Irish Businesses, GDPR and Data Breach: Rights and Freedoms of a Natural Person | GDPR
How is a business or organisation, responsible for deciding on the basis of the ‘rights and freedoms’ of an individual, to know whether it should report a data breach or not?
The critical question in reaching that decision is whether the ‘rights and freedoms’ of the data subject have been put at risk (GDPR 2016/679, Art. 33(1)). So what are these ‘rights and freedoms’, which play such a pivotal role in how an individual’s data are to be cared for?
‘Rights and freedoms’ are mentioned 77 times in the GDPR, 39 times in the Recitals and 38 times in the Articles, so one might be forgiven for thinking that such an important and oft-used phrase would receive some definitional coverage in the Article 4 definitions, but sadly I found none! Oh well!
Our neighbouring regulator, the ICO, states:
‘It will be mandatory to report a personal data breach under the GDPR but only if it’s likely to result in a risk to people’s rights and freedoms’.
Clearly, the decision maker has an important question to consider. Is the data breach such that the ‘rights and freedoms’ of the individual are sufficiently at risk?
Article 1, ‘Subject-matter and objectives’, kicks off by announcing that the Regulation…
‘lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data’. Art. 1(1)
Article 1(2) then continues:
‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data’.
So, what are my (fundamental data protection) rights?
The Irish Data Protection Commissioner’s website outlines a helpful list of ten rights that apply when a person or organisation takes and records your personal details, and urges (with a disclaimer) careful reading to make sure that you are aware of your rights.
1. Right to have your details used in line with data protection regulations
A data controller who holds information about you must: get and use the information fairly; keep it for only one or more clearly stated and lawful purposes; use and make known this information only in ways that are in keeping with these purposes; keep the information safe; make sure that the information is factually correct, complete and up-to-date; make sure that there is enough information – but not too much – and that it is relevant; keep the information for no longer than is needed for the reason stated; and give you a copy of your personal information when you ask for it.
2. Right to information about your personal details
Data controllers who obtain your personal information must give you: the name of the organisation or person collecting the information or for whom they are collecting the information; the reason why they want your details; and any other information that you may need to make sure that they are handling your details fairly – for example the details of other organisations or people to whom they may give your personal details.
If an organisation or individual gets your personal details from someone else and not directly from you, they must tell you which details they hold and give you the name of the original data controller.
3. Right to access your personal details
You can ask for a copy of all your personal details by writing to any organisation or person holding these details on a computer or in manual form. See the section below on ‘How to request access to your details’.
You can also ask the data controller to inform you of any opinions given about you, unless the data controller considers that the opinions are confidential. Even in such cases, your right to such information will usually be greater than the right of the person who gave this opinion in private. This right does not apply, however, in a small number of cases where it could harm certain interests – for example when someone is investigating an offence.
You should also be informed of, and given the chance to object to, any decisions about you that are automatically generated by a computer without any human involvement.
4. Right to know if your personal details are being held
If you think that an organisation or individual may be holding some of your personal details, you can ask them to confirm this within 21 days. If they do have personal details about you, they must tell you which details they hold and the reason why they are holding this information. You can ask for this information free of charge.
5. Right to change or remove your details
If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.
Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.
In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so.
6. Right to prevent use of your personal details
You can also ask a data controller not to use your personal details for purposes other than their main purpose – for example for marketing.
You can do this by simply writing to the organisation or person holding your details and outlining your views. Within 40 days, they must do as you ask or explain why they will not do so.
7. Right to remove your details from a direct marketing list
If a data controller holds personal details about you for direct marketing purposes, you can ask them to remove your details. You can do this by writing to the organisation or person holding these details. They must let you know within 40 days if they have dealt with your request.
8. Right to object
A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you unnecessary damage or distress, you may ask the data controller not to use your personal details.
This right does not apply if: you have already agreed that the data controller can use your details; a data controller needs your details under the terms of a contract to which you have agreed; election candidates or political parties need your details for electoral purposes; or a data controller needs your details for legal reasons.
You can also object to use of your personal details for direct marketing purposes if these details are taken from the electoral register or from information made public by law, such as a shareholders’ register. There is no charge for objecting.
9. Right to freedom from automated decision making
Generally, important decisions about you based on your personal details should have a human input and must not be automatically generated by a computer, unless you agree to this. For example, such decisions may be about your work performance, creditworthiness or reliability.
10. Right to refuse direct marketing calls or mail
If you do not want to receive direct marketing telephone calls, you should contact your service provider. They will make a note of your request in the National Directory Database (NDD) ‘opt-out’ register. It is an offence to make direct marketing calls to any phone number listed in the NDD. If you have not included your phone number in this register, you can also refuse such calls by simply asking the caller not to phone you again.
So, looking at the Commissioner’s website, fundamental data protection rights appear relatively prescriptive at first glance!
What are my (data protection) freedoms then?
Here, things become a little more complicated. Freedom is a very emotive word, conjuring up a myriad of (negative) images when it is believed to have been taken from the individual. To attempt a detailed description of freedom is to fill many pages with text and then maybe not reach the end point! Fundamental freedom in the context of data protection appears to mean that which is set down in the European Convention on Human Rights (ECHR), which defines fundamental freedoms as…
‘Those which are the foundation of justice and peace in the world and are best maintained on the one hand by an effective political democracy and on the other by a common understanding and observance of the Human Rights upon which they depend.’
ECHR Art. 8 covers the right to respect for private and family life, and this right received recognition in the context of data processing in Von Hannover v Germany (ECtHR, 24 June 2004). Here the Court suggested:
‘Increased vigilance in protecting private life is necessary to contend with the new communication technologies which make it possible to store and reproduce personal data’.
In the EU Charter of Fundamental Rights, freedoms receive fuller consideration. Title II (‘Freedoms’) contains 14 articles, one of which (Article 8) directly covers personal data…
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
So, there you have a very brief definitional outline of rights and freedoms as they relate to personal data. Of course there are more legal elements (Acts, S.I.s, Directives, case law and so on…) to consider as you drill deeper into the subject, but the foundational information above gives some indication of the potential legal complexity attached to uttering the words ‘fundamental rights and freedoms’ (of natural persons) in the context of a decision to report (or not) a personal data breach under the GDPR (Art. 33(1)).
A business or organisation, in essence, is expected to assess the likelihood that a breach results in a risk to the above rights and freedoms, and then take action (or not) accordingly. No small matter in my view.
I believe it is important to be clear on the basic rules of a regulated area that relies upon principles-based rather than rules-based law. Data protection training is a key element in engaging with the GDPR satisfactorily, and I believe it is time now for relevant businesses and organisations (who have not already done so) to check out the options available in preparation for the arrival of this Regulation and other legal developments in data protection, whether by self-informing or by enlisting outside assistance. It is time now also for the creation, review and updating of adequate in-house data protection policies and systems to assist business decision-making and compliance.
Martin O’Dwyer is a Data Protection Law Specialist working in North-West Ireland. 00353864169922