As 28 January 2022 marks Data Privacy Day, our Technology and Innovation Group looks back on our key data protection related publications over the past 12 months. 2021 was a significant year for organisations with respect to their data protection obligations, including the impact of Brexit, Covid-19, new Standard Contractual Clauses and a significant decision by the Irish Data Protection Commission (the “DPC”) with respect to transparency measures.

A Survey of the Impact of GDPR and its Effect on Organisations in Ireland 2022

For the 6th year in a row we began the New Year by releasing the results of our annual survey on the impact of the GDPR and its effect on organisations in Ireland.  Our survey highlighted a shift in attitudes to GDPR compliance and the significant work done by organisations in Ireland to seek to achieve compliance. 

When do the GDPR Transfer Rules Apply? The EDPB Provides Insight into the Interplay Between Article 3 and Chapter V of the GDPR

We examine the guidance published by the European Data Protection Board (the “EDPB”) that aims to assist controllers and processors in determining whether processing of personal data constitutes a transfer outside the European Economic Area.  The EDPB considers the interaction between the territorial scope of the GDPR and the provisions of the GDPR relating to international transfers, and aims to increase understanding of international transfers of personal data generally.

Key Takeaways from DPC’s Inquiry into WhatsApp’s Transparency Measures

At €225million, the DPC has imposed its largest administrative fine to date on WhatsApp for breaches of transparency obligations under the GDPR. We consider the DPC’s decision and related findings by the EDPB, which raise a number of points for all organisations to consider, particularly regarding their privacy notices and transparency measures.

Vaccination Status and Office Re-openings: A Match Made in Heaven or a Cloud to a Silver Lining?

Vaccination status information and the data protection implications in an employment context are issues considered in this article published by PDP Journals in the Compliance & Risk journal. We consider the data protection issues for employers seeking vaccination status information from their employees to facilitate a return to office working.

Sharing is Caring (Subject to Strict Conditions): Commencement of the Data Sharing and Governance Act 2019 and its Impact on Data Sharing between Public Bodies

On 7 July 2021, provisions of the Data Sharing and Governance Act 2019 (the “DSGA”) carrying implications for the way in which public bodies may exchange data were commenced. We examine the impact of the DSGA on individuals and public bodies.

Lights, Camera, Action for SCCs! European Commission Adopts New Sets of Standard Contractual Clauses

On 7 June 2021, the European Commission published its decision to adopt new standard contractual clauses (“SCCs”).  These SCCs may be used to facilitate transfers of personal data outside the EEA under Article 46(1) GDPR. In this briefing, we examined the new SCCs and key dates for implementation.

COVID-19: EDPB and EDPS Recommendations for Digital Green Certificate

The EU Digital Covid Certificate has allowed EU citizens to travel freely between Member States during the pandemic on producing a verifiable certificate on vaccination, testing or recovery. We examine the recommendations published by the EDPB and the European Data Protection Supervisor (“EDPS”) regarding the data protection implications of this proposal.

GDPR and Receiverships: How do Data Protection Principles Apply?

Data protection considerations can give rise to legal and practical issues in receiverships and other insolvency events. The DPC included a case study on a data protection complaint made against a receiver in its 2019 Annual Report and, more recently, published detailed guidance on data protection considerations related to receivership. In this briefing, we consider the DPC’s Guidance and what it means in the context of receiverships.

EDPB Adopts Guidelines on Connected Vehicles following Public Consultation

As in-vehicle connectivity becomes increasingly prevalent, the EDPB has adopted guidelines on processing personal data in the context of connected vehicles and mobility related applications. Following a public consultation on a draft version of the Guidelines, we considered how the EDPB has now clarified the precise scope of the guidelines and confirmed the applicability of the ePrivacy Directive in this context.

COVID-19: Employee Monitoring and Remote Working

As remote working is set to remain a permanent feature of the Irish workplace, we examined how employers can strike the right balance when taking steps to monitor their employees. In particular, we reflect on the laws governing employee monitoring in Ireland, practical considerations for employers and the impact on the employer-employee relationship.  

Brexit Trade Deal: Impact on Data Transfers

In advance of the publication of an adequacy decision for the UK by the European Commission, we considered the immediate impact on data transfers from the EEA to the UK under the Trade and Cooperation Agreement between the European Union and the United Kingdom, which brought an end to the Brexit transition period.

Exploring the GDPR’s ‘One-Stop-Shop’ Mechanism – What the Opinion of the CJEU’s Advocate General tells us

On 12 January 2021, Advocate General Michal Bobek delivered his Opinion on a regulatory competence tussle related to the respective roles of a ‘lead supervisory authority’ (“LSA”) under the GDPR and a local supervisory authority. In this briefing, we review the most striking points of the Advocate General’s Opinion.