Data Protection Statement

Last Updated - August 2023

• Who we are.
• What we do.
• How to contact us.
• What personal data we handle.
• What we do with your data.
• Does the DPC provide information to the National Archives?
• What we do not do with your personal data.
• How long do we keep your data?
• When do we transfer your data to third countries?
• Who we share your data with.
• Your rights on your data.
• Implications of not providing full and factual information to the DPC.
• How to make a complaint.
• Changes to this statement.
• Questions or feedback?

Who we are

The Data Protection Commission (alternatively “the DPC” “we” “us” or “our”) is the national independent authority responsible for upholding the fundamental right of individuals in the European Union (‘EU’) to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (‘GDPR’), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive (‘LED’).The statutory powers, duties and functions of the DPC are as established under the Data Protection Act 2018 (the ‘2018 Act’), which gives further effect to the GDPR, and also gives effect to the LED.

What we do

Where the DPC processes certain information relating to you, such as your name, date of birth, email address, phone number, address, physical characteristics, or location data  (‘personal data’), we are responsible for the protection of such data as “data controller”. (see “Data Protection: the Basics”). Data protection law requires us to provide you with the information contained in this statement to outline what we do, or may do, with your personal data.

If you are an employee or contractor of the DPC, please refer to our internal policy, as this statement is of a general nature and is directed at the wide variety of data subjects who may interact with the DPC.

How to contact us

The DPC is based at 21 Fitzwilliam Square South, Dublin 2 (D02RD28) and Canal House, Station Road, Portarlington, Co. Laois (R32AP23) (Click on the Eircodes to locate us on the map). You can contact the DPC for any queries about our processing of your personal data in our capacity as data controller using our contact details:

• by email at dpo@dataprotection.ie

• by webform  https://forms.dataprotection.ie/contact

• by post addressed to our Dublin office as follows: The Data Protection Commission (c/o Data Protection Officer), 21 Fitzwilliam Square South, Dublin 2, D02 RD28 Ireland.

In order to ensure a timely reply to your query we recommend that you contact our Data Protection Officer (’DPO’). The DPO is an independent person within the DPC who is specifically entrusted with the task of receiving any such queries about our processing of your personal data.  

What personal data we handle

Personal Data provided by you to the DPC

We handle the personal data that you provide to us when you lodge a complaint, submit a request, or simply visit our website. This includes when you do so through a representative, for example through a solicitor or other authorised person. This also includes when you complete a web form, send us an email, exchange information on a phone call with us or allow our website to store cookies (for further detail  on our cookies policy, please see Cookie policy ).

Personal Data not provided by you

The DPC also handles personal data not collected from you. If you have lodged a complaint against a data controller, we may receive personal data related to your complaint from the data controller you have complained about when corresponding with them about your complaint. If you are someone who has made a complaint or someone who has had a complaint made against them, and your personal data (such as your contact details) are already stored in our systems in accordance with our retention policies, we may use that personal data in the context of your request.  If you are an individual, other than the person who has made a complaint or requested information, your personal data may be processed in the context of our enforcement activities (for example in the context of an investigation).

The personal data that the DPC handles includes or refers to the personal data the subject of your complaint, query or request, or refers to the complaint made about you, the content of which will depend on the circumstances of your case. The DPC handles any information falling under the legal definition of personal data, including special category data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation and data related to criminal convictions and offences).

Personal Data processed for other functional purposes

We also process personal data not specifically to exercise the DPC’s functions established by law but for other functional purposes. This personal data could include contact details and job application details received from applicants applying  for roles within the DPC; personal data processed when operating our closed-circuit television (CCTV) systems at our Portarlington and Dublin offices; the personal data of visitors to the DPC or people attending our events; the personal data of visitors to the DPC’s website who go through the material of the website and may need to allow cookies in order to use the service; and the personal data of our followers or social media users that leave comments or reactions to our posts on Twitter or LinkedIn.

