General privacy notice
Introduction
This Privacy Notice provides guidance and information on how the Competition and Consumer Protection Commission (“CCPC”) collects and uses personal data.
The CCPC ("us", "we" or "our") is an independent statutory body in Ireland responsible for promoting competition, and protecting the interests of consumers through enforcement, information and advocacy. We also have roles in market surveillance, financial education and digital and data regulation. In carrying out its statutory functions and activities, the CCPC engages with and may handle personal data relating to various different external parties, both individuals and businesses. In particular, the CCPC obtains data from individual members of the public who make complaints, enquiries or applications for authorisations to the CCPC or otherwise provide data to the CCPC. The CCPC also obtains data from businesses, companies, sole traders, partnerships, Government Departments, State bodies, State-sponsored bodies and other organisations, which may include personal data of individual contacts or officers of such entities.
This Privacy Notice is intended to apply to personal data connected with the aforementioned individuals and businesses. It applies whether such personal data is obtained by the CCPC on a voluntary basis or as a result of the exercise of the CCPC’s statutory powers.
The CCPC is committed to protecting and respecting your privacy. This Privacy Notice sets out the basis on which any personal data we collect from or about you in connection with the performance of the CCPC’s statutory functions and activities will be processed by us. Please read this Privacy Notice carefully to understand our treatment and use of personal data.
In this Privacy Notice, references to “you” mean the person whose personal information we collect, use and process. 1.6 In carrying out its statutory functions and activities, the CCPC processes personal data under different legal frameworks (collectively referred to in this Privacy Notice as “Data Protection Legislation”), depending on the nature and purpose of the processing. In some circumstances, the CCPC processes personal data: i) in the performance of regulatory, administrative, advisory or consumer facing functions, to which the General Data Protection Regulation (Regulation (EU) 2016/679) applies; and ii) in its capacity as a law enforcement authority, for the purposes of the prevention, detection, investigation or prosecution of criminal offences, or the execution of criminal penalties, to which Part 5 of the Data Protection Act 2018 (which gives effect to Directive (EU) 2016/680, the Law Enforcement Directive) applies. The rights and obligations applicable to the processing of personal data may differ depending on the legal framework that applies in the particular circumstances.
We seek to maintain the privacy, accuracy, and confidentiality of data (including your personal data) that we collect and use.
Identity of the controller of personal information
2For the purposes of Data Protection Legislation, the Data Controller is the CCPC, which has its address at Bloom House, Railway Street, Dublin 1, D01 C576.
Contact details of the data protection officer
The contact details of the CCPC’s Data Protection Officer are as follows:
Email Address: dataprotection@ccpc.ie
Address: Bloom House, Railway Street, Dublin 1, D01 C576.
When does this privacy notice apply
This Privacy Notice applies to personal data that we collect, use and otherwise process about you in connection with the performance of the CCPC’s statutory functions and activities.
Processing of your personal data
Where does the CCPC obtain my personal data from?
We collect personal data from the following sources: (i) directly from individuals or businesses who engage with the CCPC; (ii) from other individuals, businesses, regulators or public bodies in the course of the performance of the CCPC’s statutory functions; and (iii) through the exercise of statutory investigative and enforcement powers, including where personal data is obtained compulsorily, or without the knowledge of the individual, where authorised by law. This may include personal data obtained in the context of enquiries, investigations, preservation/production orders, statutory inquiries, enforcement proceedings, surveillance activities and regulatory cooperation.
For example, in the context of cartel investigations, the CCPC may carry out surveillance activities in relation to suspected offences under section 6 of the Competition Act 2002. Such activities may be undertaken pursuant to the Criminal Justice (Surveillance) Act 2009 (as amended). Personal data processed in this context is processed for law enforcement purposes under Part 5 of the Data Protection Act 2018.
In addition, the CCPC may seek preservation and production of specified communications data, including traffic or location data, from service providers for the purpose of investigating suspected criminal offences, in accordance with the Communications (Retention of Data) Act 2011 (as amended).
How and why do we process your personal data?
