Mother and Baby Homes Project


Presentation 28.10.2020

Lydia F de la Torre, ‘What is “Convention 108”?’, June 2019

Gabriela Zanfir-Fortuna, ’10 Reasons Why the GDPR Is the Opposite of a ‘Notice and Consent’ Type of Law’, Future of Privacy Forum, September 2019

Chris Hoofnagle, Bart van der Sloot and Frederik Borgesius, ‘The European Union General Data Protection Regulation: What It Is And What It Means’, September 2018

‘If you mean Data Protection, don’t say Privacy’, FP Logue blog, January 2020


Clann Project

Home | Report [direct link to PDF]


Article 15 GDPRRight of Access by the data subject

Recital 63 GDPRRight of Access

Article 18 GDPRRight to restriction of processing 1The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: … (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

Article 23 GDPRRestrictions

Recital 158 GDPRProcessing for Archiving Purposes

Section 39 of Commissions of Investigation Act 2004

Section 198 of Data Protection Act 2018 – Amendment of section 39 of Commissions of Investigation Act 2004


Data Protection Commission, ‘Limiting Data Subject Rights and the Application of Article 23 of the GDPR Guidance Note’

“The essence of a fundamental right means that interference with the right should not be such that the right is in effect emptied of its basic content and the individual cannot exercise the right. In other words the limitation may not go so far as to completely reduce the right of its core elements and thus prevent the exercise of the right. If the essence of the right is adversely affected by the measure, then the restriction is likely to be unlawful. As such legislation not providing for any possibility for an individual to pursue legal remedies in order to uphold their data protection rights may not be permissible if it does not respect the essence of the fundamental right to effective protection. Similarly,a legal provision may prove unlawful if it fails to apply certain principles of data protection or inadequately addresses data security by not ensuring that appropriate technical and organisational measures are adopted against, for example accidental or unlawful destruction, accidental loss or alteration of the data.”

European Data Protection Board, ‘Statement on restrictions on data subject rights in connection to the state of emergency in Member States’, June 2020

“The processing of personal data should be designed to serve humankind and, within this context, one of the main objectives of data protection law is to enhance data subjects’ control over their data.”

European Data Protection Supervisor‘The EDPS quick-guide to necessity and proportionality’, January 2020

“Processing of personal data – be it collection, storage, use or disclosure – constitutes a limitation on the right to the protection of personal data and must comply with EU law. This requires ensuring that it is both necessary and proportional.”

Commentary & Reporting

Further Reading

Chris Hoofnagle, Bart van der Sloot and Frederik Borgesius, ‘The European Union General Data Protection Regulation: What It Is And What It Means’, September 2018

René Mahieu, Hadi Asghari and Michael van Eeten, ‘Collectively exercising the right of access: individual effort, societal effect’, July 2018

Jef Ausloos, René Mahieu and Michael Veale, ‘Getting Data Subject Rights Right’, November 2019

European Court of Human Rights, ‘Factsheet – Personal data protection (September 2020 edition)’, Access rights cases start on page 23