General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is designed to give individuals more control over their personal data. The Irish Universities Association (IUA) becomes subject to the GDPR on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
Under the GDPR, individuals have the following rights:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling
Click here for a link to the Data Protection Commission’s publication “Rights of Individuals under the GDPR”.
Definition of Personal Data
The term “personal data” means any information relating to a living person who is identified or identifiable (such a person is referred to as a “data subject”).
A person is identifiable if they can be identified directly or indirectly using an “identifier”. The GDPR gives examples of identifiers, including names, identification numbers, photographs and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.
How to submit a subject access request to Irish Universities Association under the General Data Protection Regulation
You can submit a subject access request in writing by post or by email to:
Data Protection Contact
Irish Universities Association
48 Merrion Square Dublin 2 D02 PK02
+353 1 6764948
Your request should include the following:
- A statement that the request is being made under the General Data Protection Regulation
- As much information as possible about the subject matter of the access request
- In what format you wish to receive any records released (e.g. photocopies or electronically).
Proof of ID is required to process subject access requests, e.g. driver’s license or passport. Please note depending of the nature of the request additional ID maybe required. Irish Universities Association’s Data Protection Contact will discuss this requirement for additional ID if required prior to the request being processed.
Response time to a subject access request
Your subject access request will be acknowledged within five working days. A response to your request will be given no later than a month of receipt of the request. The one month period may be extended by two further months, where necessary, taking into account the complexity and number of requests. In this case, the IUA shall inform you of any extension within one month of receipt of the request and the reasons for the delay.
If the IUA does not take action on foot of your request, the IUA must inform you without delay and, at the latest, within one month of receipt of your request, of:
- The reasons for not taking action;
- Your right to lodge a complaint with a supervisory authority and seek a judicial remedy.
Cost of submitting a subject access request
Your request will be dealt with free of charge. However, where requests from a data subject are considered ‘manifestly unfounded or excessive’ (for example where an individual continues to make unnecessary repeat requests or the problems associated with identifying one individual from a collection of data are too great) the IUA may:
- Charge a reasonable fee, taking into account the administrative costs of providing the information/ taking the action requested; or
- Refuse to act on your request.
Where the IUA refuses to respond to an access request or to charge a fee on this basis, the IUA shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.