The personal data we collect from or about you or through our systems helps us to comply with our legal obligations or to carry out our statutory functions and activities. The personal data we collect, the basis of processing and the purposes of processing are detailed below. Sometimes, these activities may be carried out by third party service providers on behalf of the CCPC (see “Sharing of Personal Data” section below).
| Source and Purpose of Processing | Basis of Processing | Categories of Data |
|---|---|---|
Requests, Queries and Complaints Information supplied by individuals or businesses who submit a request, query or complaint to the CCPC. This is required to enable the CCPC to: (i) deal with and respond to your request, query or complaint, (ii) ensure compliance with the CCPC’s legal obligations and corporate governance requirements, and (iii) perform its statutory functions and activities.
|
Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC Article 6(1)(c) - Legal Obligation Article 9(2)(g) - Substantial public interest
| Personal data (including name, gender, address, telephone number, email address, eircode, job title) of the person submitting the request, query or complaint to the CCPC and/or of another individual (e.g. the subject of the complaint). |
CCPC Enquiries and Investigations
Information supplied by or obtained from individuals or businesses who are the subject of enquiries or an investigation conducted by the CCPC on its own behalf or on behalf of another agency. This is required to enable the CCPC to perform its statutory functions and activities.
|
Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC Article 6(1)(c) - Legal Obligation Article 9(2)(g) - Substantial public interest
| Personal data (including name, gender, address, telephone number, email address, eircode, date of birth, job title, financial information, employment information, previous criminal convictions, family details) of the person submitting the information to the CCPC and/or of another individual (e.g. employees, customers, competitors or suppliers). |
Mergers and Acquisitions
Information supplied by individuals or businesses involved in a proposed merger or acquisition which is notified to the CCPC. This is required to enable the CCPC to: (i) ensure compliance with the CCPC’s legal obligations, and (ii) perform its statutory functions and activities.
|
Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC Article 6(1)(c) - Legal Obligation Article 9(2)(g) - Substantial public interest
| Personal data (including name, gender, address, telephone number, email address, eircode, job title, financial information) of the person submitting the information to the CCPC and/or of another individual (e.g. employees, customers, competitors or suppliers). |
Responses to Consultations, Information Requests or Questionnaires issued by the CCPC
Information supplied by individuals or businesses who respond to consultations, information requests or questionnaires issued by the CCPC. This is required to enable the CCPC to perform its statutory functions and activities.
|
Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC Article 6(1)(e) - Public Interest/Official Authority Article 6(1)(c) - Legal Obligation
| Personal data (including name, gender, address, telephone number, email address, eircode, job title, financial information) of the person submitting the information to the CCPC and/or of another individual (e.g. employees, customers, competitors or suppliers). |
Information received from Third Parties Information supplied to the CCPC by other third parties (e.g. other external bodies and agencies). This is required to enable the CCPC to: (i) ensure compliance with the CCPC’s legal obligations, and (ii) perform its statutory functions and activities. | Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC Article 6(1)(c) - Legal Obligation Article 9(2)(g) - Substantial public interest | Personal data (including name, gender, address, telephone number, email address, eircode, date of birth, job title, financial information, employment information, previous criminal convictions, family details). |
Financial Information
Details supplied for the purpose of the CCPC processing payments. This is required to enable the CCPC to: (i) process any payment to be made to or by you; and/or (ii) to comply with its legal obligations; or (iii) to perform its statutory functions and activities.
| Article 6(1)(b) - performance of a contract Article 6(1)(c) - Legal Obligation Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC | Financial information (including bank account details) of the person submitting the information to the CCPC. |
Law Enforcement purposes In addition to its regulatory and administrative functions, the CCPC processes personal data for the prevention, detection, investigation and prosecution of criminal offences under competition and consumer protection law, including in the exercise of related statutory investigative, enforcement and information‑gathering powers | Where personal data is processed by the CCPC for law‑enforcement purposes, such processing is carried out in accordance with Part 5 of the Data Protection Act 2018 and is necessary for the performance of a task carried out by the CCPC in its capacity as a law‑enforcement authority, in accordance with its statutory functions. In such cases, the processing of personal data is not based on consent. | Personal data (including name, gender, address, telephone number, email address, eircode, date of birth, job title, financial information, employment information, previous criminal convictions, family details) of the person submitting the information to the CCPC and/or of another individual whose information is relevant to any investigation, enquiry or enforcement action (e.g. employees, customers, competitors or suppliers). |
Information-sharing required or permitted by law The CCPC has entered into co-operation agreements under applicable legislation in respect of areas where we share concurrent regulatory jurisdiction with other public bodies which permit the sharing of information (including personal data) relevant to those matters. We have also entered into a co-operation agreement in relation to the sharing of information with Comisiún na Meán under the Digital Services Act 2024 (as amended). Copies of relevant co-operation agreements can be accessed here. The CCPC is also permitted by law to share information with certain public bodies in relation to the prevention, detection, investigation and prosecution of offences under the remit of such other public bodies and/or in connection with the performance of other statutory functions of those public bodies. In some cases, the CCPC may be required by law to share certain information, including personal data, for example with the subject of a statutory inquiry and/or to ensure fair procedures in accordance with applicable law. In the course of such proceedings, personal data may be processed and disclosed to investigation or inquiry subjects, including through the provision of draft reports or statements of objections, or access to file procedure, where this is required or permitted by law. | Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CCPC Article 6(1)(c) - Legal Obligation Article 9(2)(g) - Substantial public interest | Personal data (including name, gender, address, telephone number, email address, eircode, date of birth, job title, financial information, employment information, previous criminal convictions, family details) of the person submitting the information to the CCPC and/or of another individual whose information is relevant to any investigation, enquiry or enforcement action related to criminal offences within the competence of the public bodies with whom the relevant information is shared (e.g. employees, customers, competitors or suppliers). |
In some limited circumstances, we may request your explicit consent to process (specific types of) personal data. This will be predominantly where you voluntarily provide your personal data to the CCPC. In these circumstances, you are able to withdraw your consent at any time by following the instructions provided when you gave consent or at the contact details below. Consent will rarely be considered to be a basis for processing personal data gathered or obtained by the CCPC on foot of its competition or consumer protection law enforcement functions and activities.
