Data Protection and the General Data Protection Regulation (GDPR)

We fully respect your right to privacy. Any personal information which you provide to us will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts 1988-2018.

The General Data Protection Regulation EU 2016/679 is a regulation on data protection and privacy for all individuals within the European Union. It came into force across the European Union on 25 May 2018.

It replaces the previous data protection directive which has been in force since 1995 and forms the basis of our new Data Protection Irish laws (Data Protection Acts 1988-2018).

The GDPR and Ireland

As an EU Regulation, the GDPR does not generally require transposition into Irish law, as EU Regulations have “direct effect”. In Ireland, we have introduced new legislation known as the Data Protection Act 2018 which was signed into law on 24 May 2018.

Among its provisions, the Act:

• establishes a new Data Protection Commission as the State’s data protection authority
• gives further effect to the GDPR in areas where Member States have some flexibility (Part 3 of the Act), for example, the digital age of consent

This new Act, together with the previous data protection legislation will be collectively known as the “Data Protection Acts 1988-2018.”

Data Protection legislation

The Data Protection Acts 1988-2018 are designed to protect people’s privacy. The legislation confers rights on individuals in relation to the privacy of their personal data as well as responsibilities on those persons holding and processing such data.

Personal data

Personal data means data relating to a person who is or can be identified either from the data itself or in conjunction with other information that is in, or is likely to come into, the possession of the department. It covers any information that relates to an identified or identifiable living individual. These data can be held on computers or in manual files.

The department’s obligations

Under the GDPR and Data Protection Acts 1988-2018, this department, as a Data Controller, has a legal responsibility to:

• obtain and process personal data lawfully, fairly and in a transparent manner
• keep it only for one or more specified and explicit lawful purpose(s)
• process it only in ways compatible with the purpose of which it was given initially
• keep data accurate, relevant and not excessive
• retain it no longer than is necessary for the specified purpose or purposes
• keep personal data safe and secure

Our Data Protection Officer

Our Data Protection Officer is Celyna Coughlan. She is responsible for all Data Protection matters for our department and its six Offices, including:

• the Workplace Relations Commission (WRC)
• the Labour Court
• Companies Registration Office (CRO)
• Registry of Friendly Societies (RFS)
• the Office of the Director of Corporate Enforcement (ODCE)
• the Intellectual Property Office of Ireland

Contacting our Data Protection Officer

You can contact our Data Protection Officer by emailing dataprotection@enterprise.gov.ie or by telephone at (01) 631 2398.

Data Subjects’ Rights

A data subject (“individual”) has the following rights under the GDPR and Data Protection Acts 1988-2018:

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure/right “to be forgotten”
• the right to restrict processing
• the right to data portability
• the right to object
• rights in relation to automated decision making and profiling

Access to personal data

An individual can make a data protection access request by completing a Subject Access Request form and sending it to:

Celyna Coughlan, Data Protection Officer, Department of Enterprise, Trade and Employment, Kildare Street, Dublin 2, D02 TD30.

Applications can also be sent electronically to dataprotection@enterprise.gov.ie

Submitting a Subject Access Request (SAR)

You must complete a Subject Access Request form in order to request a copy of your own personal information from us. This Form must be completed in full and sent to our Data Protection Officer. You will also need to supply us with adequate Proof of Identity as part of this process. You should try to be as specific as possible in identifying the personal information that you are seeking from us. Also, if possible, try to specify the areas of the department where you feel would be most relevant to your request. This will assist us in providing you with an effective and efficient service.

The most efficient way for us to deal with your Subject Access Request (SAR) is to email us with a copy of your completed Subject Access Request (SAR) form and adequate proof of identity to dataprotection@enterprise.gov.ie

If you need assistance with completing the Subject Access Request (SAR) form please contact Celyna Coughlan, Data Protection Officer at: dataprotection@enterprise.gov.ie or by telephone at: 01 631 2398.

In general, there is no charge for individuals who seek access to their personal records under the Data Protection Acts and requests must be completed within one month.

Exceptions to the right of access

In a small number of circumstances your right to access personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand.

Supervision and enforcement

Independent supervisory authorities

Under the GDPR, each EU Member State will have one or more independent public authorities responsible for monitoring the application of the Regulation. In Ireland, under the Data Protection Act 2018, the Data Protection Commissioner has been replaced with a Data Protection Commission.

Each supervisory authority will:

• monitor and the enforce the application of the GDPR
• promote public awareness of the rules and rights around data processing
• advise the government on data protection issues
• promote awareness among controllers and processors of their obligations
• provide information to individuals about their data protection rights
• maintain a list of processing operations requiring data protection impact assessment

Each authority will have the power to order any controller or processor to provide information that the authority requires to assess compliance with the Regulation. The authority may carry out investigations of controllers and processors in the form of data audits, including accessing the premises of a controller or processor. The authority can order a controller or processor to change their processes, comply with data subject requests. The authority can also issue warnings to controllers and processors and can ban processing as well as commence legal proceedings against a controller or processor.

European Data Protection Board

The GDPR will introduce a new European data protection supervisory authority. The European Data Protection Board will be responsible for ensuring that the GDPR is applied consistently across the European Union. The Board will issue guidelines and recommendations on the application of the Regulation. The Board will also advise the EU Commission on the application of the Regulation and any updates that may be required. The Board will be made up of the head of one supervisory authority of each EU Member State and a European Data Protection supervisor.

Further information about an individual’s rights under the Data Protection Acts

The Data Protection Commission website offers an explanation of the rights and responsibilities under the Data Protection Acts.

Information is also available from: