Privacy policy

The Data Protection Commission was established by the Data Protection Acts 1988 to 2018 ('the Data Protection Acts'). You can contact the Commission here

Under the GDPR and the Data Protection Acts, the Commission is responsible for monitoring the application of the GDPR in order to protect the rights and freedoms of individuals in relation to processing.

The tasks of the Commission include promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing, handling complaints lodged by data subjects and cooperating with (which includes sharing information with) other data protection authorities in other EU Member States.

The General Data Protection Regulation ('GDPR') applies from 25 May 2018 and significantly changes data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations. The GDPR is designed to give individuals more control over their personal data. (A copy of the GDPR is available here).

The key principles under the GDPR are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality, and accountability (Article 5 of the GDPR).

Under GDPR data subjects have increased rights. Guidance on these rights is available here.

The data subject rights are:

  1. The right to be informed (Articles 12 - 14 of the GDPR);
  2. The right to access information (Article 15 of the GDPR);
  3. The right to rectification (Articles 16 & 19 of the GDPR);
  4. The right to erasure (Articles 17 & 19 of the GDPR);
  5. The right to data portability (Article 20 of the GDPR);
  6. The right to object to processing of personal data (Article 21 of the GDPR);
  7. The right of restriction (Article 18 of the GDPR) and,
  8. Rights in relation to automated decision making, including profiling (Article 22 of the GDPR).

Where personal data is kept by the Commission for the performance of its functions, the rights of data subjects and the obligations of the Commission, as a data controller, provided for in Articles 12 to 22 and 34 (which relates to communicating personal data breaches to data subjects) and in Article 5, GDPR (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22) are restricted (Section 60(3)(c)(i), Data Protection Acts).

This means, for example, that the Commission does not have to respond to access requests for personal data under the GDPR where the personal data is kept for the performance of the Commissions' functions (e.g. complaint handling).

If you require further information in relation to your rights and this restriction, you can contact our Data Protection Officer (DPO) here.

This Privacy Policy is currently under review.

Please note:
This Privacy Statement is not intended to be a comprehensive Privacy Policy as required by Articles 13 and 14 of the GDPR, given the restriction for personal data kept by the Commission for the performance of its functions.