The Charities Regulator places high importance on the correct, lawful and fair handling of all Personal Data and is fully committed to protection of the rights and privacy of individuals whose personal information it holds in accordance with the EU General Data Protection Regulation, 2016/679 (GDPR) as given further effect in the Data Protection Act 2018. This commitment is underpinned by compliance with the statutory measures that ensure these rights. The Charities Regulator has put in place a range of systems and procedures, which it reviews on a regular basis, in order to protect these rights. For a summary of our information practices, please click here.
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The Regulation and the Data Protection Acts confer rights on individuals in relation to the privacy of their Personal Data as well as responsibilities on those persons holding and processing such data.
Under the General Data Protection Regulation (GDPR), Personal Data is defined as:
“any information relating to an identified or identifiable natural person (data subject)”.
This definition provides for a wide range of personal identifiers to constitute Personal Data, including name, address and also electronic, manual and image data which may be held on computer or on manual files.
More information about Data Protection
Identity and Contact Details of the Data Controller
The Data Controller is: Charities Regulator
Address: 3 George's Dock, IFSC, Dublin 1, D01 X5X0.
Contact Details of the Data Protection Officer
Data protection queries relating to Personal Data held by the Charities Regulator should be directed to the Data Protection Officer for the Charities Regulator, contact details are:
Phone: 01-633 1500
Address: Charities Regulator, 3 George's Dock, IFSC, Dublin 1, D01X5X0.
Purpose and Legal Basis for Processing
Use of Personal Data
The Charities Regulator will use this information:
- to assess applications for registration;
- to maintain a Public Register of charitable organisations operating in Ireland;
- to provide charity trustees/charities with information about its news and events, training and seminars and e-learning services;
- to inform research into the charity sector in Ireland;
- to maintain an accurate mailing list of subscribers; and
- to administer and improve its website and for internal operations, including troubleshooting, data analysis, testing, research and for statistical and survey purposes.
GDPR seeks to ensure that Personal Data is processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject. GDPR states that processing of Personal Data shall be lawful if at least one of the following applies:
- the data subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.
The Charities Regulator will rely on the following legal bases under Data Protection Law in processing Personal Data:
- Protection Law in processing Personal Data:
The Charities Regulator will process your Personal Data where you provide your consent for the provision and use of training facilities.
In compliance with legal obligations
The Charities Regulator will process your Personal Data for the purpose of undertaking monitoring to ensure compliance with the Charities Act 2009, investigations and providing information to the Gardaí Síochána, the Revenue Commissioners, the Director of Corporate Enforcement, the Competition Authority or any other person charged with the detection, investigation or prosecution of offences.
Performance of a task in the public interest
The Charities Regulator will process your Personal Data for the purpose of maintaining and providing departmental records to the National Archives, where they will be available for public inspection.
Performance of a contract
The Charities Regulator will process your Personal Data to the extent required to obtain goods and service requested.
Where the lawful basis for the processing of Personal Data is based on the consent or explicit consent, where necessary, of the Data Subject, that consent can be withdrawn at any time. Where consent is withdrawn, it will not affect the lawful basis for processing up until that time.
Legal Obligation to provide Personal Data and Consequences for failing to do so
The Charities Regulator may require a charitable organisation to provide information it may reasonably require to enable it to perform its functions and the charitable organisation is required to comply with that direction (or risk being removed from the Register, i.e. it is not an offence, unlike Sections 59, 65, 68 of the Charities Act 2009).
Where, in the course of carrying out their duties in relation to a charitable organisation, an:
- auditor of a charitable organisation;
- a person who is a trustee of the charitable organisation or carrying out any of the function of the trustees of the organisation;
- a person who is an investment business firm which has advised the charitable organisation or received payment in relation to the investment of any charity property; or,
- a person who has been involved in the preparation of the annual report of the organisation
comes into the possession of information that causes them to form an opinion that there are reasonable grounds for believing that an offence under the Charities Act 2009 has been committed, that person is required to notify the Charities Regulator in writing of that opinion and provide the Authority with a report in writing of the particular grounds upon which the opinion was formed.
The Charities Regulator may require a charitable organisation or the trustees of a charitable organisation, at such time and place as may be specified in the direction, to produce such books, documents or other records as may be so specified.
Charity Trustees or agents of charitable organisations are required to produce all books, document and other records relating to the organisation in their possession or power of procurement to Charities Regulator inspectors when required to do so by that inspector.
A Charities Regulator inspector can require any person the inspector considers may be in possession of information concerning a charitable organisation, to produce all books, document and other records relating to the organisation in their possession or power of procurement.
