Data Protection Commissioner
Data Protection Commissioner
Privacy Statement
How we use your information
This privacy notice provides information about the ways in which the office of the Data Protection Commissioner (the DPC) collects, stores, shares or keeps personal information provided by our customers.
Using our website:
Our website ( does not use cookies to track user information, with the exception of the registration process, when session cookies are gathered for financial security purposes. We will not record the IP address of anyone who is searching for information on data protection.
Search engine:
The search facility on our website is an internal search function and only returns information that appears on the website. We do not track or retain user activity when customers use this facility.
Online registration:
Some businesses are required by law to register with the ODPC. To facilitate this, the ODPC offers an online registration system. This is the only occasion where we track customer usage, and this is to ensure that customers supplying payment information can do so in a safe and secure manner.
When a customer uses our Online Registration function, a session cookie is created. This creates a unique identifier, ensuring that your payment details can only be attached to your application, guarding against fraudulent activity. The session cookies have a short lifespan and ‘time-out’ after a short period of time. The cookies are not logged by the ODPC and we do not retain a record.
Calling our Helpdesk:
The ODPC does not collect Calling Landline Identification (CIL) or any other information on the origins of a call. We do not record or retain phone conversations.
Emailing us:
Any emails sent to us are recorded and forwarded to the relevant section. The sender’s email address will remain visible to all staff tasked with dealing with the query. Please be aware that it is the sender’s responsibility to ensure that the content of their emails is within the bounds of the law. Unsolicited material of a criminal nature will be reported to the relevant authorities and blocked.
Making a complaint to us:
When we take on a complaint, a file is generated. This will usually contain personal information about the complainant and any other individuals involved in the complaint.
We will only collect personal information that is necessary to investigate the complaint. We do gather and publish case studies and statistical information on the number and type of cases we process, but all information is annonymised and does not identify any individual.
We will usually have to disclose the complainant’s identity to whomever the case is against. We will try to facilitate a complainant who wishes to remain anonymous, but if a case proceeds it is generally inevitable that the identities of both parties are revealed. This is to ensure fairness in the legal process.
If sensitive personal data is collected for the purposes of a complaint, appropriate measures will be taken to ensure that it is safely processed.    
The information contained in complaint files will be kept in line with our retention policy. This means that information will be held for six years from the last date of action on the file. It will be kept in a secure environment and available only to those who need to access it.
When we take enforcement action, we may publish the identity of the defendant in our Annual Report or elsewhere. We will not identify the complainant, unless the information is already in the public domain.
Registering as a Data Controller or Data Processor:
When a business or individual is required to register with the Data Protection Commissioner, an online record of their registration is created. We do not retain manual registration records. Except in the case of sole traders, registration files do not generally contain personal data, as they relate to commercial bodies.
The Register is a live document, and is viewable online by the public. When the DPC records a registration, only commercial information is made visible to the public.
Reporting a Breach of Data Protection:
We take Breach Notifications from organisations who are self-reporting a lapse in Data Protection, or from individuals whose own personal data has been disclosed without their consent. We only gather such information as is necessary to investigate and take action in a case.
Breach report material is stored in electronic format for six years from the last date of action on the file. It will be securely stored and available only to those who need to access it.
Access to personal information:
The ODPC will respond to Section 3 requests (confirmation of the existence of data) made under the Data Protection Acts, but we are not required to comply with Section 4 requests (release of data). This is to ensure fairness and privacy in the investigation process.
As far as possible, we will not disclose personal data without consent. However, when we investigate a complaint we may need to share personal information with the other parties concerned. We will consider any request for anonymity in respect of a case, but we cannot guarantee that it will be possible to enforce it. We will not disclose your personal data to third parties except in instances where an individual has consented to the disclosure, or we are obliged by law to disclose the data. Third parties to whom we may disclose information include organisations such as An Garda Síochána.
Changes to our Privacy Statement:
This is a live document, under regular review. This policy was last updated in October 2016.
How to contact us:
If you require further information regarding our Privacy Statement, you can contact us at or write to us at: The Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois.