General Data Protection Regulation

The GDPR (Regulation (EU) 2016/679) was first proposed by the European Commission in January 2012. After four years of negotiation, it was adopted on 27 April 2016. Following a two-year implementation period, the GDPR became applicable across the European Union on 25 May 2018. It replaced the Data Protection Directive 95/46/EC, introducing substantial changes to European data protection law along with significant financial penalties for non-compliance.
The Regulation replaces the previous European legislative framework under the 1995 Data Protection Directive (the “Directive”), on which the primary Irish data protection law, the Data Protection Acts 1988 to 2018 (the “Acts”), is based. The previous system of separate national laws transposing the Directive resulted in a fragmented regulatory landscape for data controllers operating in the European Union. Because the Regulation has direct effect, it allows a more standardised data protection law to be applied and enforced across the EU. The reforms also specifically address technological challenges and opportunities in the processing of personal data in the digital age, including profiling, data portability and the ‘right to be forgotten’. The following link sets out the principal changes that arise under the Regulation:

The University adheres to the principles of the Data Protection Acts 1988-2018 (as may be amended) and the European General Data Protection Regulation in its processing of Personal Data and Special Categories of Personal Data.

Article 5 of the GDPR sets out the following principles for the processing of personal data:

1. Lawfulness, fairness and transparency Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
2. Purpose limitation Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Data minimisation Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Accuracy Personal data shall be accurate and, where necessary, kept up to date
5. Storage limitation Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6. Integrity and confidentiality Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
7. Accountability The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR

Data Subjects (individuals) have a number of additional rights under the GDPR, which the University will uphold. Whether a particular right is available largely depends on the legal basis on which the University processes the data. The additional rights are as follows:

  • Right to Object – Data Subjects have the right to object to specific types of processing. The Data Subject must demonstrate grounds relating to their particular situation, except in the case of direct marketing, where the right to object is absolute. Where processing is for research or statistical purposes carried out in the public interest, this right may be subject to an exemption.
  • Right to be forgotten (erasure) – Data Subjects have the right to have their data erased in certain situations, such as where the data are no longer required for the purpose for which they were collected, the individual withdraws consent, or the data are being processed unlawfully. There is an exemption to this right for scientific or historical research purposes or statistical purposes where erasure would render impossible or seriously impair the achievement of the objectives of the research.
  • Right to Restriction of Processing – Data Subjects can ask the controller to ‘restrict’ processing of their data while a complaint (for example, about accuracy) is being resolved, or where the processing is unlawful.
  • Rights in relation to automated decision making and profiling – This right relates to automated decisions or profiling that produce legal effects for the Data Subject or similarly significantly affect them. Profiling is the automated processing of personal data to evaluate, analyse or predict aspects of an individual, such as their behaviour, preferences or identity. Data Subjects have the right not to be subject to decisions based solely on automated processing. Where profiling is used, appropriate measures must be put in place to ensure the security and reliability of the processing and to safeguard the Data Subject's rights. Automated decision-making based on Special Categories of Personal Data is only permitted with the Data Subject's explicit consent, or where it is necessary for reasons of substantial public interest under EU or Member State law, and in either case subject to suitable safeguards.
  • Right to Rectification - The right to require a Data Controller to rectify inaccuracies in Personal Data or Special Categories of Personal Data held about them.  In some circumstances, if Personal Data or Special Categories of Personal Data are incomplete, a Data Subject can require the controller to complete the data, or to record a supplementary statement.
  • Right to Portability – The Data Subject has the right to receive the information they have provided in a structured, commonly used and machine-readable format, so that it can be transmitted to another Data Controller. This right only applies where all of the following conditions are met:
    • the Personal Data or Special Categories of Personal Data are processed by automated means (not paper records)
    • the Personal Data or Special Categories of Personal Data were provided to the Data Controller by the Data Subject
    • the processing is carried out on the basis of consent or a contract

The following obligations also apply:

  • The University will keep a record of its data processing activities as a summary of the processing and sharing of personal information and the retention and security measures that are in place.
  • The University will provide Data Subjects with a ‘privacy notice’ to let individuals know what it does with their personal data.   Privacy notices are published on the University website and are therefore available to staff and students and service users from their first point of contact with the University.  Any processing of staff or student data beyond the scope of the standard privacy notice, or processing of the personal information of any other individuals will mean that a separate privacy notice will need to be provided.  
  • The University and all University Members who use Personal Data or Special Categories of Personal Data shall ensure that all data they hold is kept securely.  They shall ensure that it is not disclosed to any unauthorised third party in any form, accidentally or otherwise.  Data Security should be undertaken in line with ISS policies and procedures available on the University website.
  • Personal Data or Special Categories of Personal Data may only be transferred outside the European Economic Area (EEA) in specific circumstances provided for under the GDPR, and the advice of the Data Protection Office should be sought before any such transfer.
  • Individual Units within the University are responsible and accountable for the Personal Data and Special Categories of Personal Data that they hold.
  • Individual Units within the University are responsible for ensuring the appropriate retention periods for the information they hold and manage, based on University guidance in the University Record Retention Policy which can be obtained by staff members from dataprotection@universityofgalway.ie

Retention periods are set based on:

    • Legal and regulatory requirements
    • Sector
    • Good practice guidance

As a general rule, personal data must only be kept for the length of time necessary to perform the processing for which it was collected.  Once information is no longer needed it should be disposed of securely.  Paper records should be shredded or disposed of in confidential waste and electronic records should be permanently deleted.

  • University Members shall consider the impact on data privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the risk to personal data.
  • University Members shall consider privacy issues when planning new processing activities or setting up new procedures or systems that involve personal data. The GDPR imposes a specific ‘data protection by design and by default’ requirement (Article 25), emphasising the need to implement appropriate technical and organisational measures at the design stage of a process and throughout the lifecycle of the relevant data processing, so that privacy and the protection of data are not an afterthought.
  • The University acknowledges that for some projects a Data Protection Impact Assessment (DPIA) must be carried out. Circumstances in which a DPIA is required include: processing of large volumes of personal data, automated decision-making or profiling, processing of special categories of personal data, and systematic monitoring of publicly accessible areas (e.g. CCTV). The DPIA is a mechanism for identifying and examining the risks of a new initiative to individuals and for putting in place measures to minimise or reduce those risks before processing begins.
  • The University acknowledges that direct marketing relates to communication (regardless of media) with respect to advertising or marketing material that is directed to individuals e.g. mail shots for fund raising, advertising courses etc.  Individuals shall be given the opportunity to remove themselves from lists or databases used for direct marketing purposes.
  • Direct marketing shall also comply with the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 https://www.irishstatutebook.ie/eli/2011/si/336/