Data Protection


The Charities Regulatory Authority (the “Charities Regulator”) places high importance on the lawful, fair and transparent processing of all Personal Data and is fully committed to protection of the rights and privacy of individuals whose Personal Data it holds in accordance with the EU General Data Protection Regulation, 2016/679 (“GDPR”, the “Regulation”) as given further effect in the Data Protection Act 2018.  This commitment is underpinned by compliance with the statutory measures that ensure these rights. The Charities Regulator reviews its systems and procedures on a regular basis, in order to ensure these rights continue to be protected.

GDPR came into effect on 25 May 2018. The Regulation and the Data Protection Act 2018 confer rights on individuals in relation to the privacy of their Personal Data as well as responsibilities on those persons holding and processing such data.

Under GDPR, Personal Data is defined as: 

any information relating to an identified or identifiable natural person (data subject)”.

This definition provides for a wide range of personal identifiers to constitute Personal Data, including name, address and also electronic, manual and image data which may be held on computer or on manual files.

More information about Data Protection

  • Identity and Contact Details of the Data Controller

    The Data Controller is: Charities Regulator

    Address: 3 George's Dock, IFSC, Dublin 1, D01 X5X0.

  • Contact Details of the Data Protection Officer

    Data protection queries relating to Personal Data held by the Charities Regulator should be directed to the Data Protection Officer (the “DPO”) for the Charities Regulator, contact details are: 


    Phone:    01-211 8600

    Address: Charities Regulator, 3 George's Dock, IFSC, Dublin 1, D01 X5X0.

  • Purpose and Legal Basis for Processing

    The Charities Regulator is Ireland's national statutory regulator for charitable organisations and is an independent authority established in accordance with the Charities Act 2009, as amended (the “2009 Act”). The key functions of the Charities Regulator are set out in Section 14 of the 2009 Act, which includes the requirement to establish and maintain a register of charitable organisations and to ensure and monitor compliance with the 2009 Act. 

    The type of Personal Data that the Charities Regulator processes depends on the purpose and legal basis for processing that data. The Charities Regulator will only process such Personal Data or special category data as is reasonable and necessary in order to perform its functions under the 2009 Act and in performance of the tasks it carries out in the public interest.  The categories of Personal Data processed depends on the business unit that is handing the data, as follows;

    • Compliance

      The Compliance Unit may receive Personal Data and special category data voluntarily from charity personnel; including trustees, members, directors, staff members and volunteers and other third parties, including a member of the public, a charity beneficiary or service user, donors or potential donors of a charity. The Compliance Unit may receive Personal Data (including the name, address, email address, contact number, job title, role or place of work) and special category data (data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, data concerning a natural person's sex life or sexual orientation, and  in relation to criminal convictions and offence) in the course of carrying out its functions under Part 4 of the 2009 Act.

    • Charity Services

      The Charity Services Unit may receive Personal Data from the relevant applicants, including Executors, Trustees or their representatives. The Personal Data received includes, name, address, email address, contact number and date of birth. This Personal Data can relate to the applicant and a third party relevant to the application, including purchasers, beneficiaries and previous title holders.

    • Registration and Reporting

      The Registration and Reporting Unit may receive Personal Data during the registration process from an organisation seeking registration with the Charities Regulator and during the annual reporting process. The Personal Data received can include name, address, email, telephone numbers, bank account number and identity documents (passport/drivers licence). The Personal Data can relate to the organisation’s Trustees (or connected persons to the Trustees), Directors, Officers or members of staff of the applicant, volunteers, donor, beneficiaries and current or former advisors to the applicant.

    • Communication and Stakeholder Engagement

      The Communication and Stakeholder Engagement Unit may receive Personal Data from third parties, including stakeholders, charity personnel, trustees, suppliers and other interested parties. The Personal Data received can include name, address, title, email address and telephone number.

    • Corporate Affairs and Corporate Affairs Secretariat

      These units may receive Personal Data from Charities Regulator personnel, including members of the Authority and staff members, third parties, which might include a member of public, a charity beneficiary or service user, donors or potential donors of a charity and Charity personnel (trustees, members, directors, staff members, volunteers) and suppliers. The Personal Data received can include name, address, email, telephone numbers, occupation history, property holdings, staff ID and bank account number.

