The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Unsolicited direct mail from abroad - mutual assistance between parties to the 1981 Council of Europe Convention on Data Protection

A number of people complained to me of having received unsolicited mail from a direct mailing company. They wished to establish how the company concerned had obtained their names and addresses and also wished to have their personal data deleted from the company's database. On investigating the case, I noted that the direct mailing company in question was operating in another jurisdiction. I contacted the data protection authority in that jurisdiction in order to have the matter investigated and appropriate action taken.

The 1981 Council of Europe Convention 108 on data protection provides for mutual assistance between States that are parties to the Convention. In particular, Article 14 of the Convention provides as follows:

1. Each Party shall assist any person resident abroad to exercise the rights conferred by its domestic law giving effect to the principles set out in Article 8 of this convention.

2. When such a person resides in the territory of another Party he shall be given the option of submitting his request through the intermediary of the authority designated by that Party.

3. The request for assistance shall contain all the necessary particulars, relating inter alia to:

(a) the name, address and any other relevant particulars identifying the person making the request;

(b) the automated personal data file to which the request pertains, or its controller;

(c) the purpose of the request.

The foreign data protection authority readily agreed to investigate the case on my behalf. The investigation revealed that the direct mailing company concerned had breached the data protection laws in that jurisdiction. The outcome is that the names of the complainants have been removed from the direct mailing company's database, and the data protection authority is proceeding to take action against the company concerned in accordance with the data protection laws in that jurisdiction. In my opinion, it is likely that international cooperation among data protection authorities will have an increasing role in the future in ensuring that people's privacy rights are respected. My experience to date of securing such cooperation has been most encouraging.