Data Protection

 What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union Regulation that has been designed to strengthen and unify Data Protection within the EU. It also provides a number of rights to data subjects.

The Department will comply with its responsibilities under the legislation in accordance with the data protection principles as follows:

  1. Personal data shall be processed lawfully and fairly
  2. Personal data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes
  3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed
  4. Personal data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  5. Personal data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed
  6. Personal data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against
  1. Unauthorised or unlawful processing
  2. Accidental loss, destruction or damage.

Key Definitions

Personal data

Under the GDPR, personal data is data that relates to or can identify a living person, either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.

Special category personal data

Special category personal data means personal data relating to any of the following:

  • The data subject’s racial or ethnic origin, their political opinions or their religious or philosophical beliefs
  • Whether the data subject is a member of a trade union
  • The data subject’s physical or mental health or condition or sexual life
  • Whether the data subject has committed or allegedly committed any offence
  • Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings

data subject is the individual to whom the personal data relates. You can read more in our document 

Organisations that collect or use personal data are known as data controllers and data processors.

Data Protection Policy Documents

In preparation for the GDPR, we have been updating and developing data protection policies such as our data protection policy (also known as our privacy policy), our departmental privacy notice and guidance on making an application for your personal data.  We are also developing a number of other policies which will be published on this page shortly.

What are my rights?

The rights individuals enjoy under the GDPR are the same as those under the Data Protection Acts, but with some changes.

Individual rights include:

  1. The right to obtain access to personal data. Data subjects have the right to be provided with copies of their personal data along with certain details in relation to the processing of their personal data.
  2. The right to information. Data subjects have the right to be provided with certain information, generally at the time at which their personal data is obtained. We comply with this obligation through our privacy notice(s)
  3. The right to rectification. Data subjects have the right to have inaccurate personal data that a controller holds in relation to them rectified.
  4. The right to object and restrict processing. Data subjects have the right to require that a controller restricts its processing of their data in some circumstances, and have the right to object to the processing of their personal data in certain circumstances.
  5. Rights in relation to automated decision making. Data subjects have the right not to be subjected to processing which is wholly automated and which produces legal effects or otherwise which significantly affects them, and which is intended to evaluate certain personal matters, such as creditworthiness or performance at work, unless one of a number of limited exceptions applies.
  6. The right to request erasure of personal data. Under certain circumstances a data subject has the right to request the erasure of their personal data.​

If you are making a subject access request, and to help us answer your request, please fill in our subject access request form which can be found in pdf format or alternatively in word format

Completed forms should be emailed to or sent by post to

Ms Aoife McQuillan

Data Protection Officer

Data Protection Unit

Department of Transport, Tourism and Sport

Leeson Lane

Dublin D02 TR60.

You are legally entitled to a decision regarding your request within 1 month of the receipt of a valid subject access request. However every effort will be made by the Data Protection Officer to deal with your request as soon as possible. In order to validate your request, you will be asked to provide proof of your identity.

To exercise any of your data protection rights contact the Data Protection Office directly.

If you are unhappy with the decision of the Data Protection Officer you have the right to complain to the Data Protection Commissioner who will investigate the matter for you. The Commissioner has legal powers to ensure that your rights are upheld.

Further details on your rights under the Data Protection Acts are available at the Data Protection Commissioners website

If you have any questions or concerns please contact our Data Protection Office on 00353 1 604 1239 or

Privacy Statement

We require customers to provide certain personal data in order to carry out our legislative and administrative functions. We treat all information and personal data that you provide as confidential, in accordance with the General Data Protection Regulation and Data Protection legislation.

Your personal data may be exchanged with other Government Departments or agencies under the remit of DTTAS in accordance with law. Full details of the Department's data protection policy setting out how we will use your personal data as well as information regarding your rights as a data subject are available at  Details of this policy are also available in hard copy upon request by emailing or in writing to Data Protection Unit, Department of Transport, Tourism and Sport, Leeson Lane, Dublin D02 TR60.