The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission
Restrictions on the use of publicly available data for marketing purposes

Section 1 (4) (b) of the Data Protection Acts provides that  the Acts do not apply to  personal data consisting of information that the person keeping the data is required by law to make available to the public. This provision covers the publication of personal data by data controllers such  the Companies Registration Office and local  planning authorities. It does not extend to other data controllers who may wish to use this information for marketing or other purposes.  Such data controllers are subject to the  "fair processing" requirements of the Acts in their use of such personal data. 

The published information contains "personal data" and each living individual is a "data subject" within the meaning of the Data Protection Acts, 1988 & 2003. Accordingly, the recipients of this information are "data controllers" within the meaning of those Acts.  If those data controllers intend to use or further process this personal data in any way, they should be aware of the following Data Protection requirements:

Section 2D (1) (b) of the  Acts obliges a data controller to ensure, as far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the following information not later than the time when the data controller first processes the data or, if disclosure of the data to a third party is envisaged, no later than the time of such disclosure:


·        the identity of the data controller

·        if he/she has nominated a representative for the purposes of the Act, the identity of the representative

·        the purpose(s) for which the data are intended to be processed

·        any other information which is necessary to enable processing in respect of the data to be fair to the data subject

·        the categories of data concerned

·        the name of the original data controller.


In addition, Section 2(8) of the Acts provides that:
"Where a data controller anticipates that personal data, including personal data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the data controller shall inform the persons to whom the data relates that they may object, by means of a request in writing to the data controller and free of charge, to such processing." .  This applies both to data controllers who intend to use the personal data for direct marketing potential customers and to data controllers who intend to process the personal data for distribution to third parties for direct marketing by the third parties.


These provisions of the Acts place clear limits on the use of publicly available data for marketing or other purposes – including the re-publication of such data on websites.


Data Controllers who fail to comply with all of the requirements set out above may be deemed to have breached the Data Protection Acts.  Breaches of Data Protection legislation may be reported to, and investigated by, the Data Protection Commissioner. Where the Commissioner forms the opinion that a data controller has contravened or is contravening a provision of the Acts, he may use the enforcement powers conferred on him under the Acts. This includes the power to require a data controller to destroy the database concerned.