

2. General Data Protection Regulation (GDPR)
• EU Regulation
• Effective from 25 May 2018 after two year transition period
• Data Protection Act 2018
 Compliance obligations for businesses and organisations
 “Accountability”
 Stronger data subject rights for individuals
 Right to lodge complaint and take legal action
 Increased powers and sanctions of Data Protection Commission

3. GDPR scope: ‘processing’ of ‘personal data’
• ‘processing’
• anything you can do with or to personal data, electronically or in manual
records, e.g. collecting, using, retaining, amending, sharing, deleting…
• ‘personal data’
• any information relating to an identified or identifiable living person
o special category data
• racial or ethnic origin
• political opinions, religious beliefs
• trade union membership
• genetic data
• biometric data
• data concerning health
• data concerning a person's sex life or sexual orientation
o criminal offence data

4. The Data Protection Principles (A 5)
a) You must process personal data lawfully, fairly and transparently
b) You must collect personal data for specified purposes, and not use it for
incompatible purposes
c) The personal data must be limited to what is necessary for the purposes
d) You must keep personal data accurate, and up to date if necessary
e) You must not keep personal data for any longer than is necessary for
the purposes
f) You must ensure security of the personal data, including confidentiality,
integrity and availability
 You (data controller) are responsible for complying with the principles
and you have to be able to demonstrate your compliance

5. What does GDPR “compliance” look like?
1 Maintain a Record of Processing Activities containing specified information A 30
2 Provide individuals with Privacy Notices containing mandatory information A 13-14
3 Appoint a Data Protection Officer, if required A 37
4 Technical and organisational measures to ensure and demonstrate compliance A 5, 24
5 Data security measures appropriate to the risks A 32
6 Facilitate the exercise of data subject rights A 12, 15-22
7 Record and report personal data breaches A 33-34
8 Contracts with data processors (third parties processing on your behalf) A 28
9 International data transfer safeguards, unless adequacy A 44-47
10 Data protection by design and by default approach A 25
11 Data Protection Impact Assessment (DPIA) prior to likely high-risk processing A 35-36
12 Joint controller arrangement, if relevant A 26

6. Data Security & Personal Data Breaches
• Ensure appropriate security of personal data (A 5)
• Implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risks of processing (A 32)
• Identify, report and notify personal data breaches (“a breach of security
leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or processed”)
 Notify breach to DPC within 72 hours of becoming aware if the breach is
likely to result in a risk to individuals (A 33)
 Communicate breach to affected individuals without undue delay if the
breach is likely to result in a high risk to individuals * (A 34)
 Data controller must document every personal data breach, including the
facts, effects, and remedial actions taken (A 33(5))

7. Data Subject Rights
Individuals have rights in relation to their personal data –
• The right to be informed (Privacy Notice)
• The right of access (Subject Access Request)
• The right to erasure (‘right to be forgotten’)
• The right to object to certain processing
• The right to rectification (correction)
• The right to restrict processing
• The right to data portability
• Rights in relation to automated decision making and profiling
• The data controller must facilitate the exercise of data subject rights, and
must be able to demonstrate its compliance in this regard…

8. Right of Access (SAR)
• Individuals have the right to get information about how their personal data is
being processed and to obtain a copy of the personal data
• No formality requirements and requester motive is irrelevant
• Data controller has one month to respond (may extend by two months where
requests are complex or numerous)
• No fee or refusal allowed (unless manifestly unfounded or excessive)
• Limited restrictions, including that disclosure of personal data concerning the
requester would adversely affect the rights and freedoms of others
• Data controller must provide the personal data to the requester securely
• Data controller must be able to demonstrate compliance

9. Third Parties
1. Data Controller + Data Processor
 Third party processing personal data on the data controller’s behalf
 GDPR due diligence
 Written contract with mandatory terms (A 28)
 Liability issues
2. Joint Controllers
 Jointly decide the purposes and means of processing of personal data
 “Arrangement” setting out respective GDPR responsibilities (A 26)
3. Data Controller + Data Controller
 Disclosure or sharing of personal data to or between independent parties
 Separate compliance responsibilities as separate data controllers
 Data Sharing Agreement is recommended
4. Third Party Data Request
 Usually from a law enforcement body
 Section 41 Data Protection Act 2018 – disclosure is “necessary and
proportionate” for purposes specified in the section, e.g. detecting,
investigating or prosecuting criminal offences
 No obligation to comply with a S41 request, data controller bears risk..

10. International Data Transfers
Transfer of personal data to a country outside EEA prohibited unless either –
1. The country is subject of a European Commission adequacy decision
• includes AR, CA*, IL, IOM, JP*, JE, NZ, CH, UY
• EU-US Privacy Shield*
2. Appropriate safeguards are provided
• Standard Contractual Clauses; or
• Binding Corporate Rules (BCRs)
3. An article 49 GDPR specific derogation applies (caution…)
See:
https://www.dataprotection.ie/en/organisations/international-transfers
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-
data-protection_en

11. ‘No-Deal’ Brexit preparation tips
• Even if UK can qualify for adequacy, this will not be in place on exit day, and it would
take some time to negotiate…
• When UK leaves the EU, transfer of personal data from Ireland to UK will be prohibited
unless you have safeguards in place, such as Standard Contractual Clauses (until
there’s a Commission adequacy decision, if that happens).
 Review data flows and identify where you transfer personal data to NI and GB
 Prepare to put SCC contracts in place to ensure that personal data can continue
to flow once the UK is outside the EU
 Review your Privacy Notices and internal compliance documentation to identify
what will need updating when the UK leaves the EU
 Make sure key people in your business are aware of the issues and risks
 Stay up to date on developments, monitor DPC and ICO website updates

13. Questions?
FP Logue Solicitors
Data Protection, Privacy & Information Law
01 531 3510 | info@fplogue.com | www.fplogue.com