FAQs
How long should personal data be held to meet the obligations imposed by the GDPR?
Data controllers are obliged to process personal data in accordance with the storage limitation principle, meaning that personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner.
What is the difference between FOI and Data Protection?
The main function of Freedom of Information (FOI) is to enable the public to have access to information used, produced or held by public bodies.
What powers does the Data Protection Commissioner have?
The Data Protection Commissioner has a broad range of powers to enforce the data protection rights of individuals and to monitor compliance with data protection obligations of data controllers and data processors.
Does the GDPR apply to deceased persons?
The General Data Protection Regulation (GDPR) does not apply to the personal data of deceased persons. Therefore, if the issue relates to the personal data of a deceased individual, the DPC will not be in a position to progress this matter on your behalf as it falls outside data protection law.
What is the household exemption?
Data protection law does not apply to the processing of personal data where the personal data is kept by an individual and is concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes (Article 2(2)(c) of the General Data Protection Regulation (GDPR)).
What is excessive information?
Excessive information is information/personal data that is not required for the purpose of processing. Any data controller that requests information/personal data from a data subject should be able to justify the reasons for seeking each piece of personal data.
What is a Data Controller and a Data Processor?
A data controller is the individual or the legal person (for example a company or public authority) which determines the purposes and means of the processing of personal data; in other words, the controller makes material decisions relating to the processing of personal data, such as determining the purposes for which personal data is collected, stored, used, altered and disclosed.
Is my consent required for my data to be processed?
Unfortunately, it is a myth that data controllers must get consent for ALL purposes of processing and this has led to the confusion and distress of a large number of data subjects.
What is the difference between the Law Enforcement Directive (LED) and the GDPR?
The Law Enforcement Directive (LED) differs from the General Data Protection Regulation (GDPR) in that the LED is a directive that was transposed into Irish law by way of the Data Protection Act 2018 under Part 5; note also that Part 6 of the Data Protection Act 2018 provides for enforcement of both the LED and the GDPR.
What is processing and further processing?
“Processing” under Article 4(2) of the GDPR means doing something with an individual’s personal data, such as collecting, recording, disclosing, altering, consulting with or simply storing the personal data. A data controller who processes personal data must only process the required data for the specific purpose of fulfilling the objectives for which the data was initially gathered and processed.