  • Use of Personal Data

    The Charities Regulator will use Personal Data for the purposes for which it was collected, which may include:

    • Assessing applications for registration;
    • Maintaining a Public Register of charitable organisations operating in Ireland;
    • Carrying out investigations into the affairs of charitable organisations;
    • Maintaining and administering the Common Investment Fund;
    • Providing charity trustees/charities with information about its news and events, training and seminars and e-learning services;
    • Informing research into the charity sector in Ireland;
    • Maintaining an accurate mailing list of subscribers;
    • Administering and improving its website and internal operations, including troubleshooting, data analysis, testing, research, and for statistical and survey purposes; and
    • Human resource purposes relating to employment with or appointment to the Board or a Committee of the Charities Regulator.

    GDPR seeks to ensure that Personal Data is processed lawfully, fairly and transparently, without adversely affecting the rights of the Data Subject. 

    The Charities Regulator will rely on the following legal bases under the Regulation and the Data Protection Act 2018 in processing Personal Data. The relevant legal basis is dependent on the relevant business unit that processes the data, as follows:

    Legal Basis

    Business Unit

    The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes

    The Corporate Affairs Unit

    The Communication and Stakeholder Engagement Unit

    The processing is necessary for  compliance with legal obligations to which the controller is subject

    The Compliance Unit

    The Charity Services Unit

    The Corporate Affairs Unit

    The Corporate Affairs Secretariat Unit

    The Registration and Reporting Unit

    The processing is necessary for the performance of a task carried out in the public interest

    The Compliance Unit

    The Charity Services Unit

    The Corporate Affairs Unit

    The Corporate Affairs Secretariat Unit

    The processing is necessary for reasons of substantial public interest

    The Compliance Unit

    The processing is necessary for the performance of a contract

    The Communication and Stakeholder Engagement Unit

    The Corporate Affairs Unit

    Where the lawful basis for the processing of Personal Data is based on the consent or, where necessary, the explicit consent of the Data Subject, that consent can be withdrawn at any time. Where consent is withdrawn, it will not affect the lawful basis for processing up until that time. 

  • Existence of Automated Decision Making

    The Charities Regulator uses cookies when visiting its website and has introduced Google Analytics to assist in its development.  Google Analytics allows the Charities Regulator to measure and learn in aggregate how its website is being used, and to see, for example, which are the most popular pages.  This will help the Charities Regulator provide relevant information in an easily accessible format.  The Charities Regulator also uses a number of session cookies and a persistent cookie to record acknowledgement of cookie usage.  To view the Charities Regulator’s Cookie Policy, click here.

  • Recipients or Categories of Recipients of Personal Data

    When undertaking its legal functions, the Charities Regulator may publish Personal Data of individuals, such as the names of trustees, on its public register.

    The Charities Regulator may share Personal Data with third parties where it is necessary, lawful and / or appropriate.

    The Charities Regulator will not disclose Personal Data that it collects to any third parties other than in order to fulfil its statutory obligations under the 2009 Act or in compliance with another legal obligation, for example under applicable freedom of information legislation. 

    The third parties that the Charities Regulator may share Personal Data with include the following:

    • An Gardaí Síochána;
    • The Revenue Commissioners;
    • The Director of Corporate Enforcement;
    • The Competition Authority;
    • Any other person charged with the detection, investigation or prosecution of offences;
    • Relevant Regulators and Foreign Statutory Bodies prescribed by regulation;
    • Legal or other advisors;
    • ICT system and service providers;
    • Auditors (internal or Comptroller and Auditor General);
    • Authorities to whom the Charities Regulator is legally obliged to disclose Personal Data - law enforcement, tax authorities or for the purposes of court proceedings.

    Whenever the Charities Regulator discloses information to third parties, it will only disclose the amount of Personal Data that is necessary.  Third parties receiving Personal Data from the Charities Regulator must satisfy the Charities Regulator as to the measures taken to protect and keep it secure.

