GDPR: New exceptions to data protection rules for Central Bank

21-11-2019

Authors: Rob Corbet and Eoghan Clogher.


Under the new Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, a data subject’s rights may be restricted to the extent necessary to allow the Central Bank of Ireland (CBI) to carry out certain of its central functions.

What is the legislative basis for the Regulations?

Under section 60(6) Data Protection Act 2018 (DPA), a Minister may, following a consultation process, make regulations that restrict the obligations of controllers and rights of data subjects, where such restrictions are “necessary to safeguard important objectives of general public interest”.

What types of personal data come within the scope of the Regulations?

The Regulations apply to personal data for which the CBI is the controller and which the CBI processes in pursuit of a “relevant objective”. Personal data in this context also includes special categories of personal data and ‘Article 10 data’, that is, personal data relating to criminal convictions and offences or related security measures, processed on the basis of Article 6(1) of the General Data Protection Regulation (GDPR), as further defined in the DPA.

What is a relevant objective of the CBI?

A relevant objective is one of a number of important objectives of general public interest, as described in paragraphs (b) to (g) or (i) to (m) of section 60(7) of the Data Protection Act 2018, and pursued by the CBI in exercising a “relevant function”.

Important objectives of general public interest

Paragraphs (a) to (o) of section 60(7) of the Data Protection Act 2018 set out a non-exhaustive list of important objectives of general public interest that may justify additional regulations, such as the Regulations. The objectives in paragraphs (b) to (g) and (i) to (m), which are the ones relevant to the CBI under the Regulations, include:

  • avoiding obstructions to any official or legal inquiry, investigation or process;
  • preventing, detecting, investigating or prosecuting breaches of ethics for regulated professions;
  • preventing, detecting, investigating or prosecuting breaches of the law subject to civil or administrative sanctions;
  • identification of assets derived from criminal conduct;
  • safeguarding the economic or financial interests of the European Union or the State;
  • protecting the public against financial loss/ detriment due to dishonesty, malpractice or improper conduct in provision of banking, insurance, investment or other financial services;
  • the keeping of public registers for reasons of general public interest, whether the registers are accessible to the public on a general or restricted basis.

What is a relevant function of the CBI?

A relevant function is a function of the CBI under financial services legislation, the Treaty on the Functioning of the European Union or the Statute of the European System of Central Banks and of the European Central Bank, which relates directly or indirectly to a finite set of typical central bank duties, such as monetary policy, contributing to the stability of the financial system, or protecting the best interests of consumers of financial services.

Which rights and obligations are affected?

The rights and obligations set out in Articles 12 to 22 and Article 34 of the GDPR, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, may be restricted in respect of processing to which the Regulations apply. These include, for example, the data subject’s right to information (including the right to receive it in a transparent form), the right of access, the rights of rectification and erasure, the right to object, and the right to be told about a data breach in certain circumstances.

What limits are imposed on the CBI?

The restriction of a right or obligation must be (i) necessary to safeguard a relevant objective and (ii) proportionate to the need to safeguard that relevant objective. The Regulations set out a non-exhaustive list of circumstances in which this might occur, for example where the exercise of the right or compliance with the obligation may interfere with the prevention, detection or investigation of breaches of, or the enforcement of, financial services legislation. Those assessing necessity and proportionality must take into account:

  • the extent to which the exercise of the right or compliance with the obligation would prejudice the achievement by the CBI of the relevant objective,
  • the essence of the right to data protection of the data subject, and
  • the risks to the rights and freedoms of the data subject which may result from such a restriction.

Will data subjects be informed where their rights are restricted?

Yes. Where a right or obligation is restricted, the CBI must notify the affected data subject in writing and in a timely manner, unless such notification may itself prejudice the achievement of a relevant objective. In addition, affected data subjects must be explicitly informed that they have a right to lodge a complaint with the Data Protection Commission, which does not prejudice any other remedy they may have in relation to the CBI, including judicial review of a decision of the CBI and the right to appeal a decision.

Must the communication to data subjects be in a prescribed form?

No. It must simply be in a concise, intelligible and easily accessible form, using clear and plain language.

Are there any safeguards required by law with respect to these restrictions?

Yes. The CBI must implement (and regularly review and update) policies and procedures in relation to:

  • use of secure storage, passwords and encryption;
  • use of controls to ensure personal data is only sent to intended recipients;
  • determination of appropriate storage periods and treatment of data upon expiry of those periods; and
  • data minimisation, including anonymisation and pseudonymisation.

Comment

These Regulations came into operation on 30 October 2019. As with many other aspects of the GDPR, the CBI will need to come to its own decision on how to operationalise them, striking an acceptable balance between safeguarding a relevant objective and preserving the data subject’s right to data protection.

The authors wish to thank Sam O’Connell for his contribution to this article.
