John Nealon, Certified Data Protection Officer, will be holding another one of his very successful Training Courses on how the GDPR and e-Privacy Directive together impacts of various Direct Marketing initiatives.

The session is focused, practical in its content and covers topics such as: 

• The key aspects of the GDPR and E-Privacy regulation impacting on Direct Marketing
• Implications of using Consent and Legitimate basis for direct marketing
• Current fines being imposed by DPC on Direct Marketing infringements
• Business to business marketing
• The “Can Do’s” and “Cannot Do’s” for:
  • Email Direct Marketing
  • Postal direct marketing
  • Telesales
  • Faxes and SMS (texts)

Date: Thursday 20^th June 2019
Time: 10am to 1pm
Location: Castleblayney
Cost: €290 for first attendee, €190 per person thereafter.
(10% Early Bird discount on all bookings made by 12^th June)

To book your place, simply email Info@dataprotectionservice.ie or phone 042 9749515.

A TRAINING COURSE NOT TO BE MISSED!

If Appropriate please pass on to Your Marketing Department
Early booking is advised as places are strictly limited.  Bookings are only secured with full payment.  Full payment must be made prior to course commencing. Course run subject to demand.

Whether it is used to mitigate personal security concerns or having a means to establish liability in the event of an accident, the use of Dashboard mounted CCTV – Dash Cams – in business vehicles has increased over the past number of years. This article details some of the considerations business managers need to consider if they have or are thinking of installing dash cams into their fleet.

Do the images of individuals recorded on our dash cams constitute personal data processing?
Yes. If your dash cam records people on the public road, licence plates or (in relation to inward facing systems) company employees this constitutes the processing of personal data.

I use dash cams in my company vans or lorries in case of an accident, what practical steps should I do to comply with the GDPR?

Personal data needs to be processed in a transparent manner. To ensure this the following actions should be undertaken by the company: a) Have clear signage both on and inside the vehicle, indicating that filming it taking place. b) A policy detailing the purposes of the recording. Note here, that if you only state that the purpose is for use in the event of an accident – it can only be used for this purpose! c) The policy should also contain contact details, the basis of processing and how long you retain the data. d) leave hard copies in your vehicle so that your driver can give a copy out in the event of a query, e) consider issues such as security and who can access the footage.

My dash cam usually rewrites over previous footage every week – can I hold the footage longer if there was an incident like an accident?

Yes. While your normal retention period might be a week, in the event of an accident or other incident, the recording may be kept longer

If the dash Cam records an individual, can that individual request a copy of the footage?

Yes. You should be able to provide a copy of the footage containing the data subject within 30 days. You should also avoid sharing other peoples data, ie other licence plates etc. It is your responsibility that necessary redaction is completed on the footage before it is released.

Can An Garda Siochana view a Dash Cam recording?

Yes, An Garda Siochana can view any footage upon request. However, a copy of the footage should only be released following receipt of a written request as per Section 41 of the Data Protection Act 2018.

Can I pass a Dash Cam recording to an insurance company?

Yes, but you must be satisfied that the insurance company will restrict its use of the data to only what is necessary, keep it secure and hold it only for as long as required. You should request a company’s policy with regarding to submitting recording prior to sending the material.

My insurance company offers discounts if I install dash cams, are there any Data Protection implications?

According to the data Protection Commissioner “If you enter into an arrangement with your insurer that requires you to own or operate a Dash cam to avail of a discount, your insurer may be acting as a joint controller”. As a minimum, you should ask the insurance company for a copy of their policies in relation to personal data that you record and ensure that the policy sets out each other respective responsibilities.

What are the key employee data protection implications for inward facing dashcams?

Many companies now have inward facing dash cams within company vehicles. There are a number of concerns in relation to this a) What is the purpose of the recording; b) have these purposes of processing been put in a written policy document; c) have employees clearly been informed of the existence of the dash cams and the purposes of processing; d) is such processing dealt with by way of Employee contract

What is the situation regarding video and Audio inward facing dashcams within taxis etc?

Audio and Video recording dashcams are usually deployed in buses and taxis for security and other reasons. In addition to the previous answer, such recordings may also capture images of passengers etc. In this situation, passenger need to be informed in a clear and transparent manner.

But, I only have a dash cam for my own personal use, is there any data protection implications?

If your dash cam is inward facing and is in your own car, the domestic use exemptions may apply. However, as a general rule of thumb if your dash cam is outward facing and you are recording the street outside, this is NOT domestic use.

You, should ensure that private Dash Cams are NEVER used within company vehicles.

Parents have you bought a connected toy or device for your child?

The Data Protection Commissioner is continuing to highlight the dangers of buying internet connected devices for children.  Seeing that Santa may have brought some of these devices to the good boys and girls, it is a good idea for parents to look at some of the advice that the Data Protection Commissioner (DPC) has issued.

Some toys are highly interactive and can recognise words and respond accordingly.  They may also connect to apps on smartphones or tablets.  This connection through smart phones or other internet enabled devices “might allow for the collection and recording of ‘conversations’ between the doll and the child, or even act as a walkie-talkie.

The GDPR empowers parents/guardians to have more control of their children’s personal data processing.  The manufacturer of these toys may rely on consent to legally undertake the collection and processing of the child’s Personal data.  If the child is under 16, the Parents or Guardians consent is therefore needed.

So, these are key Take home points for parents/guardians should undertake:

• Ensure that they are asked for authorisation
• Understand who the data controller is, why the personal data is being collected and how it is secured.
• Be able to exercise their right to withdraw their consent, to find out or access the personal data that is retained, and/or how to have it deleted.
• To take extra care when selecting a toy that has a camera or voice-recording ability, connects to the internet, allows remote connection using a smartphone or tablet app, or has a location tracking facility.

If you would like any additional information or advice, contact our Data Protection team on 042 9743040 

The Data Protection Commissioner has issued guidance regarding Personal Data Transfers to and from the UK

https://dataprotection.ie/en/news-media/latest-news/dpc-issues-important-message-personal-data-transfers-and-uk-event-no-deal

, including Northern Ireland, in the event of a ‘no deal’ Brexit. The main
points of her guidance are:

• In the event of a ‘no deal’ Brexit, the UK will become a “third
  country” for the purposes of EU personal data transfers from the 30th
  March
• The EU Commission outlines the legal mechanisms that can be used to
  underpin transfers from an EU member state to a third country,
  including;

1 International data transfers using model contracts

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en

2 Binding corporate rules (for transfers within multinationals)

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en

3 Adequacy Rules (and currently EU has not included UK in this section)

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

• Data flows from the UK to the EU after March 2019,
  according to the UK Government, the current practice, which permits
  personal data to flow freely from the UK to the EU member states, will
  continue in the event of a ‘no deal’ Brexit.
  
  https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal
  

In the event of a “No Deal” Brexit, (and that European Commission does not
make an adequacy decision regarding the UK at the point of exit) and where
your organisation has Personal Data Flows from the EU to the UK, you should now consider:

• Mapping the personal data being transferred to the UK (including
  Northern Ireland) currently. Consider outsourced Payroll service
  providers, IT/data servers located in the UK, security monitoring ARCs
  based in the UK, Insurance and HR service providers
• Assess the various transfer mechanisms to decide which ones best suit
  the situation
• Be ready to implement a suitable transfer mechanism in the event of a
  “No Deal” Brexit.

If you would like any additional information or advice as to how to prepare
for this particular challenge, contact our Data Protection team on 042 9743040