Data protection

This page outlines: 

  • What data protection is
  • The differences between data protection and freedom of information
  • The main HPRA privacy notice
  • Information on the use of CCTV and sign-in information on the HPRA premises

Links to other privacy notices in place for specific HPRA activities can be found on the left-hand side at the top of this page.

What is Data Protection? 

Data protection is about ensuring that people’s personal data is collected, used and stored safely. Legislation has been put in place to ensure that individuals rights concerning their personal data are upheld. The HPRA adheres to the principles of data protection which are to: 

  • Process information lawfully, fairly and transparently (‘lawfulness’).
  • Collect data only for specified, explicit and legitimate purposes. Further processing of data is only carried out for purposes which are compatible with the original purpose the data was collected for (‘purpose limitation’). 
  • Collect only data that are adequate, relevant and limited to what is necessary (‘data limitation’). 
  • Ensure data are accurate and kept to up to date where necessary (‘accuracy’). 
  • Retain data which permits identification of data subjects for no longer than is necessary (‘storage limitation’).
  • Process data securely and protect against unauthorised or unlawful processing, loss, destruction, damage ('integrity and confidentiality').

What is the difference between Data Protection and Freedom of Information?

The GDPR provides similar rights of access as the Freedom of Information Acts. The main difference is that the GDPR does not apply to the records of deceased persons. There are also exemptions provided for in the legislation. This means that there are specific circumstances when the requested information will not be released. If any of these exemptions are used to withhold information, the reasons will be clearly explained to you.

You may use either the Freedom of Information Acts or the GDPR to access personal information held by public bodies. However, the GDPR applies only to your own personal information. Please see our privacy notice below for more information on how the HPRA processes personal data. 

Privacy notice

Personal data are processed by the HPRA in the performance of our regulatory functions to protect and enhance public and animal health through assessing the safety, quality and effectiveness of healthcare products. These functions include enforcement activities related to the investigation of activities associated with the illegal supply, manufacture or advertising of health products. 

Personal data are processed by HPRA employees, who shall ensure the confidentiality of the data. 

Personal data is only processed for secondary purposes under the following conditions:

  • The secondary use is related to the original reason the data was collected and/or is part of the HPRA’s regulatory functions. 
  • The data are not sensitive personal data. 
  • The processing is unlikely to cause damage or distress to the data subject. 
  • There are no long-term consequences for the data subjects following further processing.
  • There are safeguards in place to ensure the confidentiality and integrity of the data. 

Legal basis for processing

The legal bases for the processing are Articles 6(1) a, c,  and e of the GDPR:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

The legal basis for processing of special category data (e.g. data related to health) is Article 9(1)i of the GDPR: 

  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy

A list of relevant legislation outlining our responsibilities can be found under the relevant areas on this website.  

How is your information processed and shared?

Where required, any personal information which you provide is made available to other regulatory bodies in Europe and third countries to fulfil our regulatory functions. Personal information is also shared with a third party when you make online payments to the HPRA. 

We also co-operate with and may share data with An Garda Siochána, The Revenue’s Customs Service, and with other national and international counterparts and official bodies as required. 

The HPRA uses third party service providers and suppliers (also known as data processors) in order to carry out both our regulatory functions and other related matters. These third parties process personal data on behalf of the HPRA and appropriate arrangements are in place with them to protect personal data.

The HPRA have implemented accepted standards of technology and operational security in order to protect personally identifiable data and information from loss, misuse, alteration or destruction. In particular, we ensure that appropriate confidentiality obligations and technical and organisational security measures are in place to prevent any unauthorised or unlawful disclosure or processing of such information and data and the accidental loss or destruction of or damage to such information and data. 

All personal data relating our regulatory functions are kept permanently. 

The HPRA fully respects your right to privacy and treats all personal information with the appropriate standards of security and confidentiality, strictly in accordance with data protection legislation.  

What are your rights under data protection law?

Data protection legislation provides you with the following rights regarding the processing of your personal data, although your ability to exercise these rights may be subject to certain conditions:

  • the right to withdraw your consent to this processing at any time. Note the withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal. 
  • the right to request access to your data
  • the right to request your data be rectified or erased
  • the right to request processing of your data be restricted  the right to object to processing 
  • the right to lodge a complaint with the Data Protection Commission

Note that the right to data portability does not apply as the HPRA does not process data by automated means. 

How to contact us

For more information or to make a request regarding your personal data under data protection law, please submit your request in writing or via email to:

Data Protection Officer
Health Products Regulatory Authority
Kevin O'Malley House,
Earlsfort Centre,
Earlsfort Terrace,
Dublin 2

Tel: +353 (1) 676 4971
Fax: +353 (1) 676 7836
Email: dataprotectionofficer@hpra.ie

Please provide sufficient information in your request to enable us to deal with your query.

CCTV use at the HPRA premises

CCTV is in operation on the HPRA premises. The HPRA is the data controller for this and our contact details and information on your rights are listed in the privacy notice above. 

The purposes of the CCTV are: 

  • to protect against theft, vandalism or other criminal offences by any persons
  • to provide evidential material to An Garda Síochána where necessary and appropriate
  • to support the maintenance of health and safety standards in the workplace
  • for the security of HPRA staff and property

The legal basis for processing is Article 6(f) of the GDPR where processing is necessary for the legitimate interests pursued by the controller. 

The data collected may be shared with or supplied to An Garda Síochána where necessary or to the management of relevant contractors or employees in limited circumstances. All recording devices and any tapes/discs are securely located and operated within the HPRA.

Footage is retained for approximately 31 days. 

Retention of sign-in details when visiting the HPRA premises

Please note on visiting the HPRA premises, your sign-in details are retained for six months before destruction in order to maintain security records for the building.