General Data Protection Regulation (GDPR) Frequently Asked Questions (FAQs)
What is the GDPR?
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It has general
application to the processing of personal data in the EU, setting out more extensive
obligations on data controllers and processors, and providing strengthened protections for
data subjects.
Although the GDPR is directly applicable as a law in all Member States, it allows for certain
issues to be given further effect in national law. In Ireland, the national law, which, amongst
other things, gives further effect to the GDPR, is the Data Protection Act 2018.
What constitutes personal data?
The GDPR defines ‘personal data’ as any information relating to an identifiable person who
can be directly or indirectly identified, in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data,
including name, identification number, location data or online identifier, reflecting changes in
technology and the way organisations collect information about people.
What is a data controller and who is the data controller?
A data controller is a person or organisation who (alone or with others) determines the
purposes for which and the manner in which any personal data are, or are to be, processed.
A data controller can be the sole data controller or a joint data controller with another person
or organisation. However, when services are provided directly by a private hospital, voluntary
hospital, agency or private contractor, that private hospital, voluntary hospital, agency or
private contractor may be the data controller.
What is a data processor?
A data processor is a person or organisation that processes personal data on behalf of the
controller. This does not include an employee of the controller who processes data in the
course of their employment. A data processor can be held liable if they are responsible for a
data protection breach.
What is data processing?
Processing, in relation to personal data, is any operation or set of operations performed on
personal data, including collecting, recording, organising, structuring, erasing, destroying,
altering, combining, disclosing or sharing the data.
What are the main GDPR principles?
Personal data must be processed in a transparent manner.
We must have a specific purpose to collect your data.
We may only keep data for as long as needed to fulfil the purpose for which it was collected. We delete medical records in accordance with our Records Retention Policy.
Where data is held on computers, we must ensure that those computers and networks are safe and secure.
Where data is in paper format, we are obliged to ensure that it is as safe and secure as a computer record.