The General Data Protection Regulation
(GDPR) is a European Union Regulation that has been designed to strengthen and unify Data Protection within the EU. It also provides a number of rights to data subjects.
The department will comply with its responsibilities under the legislation in accordance with the data protection principles as follows:
personal data shall be processed lawfully and fairly
personal data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes
personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed
personal data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
personal data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed
personal data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against
unauthorised or unlawful processing
accidental loss, destruction or damage
Under the GDPR, personal data is data that relates to or can identify a living person, either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.
Special category personal data
Special category personal data means personal data relating to any of the following:
the data subject’s racial or ethnic origin, their political opinions or their religious or philosophical beliefs
whether the data subject is a member of a trade union
the data subject’s physical or mental health or condition or sexual life
whether the data subject has committed or allegedly committed any offence
any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings
a data subject is the individual to whom the personal data relates. You can read more in our document
A data subject is the individual to whom the personal data relates. You can read more in our document
Organisations that collect or use personal data are known as data controllers and data processors.
The rights individuals enjoy under the GDPR are the same as those under the Data Protection Acts, but with some changes.
Individual rights include:
the right to obtain access to personal data. Data subjects have the right to be provided with copies of their personal data along with certain details in relation to the processing of their personal data
the right to information. Data subjects have the right to be provided with certain information, generally at the time at which their personal data is obtained. We comply with this obligation through our privacy notice(s)
the right to rectification. Data subjects have the right to have inaccurate personal data that a controller holds in relation to them rectified
the right to object and restrict processing. Data subjects have the right to require that a controller restricts its processing of their data in some circumstances, and have the right to object to the processing of their personal data in certain circumstances
rights in relation to automated decision making. Data subjects have the right not to be subjected to processing which is wholly automated and which produces legal effects or otherwise which significantly affects them, and which is intended to evaluate certain personal matters, such as creditworthiness or performance at work, unless one of a number of limited exceptions applies
the right to request erasure of personal data. Under certain circumstances a data subject has the right to request the erasure of their personal data.
To exercise any of your data protection rights contact the Data Protection Office in the relevant organisation directly.
If you are unhappy with the decision of the Data Protection Officer you have the right to complain to the Data Protection Commissioner who will investigate the matter for you. The Commissioner has legal powers to ensure that your rights are upheld.
Further details on your rights under the Data Protection Acts are available at the Data Protection Commissioners website here.