4. Data subject rights
The rights for data subjects under GDPR are as follows:
1. Data access (Art 15)
2. Data rectification (Art 16)
3. Data deletion (Art 17, ‘right to be forgotten’)
4. Data processing restriction (Art 18)
5. Data portability (Art 20)
6. Data processing objection (Art 21) and
7. Automated decision-making, including profiling, objection (Art 22).
A further right is the right to be informed about the intended uses of personal data collected from the data subject. Where the personal data is collected directly from the data subject, they must be informed about the intended uses of their personal data at the time of collection; where the information is obtained indirectly, they must be informed within one month (Articles 13 and 14 GDPR).
The rights listed at 1-7 above must be described in your privacy notices (see Guidance 3).
Firms will have to comply with requests to exercise the data subjects’ rights listed at 1-7 above without undue delay and within one month. Where the matter is particularly complex or involves a number of requests, this may be extended by two further months where necessary. If an extension of time is required, the firm must notify the data subject of the delay and the reason for it within one month of receipt of the request. If the firm decides that it cannot comply with the request, it must inform the data subject, explain why it cannot comply, and inform the data subject that they may make a complaint to the Irish Data Protection Commission.
Restrictions on data subject rights
An important limitation on data subject rights is contained in s.162 of the Data Protection Act 2018, relating to data that is subject to legal advice privilege or litigation privilege, and to data in respect of which complying with the rights would constitute contempt of court.
Important limitations on these rights are also contained in s.60 of the Data Protection Act 2018, which provides for restrictions for important objectives of general public interest. Amongst other listed types of processing, these restrictions relate to processing:
- in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure (s.60(3)(a)(iv) Data Protection Act 2018)
- for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim (s.60(3)(a)(v) Data Protection Act 2018)
- for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim (s.60(3)(a)(vi) Data Protection Act 2018) or
- where the personal data relating to the data subject consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information (s.60(3)(b) Data Protection Act 2018).
The Data Protection Act 2018 states that additional restrictions may be made by regulations where such restrictions are necessary for the purpose of safeguarding important objectives of general public interest. Examples of the public interest are provided, including ‘avoiding obstructions to any official or legal inquiry’ (s.60(7)(a) Data Protection Act 2018) or ‘preventing, detecting, investigating or prosecuting breaches of ethics for regulated professions’ (s.60(7)(d) Data Protection Act 2018).
In contrast with the broad limitation contained in section 162, any restriction on data subject rights arising out of s.60 of the Data Protection Act 2018 must be necessary and proportionate. With respect to s.162, however, it must be noted that despite the absence of the ‘necessary and proportionate’ wording, the guidance in the GDPR states that any restrictions on data subject rights should be in accordance with the requirements in the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms (Recital 73 GDPR).
Interestingly, the section 162 legal privilege exception also applies to communicating data breaches to data subjects. We will deal with the data breach issue further in Guidance 9.
Access
We include detail on the right of Access in Guidance 5.
Rectification
Rectification is the right to have inaccurate personal data corrected. In addition, this may include having the right to have an incomplete record completed, including by means of a supplementary statement.
If a firm has shared inaccurate personal data with a third party, it has an obligation to contact the third party to correct the information unless this proves impossible or requires disproportionate effort (see Articles 16 and 19 GDPR). This obligation to inform third parties with whom personal data has been shared also applies to data affected by erasure or restriction of processing.
‘Right to be forgotten’
A data subject will have the right to obtain the erasure of personal data concerning him or her, and the firm will have the obligation to erase the data subject’s personal data, where one of the following applies:
- the personal data is no longer necessary for the purposes it was collected or processed;
- the data subject withdraws their consent to the processing, where the processing is based solely on consent;
- the data subject objects to the processing which has been undertaken on ‘legitimate interests’, ‘public interests’ or ‘official authority’ grounds and there are no overriding legitimate grounds for the processing;
- with respect to direct marketing, including profiling, where the data subject objects to such processing;
- the personal data was unlawfully processed;
- where required to comply with a legal obligation in EU or member state law to which the firm is subject; or
- the personal data was collected in relation to the offer of information society services (this ground is unlikely to apply to law firms).
If the data has been made public, the firm will have an obligation to take reasonable steps to inform other data controllers of the data subject’s request.
