GDPR – General Data Protection Regulation

EU General Data Protection Regulation (GDPR)

The European Union GDPR commences on the 25th May 2018.  The GDPR provides for the consistent application of rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data across the EU member states.

The GDPR grants greater rights to you as an individual or “Data Subject”, and imposes greater responsibilities on GSOC as a “Data Controller”.  One of the central  requirements under the GDPR is for the collection of personal data to be lawful and fair.  It should be clear to you that personal data concerning you is collected, used, consulted or otherwise processed, and to what extent that personal data is or will be processed. This page explains what information about you GSOC processes, why we process it, with whom we share it, and what your rights are with respect to your information.

GSOC and the GDPR

GSOC has actively prepared for the introduction of the GDPR by reviewing what data we retain and how we process that data to ensure that we are legally compliant in how we handle and process personal data.

GSOC will shortly be publishing our updated Data Protection Policy on our website

GSOC has also updated our website privacy policy in accordance with the GDPR directive, please click on the following link to view our updated policy.

GSOC will be providing training to all our staff in the coming months to ensure that they are fully informed of their responsibilities regarding GSOC’s use of your data.

GSOC will continue to work towards fully implementing our obligations under the GDPR.  Over the coming months we will update this page to highlight the changes that we have implemented to ensure that data privacy and protection will be at the heart of all our functions.

Our Data Protection Officer is Louise O’Meara.



1.  What is GSOC’s legal basis for processing personal data?

In order for processing to be lawful, personal data should be processed on the basis of your consent or some other legitimate basis. The Garda Síochána Act, 2005 (as amended) is the legislation that governs the functions of the Garda Síochána Ombudsman Commission (GSOC).  Section 67 (2) of that Act outlines GSOC’s functions which are (in summary):

  • to receive complaints made by members of the public concerning the conduct of gardaí and investigate those complaints,
  • to report the results of those investigations to the Director of Public Prosecutions or the Garda Commissioner which may involve sending a copy of the investigation file to either or both;
  • to examine and investigate matters concerning the conduct of gardaí which may have resulted in the death or serious harm to a person;
  • to examine practices, policies and procedures of the Garda Síochána, for the purpose of preventing complaints arising or reducing incidences of complaints.

2. What data does GSOC collect about you?

In order to perform our statutory functions, GSOC processes personal information about individual members of the public and individual garda members.  GSOC collects and processes the following types of information:

  • Name
  • Address
  • Email address
  • Date of Birth
  • Gender
  • Garda rank
  • Garda registration number
  • Name of next of kin
  • Phone numbers

GSOC may also collect personal data of a sensitive nature, as defined under the GDPR, including data such as,

  • racial or ethnic origin, through our questionnaires.
  • genetic and biometric data for the purpose of uniquely identifying a natural person, which may be collected for the purposes of a criminal investigation.
  • data concerning health, including medical records or injury photographs, which may be collected for the purposes of investigating a complaint.

Personal data is normally obtained directly from you.  In certain circumstances, it will, however, be necessary to obtain data from third parties such as the Garda Síochána, independent witnesses, medical professionals or CCTV footage.

The categories of personal data we process and the legal bases for doing so will be set out in more detail later.

3.  How will your personal data be used by GSOC?

The information we hold or collect about you will be used for management and administrative purposes, to administer complaints, to decide if a complaint is admissible or not, to investigate or resolve complaints and for matters that involve alleged garda misconduct and for potential court or disciplinary proceedings in line with the Garda Síochána (Discipline) Regulations 2007.

GSOC is an employer also and processes the personal data of its staff and contracted service providers in order to run the organisation effectively and manage its employment relationship with staff.

4. Who receives your personal information outside of GSOC?

Your information may be disclosed to third parties such as the Garda Síochána to enable us to effectively investigate complaints or where we are legally obliged to do so. For example, if we are investigating a complaint we may share personal information with the Garda Síochána in order to identify the garda members concerned.  In order to fulfil our obligations as an employer, we share personal information with Peoplepoint and Payroll Shared Services.

More detailed information on how we share your personal data will be provided in our Data Protection Policy.

5. What are GSOC’s responsibilities when processing or collecting your personal data?

The Data Protection Acts 1998 and 2003 is the current legislation that governs your right as an individual—or data subject—to access your personal data.  These Acts will shortly be replaced by a new Data Protection Bill.  The Data Protection Bill provides that the processing of personal data shall be lawful where such processing is necessary for the performance of a statutory function of a controller of data. As already outlined GSOC’s functions are set out under section 67 of the Garda Síochána Act, 2005.

GSOC is a “Data Controller”. This means that GSOC has certain responsibilities in how we process and retain personal data.  We must:

  • Obtain and process information fairly
  • Keep it only for one or more specified, explicit and lawful purposes
  • Use and disclose it only in ways compatible with these purposes
  • Keep it safe and secure
  • Keep it accurate, complete and up-to-date
  • Ensure that it is adequate, relevant and not excessive
  • Retain it for no longer than is necessary for the purpose or purposes
  • Give a copy of his/her personal data to an individual, on request

6. What are your rights under data protection law?

You have the following rights under data protection law, although your ability to exercise these rights may be subject to certain conditions:

  • The right to receive a copy of and/or access the personal data that we hold about you together with other information about our processing of that personal data
  • The right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete
  • The right, in certain circumstances, to request that we erase your personal data
  • The right, in certain circumstances, to request that we no longer process your personal data the way in which we process it
  • The right, in certain circumstances, to transfer your personal data to another organisation
  • The right to object to automated decision making and/or profiling and
  • The right to complain to the Data Protection Commissioner

Further information on the GDPR and how it impacts individuals and organisations is available from the Data Protection Commissioner website and the EUGDPR website.

7. How do you access your personal data?

GSOC is aware of our obligations as a data controller with primary responsibility for, and a duty of care towards, the personal data within our control. Our obligations are set out in the GDPR and associated Irish legislation.

Data subjects, whose personal data is held by GSOC, are entitled to ask and receive confirmation about whether or not personal data concerning them is being processed. Where that is the case, data subjects are entitled to access their personal data as well as certain information in relation the processing of that data. In certain cases, access may be delayed if GSOC decides that releasing the data at that time would negatively impact our investigation of a complaint or referral.

The subject access request should be made in writing, and should include sufficient information to identify you, to our reasonable satisfaction so we can verify that we are not releasing your data to someone who is impersonating you.

Access requests should be directed to Further information on how to make a request for access to your personal data is available on the ‘Make a personal data request’ page on this website.

GSOC will try to respond as quickly as possible and in any event without undue delay, but if we have not been able to complete our response to you within one calendar month we will update you about our progress.

7.1   Exemptions

This right to access your personal data is subject to very limited exemptions.  GSOC is partially exempt from the duty to disclose in certain circumstances, including where such data is retained for the purposes of investigating criminal offences.

8.  Further information or complaints

If you have any queries in relation to how your data is processed, please contact our Data Protection Officer, Ms Louise O’Meara at the details below.


Phone: 1890 600 800 (press 2 for Reception)

Address: GSOC, 150 Abbey Street Upper, Dublin 1, D01 FT73


9. Non-personal data

GSOC also holds “Non-Personal Data”, such as numbers of complainants, statistical information about complaints or investigations and financial information. Non-personal data is not covered by the Data Protection Acts. For access to this type of information, you can make a request under the Freedom of Information Act 2014.

For further information on how to do that and to view our previous responses to requests, please visit here.