In a landmark case, the UK Supreme Court has ruled that supermarket chain Morrisons is not vicariously liable for a deliberate data breach committed by a former rogue employee. The decision shows that an employer is unlikely to be liable for a malicious data breach committed by an employee, where his/her wrongful conduct is not closely connected with his/her tasks at work.

Covid-19 is presenting unique and unprecedented challenges for employers who have to grapple with often complex HR and data protection related issues in a rapidly escalating crisis. Employers are anxious to ensure continuity of their business, the health and safety of their employees and compliance with data protection obligations where these arise.

Our Employment and Data Protection teams have been advising employers on these issues for a number of weeks and have collated responses to a number of frequently asked questions to assist employers at this time.

On 12 November 2019, the EDPB published its finalised Guidelines on Territorial Scope of the GDPR (3/2018). The Guidelines aim to assist companies and supervisory authorities in determining whether a particular processing activity falls within the territorial scope of the GDPR.

The Minister of Finance has passed new Regulations, the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, permitting data subjects’ rights under Articles 12-22 and Article 34, and controllers’ obligations under Article 5 GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank of Ireland (CBI) to carry out certain functions.

The Minister for Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, have informed the government that provision and use of the Public Services Card (PSC), not just by the Department of Employment Affairs and Social Protection (DEASP), but by other public bodies shall continue. The DEASP has written to the Data Protection Commission (DPC) advising it of this decision. In doing so, the Government accepts that it may be necessary for the matter to be referred to the courts for a definitive decision. The DEASP intend to publish the DPC’s investigation report following further engagement with the DPC.

On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.

In the Fashion ID case (C-40/17), the Court of Justice of the European Union (CJEU) found that the operator of a website that features a plug-in (such as a Facebook ‘Like’ button) can be considered a joint controller with the plug-in provider, in respect of the collection and transmission to that plug-in provider of the personal data of visitors to its website. However, the website operator will not be a joint controller or liable for any subsequent processing of the personal data by the plug-in provider.

The CJEU also held that the website operator is responsible for obtaining consent from website visitors for the collection and transmission of their personal data and providing notice to visitors about the use and disclosure of their personal data.

Although the case was decided under the Data Protection Directive 95/46/EC (the Directive), it will continue to be relevant under the GDPR, since the relevant definitions and obligations continue to apply under the new regime. The decision will have an impact not only on website operators that embed social plug-ins, but also on any website operator that uses cookies to collect and transmit personal data of its visitors to third parties, such as AdTech providers.