The General Data Protection Regulation (GDPR)
The GDPR took direct effect Europe-wide on 25 May 2018, replacing the earlier data protection framework under the EU Data Protection Directive.
- Read the EU GDPR at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
Key Principles
Article 5 of the GDPR sets out key principles which lie at the heart of general data protection.
- Lawfulness, fairness, and transparency
- Purpose Limitation
- Data Minimisation
- Data Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
To further understand each of these principles see https://www.dataprotection.ie/en/individuals/principles-data-protection.
Legal Bases for processing
A valid legal basis – the one most appropriate in the specific circumstances of the processing – is required in all cases if a data subject’s personal data are to be lawfully processed in line with data protection law. Data Controllers should be aware that different legal bases, set out in Article 6 of the GDPR, can apply to different types of processing of the same personal data.
- Under the consent of the individual concerned.
- Under contractual obligation between you and the individual.
- To comply with a legal obligation.
- Protection of the vital interests of the individual.
- In the public interest.
- For legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously impacted. Should the person’s rights override your interests, then you cannot process the data.
Data Subject Rights
Under the GDPR (Articles 12-23), data subjects' rights include:
- Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject
- Section 2 Information and access to personal data
- Article 13 Information to be provided where personal data are collected from the data subject
- Article 14 Information to be provided where personal data have not been obtained from the data subject
- Article 15 Right of access by the data subject
- Section 3 Rectification and erasure
- Article 16 Right to rectification
- Article 17 Right to erasure (‘right to be forgotten’)
- Article 18 Right to restriction of processing
- Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20 Right to data portability
- Section 4 Right to object and automated individual decision-making
- Article 21 Right to object
- Article 22 Automated individual decision-making, including profiling
- Section 5 Restrictions
- Article 23 Restrictions
Health Research Regulations 2018
- The GDPR-based Health Research Regulations 2018 were signed off by Minister Simon Harris TD on Tuesday, August 7th 2018. Researchers were given nine months to ensure that the consent that they hold is GDPR compliant. See http://www.hrb.ie/funding/gdpr-guidance-for-researchers/health-research-regulations-2018-faq/
- Please see HRB Video – GDPR and the new Health Research Regulations 2018 http://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/
- RCSI Researchers Roadmap to compliance