Data Protection Commissioner

Frequently Asked Questions - FAQ

7. Responsibilities of data controllers

7.1 Is my business covered by the Irish Data Protection Acts?

If your business is resident, incorporated or maintains a presence in the State (including, in some cases, solely by the use of equipment here), then all processing of personal data either gathered or processed in that context is required to comply with the requirements of the Data Protection Acts.

More information on the applicability of data protection law in the European Union is available here.


7.2 How long should personal data be held to meet the obligations imposed by the Acts?

The Data Protection Acts state that personal information held by data controllers (organisations) should be retained for no longer than is necessary for the purpose or purposes for which it was obtained. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. However, the Acts do not stipulate specific retention periods for different types of data, so organisations must have regard to any statutory obligations imposed on them as a data controller when determining appropriate retention periods.

More detailed guidance is available on this issue here.

7.3 How do I make a privacy policy?

The general approach of this Office in relation to privacy policies is that they should reflect a detailed examination of an organisation's processing of personal data and the application of data protection law to these practices. The privacy policy should be a dynamic document, regularly reviewed and updated to reflect changes in the way the organisation processes personal data.

We suggest that a privacy policy should be built around the eight data protection principles, to ensure that all aspects of data protection are covered. Detailed guidance is available here.

We also provide guidance on the application of the rules to direct marketing, including the particular restrictions that apply to marketing by electronic means (phone, email, SMS, MMS, fax). This guidance is available here.

We also provide a Data Protection Self-Assessment Checklist which can help to identify any gaps in an organisation's data protection practices. This is available here.


7.4 What security measures should I have in place to protect personal data from unauthorised access?

The Acts require that appropriate security measures be in place which take account of the harm that would result from unauthorised access to the information. The measures chosen should take account of available technology and the cost of installation. In addition to technical security measures, due regard should be had for physical security measures such as access control for central IT servers and local PCs.

More extensive guidance is available here.

7.5 What do I do if there is a security breach?

A data controller is required to have in place appropriate security measures to prevent both internal and external unauthorised access to personal data for which it is responsible. The Data Protection Commissioner has issued a Code of Practice and Guidelines on what to do if personal data is put at risk of disclosure, loss, etc. Data controllers are advised to notify affected data subjects in most such cases and also to notify the Office of the Data Protection Commissioner.

7.6 What should be contained in a contract between a Data Controller and a Data Processor?

Sometimes, an organisation will need to engage the services of a sub-contractor or agent to process personal data on its behalf. Such an agent is termed a 'data processor' under the Data Protection Acts. An example would be a payroll company. Where a data controller engages the services of a data processor, it must take certain steps to ensure that data protection standards are maintained. A data controller can do business with a data processor only on the basis of a written contract (or a contract in equivalent form) which includes appropriate security and other data protection safeguards. Informal and ad-hoc arrangements will not be acceptable where personal data is involved.

This Office does not provide a specific template for the content of such contracts, as a case-by-case approach needs to be taken to all such contracts depending on the particular circumstances arising. As a general guide, the key points for consideration are:

  • The Data Protection Acts place responsibility for the duty of care owed to personal data on the data controller, and accordingly when drawing up the contract the data controller should be very specific in the instructions given as to what the data processor can do with the personal data provided. In particular, the contract should specifically provide that the data processor will process personal data only on the basis of the authorisation and instructions received from the data controller. This provision ensures that personal data passed on to a data processor may not be retained or used by the data processor for its own purposes.
  • The contract must commit the data processor to apply appropriate security measures to the personal data to protect it from unauthorised access or disclosure. This provision ensures that the standard of security is maintained when the personal data is passed from the data controller to its agent.
  • The deletion or return of the data upon termination or ending of the contract.
  • Any penalties in place should the terms of the contract be broken.
  • It would also be expected that the data controller or their agents would have a right to inspect the premises of the data processor so as to ensure compliance with the provisions of the contract.
  • The contract should detail a retention period for the categories of personal data held on the data processor's systems.
  • The contract should contain a requirement on the data processor to notify the data controller, without undue delay, in the event of a data security breach affecting the personal data being processed on behalf of the data controller.
  • The contract should contain a requirement on the data processor to notify the data controller, without undue delay, in the event that the data processor receives a subject access request from a relevant data subject.
  • If the data controller is required to register with this Office, the data processor must also register with this Office for the duration of the contract.

7.7 Can I use a "cloud" service to process my data?

The "cloud" provider will usually be acting as a data processor for you. This means that you remain responsible for how the data is processed, and that this must be spelled out in a contract that complies with the terms of Section 2C (3) of the Data Protection Acts. The contract must provide that the "cloud" provider only processes your data in accordance with your instructions and takes measures to keep the data secure. You are responsible for taking "reasonable steps" to ensure compliance by the "cloud" provider. If the "cloud" provider is storing your data outside the European Economic Area, you must take additional steps to ensure that the data remains protected. It is therefore important that you establish precisely where and how the data you provide to a cloud provider will be handled.

More guidance is available here.