Privacy & GDPR services

We have extensive specialist experience advising a range of clients on privacy, data protection and GDPR issues.

Privacy has never been so newsworthy, due to the combination of ever-increasing use of personal information by large organisations, high-profile data breaches and the commencement of the General Data Protection Regulation in 2018 . There has been a welcome increase in public knowledge about data protection rights and laws, but it is important to know that data protection law did not start with the GDPR. In fact, Irish data protection law goes back to 1988, and the constitutional right to privacy pre-dates that.

Much of the news coverage of data protection, however, is focussed on the organisational side of law and practice rather than on the rights of individual data subjects. Writing on our blog last year in advance of the GDPR coming into effect, Rossa McMahon said:

The GDPR is rarely out of the news at the moment and many news stories, from Facebook and Cambridge Analytica to the alleged data breach at Independent News and Media, have a data protection aspect. Like the Millennium Bug preparations twenty years ago, organisations around much of the world are working feverishly to be ready for this new privacy law. A lot of the coverage therefore is aimed at businesses – but what does the GDPR mean for ordinary people?

The most significant change that the GDPR represents for individuals (known as data subjects in the law) is that the consequences for breach of data privacy rights have been strengthened. This has implications for regulatory investigations and complaints by the Data Protection Commission and for the rights of individuals to take personal action against organisations (data controllers) who breach their rights.

If you require advice or representation in relation to your rights under the GDPR or other privacy laws or in relation to a breach of them, please contact us.

Our experience

We have experience advising data subjects and data controllers about data protection law for many years before the GDPR was introduced, including:

  • general advice as to rights of individuals and obligations of organisations;
  • advising on and drafting contractual arrangements;
  • dealing with complaints to the Data Protection Commission;
  • acting for clients in court proceedings involving data protection;
  • drafting data protection & privacy notices;
  • drafting data protection website statements;
  • advising data protection professionals and data protection officers on their role, services and contractual arrangements.

Rossa McMahon has over 15 years’ experience in data protection and privacy law as well as experience in academic research on the topic. He served as an intern at the Electronic Privacy Information Centre (EPIC), an influential and respected privacy NGO in Washington DC which engages in the US legislative process, public interest litigation and government oversight. Rossa subsequently spent six years at two of the top five law firms in Ireland where his work included advising large and multinational business, government departments and state agencies on data protection.

Rossa regularly comments about privacy issues in the media (Irish Times, Limerick Leader, Irish ExaminerLive95 and others). He has delivered lectures about data protection at University College Cork and the Law Society of Ireland and has spoken about data protection at Trinity College Dublin. He was co-author of the Irish chapters of the Privacy International Global Surveillance Monitor (2011), the Electronic Privacy Information Center’s Privacy & Human Rights (2004) and Privacy Law Sourcebook (2002) and data protection and privacy chapters of the Law Society of Ireland Technology & IP Law Manual (2008).

Read more about data protection

Sample work

  • Acting for a pensioner whose pension was discontinued for failure to obtain a Public Services Card, resulting in the restoration of pension payments and arrears.
  • Acting for passport applicants who were refused passports for failure to obtain a Public Services Card.
  • Acting for victims of serious data breaches by financial institutions.
  • Acting for businesses in responding to and dealing with subject access requests made by data subjects.
  • Acting for data subjects in complaints to the Data Protection Commission.
  • Acting for employees in accessing personal data held by employers and former employers, including complaints to the Data Protection Commission.
  • Acting for data controllers in responding to ePrivacy Regulation/spam complaints to the Data Protection Commission.
  • Acting for data protection professionals and data protection officers in advising on and drafting service contracts.
  • Acting for a child benefit recipient who objected to excessive data collection by the Department of Employment Affairs and Social Protection, resulting in a favourable decision by the Data Protection Commission which led to the first ever High Court challenge brought against the DPC by a government department.
  • Acting for individuals affected by incorrect PULSE records.
  • Acting for adopted persons in obtaining personal information and records.
  • Acting for individuals in having personal information removed from public website posts, including on Facebook, Twitter and other platforms.
  • Acting for victims of “revenge pornography” who discovered intimate videos and photographs posted online without their knowledge.