General Privacy Notice

Introduction

This Privacy Notice provides guidance and information on how the Competition and Consumer Protection Commission (“CCPC”) collects and uses personal data.

The CCPC (“us”, “we” or “our”) is an independent statutory body with a mandate to enforce competition and consumer protection law in Ireland. In carrying out its statutory functions and activities, the CCPC engages with and may handle personal data relating to various different external parties, both individuals and businesses. In particular, the CCPC obtains data from individual members of the public who make complaints, enquiries or applications for authorisations to the CCPC or otherwise provide data to the CCPC. The CCPC also obtains data from businesses, companies, sole traders, partnerships, Government Departments, State bodies, State-sponsored bodies and other organisations, which may include personal data of individual contacts or officers of such entities.

This Privacy Notice is intended to apply to personal data connected with the aforementioned individuals and businesses. It applies whether such personal data is obtained by the CCPC on a voluntary basis or as a result of the exercise of the CCPC’s statutory powers.

The CCPC is committed to protecting and respecting your privacy. This Privacy Notice sets out the basis on which any personal data we collect from or about you in connection with the performance of the CCPC’s statutory functions and activities will be processed by us. Please read this Privacy Notice carefully to understand our treatment and use of personal data.

In this Privacy Notice, references to “you” mean the person whose personal information we collect, use and process.

We will use your personal data only for the purposes and in the manner set forth below, which describes the steps we take to ensure the processing of your personal data is in compliance with the Data Protection Acts 1988 to 2018 and any related or subsequent data protection and privacy legislation and amendments, as well as European Union Law including Regulation (EU) 2016/679 (known as the General Data Protection Regulation or GDPR), the Law Enforcement Directive (i.e. Directive (EU) 2016/680) and any subsequent implementing legislation and amendments (collectively referred to in this Privacy Notice as “Data Protection Legislation”).

We seek to maintain the privacy, accuracy, and confidentiality of data (including your personal data) that we collect and use.

Identity of the controller of personal information

For the purposes of Data Protection Legislation, the Data Controller is the CCPC, which has its address at Bloom House, Railway Street, Dublin 1, D01 C576.

Contact details of the data protection officer

The contact details of the CCPC’s Data Protection Officer are as follows: Email Address: dataprotection@ccpc.ie

Address: Bloom House, Railway Street, Dublin 1, D01 C576.

When does this privacy notice not apply

This Privacy Notice applies to personal data that we collect, use and otherwise process about you in connection with the performance of the CCPC’s statutory functions and activities.

Processing of your personal data

Where does the CCPC obtain my personal data from?

Most of the personal data we process is obtained from you when you provide it directly to the CCPC, but we may also obtain personal data about you from other sources in the course of the performance of our statutory functions and activities (see “Introduction” section above).

How and why do we process your personal data?

The personal data we collect from or about you or through our systems helps us to comply with our legal obligations or to carry out our statutory functions and activities. The personal data we collect, the basis of processing and the purposes of processing are detailed below. Sometimes, these activities may be carried out by third party service providers on behalf of the CCPC (see “Sharing of Personal Data” section below).

Source and Purpose  of Processing

Basis of Processing Categories  of Data
Requests, Queries and Complaints

Information supplied by individuals or businesses who submit a request, query or complaint to the CCPC.

 

This is required to enable the CCPC to: (i) deal with and respond to your request, query or complaint, (ii) ensure compliance with the CCPC’s legal obligations and corporate governance requirements, and (iii) perform its statutory functions and activities.

Consent, where the personal data relates to the person supplying it to the CCPC and has been supplied to the CCPC voluntarily.

In relation to other personal data (e.g. personal data relating to a third party and/or personal data which is supplied as a result of the exercise of the CCPC’s statutory powers), processing is necessary for the performance of a task carried out by the CCPC in the public interest or in the exercise of official authority vested in the CCPC and/or to comply with legal obligations.

Personal data (including name, gender, address, telephone number, email address, eircode, job title) of the person submitting the request, query or complaint to the CCPC and/or of another individual (e.g. the subject of the complaint).
CCPC Enquiries and Investigations

Information supplied by or obtained from individuals or businesses who are the subject of enquiries or an investigation conducted by the CCPC on its own behalf or on behalf of another agency.

 

This is required to enable the CCPC to perform its statutory functions and activities.

Consent, where the personal data relates to the person supplying it to the CCPC and has been supplied to the CCPC voluntarily.