What we do with your data

For the purposes of exercising the DPC’s functions, the DPC performs the following processing operations in accordance with applicable data protection laws (under which your data protection rights might also be restricted). The DPC:

1. Provides online services – the DPC processes personal data such as strictly necessary cookies for any user of our website www.dataprotection.ie and any of its subdomains. We do so in order for you to use the web forms we provide for the purpose of handling complaints and enquiries, and in order for you to consult with, and download, our online resources. To learn more about our cookie policy, which forms part of this data protection statement, please see our Cookie policy . Our lawful basis for processing this data is that the provision of such services online is necessary in order to provide the service requested, to make resources and ways to make complaints or queries accessible to the largest degree possible, in order to perform the tasks the DPC carries out in the public interest or, to exercise the DPC’s  official authority.

2. Deal with hard copy files – although the DPC endeavours to keep the majority of our records digitalised, for the purposes of carrying out our monitoring and enforcement functions established by law, the DPC must deal with hard copy documents containing personal data when queries or complaints are received by post. In these cases, the documents are then digitalised. Hard copy files of our digital archives are necessary for our staff to handle cases. Hard copy files may also be necessary for the production of the document in court, or in certain circumstances on request from other public authorities. Our legal basis for such processing is that it is necessary to do so in order to perform the tasks the DPC carries out in the public interest or, to exercise an official authority vested in the DPC.

3. Interact with you (in general) – The DPC uses your contact details (including but limited to your name, surname, email address, telephone number, postal address) in order to communicate with you and to be able to exercise our monitoring and enforcement functions established by law. Our lawful basis for processing your contact details is the fact that using your contact details to communicate with you is necessary in order to perform the tasks we carry out in the public interest or to exercise an official authority vested in the DPC.

4. Respond to your enquiries – the DPC analyses information provided by you, including personal data, when you submit a request for information concerning the exercise of your rights and we do so in the exercise of our monitoring and enforcement functions established by law, in particular that of providing information to data subjects on their data protection rights. Our lawful basis for processing personal data related to your request is that it is necessary in order to respond to your query, and therefore it is necessary in order to perform the tasks we carry out in the public interest or to exercise an official authority vested in the DPC.

5. Gather information on alleged infringements – The DPC  gathers information, including personal data, from complaints lodged to the DPC and from the DPC’s own enquiries and investigations, breaches notified to the DPC related to alleged infringements of data protection laws, infringement of laws on the protection of personal data in the context of law enforcement and infringements of the e-Privacy Regulations in the exercise of our monitoring and enforcement functions established by law including complaint handling. The gathering of such information may involve the sharing of personal data of a complainant to an individual or to entities involved in the subject matter of the complaint (“concerned parties”). Our lawful basis for gathering information of alleged infringements is that such gathering is necessary in order to assess the infringement and therefore is necessary in order to perform the tasks we carry out in the public interest or to exercise an official authority vested in the DPC.

6. Examine alleged infringements – the DPC analyses collected information on alleged infringements in order to decide whether it is necessary to conduct further examination, to respond to a complaint or in order to decide whether to submit the matter to a formal investigation on our own volition. If we decide to open an investigation  or begin an examination further information (including your personal data) may be  gathered (including, in some circumstances, by using the DPC’s coercive powers under the 2018 Act in the exercise of our monitoring and enforcement function established by law (please see above), in particular our investigative function. In this context, other individuals (and their personal data) may be involved in the investigation. Our lawful basis for such activities is that the DPC decided that an investigation was necessary in order to assess an alleged infringement and the activity is therefore necessary in order to perform the tasks we carry out in the public interest or  exercise of an official authority vested in the DPC.

7. Develop our findings and corrective actions – the DPC establishes the facts of a case in accordance with law and makes its findings in relation to the case. This factual and legal analysis involves dealing with the personal data related to the alleged infringement, for the purposes of the exercise of our monitoring and enforcement functions established by law, in particular the DPC’s decision-making function. Our lawful basis in order to conduct our decision-making analysis, is that it is necessary in order to decide whether an infringement has occurred, to decide what measures should be taken  are necessary in order to perform the tasks we carry out in the public interest and/or to exercise an official authority vested in the DPC.

