4. Collecting Personal Information

 


Communicating or transacting with customers online carries legal obligations. This section explains:

  • Data protection law and specifically your company's obligations as a data controller
  • Website privacy policies and why they are necessary


a Data Protection
If you collect personal data about living individuals, you are considered to be a data controller. Most businesses will collect such data, whether about customers, potential customers or employees. Personal data means data relating to an individual who is or can be identified either from the data itself or from the data combined with other data available to the data controller. Examples of such personal information include home addresses, ages, gender details and occupations.

All data controllers, that is, those that obtain personal data first hand, must comply with certain important rules about how they collect and use personal information. Equally, data processors, that is, those that process data on behalf of data controllers, also have to meet certain obligations. Certain controllers and processors are obliged to register annually with the Data Protection Commissioner, and failure to register when required can result in prosecution.

There is a selective system of registration. Data controllers who process personal data are not required to register separately as a processor (although a registered processor that begins to control data would have to re-register). However, you are required to register specifically with the Data Protection Commissioner if:

  • You collect and process sensitive personal information (e.g., data relating to health, racial origin, etc.)
  • Your business consists wholly or mainly of direct marketing, credit referencing or debt collection
  • You are a public body, a telecommunications company or an ISP

The requirement for registration is part of an effort to supervise the retention of personal data, in the interests of those people whose data are being stored. In summary, data controllers are under a duty to ensure that data is:

  • Obtained and processed fairly
  • Kept only for one or more specified lawful purposes
  • Processed only in ways compatible with the purposes for which it was supplied initially
  • Kept safe and secure
  • Not disclosed to third parties except where it is appropriate to do so
  • Kept accurate and up to date
  • Adequate, relevant and not excessive
  • Retained for no longer than is necessary.

In addition, a copy of the data must be provided, on request, to the individual to whom it refers. This means that if someone wants to check the accuracy of your records, they can ask you to provide a copy of all data which you hold on them. The individual has the right to have this data corrected, if it is inaccurate, or erased, if you do not have a legitimate reason for retaining it.

When your customers are providing information to you, they must be made aware of who is collecting this information, what use will be made of this information and who will have access to it. In addition, if you plan to pass on this information to another party, you should obtain the customer's consent.

Where personal data is kept only for the purpose of direct marketing and the person to whom this data relates makes a request in writing that the data controller stops using it for this purpose, then the data controller must comply with this request within 40 days by erasing the data.

Where this data is kept for both direct marketing and another purpose - for example, invoicing or subscription renewal - then the data controller must stop using the data for marketing, and inform the individual concerned of the purposes for which the data is being retained and used in the future.

The personal data you hold must be accurate and, where necessary, kept up to date. In addition, you must take appropriate security measures against unauthorised access to or unauthorised destruction of this data.


b Privacy Policies

It is necessary to publish a privacy policy if your website does any of the following:

  • Collects personal data (visitors filling in web forms, feedback forms, etc.)
  • Uses cookies or web beacons
  • Collects user data without the visitor's explicit action (IP addresses, e-mail addresses), whether or not that data identifies an individual on its own

The privacy policy must be accessible from all points of the site where personal data is collected. This statement should detail what personal data is collected by the site, and the purpose for which it is collected. The Data Protection Commissioner has published guidelines on such privacy statements.

Placing a statement only on the home page may not be sufficient. Links from other websites or from search engines may bring a visitor into the site via a page other than the home page. The ideal solution is to place a link to the privacy statement on every page. Alternatively, a link could be placed on each page on which data is collected, although if the website sets cookies on every page, that amounts to every page anyway.
