Page 74 - EQA Employee Handbook Feb 2020 v1
Where it is not possible to provide all relevant information at the time of initial notification, EQA
(Ireland) shall communicate the same to the Data Protection Commissioner and shall endeavour to
provide all necessary information in phases without undue further delay.
Where the data subject is to be notified, the communication shall be in clear and plain language and
shall, at least:
• Describe the nature of the personal data breach;
• Communicate the name and contact details of the contact point where more information can
be obtained;
• Describe the likely consequences of the personal data breach;
• Describe the measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its possible adverse
effects.
While completing the ‘Data Breach Risk Assessment Form’, EQA (Ireland) senior management shall
determine if further investigation is required towards identifying opportunities for improvement in its
data protection management, including staff training and the adequacy of security measures.
Records of data breaches shall be retained at the following server location:
\\SERVER\Administration\Data Protection Act\Data Breaches
7.8 Data Protection Impact Assessments
To ensure the appropriate management of the process of triggering and carrying out Data
Protection Impact Assessments, EQA (Ireland) refers to the relevant Guidelines on Data Protection Impact
Assessment as adopted by the Article 29 Data Protection Working Party.
When carrying out a Data Protection Impact Assessment, EQA (Ireland) shall make appropriate reference
to the ‘Data Protection Impact Assessment Form’, as well as Appendices 2 and 3 to this policy.
Where data processing (existing or prospective) is likely to result in a high risk to the rights and freedoms of
natural persons, a Data Protection Impact Assessment shall be carried out. In evaluating the likelihood of a
high risk, the following criteria should be considered:
• Evaluation or scoring, including profiling and predicting, especially from aspects concerning
the data subject’s performance at work, economic situation, health, personal preferences or
interests, reliability or behaviour, location, or movements;
• Automated decision-making with legal or similar significant effect;
• Systematic monitoring, such as the systematic monitoring of a publicly accessible area;
• Sensitive personal data or personal data of a highly personal nature, as well as personal data
relating to criminal convictions or offences;
• Personal data processed on a large scale, where a large scale is determined based on…
• Matching or combining datasets;
• Data concerning vulnerable data subjects, where the individual data subjects may be unable
to easily consent to or oppose the processing of their personal data, or otherwise exercise
their rights;
• Innovative use or applying new technological or organisational solutions;
• Processing that in itself prevents data subjects from exercising a right or using a
service or a contract.
Where any of the above criteria are met, but EQA (Ireland) does not consider the processing likely to result in a high risk,
Page 73 of 85