8. Cooperate with other EU authorities – where your request for information on the exercise of your rights contains international elements, the DPC may have to cooperate with other supervisory authorities in order to respond to your request. When the DPC receives a complaint about, or conducts an investigation into, an infringement that presents some international elements we might also need to request the assistance of other supervisory authorities in order to handle the complaint and/or the investigation. This may require the sending of your data related to the alleged infringement and, a further processing of that data to the other supervisory authorities, including potentially the transfer of competence to another authority. In this respect, the DPC would still act as controller of your personal data and the other supervisory authorities are obliged to deal with the data for the sole purposes outlined by us when asking for their cooperation. Your personal data are transferred to the other EU authorities for the purposes of the exercise of our monitoring and enforcement functions established by law (please see above), in particular the cooperation function. Our lawful basis in order to transmit your data to other EU authorities is that the transmission is required in order to assess an alleged infringement or a query bearing international aspects, and therefore it is necessary in order to perform the tasks we carry out in the public interest or to exercise an official authority vested in the DPC.

9. Keep a Register of infringements – when you are an individual who is the data controller in relation to whom a finding of infringement has been made by the DPC, details concerning you and the infringement, including the recommendations made or the corrective measures imposed, are kept in an internal register for the purposes of fulfilling our task under Article 57(1)(u) GDPR. The lawful basis for this is that the keeping of such a register is necessary in order to fulfil the keeping of such register required under EU law, and therefore it is necessary in order to perform the tasks we carry out in the public interest or to exercise an official authority vested in the DPC. The DPC also keeps such a register to ensure that a repeat infringement does not occur where the DPC have recommended a data controller to make a change.

10. Publish details of exercise of corrective powers – in our annual report or elsewhere we may publish particulars of the exercise of the corrective powers of the DPC that may also contain personal data in relation to individuals the subject of the application of any such powers. We will not publish details of the complainant, unless the information is already in the public domain or the complainant consents to the publication of their identity in such contexts. We publish such details for the purposes of fulfilling our duty to raise public awareness, where such publication is necessary in order to perform the tasks we carry out in the public interest or to exercise an official authority vested in the DPC.

11. Conduct legal proceedings for enforcement reasons – the DPC processes the personal data of individuals when it exercises the power to initiate legal proceedings against individuals for the purposes of enforcement of data protection laws. The initiation of legal proceedings may be necessary in order to enforce data protection laws and therefore in order to perform the tasks we carry out in the public interest or to exercise an official authority vested in the DPC. Our lawful basis for processing personal data in this respect is that it is necessary.

12. Prosecute summary offences – when the DPC exercises the power to initiate proceedings in relation to, and to prosecute summary offences under, the  2018 Act namely the unauthorised disclosure of personal data by a processor (Section 144) and the disclosure of data obtained without authority (Section 145), we process personal data such as the contact details of the accused and details of the alleged commission of offences which could constitute personal data, including sensitive personal data. We process such data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Our lawful basis for doing so is the fact that dealing with personal data such as those of the accused is necessary in order for us to perform our law enforcement functions under Section 147 of the 2018 Act.

13. Publish details of convictions – when we publish particulars of any convictions under the 2018 Act (Section 149) we process personal data of the convicted, including personal data relating to criminal convictions and offences (Article 10 GDPR). We process such data for the purposes of prevention of criminal offences or the execution of criminal penalties and our lawful basis for doing so is the fact that dealing with personal data such as those of the convicted is necessary in order for us to perform our law enforcement functions under Section 149 of the Data Protection Act 2018. The DPC also prosecutes offences under Regulation 13 of Statutory Instrument (S.I.) 336. Arising from these complaints the DPC processes the personal data of complaints during the course of proceedings, the details of which may be shared in open court as part of direct evidence given.

