Donegal County Council Logo


Home > Your Council > Publications > Data Protection Policy

Data Protection Policy

Data Protection Policy - January 2020   





Purpose & Scope


Data Protection Officer


Rights of Individuals

Personal Data Breaches

Responsibilities of Staff

Subject Access Requests

Further Information



Donegal County Council as the Local Authority for County Donegal is responsible for the provision of an extensive and diverse range of services to the people of County Donegal. These services range from Planning Control, to the provision of Social Housing, to the upkeep and improvement of Roads, to Environment Services, Community Development, Emergency Services and Library Services.


In performing these functions the Council is required to collate and process significant amounts of “personal data” within the meaning of the General Data Protection Regulations (GDPR) and the Data Protection Act, 2018.


Purpose & Scope

The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, and the Data Protection Act 2018 which gives further effect to this regulation impose obligations on Donegal County Council to protect all personal data under its control. The purpose of this document is twofold as follows:


To outline Donegal County Council’s policy for fulfilling its obligations under data protection legislation


To highlight the Council’s commitment to protecting the rights and privacy of individuals and details how the Council ensure compliance with GDPR and Irish Data Protection legislation.



Personal data: any information concerning or relating to a living person who is either identified or identifiable (such a person is referred to as a ‘data subject’).An individual could be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.


Processing: any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.


Data Controller: A “data controller” refers to a person, company, or other body which decides the purposes and methods of processing personal data.


Data Processor: A “data processor” refers to a person, company, or other body which processes personal data on behalf of Donegal County Council.



Some types of processing are carried out on the basis that you have given your consent. Under the GDPR, consent to processing must be freely given, specific, and informed. You cannot be forced to give your consent, you must be told what purpose(s) your data will be used for, and you should show your consent through a ‘statement or as a clear affirmative action’ (e.g. ticking a box).


Consent is not the only lawful basis on which your personal data can be processed. Article 6 of the GDPR sets out the complete list of lawful reasons for processing personal data as:



To carry out a contract.

In order for an organisation to meet a legal obligation.

Where processing the personal data is necessary to protect the vital interests of a person.

Where processing the personal data is necessary for the performance of a task carried out in the public interest.

In the legitimate interests of a company/organisation (except where those interests contradict or harm the interests or rights and freedoms of the individual).

Data Protection Officer Donegal County Council have appointed a Data Protection Officer. The role of the Data Protection Officer will include:


Providing advice to the organisation on the measures that are necessary to achieve and maintain GDPR compliance;

Facilitating the development and maintenance of appropriate policies and procedures in relation to the protection of personal data;

Providing advice on the carrying out, where necessary, of data protection impact assessments;

Acting as a contact point for data subjects with regard to the exercise of their rights under GDPR;

Liaising and co-operating with the Data Protection Commission as appropriate.



The following are the basic principles that a Data Controller (Donegal County Council) will adhere to as outlined in the General Data Protection Regulations (Article 5) and the Data Protection Act 2018.


Lawfulness, Fairness, Transparency

Purpose Limitation

Data Minimisation


Storage Limitation

Integrity and Confidentiality



Lawfulness, Fairness and Transparency

 5.1.1 Donegal County Council is committed to ensuring that the personal data it collects from data subjects is obtained lawfully, fairly and in a transparent manner. Consequently, at the time it collects personal data from data subjects or, in instances where data is obtained from a third party, as soon as practical and before the commencement of processing of such data, the County Council will make them   aware of the following through their privacy statement:

The personal data being obtained

Who the County Council may obtain data from;

The purpose for obtaining and processing their personal data;

Who is processing the data;

Who and in what circumstances their personal data will be disclosed;

Details of how long their personal data will be retained


5.1.2. In order to process personal data you must have a lawful basis to do so. The lawful grounds for processing personal data are set out in Article 6 of the GDPR. These are:

The data subject has given consent to Donegal County Council to the processing of his or her personal data for one or more specific grounds

The processing is necessary by Donegal County Council for the performance of a contract to which the data subject is party

The processing is necessary for compliance with a legal obligation to which Donegal County Council is party

The processing of the date is necessary to protect the vital interests of a person;

The processing is necessary for the performance of a task carried out in the public interest; or in the exercise of an official authority which is vested in Donegal County Council.

