Frequently Asked Questions
Any organisation that processes personal data in the EU/EEA, or offers goods or services to, or monitors the behaviour of, individuals in the EU/EEA must comply with GDPR, regardless of where it is based. In Ireland, GDPR is supplemented by the Data Protection Act 2018.
-
Personal data is any information relating to an identified or identifiable person—for example, names, contact details, ID numbers, online identifiers, location data, or factors specific to someone’s identity. If a person can be identified directly or indirectly from the information, it is personal data.
-
Every processing activity must have at least one lawful basis under Article 6 GDPR. The six lawful bases are:
Consent
Performance of a contract
Legal obligation
Vital interests
Public task
Legitimate interests
You must choose the most appropriate basis for each purpose and document it.
-
No. Consent is only one lawful basis and is often not the most appropriate. You can also rely on contract, legal obligation, public task or legitimate interests where those fit better. If you do rely on consent, it must be freely given, specific, informed, unambiguous, and easy to withdraw.
-
A privacy notice must clearly explain:
Who the controller is and how to contact them
What personal data is collected and how it is obtained
Why it is processed and the lawful basis
Who it is shared with and any international transfers
How long it is kept
Individuals’ rights and how to exercise them
How to complain to the Data Protection Commission
-
Individuals have the right to:
Access their personal data
Rectify inaccurate data
Erase data in certain circumstances
Restrict processing
Object to certain processing
Exercise data portability (for some data)
Not be subject to some automated decisions with legal or similarly significant effects
They also have the right to complain to the Data Protection Commission and to seek compensation through the courts.