Q&As

What General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 issues arise when instructing a third party expert in criminal proceedings? What practical steps should instructing solicitors take to ensure they comply with GDPR?

read titleRead full title
Produced in partnership with Professor Dan Hyde of Harrison Clark Rickerbys
Published on LexisPSL on 29/08/2018

The following Corporate Crime Q&A produced in partnership with Professor Dan Hyde of Harrison Clark Rickerbys provides comprehensive and up to date legal information covering:

  • What General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 issues arise when instructing a third party expert in criminal proceedings? What practical steps should instructing solicitors take to ensure they comply with GDPR?

There will be situations where a third party expert may need to be instructed by lawyers acting on behalf of a client. This could be an expert in the traditional sense, such as a handwriting or other forensic expert, counsel, accountant or any other third party to whom the information is being transferred. When instructing any third party, regardless of the stage reached, the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 will be engaged and a number of issues will arise. This will apply to both investigations and proceedings and to any third party as the GDPR will apply regardless of the circumstances or the stage reached and there are no exemptions within the GDPR that will remove or reduce the obligations on the parties as set out below.

The primary question to be answered will be whether the third party who is to be instructed constitutes a processor or controller as defined by the regulations. In most situations, the instructing firm will be the data controller as it is the data controller that exercises ultimate control over the use and purpose of the personal information, that has the legitimate lawful bases for data collection and which makes all the key overarching decisions such as the length of storage, deletion, transfer, disclosure and so on. These big picture decisions fall to the data controller.

Popular documents