Data Protection

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) from 25th May, 2018 will replace current data protection laws in the European Union. The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR will also impose corresponding and greatly increased obligations on organisations that collect this data.

You may find more information on the Data Protection Commissioner’s micro website

What is the Data Protection Act 2018?

The purpose of the Data protection Act 2018 is to give further effect to the GDPR, to transpose the separate Law Enforce Directive into national law and to establish the Data Protection Commission with the means to supervise and enforce enhanced data protection standards in an efficient manner. The GDPR which as an EU Regulation has direct effect does allow national governments a limited margin of flexibility which are provided for in Part 3 of the Act.

What is personal data?

The term “personal data” means any information relating to a living person who is identified or identifiable (such a person is referred to as a “data subject”).

A person is identifiable if they can be identified directly or indirectly using an “identifier”. The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.

What is processing?

The term “processing” refers to any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.

What is special categories data?

Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. Processing of these special categories is prohibited, except in limited circumstances set out in Article 9.

What is Article 10 data?

This is data in respect of criminal convictions or alleged offences.

What is a data subject?

The Data Subject is a living individual to whom personal data relates

What is a data controller?

A data controller refers to a person, company, or other body which determines the purposes and means of processing of personal data.

What is a data processor?

A data processor refers to a person, company, or other body which processes personal data on behalf of a data controller

What are the legal bases for processing personal data?

There are six different legal bases on which personal data may be processed: -

  • Consent
  • Contract
  • Legal obligation
  • To protect the vital interests of the data subject or of another
  • Task carried out in the public interest or in the exercise of official authority vested in the controller
  • Legitimate interest (this doesn’t apply to the performance of public tasks but may apply to organisational specific tasks such as operation of CCTV for security or for the safety of our staff)

Many of the Department’s processing activities are carried out as tasks in the public interest or in the exercise of official authority to the extent that such processing is necessary and proportionate for:

  • the performance of a function of the Minister conferred by or under an enactment or the Constitution, or
  • an administration by or on behalf of the Minister of any non-statutory scheme, programme or funds where the legal basis for such administration is a function of the Minister conferred by or under an enactment or by the Constitution.

What is a retention or storage period?

Personal data should be retained/stored for no longer than is necessary for the purposes or purpose for which it is being processed. As the Department is subject to the National Archives Act, 1986 records with personal data may have to be retained for archiving where there is no disposal order from the National Archives in place with respect to that category of record.

What is meant by data-sharing?

It is where personal data may be shared between two data controllers. The sharing of data is required to have a legal basis and to be transparent.

What is a Privacy Statement?

The policy of the Department is to include a privacy statement on any forms which we may use to collect personal data as part of a processing activity. The statement will provide information on the main purposes for collecting the personal data and whether the data is being shared with any other organisation. The statement will include a link to a more detailed privacy notice and provide more details on the processing activity.

What is a Privacy Notice?

A Privacy Notice is used by the Department to provide details on each processing activity undertaken which involves personal data. It will provide you with information on the purpose; legal basis; source of the personal data where it has not been obtained from you directly (often the department as part of its functions will have received the data via a school or other educational organisation); storage period; persons or organisation to whom the data or part of the data may be disclosed to and why. The Privacy Notice will also provide you with information on your Data Subject Rights and how you can exercise these. It will include relevant contact details. For large processing activities it may provide links to further information or a more detailed Fair Processing Notice for the processing activity.

Where can I get more information about my rights under the Data Protection Act?

The Data Protection Commissioner's Website offers an explanation of the rights and responsibilities under the Data Protection Acts and information is also available from

The Data Protection Commissioner's Office
Canal House,
Station Road,
Co. Laois. R32 AP23

You can contact the Data Protection Commissioner's Office by email ( or by phone 1890 252231.

Related Links: