What information must be in a privacy notice?

What the Law Says

The Data Protection Act 2018 implements the GDPR in Irish law and sets out specific requirements for privacy notices — also known as 'information to be provided' — when personal data is collected from individuals.

Under section 38 of the Data Protection Act 2018, organisations that collect personal data directly from individuals must provide a clear, concise, and easily accessible privacy notice at the time of collection.

This notice must be written in plain language — especially if addressed to children — and provided free of charge. It must include seven core elements: who is responsible for the data (the controller), why the data is being processed, the lawful basis for doing so, who else may receive the data, how long it will be kept, what rights individuals have (e.g., access, erasure, objection), and whether automated decision-making applies.

If data is not collected directly from the individual (e.g., obtained from a third party), the notice must still be provided within one month of obtaining the data — or sooner if the data is used to communicate with the person or disclosed to another recipient.

Statutory Text

The controller shall provide the data subject with the following information… (a) the identity and the contact details of the controller… (b) the purposes of the processing… (c) the legal basis for the processing… (d) the recipients or categories of recipients… (e) the period for which the personal data will be stored… (f) the existence of the right to request… access, rectification, erasure… (g) the right to lodge a complaint…

— Data Protection Act 2018, s. 38 — Information to be provided where personal data are collected from the data subject

What to Do

Sources