Eoin Cannon BL

Data Protection Consultant

About Eoin

Eoin is a practising barrister-at-law as well as being a valued member of the Castlebridge advisory team. He is an accomplished legal researcher and advocate with experience in both the private and public sector.

Eoin works with a range of Castlebridge clients on advisory projects, training delivery, and providing ClouDPO outsource Data Protection Officer services.

He is a regular contributor to legal journals and publications on data protection and other topics. He is also a frequent presenter at conferences and events in person and on-line.


  • Diploma in Legal Studies, King's Inns
  • Advanced Diploma in Employment Law, King's Inns
  • Certificate in Data Protection Law and Practice, Law Society of Ireland
  • QQI Level 6 Accredited Trainer

Blog Posts by Eoin

The new Standard Contractual Clauses ‘SCCs’ are well embedded by now, or at least they should be, boys and girls, and for those of you who have been implementing this contractual piece properly, well done to you. For those who have not, well then you are very bold indeed, and I’m assuming you have not done your Transfer Impact Assessment ‘TIA’ either. Brat!

The key aspect which these clauses have brought for those who wish to

Aha the year and what a wonderful year it was. The garden is neat, all the hedges carefully cut, with not a speck of dirt to be found in the yard either. So much time has been spent outside one could wonder has there been any time allocated for all that industriousness which Castlebridge specialises in? Probably not, but sure let us look back on our diary anyway in order to see what we have

New EDPB guidelines on controllers/processors/joint-controllers
The terminology gets thrown around quite a bit. The point is always missed. It is seen as a contractual thing, with the onus put on the defensible position from the start. Conversations start with ‘Well we are a processor because x, y & z, so blah, blah, blah…..’ and one could sit back and take it for what it is. But when really delving in there, or maybe not, just asking the

At Castlebridge we work with organisations in projecting the future consequences of their uses of data. A lot of the time this comes in the form of a DPIA ‘Data Protection Impact Assessment’, which organisations are obliged to undertake in certain situations under GDPR. The nucleus of the idea is to analyse the environment in order to mitigate against any unintended consequences before they arise rather than as they arise. This of course can apply

If you do, then you will be surprised to know that a recent judgement handed down by the European Court of Justice is of direct interest to your business. I’ll bet you didn’t think that would happen when you woke up this morning. But it’s true.

The Judgement is generally known as the ‘Fashion ID’ judgement as it relates to a German company called Fashion ID who had a Facebook ‘like’ button embedded on their website.

I read the news today oh boy! BA got told they’ll have a fine to pay.
Willie Walsh is ragin’. A fine of how much? Damn you ICO.
The strange thing about this is that what we are dealing with at present is just a ‘proposed’ fine. The very direct impatient man in me thinks that this is such a waste of time. Why not just get the job done and fine them….? The more rational patient

Last week we dealt with outlining the basics of a Data Subject Access Request (DSAR) and the data which may be considered ‘personal’ in this context (see Part 01). This week we deal with the second stage of responding to the request: redaction, minimisation and agreeing the scope.
While we will not go through all the exemptions which may be applied to a DSAR reply here in any great detail, there are a number of key

Here is Part 1 of our two-part guide to dealing with Data Subject Access Requests (DSAR). While much of what is outlined will apply to responding to all requests, the main focus is receiving a request in an employment context. Part 1 outlines the general guidance on what to consider in the context of receiving the request. Part 2 deals with redaction, minimisation and agreeing the scope.

Data Subject Access Requests are a feature of data

Take your mind back to May 2018 and you are at a training event. The presenter has outlined all the boring rules that you are going to have to follow and has now arrived at the part where it must be impressed on the audience how important it is to actually follow them. But you have heard this before in the last 12 months many times. Over and over it has been repeated. Once you

The starting gun has been fired for the campaigning in the forthcoming EU elections which are to be held in May. Macron has espoused the need to renew, and the leader of liberal MEPs has stated that they represent a last chance to fight populism. What will the trends be in relation to social media and their use of personal data in these elections? Will the vote be swung by chatbots in dating apps?

An increasing feature of recent