Newsletter August 2019

Business Legal is a regulatory compliance firm assisting businesses with general regulatory compliance. All businesses are subject to compliance with Employment Law, Data Protection Law and Health and Safety. In addition, businesses may also be subject to sector specific compliance regulations, such as insurance industry regulations, food standards regulations et cetera.

Business Legal provides expert support and assistance in the 3 main compliance areas of Employment Law, Data Protection Law and Health and Safety Law, and can provide specialist consultants in more specific areas.

SMEs often don’t have an in-house legal function, and to assist in ensuring cost-effective, competent advisers are retained we also provide a General Counsel service to SMEs whereby we source legal services for our clients from niche specialists in each area.

The Public Services Card (PSC) 

The Data Protection Commission (DPC) has determined that the PSC may not be used on a mandatory or compulsory basis by government departments other than the Department of Social Protection, which is the Department which issued the card. This means that it is not lawful for a PSC to be demanded in a driving licence or passport application, or any other application to any department other than the Department of Social Protection.

More problematically, the DPC has ordered the destruction of 3.2 million data subjects’ records on the basis that they are no longer required once the primary purpose for gathering that data was achieved, namely the identification of the individual.

The government appears to be inclined to try and retrospectively legislate to legitimise its unlawful actions, rather than to take on board the criticism of data protection practitioners, and the DPC, with regard to its actions over the last number of years. There are very strong legal objections to this approach, as Article 5.1.b of the GDPR requires that personal data be “collected for specified, explicit and legitimate purposes”, and the data has already been collected. Any attempt to retain the personal data held in respect of the PSC, or to retrospectively legitimise its collection, would likely be resisted by recourse to litigation. The DPC has put a 21 day stay on its order for the destruction of the personal data, so we will be reporting on further developments in our September edition of this newsletter.

Privacy Notices/Policies 

With the prospect of increased GDPR regulatory activity ahead, it is important for organisations to ensure their Privacy Notices are compliant.

You must provide clear, intelligible and easily accessible information to individuals about the collection and use of their personal data.

This must be provided at the time personal data is obtained from individuals (or within one month when obtained from another source).

The categories of information to be provided include the purposes of processing, the legal basis for processing, the legitimate interest of the company which the company claims legitimises the processing (if applicable), any data sharing, any international transfers, and the data retention periods which apply to each processing.

Working this out, with documentation to meet the requirements of accountability, can be challenging. You may need to refresh data mapping or review justifications for legal basis. Privacy Notices should also align with your Records of Processing Activities (as required by Article 30). You may need more than one Privacy Notice depending on the individuals involved (customers, staff, etc.). Privacy Notices are not a once-off exercise and must be kept under review to reflect processing activities. They are part of your GDPR transparency obligations. It should be transparent to individuals that their personal data is being processed and to what extent.

We can help you with your Privacy Notice, which is the shop window for your organisation.

How do you verify the identity of an individual requesting access to their data or that data be deleted?

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, has provided guidance.

If at all possible, refrain from asking for a copy of a formal ID.

Some alternatives may be: 

1. Via an existing login system.

2. A form of two-factor authentication. For example:

• after receiving a request via e-mail, request a confirmation by SMS. This mobile number must then match the customer data from your administration.

• request confirmation of a telephone request by e-mail. This e-mail address must match the customer data from your administration.

• ask for the last 3 digits of the account number, the date of birth and/or the customer number for verification.

• ask someone to come by and show you his/her ID proof without making a copy. Note, however, that this cannot be used to set up a threshold to allow access and should only be offered as an alternative.

GDPR fine in Romania

UniCredit Bank was fined €130,000 for not applying adequate technical and organizational measures to protect personal data. Customers’ ID number and address were exposed in bank statements for payments made to other persons. If a customer was transferring funds or making a payment to an account, the beneficiary would see this data.

