ePrivacy meaning

The EU General Data Protection Regulation (EU GDPR) sets out several rights for data subjects, including the right to access their personal data, and rights to rectification, erasure, restriction of processing and data portability. Data subjects may ask an organisation to exercise one or more of these rights at any time, and strict deadlines apply to meeting such requests. For comprehensive guidance on managing data subject access requests, see Practice Note: Ireland-How to handle data subject access requests. This Flowchart outlines a process for dealing with data subject requests made under the EU GDPR. It reflects the Regulation’s requirements alongside guidance issued by the Data Protection Commissioner (DPC), and should be read with Practice Note: Ireland-How to handle data subject access requests and Ireland-Evaluating a data subject access request-flowchart, where relevant. Note 1-data subject requests The EU GDPR grants data subjects a number of rights, including: a right of access to their personal data rights to rectification, erasure and restriction of processing a...

On 19 November 2025, the Commission unveiled its Digital Omnibus proposal. It comprises two principal strands: one delivering ‘quick fixes’ to pain points in Regulation (EU) 2024/1689, the EU AI Act, and another, more intricate, amending the data acquis, most notably Regulation (EU) 2016/679, the EU General Data Protection Regulation (EU GDPR), Directive 2022/58/EC, the ePrivacy Directive, and Regulation (EU) 2023/2854, the EU Data Act. The headline items are delays to the high-risk AI rules under the EU AI Act, and a fresh EU GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (with safeguards). There is much to absorb—just as we get to grips with the new regime, changes are proposed, some bound to be disputed while others will be seen as eminently sensible. Here we outline the key points. EU GDPR The EU’s flagship legislation, the EU GDPR, is poised for its first substantial overhaul, with several significant amendments on the table...

MLex was informed by the Data Protection Commission that it has written to DeepSeek seeking details about how it processes data relating to individuals in Ireland. The watchdog declined to add anything more for now. Ordinarily, the DPC acts as the principal data regulator handling privacy issues involving major technology companies in the EU, since many base their European headquarters there. However, DeepSeek’s operators lack an EU establishment, so any member state authority is able to open a probe into issues impacting its own jurisdiction directly too...

Find the statement below. The agreement is enclosed. Today, the DPC has executed a Cooperation Agreement with Coimisiún na Meán. In addition, the DPC and Coimisiún na Meán have released a joint statement, in which both regulators emphasise their dedication to enhancing child safety and safeguarding children’s personal data online. Cooperation agreement Both the DPC and Coimisiún na Meán reaffirm their intent to build an effective working partnership, by nurturing a culture of cooperation and collaboration across both organisations...

Data security sits at the heart of the EU General Data Protection Regulation (EU GDPR). The sixth data protection principle—integrity and confidentiality—requires you to adopt suitable technical and organisational measures so that personal data is processed with appropriate security, including: protection against unauthorised or unlawful processing accidental loss, destruction, or damage This Practice Note reflects Data Protection Commission (DPC) guidance on personal data breaches under the EU GDPR, and also draws on guidance from the European Data Protection Board (EDPB). Data security requirements Article 32 puts practical detail behind the GDPR’s integrity and confidentiality principle. You must implement appropriate technical and organisational measures to achieve a level of security proportionate to the risk, taking into account: the nature, scope, context, and purpose of processing the risk of varying likelihood and severity for the rights and freedoms of data subjects Where appropriate, your security measures should include: the pseudonymisation and encryption of...

STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, transforming into the Data (Use and Access) Act 2025 (DUAA 2025) and taking partial effect on that same date. Provisions of DUAA 2025 dealing with issues such as handling data subject access requests, and granting the power to make further regulations, commenced immediately on 19 June 2025. Other elements, relating to notices issued by the Information Commissioner and certain facets of law enforcement processing, began to apply on 19 August 2025 (being two months from the date of Royal Assent). The bulk of DUAA 2025’s measures will only commence once additional regulations, by way of statutory instruments, are made and brought into force. Parts 5 and 6 of DUAA 2025 operate to revise and update areas of UK data protection and ePrivacy law within the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations...

This Practice Note This Practice Note explores the use of non-contractual mechanisms by software suppliers to halt or restrict the operation of on-premise software in business-to-business licences, the resulting legal considerations, and the real-world impact on drafting relevant software licences. It introduces a range of disabling tools: Time bombs Logic bombs Back door/trap door Fork locks Remote control and switching off, or ‘deprovisioning’ Where a customer breaches licence terms, or fails to pay licence or support charges, the supplier can pursue legal action. Yet litigation brings expense and uncertainty, and may strain the customer–supplier relationship. As a result, a supplier may favour a more immediate, practical approach: deploying disabling devices to stop the software from running, triggered remotely or automatically by the supplier. For most developers, such features are straightforward to create and embed. Activating (or threatening to activate) these tools can give the supplier significant leverage over customers, especially where the software is critical to the business. That...

This Precedent sets out a broad template for a website privacy policy, informing data subjects about how a site operator gathers personal data, the lawful grounds for processing, subsequent uses and potential recipients. It has been prepared to meet the EU GDPR’s information and transparency obligations, taking account of guidance from the European Data Protection Board (EDPB). The website privacy policy sits within a wider collection covering website terms of use, e‑commerce, privacy and cookies. Where cookies or similar tools are deployed, a distinct cookie policy is required. See Precedent: Ireland—Cookie policy. EU GDPR and UK GDPR Designed for commercial organisations established in Ireland, this Precedent reflects EU GDPR requirements. It also offers optional clauses for Irish organisations that maintain a UK establishment and/or provide goods or services to, or monitor the behaviour of, people in the UK, bringing them within the scope of equivalent UK data protection laws. The UK GDPR and EU GDPR regimes are largely consistent...

STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, transforming into the Data (Use and Access) Act 2025 (DUAA 2025), with partial commencement on that very same day. A number of DUAA 2025 provisions, covering areas like handling data subject access requests and granting powers to make additional regulations, took effect immediately on 19 June 2025. Other related provisions, relating to Information Commissioner notices and certain aspects of law enforcement processing, commenced on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s measures still require further regulations, in the form of statutory instruments, to be made in order to bring them fully into force. Parts 5 and 6 of DUAA 2025 serve to amend several facets of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI...

FORTHCOMING CHANGE On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, thereby transforming into the Data (Use and Access) Act 2025 (DUAA 2025) and taking partial effect immediately on that same day. Parts 5 and 6 modify elements of UK data protection and ePrivacy law across the domestic framework, expressly covering the United Kingdom General Data Protection Regulation, the Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, as relevant measures. Some DUAA 2025 measures, addressing issues like handling data subject access requests and granting authority to make further regulations, also commenced straightaway on 19 June 2025 without delay. Other elements, relating to notices from the Information Commissioner and certain facets of law enforcement processing, take effect on 19 August 2025 (two months after Royal Assent was given). Most DUAA 2025 provisions depend on subsequent regulations (as statutory instruments) being made before they commence and, until then, remain dormant...