The Charities Regulator is committed to protecting the rights and privacy of individuals in accordance with the General Data Protection Regulation (the GDPR) and the Data Protection Act 1988 - 2018 (the DPA). The DPA compliments the GDPR and deals extensively with how the GDPR is enforced in Ireland. Throughout this statement 'Data Protection Laws' should be taken as referring to the GDPR, the DPA and any amending legislation. Data Protection Laws give rights to individuals about the privacy of their personal data. Data Protection Laws also place responsibilities on those persons holding and processing such data. The Charities Regulator collects, stores and processes certain personal data in order to carry out its functions. Personal data means any information relating to an identified or identifiable living individual.
Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes:
- the collection,
- adaptation or alteration,
- disclosure by transmission,
- sharingor otherwise making available,
- alignment or combination,
- restriction, and
- erasure or destruction of personal data.
This Data Protection Statement provides information about the ways in which the Charities Regulator collects, stores and uses personal data relating to individuals.
Data Protection Legislation
The GDPR came into force on 25 May 2018 and significantly changed data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations. The GDPR is designed to give individuals more control over their personal data.
The key principles relating to the processing of personal data under the GDPR are:
- Limiting what it can be used for;
- Limiting what can be collected and used for ;
- storage limitation;
- integrity and confidentiality; and
- accountability (Article 5 of the GDPR).
Although the GDPR is directly applicable as a law in all Member States, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018 (‘the 2018 Act’).
Data Protection and the Charities Regulator
Who we are
The Charities Regulatory Authority (the “Charities Regulator”) is Ireland's national statutory regulator for charitable organisations and is an independent authority established in accordance with the Charities Act 2009, as amended (the “2009 Act”). The key functions of the Charities Regulator are set out in Section 14 of the 2009 Act which includes the requirement to establish and maintain a register of charitable organisations and to ensure and monitor compliance with the 2009 Act.
Our Data Protection Principles
The Charities Regulator is committed to following and showing compliance with the following principles relating to the processing of personal data as set out in Data Protection Laws.
Personal data shall be:
- processed lawfully, fairly and transparently;
- collected for specific, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary for processing;
- accurate and, where necessary, kept up to date;
- kept in a form such that the data subject can be identified only as long as is necessary; and
processed in a manner that ensures appropriate security.
Rights of individuals whose data is collected
The Charities Regulator is committed to designing and maintaining appropriate policies and procedures to protect the rights of individuals as set out in Data Protection Laws to:
- access their personal data;
- correct their personal data;
- erase their personal data;
- restrict processing of their personal data;
- transfer their personal data;
- object to the processing of their personal data; and
- withdraw consent (where we are relying on consent to process data).
None of the rights mentioned above are absolute and certain situations may arise when individuals cannot enact them in particular circumstances. If this situation does arise the individual will be given a detailed explanation as to why.
Controller contact details
The data controller decides why and how the personal data is processed. In this instance the Charities Regulator is the Controller for the personal data it processes. You can contact the Charities Regulator in a number of ways, which are set out on the contact page of our website.
Data Protection Officer contact details
The Charities Regulator has appointed a Data Protection Officer. You can contact Data Protection Officer by e-mailing DPA@Charitiesregulator.ie.
What is the Legal Basis for Processing of Personal Data by the Charites Regulator
The legal basis for the processing of personal data by the Charities Regulator will depend on what we do as set out in our governing legislation the Charities Act 2009 and why the processing is being carried out.
Where the Charities Regulator is processing personal data to carry out its legal functions, it must meet at least one of the requirements that are laid out in Article 6 of the GDPR. Each of these requirements and examples of them are expanded on below:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes. Consent is likely to be appropriate ground where an organisation wants to offer a real choice to individuals – for example, whether they want to receive newsletters. Organisations must give consideration when utilising consent as consent can always be withdrawn by the data subject. Additionally if a relationship between the Controller and Data Subject has a power imbalance (such as employment or during processing by a public authority), it may be difficult to establish valid legal consent.
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The execution of a contract between two or more parties often involves some processing of personal data. This would include the Charities Regulator processing the personal data of staff to ensure that they receive payment in line with their employment contracts.