The processing is necessary for the purposes of the legitimate interests of Donegal County Council (except where those interests are overridden by the interests or rights and freedoms of the data subject).


5.1.3 In instances where Donegal County Council is relying on the consent as a lawful processing condition the data subject’s consent must be freely given i.e. a deliberate and specific action to opt in or agree to the processing. For instance, a written statement, including by electronic means, or an oral statement. All consent must be opt-in consent.

Data subjects must be informed by Donegal County Council, at the time of the giving of consent, of their rights to withdraw consent at anytime. The method of withdrawing consent must be as easy as giving it.


5.1.4 Special categories of personal data:

Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:

Personal data revealing racial or ethnic origin.

Political opinions.

Religious or philosophical beliefs.

Trade union membership.

Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.

Data concerning health.

Data concerning a natural person’s sex life or sexual orientation.

Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.


5.2 Purpose Limitation Donegal County Council will, except where otherwise provided by data protection legislation, take measures to ensure that the processing of personal data is limited to the purposes for which it was obtained. Disclosures of personal data to third parties will only occur in circumstances that are permitted by law.

In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.


5.3 Data Minimisation Donegal County Council will put in place appropriate measures to ensure that the personal data held by it is proportionate for the specified purpose that it was obtained. The personal data should therefore be relevant, adequate and absolutely necessary for the specified purpose. Donegal County Council will continually monitor application forms and other means that are used to capture personal data to ensure that only the minimum amount that is necessary to achieve the specified purpose is gathered.


5.4 Accuracy Donegal County Council will implement appropriate measures to ensure that errors in personal data are identified, reported and corrected in as timely a manner as possible. These will include measures that will

Periodically check personal data for its accuracy;

Focus on personal data that is time-sensitive, i.e. likely to become inaccurate over time unless it is updated;

Ensure that the Council’s databases are kept up-to-date.


5.5. Storage Limitation Donegal County Council will ensure that the personal data are not kept longer than necessary. Time limits will be established by Donegal County Council for erasure or for a periodic review and these will be determined by reference to guidelines issued by the Local Government Management Agency (LGMA).


5.6 Integrity and Confidentiality


5.6.1 Donegal County Council will maintain the highest standards of technical and organisational security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular when the processing involves the transmission of date over a network, and against all other unlawful forms of processing.


5.6.2 In order to achieve the highest standards of technical and organisational security appropriate polices and procedures will be developed which will outline the specific security measures to be implemented and responsibilities within the organisation in terms of their implementation.


5.6.3 Security measures will be designed in such a manner that they are proportionate to the risks and sensitivities associated with the various categories of personal data that are under the control of the County Council.


5.6.4 Donegal County Council shall ensure that it will, where processing is carried out on its behalf, choose a processor that provides sufficient guarantees in respect of the technical and organisational security measures that are required to protect personal data.


5.7 Accountability Donegal County Council is responsible for, and must be able to demonstrate, our compliance with all of the above-named Principles of Data Protection. Donegal County Council must take responsibility for our processing of personal data and how we comply with the GDPR, and be able to demonstrate (through appropriate records and measures) our compliance, in particular to the DPC.


Consequently Donegal County Council will:


Adopt and Implement a Data Protection Policy

Appoint a Data Protection Officer

Carry out an information risk assessment

Continue to implement appropriate security measures

Periodic checks to ensure that these security measures remain appropriate and up to date.

Continue to maintain documentation of all processing activities

Continue to develop procedures for staff to follow

Organise further staff training

Record and where necessary, report personal data breaches

Continue to review and update where necessary measures that have been put in place.


Implementing Appropriate Agreements with Third Parties -The Council will continue to put in place appropriate agreements, memoranda of understanding, bilateral agreements or contracts (collectively “agreements”) with all third parties with whom it shares personal data.


