Mr. Barry Lowry:

We met with the Department of Health and HSE about GDPR. We met the Data Protection Commissioner several weeks ago and we have had regular meetings since. The Department of Health and HSE act as joint controllers of the data. They only transfer the data relevant to the certificate. The delivery partners, which produce the certificates, only produce the data that are relevant to the certificate. We do not see anyone's health record or anything else. That is all securely managed by the Department of Health. We have signed a processing agreement with the HSE and Department. Revenue and our other partners, NearForm, have signed sub-processing agreements with us. Everything is in compliance with GDPR and the way the forms and so on are done is transparent. Only the data that are needed are accessed in the whole process and they are not retained beyond 72 hours. It is needed at that point in case there are any inquiries. After that, it is deleted, which is entirely compliant with GDPR.