Processing is necessary for compliance with a legal obligation to which the controller is subject. For this section to be applicable any data processing must have a basis in EU or Irish law. A few examples of this would be sharing employee data with Revenue, processing data under money laundering regulations or disclosing data as a result of a court order
Processing is necessary in order to protect the vital interests of the data subject or of another natural person. The definition that is given for vital interest is “an interest which is essential for the life of the data subject or that of another natural person”. This means that we can only process data under this article in a life-or-death situation and when the processing is necessary for the survival of the data subject. This is likely to only be applicable in emergency situations. This can also be applied to large scale situations including the processing of personal data for humanitarian purposes including monitoring epidemics and their spread.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. For this section to apply the task of data processing must have a clear basis in law. In the case of the Charities Regulator this would be required to be covered under certain sections of the Charities Act 2009 such as section 39 which requires Trustees to provide certain personal data for the registration process.
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Legitimate Interest would apply to data processing whenever an organisation uses personal data in a way that the data subject would expect their data to be used. The conditions of Legitimate Interest would apply when the processing isn’t required by law, but there’s a clear benefit to it, there is little risk of the processing infringing on the data subjects privacy and the data subject should reasonably expect their data to be used in that way. Examples of this would include the Charities Regulator giving an IT company access to its online platforms to ensure that the IT safeguards are sufficient and the proper safeguards are in place.
The Charities Regulator is also designated as a competent authority under the Law Enforcement Directive (LED) which has been enacted into law under part 5 of the Data Protection Act 2018. The LED deals with the processing of personal data for law enforcement purposes which fall outside the scope of the GDPR. The processing of personal data under the LED will be limited to a number of activities of the Charities Regulator, namely the following processes:
- the prevention of criminal offences;
- the investigation of criminal offences;
- the detection of criminal offences; and
- the prosecution of criminal offences.
Examples of the purposes for which the Charities Regulator may collect personal data under the LED include inquiries and investigations - including personal data received from data subjects directly; and personal data received from an organisation, which is the subject of an inquiry or investigation.
How Does The Charities Regulator Collect Personal Data?
The type of Personal Data that the Charities Regulator processes depends on the purpose and legal basis for processing that data. The Charities Regulator will only process such Personal Data or special categories of data as is reasonable and necessary in order to carry out its functions under the 2009 Act and in carrying out these tasks will do so in the public interest. The categories of Personal Data processed depends on the business unit that is handing the data, as follows:
The Compliance Unit in the course of carrying out its functions may receive:
- Personal Data (including the name, address, email address, contact number, job title, role or place of work); and
- Special category data (data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, data concerning a natural person's sex life or sexual orientation).
The Charity Services in the course of carrying out its functions may receive:
- The Personal Data received includes, name, address, email address, contact number and date of birth. This Personal Data can relate to the applicant and a third party relevant to the application, including purchasers, beneficiaries and previous title holders.
Individuals contacting the Charity Services Unit may give it Personal Data and special category data these individuals may be:
- Trustees or their representatives.
Registration and Reporting
The Registration and Reporting Unit in the course of carrying out its functions may receive:
- The Personal Data received can include name, address, email, telephone numbers, bank account number and identity documents (passport/drivers licence). The Personal Data can relate to the organisation’s Trustees (or connected persons to the Trustees), Directors, Officers or members of staff of the applicant, volunteers, donor, beneficiaries and current or former advisors to the applicant.
Communication and Stakeholder Engagement
The Communication and Stakeholder Engagement Unit in the course of carrying out its functions may receive:
- The Personal Data from third parties, including stakeholders, charity personnel, trustees, suppliers, journalists and other interested parties. The Personal Data received can include name, address, title, email address and telephone numbers.
The Corporate Affairs Unit in the course of carrying out its functions may receive:
- The Personal Data received can include names, addresses, email, telephone numbers, identity documents, staff ID and bank account details. The Personal Data can relate to individuals submitting requests as well as Stakeholder Engagement relating to Research carried out by the Charities Regulator as well as Personal data relating to staff.
The Finance Unit in the course of carrying out its functions may receive:
- The Personal Data from third parties, including stakeholders, charity personnel, trustees and suppliers. The Personal Data received can include name, address, title, email address, bank account details and telephone numbers.
Purpose for Processing Personal Data
The Charities Regulator processes personal data for a number of different purposes, which arise from its statutory powers, functions and duties.