In relation to other personal data (e.g. personal data relating to a third party and/or personal data which is supplied as a result of the exercise of the CCPC’s statutory powers), processing is necessary for the performance of a task carried out by the CCPC in the public interest or in the exercise of official authority vested in the CCPC and/or necessary to comply with legal obligations.

Personal data (including name, gender, address, telephone number, email address, eircode, date of birth, job title, financial information, employment information, previous criminal convictions, family details) of the person submitting the information to the CCPC and/or of another individual (e.g. employees, customers, competitors or suppliers).
Mergers and Acquisitions

Information supplied by individuals or businesses involved in a proposed merger or acquisition which is notified to the CCPC.

 

This is required to enable the CCPC to: (i) ensure compliance with the CCPC’s legal obligations, and (ii) perform its statutory functions and activities.

Consent, where the personal data relates to the person supplying it to the CCPC and has been supplied to the CCPC voluntarily.

In relation to other personal data (e.g. personal data relating to a third party and/or personal data which is supplied as a result of the exercise of the CCPC’s statutory powers), processing is necessary for the performance of a task carried out by the CCPC in the public interest or in the exercise of official authority vested in the CCPC and/or necessary to comply with legal obligations.

Personal data (including name, gender, address, telephone number, email address, eircode, job title, financial information) of the person submitting the information to the CCPC and/or of another individual (e.g. employees, customers, competitors or suppliers).
Consumer Protection Act 2007 (Grocery Goods Undertakings) Regulations 2016

Information supplied by individuals or businesses who are, or who are acting on behalf of, a relevant grocery goods undertaking.

 

This is required to enable the CCPC to perform its statutory functions and activities.

Consent, where the personal data relates to the person supplying it to the CCPC and has been supplied to the CCPC voluntarily.

In relation to other personal data (e.g. personal data relating to a third party and/or personal data which is supplied as a result of the exercise of the CCPC’s statutory powers), processing is necessary for the performance of a task carried out by the CCPC in the public interest or in the exercise of official authority vested in the CCPC and/or necessary to comply with legal obligations.

Personal data (including name, gender, address, telephone number, email address, eircode, job title, financial information) of the person submitting the information to the CCPC and/or of another individual (e.g. employees, customers, competitors or suppliers).
Responses to Consultations, Information Requests or Questionnaires issued by the CCPC

Information supplied by individuals or businesses who respond to consultations, information requests or questionnaires issued by the CCPC.

 

This is required to enable the CCPC to perform its statutory functions and activities.

Consent, where the personal data relates to the person supplying it to the CCPC and has been supplied to the CCPC voluntarily.

In relation to other personal data (e.g. personal data relating to a third party and/or personal data which is supplied as a result of the exercise of the CCPC’s statutory powers), processing is necessary for the performance of a task carried out by the CCPC in the public interest or in the exercise of official authority vested in the

CCPC and/or necessary to comply with legal obligations.

Personal data (including name, gender, address, telephone number, email address, eircode, job title, financial information) of the person submitting the information to the CCPC and/or of another individual (e.g. employees,

customers, competitors or suppliers).

Financial Information

 

Details supplied for the purpose of the CCPC processing payments.

This is required to enable the CCPC to: (i) process any payment to be made to or by you; and/or

(ii) to comply with its legal obligations; or (iii) to perform its statutory functions and activities.

Processing is necessary for the performance of our contract with you (if any), to comply with legal obligations and/or for the performance of a task carried out by the CCPC in the public interest or in the exercise of official authority vested in the CCPC. Financial information (including bank account details) of the person submitting the information to the CCPC.

In some limited circumstances, we may request your explicit consent to process (specific types of) personal data. This will be predominantly where you voluntarily provide your personal data to the CCPC. In these circumstances, you are able to withdraw your consent at any time by following the instructions provided when you gave consent or at the contact details below. Consent will rarely be considered to be a basis for processing personal data gathered or obtained by the CCPC on foot of its competition or consumer protection law enforcement functions and activities.

Sharing of personal data

Internally within the CCPC

Your personal data will be held by the Division within the CCPC which originally obtained it. Your personal data will only be shared with the Members of the CCPC and with persons in other Divisions of the CCPC in certain circumstances and where necessary and lawful to do so,

i.e. it may be necessary to share your personal data with persons in other Divisions of the CCPC for the purposes of performing our statutory functions and activities.

Access to your personal data will be granted to persons within the CCPC only on a need to know basis, depending on job functions and roles.

Service Providers

We use third party service providers who provide services to the CCPC, including consumer helpline services, public relations services, and IT and communications services. In providing these services, your personal data will, where applicable, be processed by the service provider on our behalf.

We will check any third party service provider that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your personal data. We will have written contracts with them which provide assurances regarding the protections that they will give to your personal data and their compliance with our data security standards and international transfer restrictions.

Disclosures to Third Parties

In certain circumstances, we share and/or are obliged to share your personal data with third parties, for the purposes described above and/or in the course of the exercise of the CCPC’s statutory functions and activities. In particular, the CCPC is permitted to share certain information (which may include your personal data) with bodies with whom it has a cooperation agreement pursuant to section 19 of the Competition and Consumer Protection Act 2014 (referred to in this Privacy Notice as the “2014 Act”) and/or with the bodies specified in section 24(1) of the 2014 Act. In addition, the CCPC is permitted to share information with other competition and consumer protection authorities in the European Union pursuant to Council Regulation (EC) No 1/20031 and Regulation (EC) No 2006/20042 (as may be amended or replaced). Any disclosure of personal data by the CCPC to a third party shall be conducted in accordance with Data Protection Legislation.

These third parties may include:

  • any of the bodies with whom the CCPC has entered into a cooperation agreement pursuant to section 19 of the 2014 Act;
  • any of the bodies specified in section 24(1) of the 2014 Act;
  • the Director of Public Prosecutions;
  • the European Commission and national competition or consumer protection authorities in other EU Member States;
  • the CCPC’s external legal and professional advisors;
  • courts and tribunals of relevant jurisdiction;
  • the Department of Business, Enterprise and Innovation, the Department of Communications, Climate Action and Environment and other relevant Government Departments;
  • regulatory and supervisory authorities;
  • banks and financial institutions;
  • external auditors; and
  • others, where it is permitted by law, or where we have your consent.

Transfers outside the European economic area

Your personal data may be transferred, stored and processed in one or more countries outside the European Economic Area (“EEA”), for example, when one of our third-party service providers use employees or equipment based outside the EEA. For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Legislation. We will put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we will establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU Commission’s model clauses.

If you would like to see a copy of any relevant provisions, please contact our Data Protection Officer (see “Contact Us” section below).

How is my personal data secured 

We have in particular taken appropriate security measures to protect any personal data held by the CCPC from accidental or unlawful destruction, loss or alteration, and from unauthorised disclosure or access. Access to your personal data is only granted on a need-to-know basis to those people within the CCPC whose roles require them to process your personal data and, in certain circumstances, to third parties (see the “Sharing of Personal Data” section above). In addition, our third party service providers are also selected carefully and required to use appropriate protective measures.

If you would like further information about security measures applied to personal data held by the CCPC, please contact the CCPC’s Data Protection Officer (see the “Contact Us” section below).

Storage of personal data

We will keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. This may mean that some information is held for longer than other information. The criteria we use to determine data retention periods for personal data includes the following:

Retention in case of queries and complaints; we will retain it for a reasonable period after the query or complaint has been resolved or, if a formal investigation is opened by the CCPC in respect of the query or complaint, for a reasonable period after the conclusion of such investigation and/or any subsequent related legal proceedings;

Retention in case of investigations; we will retain it for a reasonable period after the conclusion of the investigation and/or any subsequent related legal proceedings;

Retention in case of reviews of mergers and acquisitions; we will retain it for a reasonable period after the CCPC issues its determination in relation to the merger or acquisition or, if the CCPC’s decision is challenged, for a reasonable period after the conclusion of any subsequent related legal proceedings; and

Retention in accordance with legal and regulatory requirements; we will consider whether we need to retain it after the periods described in 9.1.1 to 9.1.3 above because of a legal or regulatory requirement (e.g. as set out in the National Archives Act 1986, as amended) or for the purpose of performing our statutory functions and activities.

If you would like further information about our data retention practices, please contact the

CCPC’s Data Protection Officer (see the “Contact Us” section below).

Your rights

You may have various rights under Data Protection Legislation. However, in certain circumstances, these rights may be restricted3. In particular, your rights may be restricted where this is necessary: (i) for the prevention, detection, investigation and prosecution of criminal offences; (ii) in contemplation of or for the establishment, exercise or defence of a legal claim or legal proceedings (whether before a court, tribunal, statutory body or an administrative or out-of-court procedure); and/or (iii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC. Therefore, the CCPC considers that, in most cases, these rights will not apply in connection with the performance of the CCPC’s competition and consumer protection law enforcement functions and activities.

