Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

A guide to your rights

This short guide outlines your data protection rights and the responsibilities of those who hold and process your personal details. It is not a legal document. If you need further information after reading this guide, please contact us or visit our website at www.dataprotection.ie.

What is data protection?

When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. This process is known as data protection. We refer to organisations or individuals who control the contents and use of your personal details as 'data controllers'.

Most of us give information about ourselves to groups such as Government bodies, banks, insurance companies, medical professionals and telephone companies to use their services or meet certain conditions. Organisations or individuals can also get information about us from other sources. Under data protection law, you have rights regarding the use of these personal details and data controllers have certain responsibilities in how they handle this information.

When do these rights apply?

You have the right to data protection when your details are:

  • held on a computer;
  • held on paper or other manual form as part of a filing system; and
  • made up of photographs or video recordings of your image or recordings of your voice.

What is the aim of these rights?

Data protection rights will help you to make sure that the information stored about you is:

  • factually correct;
  • only available to those who should have it;
  • only used for stated purposes.

    • When should I contact the Data Protection Commissioner?

    If you are not happy with how your details are being used, you should contact the organisation in question. If you believe that the organisation or individual is still not respecting your data protection rights, you should contact the Office of the Data Protection Commissioner to ask for help.

    What are my rights?

    You have a range of rights when a person or organisation takes and records your personal details. Please read this section carefully to make sure that you are aware of your rights.

    1. Right to have your details used in line with data protection regulations

    A data controller who holds information about you must:

    •  get and use the information fairly;
    •  keep it for only one or more clearly stated and lawful purposes;
    •  use and make known this information only in ways that are in keeping with these purposes;
    •  keep the information safe;
    •  make sure that the information is factually correct, complete and up-to-date;
    •  make sure that there is enough information – but not too much - and that it is relevant;
    •  keep the information for no longer than is needed for the reason stated; and
    •  give you a copy of your personal information when you ask for it.

    2. Right to information about your personal details

    Data controllers who obtain your personal information must give you:

    •  the name of the organisation or person collecting the information or for whom they are collecting the information;
    •  the reason why they want your details; and
    •  any other information that you may need to make sure that they are handling your details fairly – for example the details of other organisations or people to whom they may give your personal details.

    If an organisation or individual gets your personal details from someone else and not directly from you, they must tell you which details they hold and give you the name of the original data controller.

    3. Right to access your personal details

    You can ask for a copy of all your personal details by writing to any organisation or person holding these details on a computer or in manual form. See the section below on 'How to request access to your details'.

    You can also ask the data controller to inform you of any opinions given about you, unless the data controller considers that the opinions are confidential. Even in such cases, your right to such information will usually be greater than the right of the person who gave this opinion in private. This right does not apply, however, in a small number of cases where it could harm certain interests – for example when someone is investigating an offence.

    You should also be informed of, and given the chance to object to, any decisions about you that are automatically generated by a computer without any human involvement.

    4. Right to know if your personal details are being held

    If you think that an organisation or individual may be holding some of your personal details, you can ask them to confirm this within 21 days. If they do have personal details about you, they must tell you which details they hold and the reason why they are holding this information. You can ask for this information free of charge.

    5. Right to change or remove your details

    If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.

    Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.

    In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so.

    6. Right to prevent use of your personal details

    You can also ask a data controller not to use your personal details for purposes other than their main purpose – for example for marketing.

    You can do this by simply writing to the organisation or person holding your details and outlining your views. Within 40 days, they must do as you ask or explain why they will not do so.

    7. Right to remove your details from a direct marketing list

    If a data controller holds personal details about you for direct marketing purposes, you can ask them to remove your details. You can do this by writing to the organisation or person holding these details. They must let you know within 40 days if they have dealt with your request.

    8. Right to object

    A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you unnecessary damage or distress, you may ask the data controller not to use your personal details.

    This right does not apply if:

    •  you have already agreed that the data controller can use your details;
    •  a data controller needs your details under the terms of a contract to which you have agreed;
    •  election candidates or political parties need your details for electoral purposes; or
    •  a data controller needs your details for legal reasons.

    You can also object to use of your personal details for direct marketing purposes if these details are taken from the electoral register or from information made public by law, such as a shareholders' register. There is no charge for objecting.

    9. Right to freedom from automated decision making

    Generally, important decisions about you based on your personal details should have a human input and must not be automatically generated by a computer, unless you agree to this.  For example, such decisions may be about your work performance, creditworthiness or reliability.

    10. Right to refuse direct marketing calls or mail

    If you do not want to receive direct marketing telephone calls, you should contact your service provider. They will make a note of your request in the National Directory Database (NDD) 'opt-out' register. It is an offence to make direct marketing calls to any phone number listed in the NDD. If you have not included your phone number in this register, you can also refuse such calls by simply asking the caller not to phone you again.

    An organisation must get your permission before they contact you by fax machine or automated dialling for direct marketing purposes.

    An organisation must also get your permission before they send marketing emails to your computer or before they send marketing text messages to your mobile phone.

    How do I request access to my details?

    To request access to your details, send a letter or email to the organisation or person holding your personal details and ask them for a copy of this information. The details should be easy to understand and you should receive them within 40 days of your request. You may have to pay a small fee, but this cannot be higher than €6.35.
    In your request you should:

    •  give any details that will help the person to identify you and find your data – for example a customer account number, any previous address or your date of birth; and
    •  be clear about which details you are looking for if you only want certain information. This will help the organisation or person respond more quickly.

    Some sample wording appears below as a guide.


    Dear Data Protection Officer,

    Under the Data Protection Acts 1988 and 2003, I wish to make an access request for a copy of any information you keep about me, on computer or in manual form.

    [My customer account number is ...]

    [My date of birth is...]


    [My previous address was....]


    Yours faithfully,


    [Name]


    What is the role of the Data Protection Commissioner?

    The Data Protection Commissioner aims to make sure that your rights are being upheld and that data controllers respect data protection rules. If you think that an organisation or person is breaking these rules and you are not satisfied with their response to your concerns, you can complain to the Commissioner.

    How do I make a complaint to the Commissioner?

    Click here to make a complaint to the Commissioner

    Can I claim compensation?

    Organisations or people holding your personal details have a legal duty to handle this data with care. If you suffer damage through the mishandling of your personal details, you may be able to claim compensation through the courts. You should discuss this matter with your solicitor. The Commissioner has no function in these actions and cannot give you legal advice.

    Further information
    If you need further information about your rights, you can contact our office by telephone or email or you can visit our website. We will also send you information on data protection rules, free of charge, when you contact us at:

    The Office of the Data Protection Commissioner
    Canal House
    Station Road
    Portarlington
    Co. Laois
     
    LoCall: 1890 252 231
    Tel: 057 868 4800
    Fax: 057 868 4757
    Email:     info@dataprotection.ie
    Website: www.dataprotection.ie

    Key terms

    The following terms are useful when reading this guide:

    Data – information or facts that are usually stored on a computer or on paper

    Data controllers – a person or group of people who control the contents and use of personal details. Data controllers can either be legal entities such as companies, Government departments or voluntary organisations or they can be individuals such as general practitioners (GPs), pharmacists or sole traders.

    Manual data – information stored on paper as part of a filing system.


Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
Phone +353 (0761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 | email info@dataprotection.ie