    Appropriate measures will be taken to ensure that all such disclosures or transfers of Personal Data to third parties will be completed in a secure manner and pursuant to contractual safeguards.

    The Charities Regulator may provide information, when legally obliged to do so and in response to properly made requests, for the purpose of the prevention and detection of crime, and for the apprehension or prosecution of offenders. In the case of any such disclosure, the Charities Regulator will only do so in accordance with Data Protection Law.

  • Data Retention

    The Charities Regulator is a scheduled body a set out under Section 1(2) of the National Archives Act 1986, (the “NA Act”) and is obliged to comply with the NA Act in relation to the retention of all departmental records as defined under Section 2(2) of the NA Act. Once documentation is more than 30 years old, under Section 8(1) of the NA Act, the Charities Regulator is obliged to transfer all Departmental Records to the National Archives, where they will be available for public inspection.

    Documentation that is not required to be retained under the NA Act are retained for shorter periods, as follows;

    • Personal Data relating to Charities Regulator staff members will normally be retained for the period of the employment relationship plus seven years. The facts of a person’s employment with the Charities Regulator will be retained indefinitely for pension / benefits purposes and to verify subsequent referee requests.
    • Personal Data for supply contracts and tenders will be held for the period relevant to the contract.
  • Transferring Personal Data to a country out the Economic European Area (EEA)

    All requests from staff members of the Charities Regulator, or contractors acting on behalf of the Charities Regulator, to transfer Personal Data outside the EEA (“transfer” includes making available remotely) must be formally made in writing to the Charities Regulator’s DPO before any authorisation can be provided.

  • Where can I get more information about my rights under GDPR?

    GDPR sets out the following rights applicable to Data Subjects.  These rights are restricted in certain circumstances as prescribed under Article 23 of the GDPR and the Data Protection Act 2018:

    • The right to be informed;
    • The right of access;
    • The right of rectification;
    • The right to restrict processing;
    • The right to data portability;
    • The right to object;
    • Rights with respect to automated decision-making and profiling;
    • The right to withdraw consent (this applies where the legal basis for processing is consent); and
    • The right to erasure (also known as the “right to be forgotten”).

    The Data Protection Commission’s website offers an explanation of the rights and responsibilities under the Data Protection Acts and information is also available from:

    Data Protection Commission
    Canal House, Station Road, Portarlington, Co. Laois R32 AP23 

    The Data Protection Commission may also be contacted by:

    If you believe that the Charities Regulator has not processed your data in accordance with the GDPR or otherwise complied with data protection legislation, you may make a complaint to the Data Protection Commission.

  • How can I access my Personal Data (Subject Access Request)?

    Among the rights conferred by the GDPR on Data Subjects is the right to obtain a copy of their Personal Data which is being processed by the Charities Regulator.

    In order for the Charities Regulator’s to identify and locate the Personal Data sought, you should complete and return our online Subject Access Request (“SAR”) form, ensuring that you provide, in so far as is possible, details of your interaction with the Charities Regulator.

    Please note: As we need to verify the identity of anyone making a Subject Access Request, you will need to provide us with specific forms of identification (details contained in the SAR form). 

    Your Subject Access Request will be responded to within one month of the date of receipt or, where difficulty arises in the verification of your identity, within one month of identity verification.

    You can also make a Subject Access Request by writing to the Charities Regulator:

    Data Protection Officer
    Charities Regulator, 3 George’s Dock, IFSC, Dublin 1 D01 X5X0

    Alternatively, please email

    A Data Subject may also seek to have any of his or her Personal Data rectified. This will be done within 40 days of the request being made, provided there is reasonable evidence in support of the need for rectification or erasure. You need to tell us what information is incorrect and what should replace it. We will inform recipients to whom that Personal Data have been disclosed (if any), unless this proves impossible or has a disproportionate effort.

    It is your responsibility to ensure that all of the Personal Data provided to us is accurate and complete. If any information you have given us changes, please let us know as soon as possible.

    This Website Privacy Notice will be reviewed regularly in light of any legislative or other relevant developments and, at a minimum, on an annual basis.