Data Protection Statement
This Data Protection Statement provides information about the ways in which the Data Protection Commission (‘the Commission’) collects, stores and uses personal data relating to individuals (data subjects). This Data Protection Statement relates to personal data received by the Commission where data subjects contact, or request information from, the Commission directly, and also personal data received by the Commission indirectly, and as set out below.
THE DATA PROTECTION COMMISSION
Who we are
The Commission was established by the Data Protection Acts 1988 to 2018 (‘the Acts’).
Under the EU General Data Protection Regulation (GDPR) and the Acts, the Commission is responsible for monitoring the application of the GDPR in order to protect the rights and freedoms of individuals in relation to the processing of personal data.
The Commission is also the supervisory authority with responsibility for monitoring the application of the Law Enforcement Directive (Directive (EU) 2016/680).
The tasks of the Commission include promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data; handling complaints lodged by data subjects or organisations; and cooperating with, which includes sharing information with, data protection authorities in other EU Member States.
Controller contact details
The Commission is the controller for the personal data it processes. You can contact the Commission in a number of ways, which are set out on the contact page of our website.
DPO contact details
In accordance with Article 37 of the GDPR, the Commission has appointed a Data Protection Officer. If you wish to contact our Data Protection Officer in relation to the processing of your personal data by the Commission, you can do so by e-mailing email@example.com.
DATA PROTECTION LEGISLATION
The Commission processes personal data in the context of its role in supervising and enforcing a number of legislative frameworks.
The GDPR came into force on 25 May 2018 and significantly changed data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations. The GDPR is designed to give individuals more control over their personal data. (A copy of the GDPR is available here).
The key principles relating to the processing of personal data under the GDPR are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (Article 5 of the GDPR).
Although the GDPR is directly applicable as a law in all Member States, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018 (‘the 2018 Act’). (A copy of the 2018 Act is available here).
The Law Enforcement Directive
The Law Enforcement Directive (Directive (EU) 2016/680) is a piece of EU legislation, parallel to the GDPR, which also took effect from May 2018. The Law Enforcement Directive (‘LED’) deals with the processing of personal data by data controllers where the processing is for ‘law enforcement purposes’, which fall outside the scope of the GDPR.
As a Directive, the LED requires transposition into Irish law to take effect. The LED is transposed into Irish law by the 2018 Act, primarily in Part 5 of that Act.
Pursuant to Section 11 of the 2018 Act, the Commission is the supervisory authority for both the GDPR and the LED.
The Commission is also responsible for monitoring and enforcing compliance with the E-Privacy Regulations (S.I. No. 336 of 2011 - the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011). The E-Privacy Regulations relate to the processing of personal data in the context of certain electronic communications. From 25 May 2018, processing of personal data in this context (including, amongst other things, unsolicited electronic communications made by phone, e-mail, and SMS) is subject to both the general laws set out in the GDPR and the specific laws set out in the E-Privacy Regulations.
Further information about the legislative frameworks which the Commission supervises and enforces can be found here.
PROCESSING OF PERSONAL DATA BY THE COMMISSION
The Commission processes personal data for a number of different purposes, which arise from its statutory powers, functions and duties.
The Commission’s statutory powers, functions and duties derive from the data protection legislation set out above, and include the following:
- Handling complaints from individuals in relation to potential infringements of data protection law;
- Conducting inquiries and investigations regarding infringements of data protection legislation;
- Taking enforcement action, where necessary;
- Taking prosecution action, where necessary;
- Promoting awareness amongst members of the public of their rights to have their personal information protected under data protection law;
- Driving improved awareness and compliance with data protection legislation by data controllers and processors through the publication of high-quality guidance, and through proactive engagement with public and private sector organisations;
- Through consultation with organisations, assisting in identifying risks to personal data protection and offering guidance in relation to best practice methods to mitigate against those risks; and
- Cooperating with (which includes sharing information with) other data protection authorities, and acting as Lead Supervisory Authority at EU level for organisations that have their main EU establishment in Ireland.
Some examples of the purposes for which the Commission may collect personal data in accordance with its functions are:
- Complaint handling - including personal data received from a data subject directly (or through his or her legal representatives) where the data subject makes a complaint to the Commission; personal data relating to a data subject received by the Commission from an organisation about which the Commission has received a complaint; and personal data relating to a data subject received by the Commission from a complainant.
