Data protection rights

Everyone has the right to have their personal information processed in a fair and transparent manner. The General Data Protection Regulation, the GDPR, strengthens everyone’s rights in relation to how their personal information can be processed. A lot of publicity surrounded the implementation of the GDPR and the difficulties faced by some businesses in trying to comply with new obligations. But what steps can someone take if his data protection rights are breached?

What to do if personal data rights have been breached

The first step is to make a complaint to the Data Protection Commission. The Commission is the national watchdog, charged with investigating data protection related complaints from the public. A complaint can be lodged by letter or email.

Once a complaint has been made, a case officer will investigate and issue a decision. If it is found that there was a breach of the complainant’s data protection rights, the Commission has the power to issue warnings, order compliance, imposing a ban on the organisation having personal information or impose fines. The fines received the most publicity in and around the time the GDPR was commenced because the Commission has the power to issue fines of up to 2% of annual global turnover or €10 million, whichever is greater. Recently, for example, Google was fined €50 million by the French data protection watchdog. However, the Commission has no power to compensate the individual whose rights have been breached.

How can someone be compensated if harm is suffered?

Since the Commission has not been given the power to award compensation, if someone has suffered harm as a result of their data protection rights being breached, a case, called a data protection action, can be brought through the courts.

The harm suffered can be financial or pain and suffering. The GDPR gives examples of potential harm such as loss of control over personal data, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality, or any other significant economic or social disadvantage.

Although complaints to the Commission increased sharply after the commencement of the GDPR in May 2018, the courts have not, as yet, seen the same increase in the number of data protection actions. That may change as the public becomes more aware of their rights under the new law.