Schools often take photographs or hire photographers to attend school-related events to capture important occasions. Again, there are six legal bases for processing personal data under the General Data Protection Regulation (GDPR), and schools must ensure they can rely on one of these legal bases before they can process the personal data.

The lawful basis to seek a Personal Public Service Number (PPSN) is provided for under Article 6(1)(c) and (e) of the General Data Protection Regulation (GDPR) where legislation has been enacted under Regulations under S.I. No. 136 of 2008 entitled Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008.

Data controllers are obliged to process personal data in accordance with the storage limitation principle, meaning that personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner.

The main function of Freedom of Information (FOI) is to enable the public have access to information used, produced or held by public bodies.

The Data Protection Commissioner has a broad range of powers to enforce the data protection rights of individuals and to monitor compliance with data protection obligations of data controllers and data processors.

The General Data Protection Regulation (GDPR) does not apply to the personal data of deceased persons. Therefore, if the issue relates to the personal data of a deceased individual, the DPC will not be in a position to progress this matter for you on your behalf as it falls outside data protection law.

Data protection law does not apply to the processing of personal data where the personal data is kept by an individual and is concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes (Article 2(2)(c) of the General Data Protection Regulation (GDPR)).

Excessive information is information/personal data that is not required for the purpose of processing. Any data controller that requests information/personal data from a data subject should be able to justify the reasons for seeking each piece of personal data.

A data controller is the individual or the legal person (for example a company or public authority) which determines the purposes and means of the processing of personal data; in other words, the controller makes material decisions relating to the processing of personal data, such as determining the purposes for which personal data is collected, stored, used, altered and disclosed.

Unfortunately, it is a myth that data controllers must get consent for ALL purposes of processing and this has led to the confusion and distress of a large number of data subjects.