The DPC also undertakes administrative activities, which are not specifically linked to any of the statutory functions of the DPC. We perform the following processing operations in accordance with applicable data protection laws, when carrying out such administrative activities:

14. Analyse data from the website – we may process personal data such as essential cookies in order for any user of our website www.dataprotection.ie and any of its subdomains to use the services we provide when requested. The lawful basis for this is your consent to access to terminal equipment storage, as set out in our processing of online identifiers (to learn more about our cookies policy, which forms part of this data protection statement, please see our Cookie policy).

15. Record CCTV footage – at our Dublin and Portarlington premises we record footage through the operation of a CCTV system for the purpose of security and safety of such premises. Our legal basis for doing so is that the implementation of such recording system is necessary for the DPC’s legitimate interests; that integrity of our premises is maintained in consideration of the confidentiality obligation of the DPC under the 2018 Act in respect of the material stored therein. 

16. Conduct legal proceedings not for enforcement reasons – when we commence legal proceedings which do not relate specifically to the performance of our statutory functions, but in order defend a claim or for other reasons, the DPC may process any personal data related to the subject matter of the legal proceedings. The DPC would rely on the lawful basis of our legitimate interest to defend the DPC’s rights.

17. Process job applications – we use information provided to us by the Public Appointments Service on a candidate’s application for any vacancy within the DPC for the purposes of recruiting the DPC’s staff. The legal basis for such processing is the provisions of Section 21 of the 2018 Act.

18. Comply with legal obligations – we share information with other public authorities as required by law, in particular other government departments. The legal basis for doing so is Article 6(1)(e) GDPR which sets out that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We may also be compelled to share information, which includes personal data, with other public authorities both within and outside the State for the purposes of cooperation. The legal basis for doing so is that the DPC must comply with a legal obligation to cooperate as is stated in Section 26(2)(c) of the 2018 Act.

19. Perform a contract – when we deal with service providers and suppliers in their individual capacity or otherwise deal with personal data from third parties with whom we are dealing by contract, we deal with such data for the purposes of fulfilling our obligations pursuant to the contract as our legal basis for so doing. For a complete data protection policy, please refer to the specific contract to which you are party with the DPC and its annexed data protection policy.

20. Allow participation in events – as event organisers, in the context of our public relations activities or our institutional activities, we may collect personal data for inclusion in contact lists arising from contact with media practitioners (journalists, PR representatives) and at conferences or events – both online and onsite – for the purposes of developing the DPC’s network and for public relations purposes in general. The legal basis for doing so is obtaining a valid consent from the data subject. For a complete data protection policy, please refer to the specific event and the related data protection policy.

21. Manage social media accounts – Clicks on links we provide on our website to social media accounts may be counted in aggregate based on the URL and not on any personally identifiable information. We also process personal data when managing our Twitter and LinkedIn social media accounts as individuals interact with our pages on those platforms. We view comments/reactions on our accounts, and these are retained by the social media platform in question. This is done in accordance with our social media policy for the purposes of developing the DPC’s network and for public relations purposes in general. Our lawful basis for processing is that such processing it is in the DPC’s legitimate interest to develop its network.

The DPC will provide you with specific information such as that outlined in this data protection notice in relation to any further activities (further processing) that we may need to undertake with your data. We will do so before we commence such activities, and only insofar as the purposes of those activities are compatible with the purposes of processing outlined in this section (for more in relation to compatibility of further processing please see “Data Protection Basics”).

In certain instances, however, we may not be able to furnish you with the information in advance of our activities when your right to receive that information is restricted in accordance with law (see Guidance on Limiting Data Subject Rights). For example, if the information collected from you, (including any personal data of yours), is of assistance for the prevention of a terrorism-related offence, we may be obliged by law to report it to An Garda Síochána. Or, where the DPC is sent an email containing unlawful material, it may be necessary for the DPC to report the information to the relevant authorities without any prior information furnished to the sender.

Does the DPC provide information to the National Archives?

The DPC is not governed by the National Archives Act, and therefore is currently not required to transfer records to the National Archive.

What we do not do with your personal data

Automated decision making – the DPC and the third parties which process personal data on our behalf (“processors” – see below) do not undertake any profiling or automated decision making within the meaning of those activities under data protection laws.

