New regulations permit the Central Bank of Ireland to limit the rights of data subjects under the GDPR

• Ireland

• Privacy, data protection and cybersecurity

15-01-2020

Precis: In this briefing, we look at the new regulations permitting the Central Bank of Ireland to limit the rights of individuals under the GDPR.

On 30 October 2019 the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019 (the “Regulations”) came into effect.

Scope

The Regulations allow for the limitation of a data subject’s GDPR rights in order for the Central Bank of Ireland (the “CBI”) to carry out “relevant functions” and “relevant objectives” within the public interest. These limitations apply to the personal data (including special category data and GDPR Article 10 data) that the CBI processes as a controller.

“Relevant Functions” and “Relevant Objectives”

“Relevant objectives” are defined as important objectives of general public interest by section 60(7) (b) to (g) and (i) to (m) of the Data Protection Act 2018 (the “DPA”) pursued in order to exercise a “relevant function” of the CBI. A “relevant function” is defined as a function carried out by the CBI under financial services legislation, the Treaty on the Functioning of the EU, or the Statute of the European System of Central Banks and of the European Central Bank.

These functions relate directly or indirectly to one or more of the following:

i. monetary policy;

ii. contributing to the stability of the financial system;

iii. protecting the best interests of consumers of financial services;

iv. regulating financial service providers;

v. regulating financial markets;

vi. supervising compliance with financial services legislation;

vii. enforcing compliance with financial services legislation;

viii. collecting information for analysis or statistical purposes;

ix. resolution of regulated financial service providers;

x. operating a deposit guarantee scheme or other compensation or customer protection scheme; and/or

xi. operating the Central Credit Register.

Restrictions and Safeguards

The Regulations allow for the restriction of rights and obligations outlined in Articles 12-22, 34 and 5 of the GDPR. These rights and obligations may only be restricted when deemed necessary and proportionate to safeguard the relevant objective of the CBI as outlined in Regulation 7(1).

When such rights or obligations are restricted, the CBI shall notify the data subject of:

1) the right or obligation being affected by the restriction;

2) if the right or obligation has been restricted in whole or in part;

3) the reasons for the restriction (unless disclosure would inhibit the achievement of the relevant objective); and

4) the right of the data subject to lodge a complaint to the Data Protection Commission without prejudice to any other rights or remedies available to them.

This includes the judicial review of a CBI decision and the right to appeal a decision of the CBI pursuant to Part VIIA of the Central Bank Act 1942. This notification shall be communicated in a timely manner through clear and plain language in a concise, intelligible and easily accessible form.

The Regulations protect the rights of data subjects as the CBI must implement and regularly review policies and procedures to ensure the fundamental rights and freedoms of data subjects are protected without interfering with the success of the CBI’s relevant objectives.

Conclusion

The Regulations will allow the CBI the freedom to carry out its relevant functions and objectives which are aligned with the interest of the general public while still ensuring necessary protections to a data subject’s fundamental rights and freedoms are maintained.