Companies Registration Office (CRO) (Register of Users)

Last updated June 2019

Does your organisation use the PPSN at present?

Yes. The CRO is separately prescribed under the Social Welfare (Consolidation) Acts 1998 to 2005 and Social Welfare and Pensions Act 2007 to use the PPSN.

If so, for what purpose?

The Companies Registration Office (CRO) uses the PPSN to verify the identity of an individual when they apply for a PIN to register to use the CRO’s electronic filing facility for submitting annual returns and certain updates to the Registrar for Companies.

Does your organisation exchange the PPSN with any other body? If so, please name the relevant bodies and the purpose(s) of the exchange?

No. The Companies Registration Office does not currently exchange the PPSN with any other external body.

Does your organisation have any other plans involving the use of the PPSN?

The Companies Registration Office anticipates the use of a “hashed” form of the PPSN (i.e. an encrypted or “not visible to the eye” form of the PPSN) for the new Register of Beneficial Ownership (the “RBO”). This will be set up as a separate legal entity. Further information is available in the Privacy Statement and Privacy Notice on the Register of Beneficial Ownership website at: www.rbo.gov.ie.

There is a duty to ensure compliance with the principles of processing personal data which are set out in Article 5(1) and 5(2) of the GDPR. These principles are summarised as follows

• process it lawfully, fairly, and in a transparent manner
• collect it only for one or more specified, explicit and legitimate purposes, and do not otherwise use it in a way that is incompatible with those purposes
• ensure it is adequate, relevant and limited to what is necessary for the purpose it is processed
• keep it accurate and up-to-date and erase or rectify any inaccurate data without delay
• where it is kept in a way that allows you to identify who the data is about, retain it for no longer than is necessary
• keep it secure by using appropriate technical and/or organisational security measures
• be able to demonstrate your compliance with the above principles; and
• respond to requests by individuals seeking to exercise their data protection rights (for example the right of access

Have you measures in place to ensure that the Public Service Identity data you hold/collect whether in electronic or written format is in line with the GDPR Principles described above?

Yes. All personal data are subject to general departmental security provisions for the protection of personal data and office services.

CRO Overview

Staff in the CRO have been provided with training on the compliance requirements of the new General Data Protection Regulation (GDPR) and Data Protection. In addition, a number of Information Sessions on Data Protection have been delivered by the Data Protection Officer (DPO). These sessions continue to be delivered on a regular basis to ensure that all staff are familiar with data protection requirements. A Guidance Booklet was also drafted and provided to all staff. This Guidance Booklet is updated regularly to reflect changes and best administrative practice in relation to data protection. Information about data protection compliance is also posted regularly on a dedicated data protection area on the internal intranet for all staff. A specific module on data protection is provided as part of the Induction training for all new staff joining the CRO. Formal training sessions have also been provided to staff by an external training provider. Regular Communication Bulletins are also issued to all staff reminding them of their compliance obligations in relation to the processing of personal data under the General Data Protection Regulation (GDPR) and Data Protection laws.