Direct marketing – the DPC and the third parties which process personal data on its behalf (“data processors” – see below) do not undertake any activity with your data for the purposes of direct marketing, within the meaning of data protection laws.

Registration of telephone conversations – The DPC does not audio record or retain audio recordings of phone conversations. Where an individual contacts us by phone, caller numbers are automatically stored on the recipient phone in the DPC for a limited time in a list of inbound and outbound calls, but no further processing of this data (caller numbers) is carried out. We may only record personal data in the form of notes made on the relevant case file for the purposes outlined.

Processing personal data when promoting public awareness – the DPC endeavours to fulfil our function of raising public awareness about data protection without processing personal data. We gather and publish case studies and statistical information on the number and type of cases we process, but this information is anonymised and does not identify any individual. We have not embedded plug-ins (such as social media “like buttons”) on our website. Although links to our social media channels are present on our website, we do not collect data related to any usage of such links.

We are the administrators of two social media accounts (Twitter, LinkedIn). Although the DPC’s personnel view messages or posts received on these social media accounts, the personal data contained in the messages/posts and any identifier of the user is not logged or stored other than on the relevant social medial platform, and no further processing of such personal data is carried out by us other than what is necessary for providing the social media account (see above).

Processing personal data when delivering consultation – when we interact with data controllers in relation to their obligation to consult with the DPC prior to processing, in cases where a data protection impact assessment conducted by them under Article 35 GDPR indicates that the processing activities they intend to commence would result in a high risk in the absence of measures taken by the controller to mitigate the risk, we are committed to do so without processing any personal data and will not further process any personal data that a controller may nonetheless forward to us.

Requesting privileged legal material – In the exercise of our functions under law, we do not have the power to compel any controller or processor to furnish information that would be exempt from disclosure in court proceedings on the grounds of legal professional privilege, including any personal data that would qualify as privileged legal material.

How long do we keep your data?

The length of time in respect of which we keep personal data depends on the processing operation carried out with the data.

• When the processing activity is the provision of online services, the length of time for which personal data such as cookies and other online identifiers are retained by the DPC depends on the online service for which the data are processed. When accessing the website, the retention of cookies is in accordance with our Cookie policy , whereas when the website is accessed for the completion a web form, online identifiers will be retained until the web form is submitted. If the web form is not submitted and the session is terminated, no personal data will be retained.

• When the processing activity is the answering of a query or request, the length of time for which personal data related to that query/request are retained after that query/request is answered is for a period of 12 months from the time of last correspondence. After that time, the case will be automatically moved to the DPC’s archive system where it can be reactivated is further correspondence is received.

• When the processing activity is the assessment of an infringement of data protection laws, infringement of laws on the protection of personal data in the context of law enforcement and infringements of the e-Privacy Regulations.  The length of time for which personal data related to that assessment are retained after the assessment of the infringement is for a period of 12 months from the time of last correspondence. After that time, the case will be automatically moved to the DPC’s archive system where it can be reactivated is further correspondence is received.

• Personal data, as contained on a case file, are kept by the DPC for the duration of the investigation process and then kept until the statutory time limit prescribed for legal action against the DPC’s decision can be initiated. Therefore, the retention period applied depends on the particular circumstances of the case, the duration of the investigation and the legal and regulatory requirements to retain such information for a specified period, and finally on the relevant limitation periods for taking legal action. If legal action is taken in respect of a decision of the DPC the retention period would extend to the duration of the legal proceedings and for a period of six months thereafter, in line with our retention schedule.

• When the processing activity is cooperation with other EEA supervisory authorities, the retention period of personal data coincides with the length of time necessary for such cooperation activity to be fully carried out, which varies dependent on the circumstances of the case.

• When the DPC conducts its law enforcement functions, the retention of the personal data related to the prosecution of the offences and related proceedings will be kept for as long as is necessary to bring the said prosecution or proceedings to an end. In relation to the prosecution of offences, if the DPC decides not to prosecute, personal data will be retained for the time until which any legal action contesting our decision may be filed and then deleted in line with our Retention Policy.