- Inquiries and investigations - including personal data received from data subjects directly; and personal data received from an organisation, which is the subject of an inquiry or investigation. This will also include personal data received by the Commission in its role as a ‘competent authority’ under Part 5 of the 2018 Act (‘Processing of Personal Data for Law Enforcement Purposes’).
- Breach notifications – including personal data contained in breach notifications to the Commission;
- Queries and concerns – including personal data received from individuals who have raised queries or concerns with the Commission;
- Service providers and suppliers – including personal data obtained from service providers or suppliers engaged by the Commission;
- Job applications – including personal data received from persons applying for roles within the Commission; and
- Conferences and events – including personal data relating to attendees at conferences and events organised by the Commission.
WHAT PERSONAL DATA DOES THE COMMISSION PROCESS?
As set out above, the Commission processes personal data. This includes, as set out above, personal data received by the Commission where data subjects contact, or request information from, the Commission directly, and personal data received by the Commission indirectly.
The personal data that we process includes (i) basic personal information, such as a data subject’s name / surname; date of birth; the company or organisation a data subject works for; (ii) contact information, such as a data subject’s postal address, email address and phone number(s); and (iii) any other personal data that is provided to the Commission during the course of the performance of its functions.
Special category data
The Commission also processes special category data. This includes, as set out above, special category data received by the Commission where data subjects contact, or request information from, the Commission directly, and special category data received by the Commission indirectly. Such special category data may include personal data relating to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person's sex life or sexual orientation.
Data relating to criminal convictions and offences
In the course of performing its functions, the Commission also occasionally processes personal data relating to criminal convictions and offences. This includes, as set out above, personal data relating to criminal convictions and offences where data subjects contact, or request information from, the Commission directly, and personal data relating to criminal convictions and offences received by the Commission indirectly.
HOW DOES THE COMMISSION COLLECT PERSONAL DATA?
PHONE CALLS TO THE COMMISSION:
The Commission does not audio record or retain audio recordings of phone conversations.
Where an individual contacts the Commission by phone, caller numbers are automatically stored on the recipient phone in the Commission for a limited period of time in a list of inbound and outbound calls, but no further processing of this data (caller numbers) is carried out by the Commission.
During the course of dealing with a query, complaint or other matter, the Commission may record personal data received by it during the course of phone calls in the form of notes made on the relevant case file.
All emails sent to the Commission are recorded, forwarded to the relevant section of the Commission and are stored for the purposes of the matter/case file to which the email relates. The sender’s email address will remain visible to all staff tasked with dealing with the query.
Please be aware that it is the sender’s responsibility to ensure that the content of their emails does not infringe the law. Unsolicited unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
All post received by the Commission is scanned, forwarded to the relevant section of the Commission and stored for the purpose of the matter to which the post item relates. Original hard copy versions of post items are retained for a period of six weeks and are then confidentially destroyed thereafter.
In addition to the scanned version of post items retained by the relevant section of the Commission, a master scanned copy of all post received is retained for a period of 12 months.
The Commission also receives personal data through its social media interactions on Twitter, LinkedIn and Instagram. The Commission operates social media accounts on these platforms in support of its functions (under Article 57, GDPR) to promote awareness of, and compliance, with data protection legislation. Messages or posts received by the Commission on these social media platforms are viewed by the Commission but the personal data contained in the messages/posts is not logged or stored other than on the relevant social medial platform, and no further processing of such personal data is carried out by the Commission.
We operate closed-circuit television at our Portarlington and Dublin offices.
At our Dublin Office located at 21 Fitzwilliam Square South, Dublin 2, we have CCTV cameras located outside the building to the front and rear points of entry/exit.
At our Portarlington Office, located at Canal House, Station Road, Portarlington, Co. Laois, we have CCTV cameras located outside the building at the front and side entrances to the building.
The purpose for our processing of personal data collected by the CCTV in operation at our offices, as detailed above, is for security and safety. The legal basis of the processing is Article 6(1)(f),GDPR, which allows us to process personal data on the basis that it is necessary for the Commission’s legitimate interests. CCTV footage is retained by the Commission for a period of 14 days.