Rights of Individuals Whose Data is Collected

Donegal County Council implements appropriate policies and procedures, facilitates training and provides advice to staff to ensure that data subjects can exercise their rights as follows:-


Right of Access

Donegal County Council implements procedures to ensure that requests from data subjects for access to their personal data will be identified and fulfilled in accordance with relevant legislation. A Subject Access Request Form is available.


Right to Rectification

Donegal County Council is committed to holding accurate data about data subjects and will continue to implement processes and procedures to ensure that data subjects can rectify their data where inaccuracies have been identified.


Right to Erasure (right to be forgotten)

Data subjects have a right to request the erasure of their personal data in specific circumstances. Where such a request is made, the Council will assess each case on its merits.


Right To Restriction of Processing

Donegal County Council implements and maintains appropriate procedures to assess whether a data subject’s request to restrict the processing of their data can be implemented.  Where the request for restriction of processing is carried out, Donegal County Council will write to the data subject to confirm the restriction has been implemented and when the restriction is lifted.


Right to Data Portability

Where the Council has collected personal data on data subjects by consent or by contract then the data subjects have a right to receive the data in electronic format to give to another data controller.  It is expected that this right will apply only to a small number of data subjects.


Right to Object

Data subjects have a right to object to the processing of their personal data in specific circumstances. Where such an objection is received, the Council will assess each case on its merits.


Right not to be subject to Automated Decision Making

Data subjects have the right not to be subject to a decision based solely on automated processing, where such decisions would have a legal or significant effect concerning him or her.  Data subjects will be informed when elements of processing include automated decision making or profiling.


Right to Complain

Donegal County Council implements and maintains a complaints process whereby data subjects can contact the Data Protection Officer [email protected] . The Data Protection Officer’s role includes working with the data subject to bring complaints to a satisfactory conclusion for both parties. Data subjects are also informed of their right to bring their complaints to the Data Protection Commissioner.


Personal Data Breaches Donegal County Council defines a ‘personal data breach’ as meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (e.g. the most common breach incidents that can occur are correspondence issuing to an unauthorised third party). The Council deems any loss of personal data in paper or digital format to be a personal data breach.


Donegal County Council aims to ensure that in the event of a personal data breach occurring that-

there is a system in place for recording how and when the organisation became aware of the breach

an immediate risk assessment of the risk is carried out

if required, notification is made of a personal date breach to the Data Protection Commission within 72 hours and to the individual ‘without undue delay’

implement controls to prevent a reoccurrence of the personal data breach


Any recommendations following the breach will be implemented as soon as possible


8.  Responsibilities of Staff

All staff processing personal data on behalf of Donegal County Council has a responsibility to comply with this Data Protection Policy.

The Council will aim to ensure that all employees who have access to any personal data held by the Council are fully aware and abide by the duties and responsibilities as provided for in the legislation.

The Council will continue to provide support, assistance, advice and Data Protection Awareness training to staff.

The Council takes compliance with this policy very seriously. If a staff member knowingly or wilfully fails to comply with any requirement, the Council may consider action under the Council’s Disciplinary Code.


9.  Subject Access Requests

It is the policy of Donegal County Council to have a central point of access for Data Protection requests as well as providing assistance to requesters. A data subject has the right to access personal data which has been collected concerning them. Donegal County Council will aim to ensure that this right can be exercised easily. All data subject access requests will be channelled through the D.P.O office.

There are no other formal requirements for an access request to be valid, other than that the request is sufficiently clear to act upon, and that the identity of the requester is sufficiently clear.

Donegal County Council upon receiving a valid subject access request will respond to the request without undue delay and at the latest within one month of receiving the request. The time to respond  can be extended by a further two months if the request is complex or Donegal County Council have received a number of requests from the same individual, but Donegal County Council will let the individual know within one month of receiving their access request and explain to them why the extension is necessary.


10.  Further Information

The Data Protection Officer is available to provide information and advice.

Contact details for the County Council’s Data Protection Officer are as follows:


Phone: 074 9153900

Email:                      [email protected]



Postal Address:          Donegal County Council, County House,

                                The Diamond, Lifford, Co Donegal F93 Y622