Data Protection

What is data protection?

The General Data Protection Regulation (GDPR) came into force in May 2018. This regulation places obligations and responsibilities on employers in relation to how they collect, use and protect data. Employers must have adequate data protection policies and procedures, and they must tell their employees about GDPR.


What rights do I have in relation to data protection?

Employees have a number of rights under GDPR, including the right to:

  • Information about the collection and processing of their personal data
  • Access the personal data and supplementary information held about them by the data controller
  • Have their personal data rectified by the data controller if the personal data they have is inaccurate or incomplete
  • Have their personal data erased by the data controller
  • Restrict a data controller from processing their data if they consider it is unlawful or the data is inaccurate
  • Object to their personal data being processed for direct marketing, scientific or historical research


What rights do I have in relation to privacy?

All workers have rights in relation to privacy. Legislation such as the Data Protection Act 1988, the Irish Data Protection (Amendment) Act 2003 and the General Data Protection Regulation offers employees certain protections at work in relation to closed circuit television (CCTV) usage, monitoring of emails etc. However, employers are permitted to monitor employees for certain purposes, such as for protection against theft or to protect the employer’s reputation in the case of posts on social media.


Employers must provide workers with a readily accessible, clear, and accurate statement of policy regarding email and internet use, including the use of social media, in the workplace.


What is meant by data?

This includes both automated and manual data. Automated data means data held on computer or stored with the intention that it is processed on computer. Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.


What is personal data?

Personal data is data that relates to or can identify a living person, either by itself or together with other available information. Examples include a person’s name, phone number, bank details and medical history.


The key principles are that Personal Data must be:

  1. Obtained and processed lawfully, fairly, and transparently
  2. Collected for specific, explicit, and legitimate purposes – not for secondary use
  3. Used and disclosed only in ways compatible with these purposes
  4. Kept safe and secure
  5. Kept accurate, complete, and up to date
  6. Adequate, relevant, and not excessive
  7. Retained for no longer than is necessary for the purpose
  8. Given to the individual on request



What is a data subject?

A ‘data subject’ is defined as: “a natural person whose personal data is processed by a controller or processor”. You, as a member, would be considered a data subject of the CWU.


In other words, a data subject is a living individual who is the subject of the Personal Data, i.e., to whom the data relates either directly or indirectly.


What is a data processor?

A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of their employment. This is more likely to be a company such as Halligan Insurance.


What is a data controller?

A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed. For example, the CWU is a data controller as it processes and stores personal data in relation to employees of the Union, members of the Union and third-party service providers engaged by the Union. All data must be acquired and managed fairly.


What is a data protection officer?

A person appointed to monitor compliance with the appropriate Data Protection legislation, to deal with Subject Access Requests, and to respond to Data Protection queries from staff members and service recipients.

What is a relevant filing system?

This is any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.


How do I request copies of my personal data?

This is known as a subject access request. Any formal, written request by a Data Subject for a copy of their personal data (a Subject Access Request) will be referred, as soon as possible, to the Data Protection Officer, and should be processed as soon as possible.



Where can I find more information?

If you would like to find out more about Data Protection, you can complete our online training programme on Unionlink.