Privacy, Data Protection & Information Management

The Practice

We have a market leading reputation in the area of privacy and data protection. We have built our practice over many years by providing solutions-oriented advice across the broadest spectrum of industries and issues. We pride ourselves on understanding our clients’ perspectives and on the responsiveness and practicality of our advice in what is an increasingly challenging area of European and international law.

Led by partner Rob Corbet, our team includes partner Colin Rooney and Consultant Dr. Robert Clark while our strength in depth is supplemented by several associates within our Technology & Innovation team, each of whom has built expertise in the protection and commercial exploitation of data as an intellectual asset.


We work closely with our colleagues in our Employment and Litigation & Dispute Resolution groups in relation to material data security issues and enforcement actions. Our lawyers have advised on some of the highest profile data breach incidents in Ireland and internationally and we have successfully defended clients in many enforcement actions taken by the Office of the Data Protection Commissioner at all levels (including “dawn raids”, defending District Court prosecutions and representing clients in High Court judicial reviews and Supreme Court appeals). We also advise significant multinational companies on an ongoing basis in relation to the global management and commercial exploitation of data within the confines of Europe’s existing and emerging data protection laws.


Within the data privacy sphere, we routinely advise clients in relation to the following areas:

  • Legislative Compliance
    • Compliance with the Data Protection Acts 1988 and 2003 and the EU Data Protection Directive (95/46/EC)
    • The proposal for a new EU General Data Protection Regulation and associated data protection reforms in Europe
    • The right to privacy established by the Irish Constitution
    • The right to private correspondence under Article 8 of the European Convention on Human Rights
    • Data protection registration/notification requirements
    • Codes of Practice and Guidance issued by the Office of the Data Protection Commissioner
  •  International
    • Ireland as a corporate data centre
    • Trans border data flows (including Model Clauses, Binding Corporate Rules, Safe Harbor and other permitted means to legitimise the export and disclosure of personal data)
  • Defending Enforcement Actions
    • Dealing with investigations, Information Notices and Enforcement Notices issued by the Office of the Data Protection Commissioner
    • Legal support for clients subject to “dawn raids” or audits by the Office of the Data Protection Commissioner
    • Disposing of complaints through the “amicable resolution” procedure provided for under s.10 of the Data Protection Acts
  • Commercial Exploitation of Data
    • Protecting against unauthorised infringement of “Image Rights” and advising on celebrity image protection and endorsement
    • Direct marketing regulations, including restrictions under the ePrivacy Regulations (SI 336 of 2011) and the Data Protection Acts 1988 and 2003
    • Cloud strategies and contracts
    • Big data projects, including in internet, healthcare and financial services sectors
    • Implications of caselaw from the European Court of Justice e.g. right to be forgotten, the Data Retention Directive etc
  • Data Security
    • Legal security standards for telecoms/communications/internet companies
    • The Office of the Data Protection Commissioner’s Code of Practice on Data Breach Reporting
    • Mandatory data breach reporting under Commission Regulation (EU) No 611/2013  of 24 June 2013 on the measures applicable to the notification of personal data breaches
    • Data retention and lawful access in the communications and other industries including compliance with lawful access requirements under the Communications (Retention of Data) Act 2011 and prevailing European caselaw on data retention and access by State agencies
    • Surveillance, lawful interception and electronic evidence
    • Cyber-liability and insurance issues
  • Data Protection in the Workplace
    • Handling data subject access requests
    • Lawful use of biometrics, CCTV and other processing equipment
    • Lawfully obtaining and processing data in the context of employment investigations, disciplinary processes and employee disputes

Freedom of Information

The Technology and Innovation Group also advises on all aspects of the Freedom of Information law and practice. Partners Colin Rooney and Rob Corbet work with public bodies designated for the purposes of the FOI Acts and with private sector entities dealing with such public bodies or seeking access to records or information in respect of the operation of the FOI Acts. We advise on the full range of issues relevant to the FOI Acts including:

  • Interaction of the FOI Act with the Data Protection Acts 1988 and 2003 and other relevant legislation
  • The Freedom of Information Bill
  • Guidance for public bodies on compliance with the FOI Acts
  • Application of available exemptions in relation to requests pursuant to the FOI Acts and mechanisms for addressing refusals of access by public bodies
  • Dealing with public bodies in relation to the provision of confidential and commercially sensitive information by commercial entities
  • Procedural advices, review of decisions, including on public body internal review, review by Information Commissioner and appeal to the High Court
  • Appeals of Information Commissioner decisions
  • Freedom of Information training

Conferences and  Publications

We established the annual PDP Data Protection – Practical Compliance conference in Dublin which, over the past decade, has become Ireland’s leading data protection conference. We also provide the expert commentary and regular articles for the bimonthly journal, Data Protection Ireland.