+353 1 6722233
James Latham acquisition of Abbey Wood Agencies Ltd

James Latham acquisition of Abbey Wood Agencies Ltd

James Latham acquisition of Abbey Wood Agencies Ltd



Sarah Reynolds of Kane Tuohy acted for James Latham Plc. in its recent acquisition of Abbey Wood Agencies Limited (“Abbey Woods”).

James Latham Plc. is based in the UK and is a leading importer and distributor of wood based panel products, natural acrylic stone, door blanks, hardwoods, high grade softwoods, cladding, decking and plastics.

Abbey Woods is a leading timber merchant company in Ireland with depots in Dublin and Cork.

This is the first acquisition by James Latham Plc. outside of the UK since its inception over 200 years ago.







Fields marked with an * are required
New Commercial Court Practice Direction

New Commercial Court Practice Direction

New Commercial Court Practice Direction –

Data collection undertaking


A new Commercial Court Practice Direction was introduced on 12 April 2019.

A new Commercial Court practice direction – Practice Direction HC85 – Commercial list (PD HC 85) replaces Practice Direction HC50 of May, 2009. While PD HC85 reiterates the provisions of its predecessor, it adds a new requirement for solicitors, which is designed to assist the Court in data collection. In addition to the usual undertaking to use his/her best endeavours to ensure that the court’s directions will be complied with in full, the solicitor is required to undertake:

“that within 14 days of the conclusion of the case in the High Court, whether by agreement, discontinuance, strike out, dismiss or other court order, and whether before or after entry to the Commercial List, such solicitor will use his/her best endeavours to submit by electronic means to the Courts Service at commercialdata@courts.ie a Case Report in the format published in the High Court section on the Courts Service website www.courts.ie on the date of publication of this Practice Direction.”

The “Case Report” is in the form of an excel sheet. This includes an Explanatory Memorandum. The data sought is:

  • Commercial Court Case ID
  • Party seeking entry
  • Type of matter
  • Type of issuing proceedings
  • Value of Claim
  • Origin of Parties
  • Interim Motions
  • Date of fixing of trial hearing date
  • Trial date
  • Anticipated trial duration
  • Actual trial duration
  • Hearing end date
  • Date of judgment
  • Outcome
  • Costs
  • Follow-up
  • Enforcement action
  • Appeal lodged

Separate information is also sought for interim motions.

The Solicitor’s certificate seeking entry into the commercial list should also state the section(s) of O.63A r.(1) RSC under which the application is being made.

Source: The Law Society of Ireland





“He’s making a list, He’s checking it twice,
He’s gonna find out who’s naughty or nice,
Santa Claus is in contravention of the
General Data Protection Regulation (EU) 2016/679”

A collective sigh of relief was exhaled when the General Data Protection Regulation (“the GDPR”) came into force on 25th May last. However, for those impacted by the GDPR the challenge is only beginning, and 25th May 2018 only marked the start of GDPR compliance not the finish! Even the most benevolent of operators, such as Santa Claus, cannot escape the clutches of the GDPR.

Organisations are now operating in a new landscape of data control and management where the “new norm” requires a heightened awareness both amongst senior management and employees of their GDPR obligations with the implementation of stringent controls to appropriately process and manage personal data.

By now, organisations should be familiar with their GDPR obligations and should have implemented appropriate processes and procedures to comply with those obligations and ensure the appropriate management of personal data.
However, this is not the time for organisations to put their feet up and survey a “job well done” on implementing GDPR processes and controls. Vigilance and ongoing monitoring are critical to building a culture of understanding of, and compliance with, the GDPR.
Although the most stringent security measures can be put in place to prevent data protection breaches, human error can circumvent the best in class processes and is the main cause of data breaches in organisations, and the most difficult to prevent.
The consequences of failure to comply can be significant from both a reputational and financial perspective which can include the imposition of significant fines by the Data Protection Commission (“DPC”) and organisations may also be exposed to civil actions by data subjects.


  • The DPC has significant powers to ensure compliance with the GDPR and take enforcement action as required.
  • The DPC can impose fines on organisations for non-compliance up to €20 million or 4% of the total worldwide annual turnover of the controller or processor in the preceding financial year (whichever is higher).
  • The higher tier of fines may be imposed for infringements of obligations relating to the core data protection principles such as transparency and accountability, the processing of sensitive personal data and breaches of data subjects’ rights.
  • The lower tier of fines (up to the higher of €10 million or 2% of the total worldwide annual turnover of the controller or processor in the preceding financial year) may be imposed for infringements of obligations relating to obtaining a child’s consent, to the communication of a personal data breach to the supervisory authority or the data subject or to the designation, position and tasks of the data protection officers.

Article 83 of the GDPR sets out what the DPC must consider before imposing a fine which includes: –

1. Nature and type of infringement: Consider the number of people affected, the damage they have suffered, duration of infringement, and purpose of processing;
2. Intention Was the infringement intentional or negligent
3. Mitigating factors What actions have been taken to mitigate damage to data subjects
4. Preventative measures How much technical and organisational measures the organisation had previously implemented to prevent the non-compliance
5. Categories of personal data What types of data the infringement impacts (e.g. special categories of personal data)

The Court must approve the quantum of any fines and the affected organisations have the entitlement to appeal the imposition of fines by the DPC.

Since the 25th May 2018 (and as at 16th November 2018) the DPC has logged 3,111 data breach notifications. Of these, the GDPR applied in 2,734. The DPC has also logged 2,168 complaints, of which the GDPR applied in 1,321 cases. The DPC has received complaints and breach notifications that relate to issues that occurred both post and pre-GDPR (25th May) and the pre-GDPR cases are dealt with under the old Data Protection legislation.

On average, approximately 230 data breaches and 220 complaints were received per month last year (2017) and the increased figures since 25th May 2018 are indicative of the greater awareness and focus of organisations on their GDPR obligations.
We have yet to see how the DPC will exercise its powers and the parameters of any fines that issue but it is only a matter of time before we see the imposition of the first fines in Ireland for breaches of the GDPR.

The Data Protection Commissioner, Helen Dixon, speaking at the recent PDP Data Protection Conference in Dublin noted that the volume of complaints has been high since the GDPR came into effect and the DPC will prioritise the more important cases affecting the largest number of data subjects. To assist in the carrying out their statutory duties, staff in the DPC (which is currently at 117), is due to increase to 130 by the end of 2018.

As a sign of what may come to pass in this jurisdiction the Portuguese Data Protection Authority has issued two separate fines totalling €400,000 on a Portuguese hospital in July last for two breaches of the GDPR which related to the unauthorised access to patients’ clinical data. The first fine of €300,000 was issued for failing to respect patient confidentiality and limit access to patient data, and the second was issued for failing to ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services, was for €100,000.

Civil action

An impacted data subject can also take a civil claim for damages against an organisation (being either a data controller or processor) under Section 128 of the Data Protection Act 2018 without lodging a complaint with the DPC although it is likely that, in most cases, an aggrieved data subject will lodge a complaint in parallel to taking any civil action and will await the outcome of the DPC investigation prior to progressing any civil action.

Recently, more than 5,000 employees of Morrisons UK Supermarket claimed damages against their employer, including an allegation of breach of statutory duty under the UK Data Protection Act 1998 which predated GDPR implementation. This related to the malicious sharing (from his personal PC) by a disgruntled Morrisons’ employee of personal financial data of approximately 100,000 employees of Morrisons.

The UK High Court held that there was a sufficient connection between the position held by the disgruntled employee and his wrongful act as to make Morrisons vicariously liable. The Court of Appeal upheld the High Court’s decision.

This decision, although of persuasive authority only in this jurisdiction, will be of concern to employers where they may now find themselves liable for the wrongful actions of their employees and face liability from affected data subjects as a result of the malicious actions of their employees, even where the organisation is compliant with data protection laws

Corrective action and criminal prosecution

The DPC may direct corrective action under Article 58 of the GDPR requiring a non- compliant organisation, for example, to cease processing personal data, to comply with a data access request, and/or bring processing activities into compliance in a specified manner and within a specified time frame.

A non-compliant organisation (and a director, manager, secretary or other officer of that organisation) may also be convicted on indictment to a period of up to five years imprisonment (in addition to a fine) for failure to comply with the GPDR.


It is important for organisations to realise that 25th May 2018 represents the start of their GDPR obligations and not the end. Organisations should ensure that they regularly review their GDPR compliance processes to protect themselves against the reputational and financial risks of non-compliance, where even the best processes and controls can be impacted by human error. Organisations should put appropriate insurance is in place, where possible, to cover liability as well as implementing strong data security and protection measures and ensure appropriate staff training to protect themselves against such actions.
By taking the steps now to understand, evaluate and address current and future GDPR obligations, organisations will be best placed to deal with the various challenges that can come with the broad international scope of the GDPR.