WHAT IS THE LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA BY THE COMMISSION?
The legal basis for the processing of personal data by the Commission will depend on the legislative framework that applies and the purpose for which the processing is being carried out.
Under the GDPR, the tasks which the Commission, as the supervisory authority, is responsible for carrying out are, inter alia, set out in Article 57.
Where the Commission is processing personal data for the purpose of the performance of its functions, the primary legal bases under the GDPR are:
(i) where the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR);
(ii) where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR);
Other applicable legal bases under the GDPR which may apply to processing carried out by the Commission include:
(iii) where the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) GDPR). (An example of where this legal basis may apply is where the Commission collects personal data for inclusion in contact lists arising from contact with media practitioners (journalists, PR representatives) and at conferences or events;
(iv) where the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR). (An example of where this legal basis may apply is in the case of the Commission’s engagement with third party service providers); and
(v) where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6(1)(f) GDPR). Article 6(1)(f) will only apply to processing by the Commission that is not carried out in the performance of its tasks.
Law Enforcement Directive (‘LED’)
The LED deals with the processing of personal data for ‘law enforcement purposes’ by data controllers which fall within the definition of being a ‘competent authority’ for the purposes of the LED, as transposed into Irish law by, inter alia, Part 5 of the 2018 Act.
Section 70 of the 2018 Act defines the scope of processing of personal data which falls within that part of the Act. It states that Part 5 of the Act applies to processing of personal data carried out “for the purposes of (i) the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of threats to public security, or (ii) the execution of criminal penalties…”
The term ‘competent authority’ is defined in Section 69 of the Data Protection Act 2018 as being, inter alia, “a public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security”.
For certain processing activities which it carries out, the Commission is a ‘competent authority’ for the purposes of Part 5 of the 2018 Act.
In terms of the legal basis for processing of personal data by the Commission as a ‘competent authority’, Section 71(2) of the 2018 Act provides that the processing of personal data (for the purposes of the LED) shall be lawful where, and to the extent that:
(a) it is necessary for the performance of a function of a controller for one of the purposes specified in Section 70 (as referred to above); or
(b) the data subject has, subject to certain requirements set out in Section 71(3), given his or her consent to the processing.
WHO ARE THE RECIPIENTS OF PERSONAL DATA PROCESSED BY THE COMMISSION?
Disclosure to third parties
Personal data collected by the Commission is held confidentially and is not shared by the Commission with any third parties, with the following exceptions:
- Where the sharing of the personal data is necessary for the performance by the Commission of its functions. This may arise, for example, in the context of complaints handling, where the Commission will usually disclose the complainant’s identity and the subject matter of the complaint to the data controller or processor against whom the complaint is made. This is required both for practicality (because without disclosing the identity of the complainant in this manner, it will likely be impossible for the Commission to investigate the complaint) as well as to ensure procedural fairness.
- In the case of cross border processing or for the purpose of co-operation with other supervisory authorities. In certain circumstances, the Commission must cooperate with and assist other supervisory authorities in the EEA in handing complaints and investigations. This may arise, for example, where the matter involves cross border processing or where the data protection supervisory authority of another EU Member State acts as the lead regulator in a complaint or investigation. In such circumstances, in accordance with the law, we may share some or all of the content of the Commission’s file with relevant supervisory authorities in other EU Member States and with the European Data Protection Board, which may have a role to play in the handling of the matter under the cooperation and consistency mechanisms of the GDPR.
- For the purpose of legal proceedings. In the event that the matter or complaint in question is brought before the Courts (whether the Irish Courts, the Court in the Member State of any other data protection supervisory authority or the Court of Justice of the EU), the materials, including any information, documents or submissions provided by an individual, may be made public in open court.
- In the case of service providers or suppliers to the Commission. The Commission uses data processors to provide certain services to the Commission. The Commission requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing the service, in accordance with the requirements set out at Article 28(3) of the GDPR.
Publication of information
Will we publish details of complainants?
We gather and publish case studies and statistical information on the number and type of cases we process, but this information is usually anonymised and does not identify any individual.
Will we publish particulars of enforcement actions?