• When the processing activity is the publication of details of the exercise of the DPC’s corrective powers and the details of convictions, the retention period of the personal data that may be contained therein coincides with the duration of the publication.

• When the processing activity is recordings by CCTV systems, personal data are retained by the DPC for a period of 14 days.

When do we transfer your data to third countries?

In the event that the DPC is required by law to disclose information to public authorities of countries outside the European Economic Area (‘EEA’) (’third countries’) (the EEA encompasses all the EU Member States plus Liechtenstein, Norway and Iceland) for facilitating cooperation in the performance of the respective functions (Section 26(2)(c) of the 2018 Act), the DPC endeavours not to transfer personal data.

If the transfer of personal data is necessary and proportionate, and/or to comply with a legal obligation of the DPC, we will transfer the data on the basis of an adequacy decision of the European Commission in accordance with Article 45 GDPR. This certifies that the country where your data are being transferred guarantees a level of protection of personal data equivalent to that in the European Economic Area. In the absence of such decision by the European Commission, we will rely on appropriate safeguards including the assessment of need for supplementary measures, in accordance with Article 46 GDPR (for example, a legally binding instrument between public authorities or a non-legally binding agreement between public authorities approved by us). In the alternative, we will transfer the personal data only when a derogation under Article 49 GDPR is applicable (for example, when the transfer is necessary for important reasons of public interest such as national security). At present, none of the day-to-day processing carried out by the DPC involves international transfers. This Privacy Policy is kept under review and will be updated if this changes in the future.

Your personal data may be transferred to the United Kingdom (the ’UK’) in the context of cooperation and mutual assistance with the authorities responsible for the protection of personal data in that jurisdiction (see link to the Information Commissioner Office (the ‘ICO’). This may be the case when the circumstances of your case involve trans-border elements with the UK and such transfer is necessary and proportionate for the exercise of the functions of the DPC. The transfer is possible because, in accordance with Article 45 GDPR, the European Commission has issued an Adequacy Decision which found that the legal system of the UK provides an adequate level of protection of personal data of individuals, including when the data are processed by public bodies or authorities such as the ICO.

The adequacy of the UK standards for the protection of personal data is kept under review in compliance with EU law.

Who we share your data with

Personal data processed by the DPC is held confidentially and is not shared with any third parties, with exceptions outlined below.

Depending on the circumstances of the case, the third parties listed below may process personal data on behalf of the DPC (’data processors’) and are therefore under the legal obligation to ensure the same level of security and confidentiality  in carrying out their processing operations as the DPC does.  The DPC have in place legally binding agreements with data processors that detail these obligations and respective responsibilities.

Depending on the circumstances of the case, the third parties listed below may be a controller of personal data in their own right, where they determine the purposes and means of processing. In that case they are legally responsible for the protection of your personal data in respect of the processing activities that they carry out with your data. Where the purposes and means of processing are jointly determined with the DPC, we have in place legally binding agreements which outline these obligations and respective responsibilities.

• Concerned parties – for the purposes of compliance with fair procedures and the right to be heard and in order to gather information in relation to an alleged infringement of data protection laws, infringement of laws on the protection of personal data in the context of law enforcement and infringements of the e-Privacy Regulations in the exercise of our monitoring and enforcement functions established by law including complaint handling, the DPC might share any personal data related to the complaint/request to concerned parties.

• Other EEA supervisory authorities – in order to perform the DPC’s monitoring and enforcement purposes and to be able to issue a decision on alleged infringements, the DPC might share personal data related to that infringement with other EEA Supervisory Authorities, where such cooperation is necessary. Such data may be analysed by the other Supervisory Authorities and shared back to us.

• Other public authorities outside of the State – In order to resolve cases of a cross-border nature with the UK and/or to ensure effective enforcement and monitoring in relation to an alleged infringement of data protection laws, infringement of laws on the protection of personal data in the context of law enforcement and infringements of the e-Privacy Regulations  the DPC might share any personal data related to alleged infringement bearing cross-border elements with the UK supervisory authority in the form of an international data transfer, as further outlined above.