EU Standard Contractual Clauses (SCCs) and EU-US Privacy Shield 

The major case of C-311/18 – Data Protection Commissioner (Ireland) v Facebook Ireland Limited & Schrems has now been heard by the CJEU. At issue is the validity of two key international data transfer mechanisms: the EU Standard Contractual Clauses (SCCs) and EU-US Privacy Shield, both widely-used mechanisms by EEA businesses to legitimise the transfer of personal data to countries outside the EEA (e.g. the US). A decision is expected on December 19th 2019.

While we can’t pre-empt the decision of the CJEU, if the SCCs and/or Privacy Shield were invalidated that would mean that businesses that have heretofore been relying on these mechanisms would need to consider alternative mechanisms for transferring their personal data to third countries.

These include: 

• Binding Corporate Rules (BCRs)

• Derogations

• Consent

Given the lack of any practical alternatives, should the SCCs and/or Privacy Shield be struck down, the European Data Protection Board will come under significant pressure to allow for some kind of moratorium during which no enforcement action will be taken by a national regulator, as happened previously when the precursor to Privacy Shield (Safe Harbour) was deemed invalid.

Businesses would need to:

• educate senior management on the implications of a declaration of invalidity;

• analyse data flows outside the EEA, what mechanism(s) underpin these transfers and how important these transfers are;

• assess the potential impact of having to stop transferring data abroad and how any fall out may be mitigated, e.g. cease certain data processing activities or cross-border transfers, bring the personal data back into the EEA or continue processing outside of the EEA;

• consider the extent to which business operations may continue without the need to transfer personal data outside the EEA;

• consider alternate mechanisms such as BCRs or one of the derogations, or demonstrate data subject consent to the transfers; and

• engage with third party service providers to determine what contingency plans they are putting in place to enable them to continue to receive data.

How should companies plan for BREXIT? 

If Brexit proceeds on the 31st October next, the UK will become a third country, and it (and by extension its companies processing data in the UK) will no longer be considered a safe destination for EU personal data.

Although the UK has passed a Data Protection Act 2018, with roughly equivalent provisions to the GDPR, in the absence of a Withdrawal Agreement being concluded between the EU and the UK the transition from being a member of the EU to being an unsafe third-country destination for EU personal data will be immediate.

Existing contractual provisions between controllers based in the EU and processors based in the UK

Currently, when a controller based in the EU (including in the UK) proposes to retain a processor based in the UK, they are required to put in place an agreement complying with Article 28.3 of the GDPR (often called a controller-processor agreement). This requirement will remain, but it will become more important, as the UK will now be considered an unsafe third-country destination for EU personal data.

In addition, however, the EU-based controller will have to legitimise the transfer of personal data from the EU to the UK. There are a number of ways of doing this, but the most common, and most practically useful, method is the execution of Standard Contractual Clauses (SCCs), often also called Model Clauses.

In simple terms, every EU-based controller who has a UK based processor will have to ensure that, in addition to a controller-processor contract, they also have in place a Model Clause contract between themselves and that UK based processor.

This is not as simple as it sounds, as processors often refuse to sign controller-processor contracts or Model Clause contracts. In the absence of both these agreements being signed, the controller has no legal option but to sever the relationship with the processor. This can create contractual difficulties in itself, as there can be contractual or statutory consequences from terminating the contract with the processor.

Article 27 Representatives  

In circumstances where a UK based company is targeting EU residents for the offering of goods or services, or is monitoring the behaviour of EU-based residents, such as behavioural advertising, then it will be subject to the EU GDPR, and will have to appoint an EU-based representative in accordance with Article 27 of the GDPR. Business Legal can assist with the provision of a specialist Article 27 Representative service, with specific Article 27 Representative liability insurance.

UK arrangements are similar 

The UK has put in place similar provisions with regard to the transfer of UK data to third countries, and there are requirements for third-country based controllers and processors to have a UK Representative appointed.

Miscellaneous  

In circumstances where a UK company is the lead controller for a group of companies, then it will be necessary for an alternative group company in an EU jurisdiction to take over this role.