The Acts provide that the Commission must publish particulars of:
- Any conviction of a person for a contravention of the GDPR or the Acts;
- Any administrative fine imposed;
- The suspension of data transfers to a recipient in a third country or to an international organisation; or
- An order made by the High Court for the suspension, restriction or prohibition of processing of personal data or the transfer of personal data to a recipient in a third country or to an international organisation.
Further, the Acts provide that the Commission may also publish:
- The particulars of the exercise by it of its corrective powers, apart from those listed above, conferred on the Commission by the Acts or the GDPR; or
- If it considers it to be in the public interest to do so, the particulars of any report by the Commission of any investigation or audit carried out, or other function performed, or any other matter relating to or arising in the course of such an investigation, audit, or performance.
What happens in cases of enforcement under the e-Privacy Regulations?
When we take prosecution action under the e-Privacy Regulations, personal data contained in materials, including any information, documents or submissions, received by the Commission in the context of the complaint and/or prosecution proceedings, may be made public in open court.
We may publish the identity of the defendant in our Annual Report or elsewhere. We will not publish details of the complainant, unless the information is already in the public domain or the complainant consents to the publication of their identity in such contexts.
HOW LONG DOES THE COMMISSION RETAIN PERSONAL DATA?
The retention periods for personal data held by the Commission are based on the requirements of the data protection legislation set out above at Section 2 of this Data Protection Statement and on the purpose for which the personal data is collected and processed. For example, in the case of complaints, the Commission will retain personal data (as contained on its case file) for as long as is necessary for the handling of the complaint and for any subsequent action that is required.
The retention periods applied by the Commission to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.
YOUR DATA PROTECTION RIGHTS
Under data protection law, data subjects have certain rights.
Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by the Commission.
The data subject rights are:
- The right to be informed about the processing of your personal data;
- The right to access your personal data;
- The right to rectification of your personal data;
- The right to erasure of your personal data;
- The right to data portability;
- The right to object to processing of your personal data;
- The right to restrict processing of your personal data;
- Rights in relation to automated decision making, including profiling.
Restriction of data subject rights in certain circumstances
Article 23 of the GDPR allows for data subject rights to be restricted in certain circumstances. In addition, the 2018 Act contains certain provisions dealing with the restriction of rights of data subjects, in particular Sections 59, 60 and 61, which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the Data Protection Act 2018 is available here.
Personal data kept by the Commission for the performance of its functions
Section 60 of the 2018 Act provides for restrictions on the obligations of controllers and on the rights of data subjects for important objectives of general public interest. One of the restrictions in Section 60, that at Section 60(3)(c)(i), applies to personal data that is processed by the Commission for the performance of its functions.
Section 60(3)(c)(i) provides that where personal data is kept by the Commission for the performance of its functions, the rights of data subjects, and the obligations of the Commission as a data controller, provided for in Articles 12 to 22, Article 34 (which relates to communicating personal data breaches to data subjects) and Article 5, GDPR (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22) are restricted.
This means, for example, that your right of access under Article 15, GDPR, will not apply where your personal data is kept by the Commission for the performance of its functions. However, upon receipt of a request by a data subject seeking to exercise his or her rights, the Commission will consider the application of the restriction under Section 60(3)(c)(i) and will review all relevant personal data relating to the data subject who has made the request in order to establish whether any or all of the personal data is kept by the Commission for the performance of its functions such that the restriction at Section 60(3)(c)(i) applies.
If you require further information in relation to your data subjects rights regarding your personal data that is held by the Commission, or in relation to the restriction at Section 60(3)(c)(i), you can contact our Data Protection Officer (DPO) at firstname.lastname@example.org
YOUR RIGHT TO COMPLAIN
If you have any concerns in relation to the manner in which we process your personal data, you can contact us on email@example.com.
If you are dissatisfied with how we process your personal data, you have the right to complain to the Commission as the Irish supervisory authority. Complaints about the Commission are dealt with in the same way as the Commission deals with complaints about other organisations. General guidance as to how the Commission handles complaints can be accessed here.
CHANGES TO OUR DATA PROTECTION STATEMENT
This Data Protection Statement is kept under regular review and is therefore subject to change.
If you have any comments or queries in relation to this Data Protection Statement, please forward same to our DPO on firstname.lastname@example.org.