PS: Of course, if Santa has the Data Subjects’ consent for his list, Christmas might be saved!

For further information on any of the issues raised in this article please contact

Sarah Reynolds  

Associate in Data Protection & Commercial Litigation,
Kane Tuohy Solicitors
Phone: 01-6722233
Email: sreynolds@kanetuohy.ie

Overview of The Mediation Act 2017

Overview of the Mediation Act 2017 (“the Act”) The Purpose of the Act The key policy objectives of the Mediation Act 2017 ("the Act") are to promote increased awareness and use of a particular alternative dispute resolution (“ADR”) mechanism known as...

Basic Legal Provisions in Ireland for Lease of Business Premises

Basic Legal Provisions in Ireland for Lease of Business Premises Legal Regulations in Ireland (excluding Northern Ireland) In relation to the basic legal provisions in Ireland for lease of business premises, in general terms the law of landlord and tenant...

Workplace Relations Commission one year on

THE WORKPLACE RELATIONS COMMISSION ONE YEAR ON The Workplace Relations Act 2015 (“the 2015 Act”) came into effect on the 1 October 2015. The 2015 Act transformed the manner in which employment and equality disputes are heard – it was one of the biggest...
A Brief Summary to the Planning and Development (Amendment) (No. 2) Regulations 2018 (S.I. No. 30 of 2018)

A Brief Summary to the Planning and Development (Amendment) (No. 2) Regulations 2018 (S.I. No. 30 of 2018)

A Brief Summary to the Planning and Development (Amendment) (No. 2) Regulations 2018 (S.I. No. 30 of 2018)

The Aim of the Regulations

The aim of the Planning and Development (Amendment) (No. 2) Regulations 2018 (S.I. No. 30 of 2018) (the “Regulations”) is to facilitate the re-use of existing and vacant commercial buildings for residential purposes by providing an exemption for the change of use, and any related works, of certain vacant commercial premises to residential use, without the need to obtain planning permission.

They form part of the Government’s action plan to increase much needed housing supply, maximise the use of vacant underutilised spaces and assist in the rejuvenation of inner-core urban areas.

When the Exemption applies

The exemption applies to existing buildings that have a current commercial use with reference to Classes 1, 2, 3, and 6 of Part 4 to Schedule 2 of the Planning and Development Regulations 2001 (S.I. No. 600 of 2001) (referred to in the Regulations as the “Principal Regulations”), the definition of which Classes are set out below:

  • Class 1: Use as a shop.
  • Class 2: Use for the provision of (a) financial services, (b) professional services (other than health or medical services), (c) any other services (including use as a betting office), where the services are provided principally to visiting members of the public.
  • Class 3: Use as an office, other than a use to which class 2 of this Part of this Schedule applies.
  • Class 6: Use as a residential club, a guest house or a hostel (other than a hostel where care is provided).


There are certain limitations on the nature and type of buildings that may benefit from the exemption, as follows:

  • The building must have been completed prior to the making of the Regulations (on 8 February 2018);
  • The building must have been used for one of the 4 classes of use referred to above at some time in the past;
  • The structure or part of the structure which is to be developed must have been vacant for 2 years or more immediately prior to the commencement of the development.

The change of use, and any related works, must occur between 8 February 2018 and 31 December 2021, so while the exempted development permitted is permanent in nature once the criteria are satisfied, the exemption can only be availed of during this period.

A number of other conditions and limitations apply, relating to works, the detail of which are set out more particularly at section 2 (Sub-Article (6)(d)) of the Regulations in the link below.

Notifying the Planning Authority

A developer must notify the Planning Authority in writing of the details of the development at least two weeks prior to the commencement of the proposed change of use and related works, and the notification shall include information on the location and number of residential units involved, including the unit sizes and number of bedrooms in each unit.

Compliance with the Building Regulations 1997 to 2017 must still be achieved, and Building Control procedures will still apply.


See relevant links below:

1. Planning and Development (Amendment) (No. 2) Regulations 2018 (S.I. No. 30 of 2018) 

2. Circular Letter PL 01/2018 issued by the Department of Housing, Planning and Local Government, on the Planning and Development (Amendment) (No. 2) Regulations 2018




Vicky Pigot – Senior Associate

5 June 2018