The Data Protection Act 2018 came into force on 24 May and this article will briefly look at those changes in relation to how they will handle complaints, investigations and their enforcement powers under the Act.
The new Act gives the Data Protection Commission (DPC) more scope in how they handle complaints from data subjects or from not for profit bodies who act on the data subject’s behalf. The DPC is required to investigate all complaints and a complaint can only be rejected if it is found to be frivolous or vexatious.
Outlined below are the ways that the DPC will handle or investigate a complaint depending on the nature and circumstances of the complaint or issue:
- Amicable resolution
If the DPC considers that there is a “reasonable likelihood” of both parties reaching an amicable solution of the complaint, the DPC may arrange or facilitate that resolution. Once it has been reached the complaint will have been deemed to be withdrawn and no formal statutory decision will be required.
If an amicable resolution cannot be reached the DPC must take one or more of the following actions as detailed under section 109 of the Act:
- Reject the complaint
- Dismiss the complaint
- Provide advice to the data subject in relation to the complaint
- Serve an enforcement notice requiring the data controller or processor to take certain actions in line with data protection law
- Conduct an inquiry into the complaint
- Take other such actions as the DPC considers to be appropriate
2.Conducting an inquiry / investigation
The DPC may conduct an inquiry based on a complaint they have received or if they decide to conduct an inquiry of their own. They do not need to establish a reason or cause to conduct their own inquiry.
Under the Act the DPC can appoint an authorised officer with broad powers to enter a business premises without any warning or notice to conduct an investigation. In addition, they do not need to provide a search warrant for this. It is an offence to stop or impede an officer, to refuse to comply with a request from the officer and to alter, suppress or destroy any information that the officer may reasonably require.
The officer may search and inspect the premises and any information found in the premises. They can secure and take away information or equipment for later inspection. This also includes documentation as well. Employees of the business may be required to produce documents that relate to the processing of personal data that they deal with and they are required to supply the officer with any passwords to enable them to access and examine the documents.
Businesses may also receive an information and enforcement notice which may require them to either provide the information required or take specified steps. Again it is an offence to refuse to comply with these notices. However, a business has the right to appeal any notice and this must be made to the High Court within 28 days of receipt of the notice.
In addition, the DPC may carry out an investigation in the form of a data protection audit to ensure that the practices and procedures of the controller or processor complies with GDPR. Businesses will be given seven days’ notice that the DPC intends to start a data protection audit.
Once the investigation is complete the officer will make a report to the DPC on whether an infringement has taken place or not. The officer is not empowered to make any recommendations, their role is one of fact finding and producing a report based on their findings. The DPC will consider the report, they may request additional information from the data controller or data processor and, having carefully assessed all the evidence, they will make a decision whereby they could impose an administrative sanction. Businesses have the right to appeal the sanction through the Circuit Court if the fine does not exceed €75,000 or the High Court if it is a higher amount. Appeals must be lodged within 28 days.
We will continue to provide updates on the enforcements powers of the DPC, however, our recommendation is that if you co-operate with the DPC in any compliant or request they will take a proportionate view. You can read the Data Protection Act 2018 here
If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at firstname.lastname@example.org or visit our GDPR section on www.sfa.ie/advice