Data Protection

The Data Protection Act 2018 came into effect on 25 May 2018. The Data Protection Act gives effect to the General Data Protection Regulation (EU 2016/679) and the Law Enforcement Directive (EU 2016/680). The Act amends the Data Protection Acts 1988 and 2003.

The General Data Protection Regulation (GDPR) is designed to give people greater control over their personal data by setting out clearly defined rights for individuals whose personal data is collected and processed.

The GDPR also imposes increased obligations on organisations that control and process personal data.

Article 4(1) of GDPR defines personal data as any information relating to an identified or identifiable natural person.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier such as user IP addresses or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special category personal data relates to any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Special category personal data is processed in accordance with article 9 GDPR.

Article 5 of GDPR sets out six key principles which lie at the heart of the general data protection regime.

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality

The Chief State Solicitor’s Office (CSSO) is a constituent element of the Office of the Attorney General. The principal functions of the Attorney General are to advise the Government in matters of law and legal opinion and to provide the State with both drafting and litigation services.

The Chief State Solicitor's Office (CSSO) provides litigation, advisory and conveyancing services to government departments and offices and to certain other State agencies. The CSSO also provides solicitor services at tribunals and commissions of inquiry and represents Ireland at the Court of Justice of the European Union.

For the purpose of GDPR the Office is considered a Data Controller of any personal data which it holds. In data protection, a data controller determines the purposes and means of processing personal data.

We process the personal data that you provide to us, this includes when you do so through a representative, for example through a solicitor or other authorised persons.

The CSSO also processes personal data not collected from you. If you are involved in legal proceedings involving a government department or other public service body, we may receive personal data to facilitate the provision of legal advice.

All individuals who enter our buildings will have their personal data processed via our closed-circuit television (CCTV) systems. Further information relating to this can be found in our CCTV notice below.

Our primary function is to provide legal advice and services to government departments and offices. The processing of your personal data is necessary for the purposes of providing legal advice, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings.

The Office receives and shares personal data with third parties, such as client departments, the Courts Service, An Garda Síochána, external counsel, other professional experts and legal service providers as required. As the State’s legal advisor it is necessary to share personal data for the purposes of providing legal advice to our clients.

In accordance with Sections 41 and 47 of the Data Protection Act 2018, personal data held by the Office may be further processed if it is necessary for the purposes of providing legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Subject to certain restrictions, which are set out below, you can exercise your rights in relation to your personal data that is processed by the CSSO. You have:

• The right to be informed about the processing of your personal data
• The right to access your personal data
• The right to rectification of your personal data
• The right to erasure of your personal data
• The right to data portability
• The right to object to processing of your personal data
• The right to restrict processing of your personal data

If an individual wishes to know about their personal data they can make a subject access request.

Some exceptions do apply to the release of data, including access to third party data, data availing of legal privilege, or data required for the prevention, investigation or prosecution of criminal offences.

Section 61(1) also allows for restrictions on the exercise of the rights of data subjects where processing is for archiving purposes in the public interest.

If the CSSO restricts an individual’s right of access to personal data, the individual can appeal the decision to the Data Protection Commission.

The CSSO must keep a record of reasons for decisions to restrict access to information. The Data Protection Commission can ask to see this record at any time.

A subject access request may be made by email or post to:

Applicants must provide proof of identity, such as a copy of their driver’s licence or passport. This is to ensure that the Data Protection Officer can confirm the requestor's identity.

Valid requests will be responded to within one month of receipt. In certain circumstances this may be extended. There is no fee for making an application.

An individual can also ask the CSSO to correct or erase any personal data held by the CSSO which they believe to be inaccurate – with the exception of personal data contained in witness statements.

It is important to note that only personal data relating to an individual applicant can be provided. The CSSO cannot provide personal information relating to another individual. Exceptions are made in some cases where parents or guardians request personal data relating to their children.

A solicitor can also make a request on behalf of a client but must show their client has authorised the request.

The CSSO will store your data for the duration of processing and as required by law and in line with its obligations under the National Archives Act 1986.

The Data Protection Officer for the CSSO is Stephen Finlan. He can be contacted at the address below.

Individuals who wish to make a complaint can contact the Data Protection Commission at the address below.