Subject to the above, your rights under Data Protection Legislation may include (as relevant):

Your right What  does it mean? How do I execute this right? Conditions          to exercise?
Right of access Subject to certain conditions, you are entitled to have access to your personal data which we hold(this is more commonly known as submitting a “data subject access request”). Request for such information should be made in writing to  dataprotection@ccpc.ie. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other individuals and/or businesses.
Right of data portability Subject to certain
conditions, you are
entitled to receive
the data which you
have provided to us and which is
processed by us by
automated means, in a commonly-used
machine readable
format.
Requests should be
made in writing to
dataprotection@ccpc.ie.
If possible, you should
specify the type of
information you would
like to receive to
ensure that our
disclosure is meeting
your expectations.
The GDPR does not establish a general right to data portability. This right only applies if the processing is based on your
consent or on our
contract with you
and when the
processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. Therefore, it does not, as a rule, apply to personal data
that was created by the CCPC or
supplied to the
CCPC by any other individual and/or business.
Rights in relation to
inaccurate personal
or incomplete data
You may challenge
the accuracy or completeness of personal data which
we process about
you. If it is found that personal data is inaccurate, you are entitled to have the
inaccurate data removed, corrected
or completed, as appropriate.
We encourage you to
notify us of any
changes regarding your
personal data as soon
as they occur, including
changes to your
contact details.
Requests should be
made in writing to
dataprotection@ccpc.ie.
This right only
applies to your own personal data. When
exercising this right, please be as specific as possible.
Right to object to or restrict our data
processing
Subject to certain
conditions, you have
the right to object to
or ask us to restrict
the processing of
your personal data.
Requests should be
made in writing to
dataprotection@ccpc.ie.
This right applies
only if the
processing of your
personal data is
necessary for the
performance of a
task carried out in the public interest (see “basis of
processing” above). Objections must be based on grounds
relating to your
particular situation.
They must not be generic so that we
can demonstrate
that there are still
lawful grounds for us to process your personal data.
Right to have
personal data
erased
Subject to certain
conditions, you are
entitled, on certain
grounds, to have your personal data
erased (also known
as the “right to be
forgotten”) e.g. where you think
that the information
we are processing is
inaccurate, or the
processing is
unlawful.
Requests should be
made in writing to
dataprotection@ccpc.ie.
There are various
lawful reasons why we may not be in a position to erase your personal data.
This may apply (i) where we have to comply with a legal obligation, (ii) in
case of bringing
legal proceedings
(including any legal proceedings relating to an investigation
conducted by the
CCPC which are not brought directly by the CCPC) or
defending legal
proceedings, or (iii) where retention
periods apply by law or under the CCPC’s internal data retention policies.
Right to withdrawal You have the right
to withdraw your
consent to any
processing for which
you have previously
given that consent.
Requests should be
made in writing to
dataprotection@ccpc.ie.
If you withdraw
your consent, this
will only take effect
for the future.

Your right to lodge a complaint  with a supervisory authority

If you are unhappy about any aspect of the way we collect, share or use your personal data, please let us know using the contact details below.

You also have a right to complain to the Data Protection Commission by post to 21 Fitzwilliam Square South, Dublin 2, D02 RD28; and/or by telephone at 1800 437 737/01 765 0100; and/or by using the webform available on the website www.dataprotection.ie.

Changes to this information 

We reserve the right to change this Privacy Notice at any time in our sole discretion. If we make changes to this Privacy Notice, we will publish any relevant changes on the CCPC’s public website (www.ccpc.ie) so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it. By continuing your relationship with us after we post any such changes on our website, you accept and agree to this Privacy Notice as modified.

Contact us

For further information or if you have any questions or queries about this Privacy Notice, please contact our Data Protection Officer at dataprotection@ccpc.ie or alternatively you can write to us at Emily Barry, Data Protection Officer, Competition and Consumer Protection Commission, Bloom House, Railway Street, Dublin 1, D01 C576.

Footnotes

1 Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.

2 Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, which was transposed into Irish law by the European Communities (Co-operation between National Authorities Responsible for the Enforcement of Consumer Protection Laws) Regulations 2006 (S.I. No. 290/2006).