All personal data processed by the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media will take place in accordance with the law on data protection and will only be for the purposes connected to the functions of this department.
Department staff are also considered customers of the department from a data protection perspective and may exercise their data protection rights in the same way.
The department is fully committed to keeping all personal data submitted by its customers, fully safe and secure during administrative processes. All necessary technical measures have been put in place to ensure the safety and security of the systems which hold this data.
Data protection information will be updated on this page from time to time.
The current legislation for Data Protection in Ireland is the Data Protection Act 1988 as amended by the 2003 Data Protection Act, The Data Protection Act 2018 and The General Data Protection Regulations (EU 2016/679) which came into effect on 25 May 2018. (It should be noted that the 1988 Data Protection Act as amended in 2003 will likely be repealed in full, in due course).
If the department receives any information which leads it to believe that a criminal offence may have taken place it will use all data available, including personal data, to pursue any necessary investigation and/or prosecution as provided for under the terms of the Law Enforcement Directive (EU 2016/680).
Under Data Protection Legislation, the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media as a data controller is responsible for the collection and processing of all personal data under its administration.
The Data Protection Officer can be contacted as follows:
Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media, 23 Kildare Street, Dublin 2, D02 TD30
The department’s Data Protection Policy is a statement of the department’s commitment to protect the data protection rights of individuals in accordance with all relevant legislative requirements.
Data Protection Policy
Download link for Download View the file ViewWhen you, as a customer, provide personal data to the department, you have certain rights available to you in relation to that data. However, it should be noted that not all rights listed shall be applicable in every circumstance. These rights are outlined below and can be exercised by contacting the Data Protection Officer, as detailed above, indicating which right(s) you wish to exercise:
Under Data Protection legislation, individuals have a right to obtain from the department, a copy of any personal information held on them on computer or structured filing system. This is commonly referred to as a Subject Access Request.
In order to obtain copies of personal data held by the department, a request must be made in writing seeking the information.
Requesters can be asked to provide additional details that may be necessary to locate the records, such as their personnel number or PPSN. It will be necessary to obtain proof of identity and address to ensure that the person making the access request is acting legitimately.
Requests should be sent to the Data Protection Officer at the address provided above
A Subject Access Form is available to assist you below.
There is no fee applicable to making an access request for your own personal data, unless the request is considered manifestly unfounded or excessive.
Under the General Data Protection Regulation (GDPR), the information requested must be provided within one month. Where requests are complex or involve a large number of requests, this time limit may be extended for a further two months.
Some exceptions do apply to the release of data, including access to third party data, legally privileged data, or data required for the prevention, investigation or prosecution of criminal offences.
Section 61(1) also allows for restrictions on the exercise of the rights of data subjects where processing is for archiving purposes in the public interest.
If the department fails to comply with a valid data access request, the requester has the right to make a complaint to the Data Protection Commissioner. The Commissioner will investigate the matter and has wide powers to ensure the department complies with the provisions of the Acts. Financial penalties can be imposed.
Complaints should be made in writing, to the Data Protection Commissioner at:
The website of the Data Protection Commissioner at www.dataprotection.ie is an excellent source of information. They can also provide information by phone at: 076 110 4800 or 057 868 4800.
Yes – Section 61(1) allows for restrictions on the exercise of the rights of data subjects where processing is for archiving purposes in the public interest. The rights of a data subject set out in Articles 15 (right of access), 16 (right to rectification), 18 (right to restrictions of processing), 19 (right to notification of rectification, erasure or restriction of processing of personal data), 20 (right to data portability), and 21 (right to object) of the GDPR are restricted to the extent that:
1. the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes, and
2. such restriction is necessary for the fulfilment of those purposes
Where processing is taking place at the same time for any other purpose, other than archiving purposes in the public interest, these restrictions will only apply to processing for archiving purposes in the public interest.
At all times, your personal data will only be shared where there is a valid legal basis to do so and in accordance with the appropriate Data Protection legislation.
In replying to Parliamentary Question requests, all personal information is taken out of the reply which later goes to form the public record.
Information processed for this purpose will only be retained for as long as there is a business need to do so and thereafter will be marked for deletion and will be destroyed in line with internal guidelines or guidelines for destruction received from the National Archives of Ireland or associated permissions received from them.
Where possible, the department may anonymise or pseudonymise (mask) personal data so that the personal data will only be available to those who have a clear business need to see it.
The General Data Protection Regulations (GDPR) came into force in May 2018, in which Article 30 included a requirement for all public bodies to produce a Record of Processing Activities, or a ROPA.
This document is an inclusive and non-exhaustive list of the processes undertaken by sections within the department that utilise personal data; by nature it takes the form of a living document, which will be updated regularly with changes and amendments. If you have any queries regarding specific processes which utilise personal data that are not covered by this document, please contact the Data Protection Officer, as detailed above.