If, however, the processing falls into one of the following categories, the erasure will not be required to the extent the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation, the performance of a task carried out in the public interest, or the exercise of official authority vested in the firm;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
- for the establishment, exercise or defence of legal claims.
Obviously, the last ground will be relevant in particular to law firms, such as in a situation where an opposing party in litigation requests the erasure of personal data held about him or her.
This is a complex area and to a large degree a new data subject right under GDPR (Article 17 GDPR).
Restriction of processing
Restriction of processing means marking a data subject’s stored personal data with the aim of limiting future processing.
Where a data subject requests restriction of the processing of their personal data, with the exception of storage, it can only be processed for the following reasons:
- with the data subject’s consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person; or
- for reasons of important public interest of the EU or a member state.
In addition, the personal data can only be processed for the above purposes where the firm has notified the data subject before the restriction has been lifted.
The data subject can request restriction if:
- the accuracy of the personal data is contested;
- the processing is unlawful and the data subject objects to the erasure of the personal data and requests restriction instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing on the grounds of the controller’s legitimate interest, prior to verification of whether the legitimate interest grounds of the controller override those of the data subject.
Restriction could include updating access controls so that the data is available only to a few people within the firm and is read-only, removing data published on a website, etc.
Restriction is a new right under GDPR (Article 18 GDPR).
Data Portability
The right to data portability applies to processing a) carried out pursuant to a contract or on the basis of the consent of the data subject and b) where that processing is carried out by automated means.
It is the right to i) receive personal data provided to the firm in a structured, commonly used and machine-readable format and ii) to transmit that data to another controller without hindrance from the controller to which the personal data was provided.
The issue of the solicitor’s lien on the client file will come to the mind of many solicitors on reading about this new right under GDPR. As under current law, the solicitor’s lien does not override the data subject’s rights relating to their personal data. It is worth pointing out that this right of data portability applies to the personal data concerning the data subject which the data subject has provided to the firm. It does not relate to all personal data about a data subject held by a firm. In many situations, this may be an academic distinction, but in others, it may be an important one.
In order to comply with this right, firms may consider the approach of many technology companies that are pre-empting portability requests by providing an easy access portability mechanism to their service users. For a law firm, this may take the form of a client portal solution, where the client is able to securely view, access and download their client file to their own system at any time.
Data portability is a new right under GDPR (Article 20 GDPR).
Right to object
A data subject has the right to object to processing of their personal data when processed on the grounds of ‘public interest’ or ‘legitimate interests’, including profiling based on those grounds. The controller must cease to process the data unless there are compelling legitimate grounds which override the interests, rights and freedoms of the data subject or, importantly, for the establishment, exercise or defence of legal claims.
The data subject also has the right to object to processing for direct marketing purposes. There is no balancing test to consider where the processing is related to direct marketing. Where the data subject objects to direct marketing, the processing for direct marketing purposes must cease.
The data subject must be provided with information on the right to object under the grounds above at the latest at the time the first communication is sent to the data subject and this must be presented clearly and separately from other information.
In addition, there is a right to object to the processing of personal data for scientific, historical research or statistical purposes and such processing must cease unless the processing is necessary for the performance of a task carried out for the public interest.
The right to object is largely a new right under GDPR (Article 21 GDPR).
Automated decision-making, including profiling
A data subject has the right not to be subject to decisions based solely on automated decision-making, including profiling, which produce legal effects on the data subject or otherwise similarly significantly affect the data subject (Art 22 GDPR).
There are exemptions to this rule, where the decision is:
- necessary for the performance of a contract between the data subject and the controller;
- authorised by European Union or Irish law which contains suitable safeguards; or
- based on the data subject’s consent.
For the first and third exemptions, the controller must still implement suitable safeguards (e.g. human review of decisions). There are extra provisions where the automated decision-making or profiling includes sensitive categories of data.
Resources
- Data Protection Commission
- European Data Protection Board:
  - Guidelines 01/2022 on data subject rights - Right of access
  - Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)
  - Right to Data Portability
Data subject rights checklist
- Is your firm aware of the rights for data subjects under GDPR?
- Can you comply with data subject rights without undue delay and within the required time limits?
- Have you analysed your systems and procedures to see if they help you to comply with obligations related to data subject rights?
- Who in the firm is responsible for managing responses to requests from data subjects to exercise their rights?