Alan Kelly (Tipperary North, Labour)
Link to this: Individually | In context | Oireachtas source

55. To ask the Minister for Enterprise, Trade and Employment when his Department officials last met with the Data Protection Commissioner to ensure the highest standards are being met by the Department, and all agencies under its remit, in terms of compliance with data protection legislation. [14438/25]

Peter Burke (Longford-Westmeath, Fine Gael)
Link to this: Individually | In context | Oireachtas source

A full-time Data Protection Officer (DPO) at the level of Assistant Principal Officer was appointed by my Department on 30 April 2018. My Management Board agreed the assignment of a full-time post at this level to ensure the highest standards are being met by my Department and its Offices in terms of compliance with data protection laws, including the GDPR and Data Protection Act 2018. The DPO operates with independence in this important role and with the full authority of the Secretary General and Management Board.

In that context, given the broad range of the functions under the remit of my Department and its Offices, our DPO regularly meets and engages with the Data Protection Commission (DPC) on a number of important data protection compliance issues. These contacts often occur on a monthly basis but can also occur weekly depending on the nature and complexity of the issues involved.

Typically, these contacts would include:

• mandatory prior-consultation procedures with DPC for all legislative measures involving the processing of Personal Data.
• liaising with the DPC on reviews of data protection complaints and other data protection rights including Right to Erasure, Right to Rectification as provided for under Articles 15 to 22 of the GDPR.
• liaising with the DPC in relation to any high risk personal data breaches that are reported by my Department or its Offices to ensure that activated risk mitigants meet the DPC's requirements.
• liaising with the DPC to review compliance issues for new or significantly changing processing activities, including the sign-off of Data Protection Impact Assessments (DPIAs) for higher risk processing activities.
• liaising with the DPC for all s. 109 Amicable Resolution procedures in relation to data protection complaints where the DPC recommends the initiation of this process under data protection laws.
• engaging with the DPC for advice on any new processing activities involving larger scale personal data processing.