• Members of the public – We share with members of the public personal data related to the publication of particulars of enforcement powers exercise or, in relation to the publication of details of convicted individuals in relation to offences under the 2018 Act.

• Courts and court audience – when the DPC is involved in legal proceedings it may, of its own volition or where it is  legally obliged to share, information including any personal data which relate to the subject matter of the proceedings at issue. Personal data which are opened to the Court become a matter of court record and may be accessed by members of the public, including journalists, in accordance with the open justice principle.

• Service providers/suppliers - The DPC use third parties such as service providers and suppliers in order to perform our functions as outlined above. These third parties in particular process personal data on our behalf and we have in place specific arrangements which are mandated by applicable data protection laws.

Your rights on your data

Subject to certain restrictions, which are set out below, you can exercise your rights in relation to your personal data that is processed by the DPC (for more on your data protection rights, see our Guidance on Data Protection Basics):

1. The right to be informed about the processing of your personal data;

2. The right to access your personal data;

3. The right to rectification of your personal data;

4. The right to erasure of your personal data;

5. The right to data portability;

6. The right to object to processing of your personal data and the right to withdraw consent;

7. The right to restrict processing of your personal data.

In relation to the personal data kept by the DPC in relation to the processing activities listed above, your rights as data subject and the obligations of the DPC as a data controller, provided for in Articles 12 to 22, Article 34 (which relates to communicating personal data breaches to data subjects) and Article 5, GDPR (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22) are subject to certain restrictions.  This means, for example, that your right of access under Article 15, GDPR, is limited in circumstances where your personal data is kept by the Commission for the performance of its functions. However, upon receipt of a request by a data subject seeking to exercise his or her rights, the DPC will consider the application of the restriction under Section 60(3)(c)(i) of the 2018 Act and will review all relevant personal data relating to the data subject in order to establish whether any or all of the personal data is kept by the Commission for the performance of its functions such that the restriction at Section 60(3)(c)(i) applies.

Other restrictions to your rights as data subject may apply in other circumstances, for example when the DPC processes personal data in the context of legal proceedings. Please refer to our guidance on restrictions of data subject rights here.

Implications of not providing full and factual information to the DPC

If you do not provide the DPC with all of the information that is required for the completion of a web form, or do not answer all of our questions  in the course of the handling of your complaint this may mean that the DPC may not be able to assess your complaint further or, if the information is incomplete, this may have an effect on the outcome of your complaint.

If you are responding to a complaint made against you, failing to provide all information necessary, (which may consist of your personal data,) may also have an effect on the outcome of a complaint made about you. If you are issued with an enforcement notice requiring you to provide information (that includes your personal data), or you are the subject of a notice which requires  a report from you which includes furnishing information which includes your personal data, or you are asked by an authorised officer or an employee of the DPC for information that also constitutes your personal data, refusing to provide this information may also mean that you will be subject to criminal prosecution for committing an offence under the 2018 Act.

How to make a complaint

You have the right to lodge a complaint about how we handle your personal data to the competent supervisory authority, which is the DPC itself.

Complaints lodged against the DPC are handled by us in the same way as complaints lodged against other data controllers. The DPC have adopted comprehensive internal guidance in order to make sure that any officer or agent of the DPC to whom the complaint may be related will not be involved in the investigation and/or decision-making process, and that the investigator and/or decision-maker dealing with your complaint against the DPC will not be biased in any way. You also have the right to a judicial remedy against the decision of the DPC in respect to your complaint.

Guidance as to how we handle complaints in general can be accessed here.

Changes to this statement

This statement is kept under review and is subject to change. We recommend that you regularly visit the DPC’s website to ensure that you are consulting the latest version of the statement. You can find a reference to the date of the last update on the top of this statement.

Questions or feedback?

We hope you have a clearer understanding of our activities concerning your personal data and of how you can exercise your rights in relation to the DPC as data controller of whatever of your personal data we may hold. If you have any questions or comments on this notice, please contact us or our Data Protection Officer using the contact details outlined above.