The Charities Regulators statutory powers, functions and duties derive from the Charites Act 2009, and include the following:
- assessing applications for registration;
- maintaining a Public Register of charitable organisations operating in Ireland;
- carrying out investigations into the affairs of charitable organisations;
- maintaining and administering the Common Investment Fund;
- providing charity trustees/charities with information about its news and events, training and seminars and e-learning services;
- informing research into the charity sector in Ireland;
- maintaining an accurate mailing list of subscribers;
- administering and improving its website and internal operations, including troubleshooting, data analysis, testing, research, and for statistical and survey purposes; and
- human resource purposes relating to employment with or appointment to the Board or a Committee of the Charities Regulator.
The Charities Regulator will also process personal data in the performance of its general function including the recruitment of staff, payment to staff, sharing employee personal data with tax authorities etc.
GDPR seeks to ensure that Personal Data is processed lawfully, fairly and transparently, without adversely affecting the rights of the Data Subject.
The Charities Regulator will rely on the following legal bases under the Regulation and the Data Protection Act 1988 - 2018 in processing Personal Data. The relevant legal basis is dependent on the relevant business unit that processes the data, as follows:
Compliance and Enforcement
Registration and Reporting
Where the lawful basis for the processing of Personal Data is based on the consent or, where necessary, the explicit consent of the Data Subject, that consent can be withdrawn at any time. Where consent is withdrawn, it will not affect the lawful basis for processing up until that time.
Who Are The Recipients Of Personal Data Processed By The Charities Regulator?
The Charites Regulator takes all reasonable steps to ensure that our staff protect your personal data and are aware of their information security obligations. We limit access to your personal data to those who have a business need to know it.
We may share personal data with trusted third parties, when we have lawful reason do so, including:
- Service providers for our registration system;
- Service providers for out IT system;
- Service providers issuing our E-zine or invites to events;
- Ensuring payments for the Common Investment Fund;
- Carrying out our necessary functions with other government agencies including Revenue, An Garda Síochana and the Companies Registration Office; and
- Financial Institutions for the processing of payments.
Before any personal data is shared the Charities Regulator ensures that the relevant data sharing agreements and safeguards are in place.
Retention means how long we keep your personal data. The retention periods for personal data held by the Charities Regulator are based on the requirements of the data protection legislation and on the purpose for which the personal data is collected and processed. For example, in the case of complaints, the Charities Regulator will retain personal data for as long as is necessary for the handling of the complaint and for any subsequent action that is required.
The retention periods applied by the Charities Regulator to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.
As well as this as a public body the Charities Regulator must adhere to the National Archives Act 1986 which state that; No legislation takes precedence over the National Archives Act, 1986 with regard to the management of public records. Before destruction, retention or withholding of records can take place, the provisions as set out in the National Archives Act, 1986 and Regulations, 1988 must be adhered to.
How to access your Personal Data
Among the rights given by the GDPR on Data Subjects is the right to get a copy of their Personal Data which is being processed by the Charities Regulator.
In order for the Charities Regulator’s to find the Personal Data sought, you should complete and return our online Subject Access Request (“SAR”) form,
Please note: As we need to verify the identity of anyone making a Subject Access Request, you will need to give us specific forms of identification (details contained in the SAR form).
Your Subject Access Request will be responded to within one month of the date of receipt or, where difficulty arises in the verification of your identity, within one month of identity verification.
You can also make a Subject Access Request by writing to the Charities Regulator:
Data Protection Officer
Charities Regulator, 3 George’s Dock, IFSC, Dublin 1 D01 X5X0
Alternatively, please email DPA@charitiesregulator.ie
A Data Subject may also seek to have any of his or her Personal Data corrected. This will be done within 40 days of the request being made, provided there is reasonable evidence in support of the need for correction or erasure. You need to tell us what information is incorrect and what should replace it. We will inform recipients to whom that Personal Data have been disclosed (if any), unless this proves impossible or has a disproportionate effort.
It is your responsibility to ensure that all of the Personal Data provided to us is accurate and complete. If any information you have given us changes, please let us know as soon as possible.
Any person (staff or contracted person) who processes personal data on behalf of the Charities Regulator has a responsibility to comply with this data protection policy.
Training and Awareness
All staff receive training on this policy. New staff receive training as part of their induction training process. Completion of this training is compulsory.
Changes to the Data Protection Statement
This Data Protection Statement is kept under regular review and is therefore subject to change.
If you have any comments or queries in relation to this Data Protection Statement, please forward same to our Data Protection Team at DPA@CharitiesRegulator.ie.