Where any such person required to provide the opinion, report, information or documentation referred to above fails to do so they will be guilty of an offence and subject to:
- on summary conviction, to a fine not exceeding €5,000 or to imprisonment for a term not exceeding 12 months or to both, or
- on conviction on indictment, to a fine not exceeding €300,000 or to imprisonment for a term not exceeding 10 years or to both.
Where an offence under the Charities Act 2009 is committed by a body corporate and it is proved to have been so committed with the consent or connivance of or to be attributable to any neglect on the part of any person, being a director, manager, secretary or other officer of the body corporate, or a person who was purporting to act in such capacity, that person shall, as well as the body corporate, be guilty of an offence and shall be liable to be proceeded against and punished as if he or she were guilty of the first-mentioned offence.
Existence of Automated Decision Making
Recipients or Categories of Recipients of Personal Data
When undertaking its legal functions, the Charities Regulator may publish Personal Data of individuals such as Trustees and share such Personal Data with third parties where it is necessary, lawful and/or appropriate.
Personal Data may be disclosed internally when passed from one unit to another in accordance with the data protection principles and this notice. Personal Data is not passed to any internal department or any individual that does not reasonably require access to that Personal Data with respect to the purpose(s) for which it was collected and is being processed.
Except as disclosed in this Privacy Notice, the Charities Regulator will not disclose Personal Data that it collects to any parties other than for the purpose outlined, in order to fulfilling its statutory obligation or in compliance with a legal obligation, without your consent. Categories of such third parties may include:
- Gardaí Síochána;
- Revenue Commissioners;
- Director of Corporate Enforcement;
- Competition Authority;
- any other person charged with the detection, investigation or prosecution of offences;
- Relevant Regulators and Foreign Statutory Bodies prescribed by regulation;
- legal advisors;
- ICT system and service providers;
- authorities to whom the Charities Regulator is legally obliged to disclose Personal Data, e.g. law enforcement, tax authorities, etc.
Whenever the Charities Regulator discloses information to third parties, we will only disclose that amount of Personal Dta that is necessary. Third parties that receive Personal Data from the Charities Regulator must satisfy the Charities Regulator as to the measures taken to protect and keep it secure.
Appropriate measures will be taken to ensure that all such disclosures or transfers of Personal Data to third parties will be completed in a secure manner and pursuant to contractual safeguards.
The Charities Regulator may provide information, when legally obliged to do so and in response to properly made requests, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. In the case of any such disclosure, the Charities Regulator will only do so in accordance with Data Protection Law.
The Charities Regulator is a scheduled body a set out under Section 1(2) of the National Archives Act 1986, (the “NA Act”) and is obliged to comply with the NA Act in relation to the retention of all departmental records as defined under Section 2(2) of the NA Act. Once documentation is more than 30 years old, under Section 8(1) of the NA Act, the Charities Regulator is obliged to transfer all Departmental Records to the National Archives where they will be available for public inspection.
Transferring Personal Data to a country out the Economic European Area (EEA)
All requests from staff members of the Charities Regulator, or contractors acting on behalf of the Charities Regulator, to transfer Personal Data outside the EEA (“transfer” includes making available remotely) must be formally made in writing to the DPO before any authorisation can be provide to transfer Personal Data to countries outside the EEA.
The GDPR requires that Personal Data is:
- Processed in a way that is lawful, fair and transparent;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and is limited to what is necessary;
- Accurate and kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- Processed in a manner that ensures appropriate security of the data.
Where can I get more information about my rights under GDPR?
The Data Protection Commission’s website offers an explanation of the rights and responsibilities under the Data Protection Acts and information is also available from:
Data Protection Commission
The Data Protection Commission may also be contacted by:
How can I access my Personal Data (Subject Access Request)?
Among the rights conferred by the GDPR on ‘data subjects’ is the right to obtain a copy of their Personal Data which is being processed by the Charities Regulator.
In order for the Charities Regulator’s to identify and locate the Personal Data sought, you should complete and return our online Subject Access Request Form (SAR) ensuring that you provide, in so far as is possible, details of your interaction with the Charities Regulator.
Please note: As we need to verify the identity of anyone making a Subject Access Request, you will need to provide us with specific forms of identification (details contained in the SAR form).
Your Subject Access Request will be responded to within one month of the date of receipt or, where difficulty arises in the verification of your identity, within one month of identity verification.
You can also make a Subject Access Request by writing to the Charities Regulator:
Data Protection Officer
3 George’s Dock
Alternatively, please email DPA@charitiesregulator.ie
This Privacy Notice will be reviewed regularly in light of any legislative or other relevant developments and at a minimum on an annual basis.