Sharing of personal data
Internally within the CCPC
Your personal data will be held by the Division within the CCPC which originally obtained it. Your personal data will only be shared with the Members of the CCPC and with persons in other Divisions of the CCPC in certain circumstances and where necessary and lawful to do so, i.e. it may be necessary to share your personal data with persons in other Divisions of the CCPC for the purposes of performing our statutory functions and activities. Access to your personal data will be granted to persons within the CCPC only on a need to know basis, depending on job functions and roles.
Service Providers
We use third party service providers who provide services to the CCPC, including consumer helpline services, public relations services, IT systems, communications services and professional services such as audit and legal. In providing these services, your personal data will, where applicable, be processed by the service provider on our behalf.
We will check any third-party service provider that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your personal data. We will have written contracts with them which provide assurances regarding the protections that they will give to your personal data and their compliance with our data security standards and international transfer restrictions.
Disclosures to Other Third Parties
In the course of performing its statutory functions, the CCPC may share personal data with third parties where this is necessary and lawful and/or if required by statue. In certain circumstances, we share and/or are obliged to share your personal data with third parties, for the purposes described above and/or in the course of the exercise of the CCPC’s statutory functions and activities. In particular, as outlined above, the CCPC is permitted to share certain information (which may include your personal data) with bodies with whom it has a cooperation agreement pursuant to section 19 of the Competition and Consumer Protection Act 2014 (referred to in this Privacy Notice as the “2014 Act”) and/or with the bodies specified in section 24(1) of the 2014 Act for the purposes of prevention, detection, investigation and prosecution of offences under the remit of those public bodies. In addition, the CCPC is permitted to share information with other authorities in the European Union pursuant to Council Regulation (EC) No 1/20031 and Regulation (EC) No 2006/20042 (as may be amended or replaced). Any disclosure of personal data by the CCPC to a third party shall be conducted in accordance with Data Protection Legislation.
These third parties may include:
- any of the bodies with whom the CCPC has entered into a co-operation agreement pursuant to section 19 of the 2014 Act including the Central Bank of Ireland and ComReg and any other bodies with whom it enters into co-operation agreements from time to time in accordance with applicable law, e.g. Coimisiún na Meán. See here for further information in respect of current co-operation agreements;
- any of the bodies specified in section 24(1) of the 2014 Act;
- other regulators and public authorities with whom the CCPC cooperates and is permitted to share information under statute;
- bodies exercising concurrent or related regulatory or enforcement functions;
- the Director of Public Prosecutions;
- the European Commission and national competition or consumer protection authorities in other EU Member States;
- the CCPC’s external legal and professional advisors;
- courts and tribunals of relevant jurisdiction;
- the Department of Enterprise, Tourism and Employment, the Department of Culture, Communications and Sport and other relevant Government Departments;
- regulatory and supervisory authorities;
- banks and financial institutions;
- external auditors; and
- inquiry subjects and other parties, where disclosure is required as part of statutory procedures or to ensure fair procedures;
- others, where it is permitted by law, or where we have your consent.
Such disclosures may take place without consent and may occur even where the personal data was originally obtained for a different statutory purpose.
Transfers outside the European economic area
Your personal data may be transferred, stored and processed in one or more countries outside the European Economic Area (“EEA”), for example, when one of our third-party service providers use employees or equipment based outside the EEA. For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Legislation. We will put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we will establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU Commission’s model clauses.
If you would like to see a copy of any relevant provisions, please contact our Data Protection Officer (see “Contact Us” section below).
How is my personal data secured
The CCPC operates and uses appropriate technical and physical security measures to protect your personal data.
We have in particular taken appropriate security measures to protect any personal data held by the CCPC from accidental or unlawful destruction, loss or alteration, and from unauthorised disclosure or access. Access to your personal data is only granted on a need-to-know basis to those people within the CCPC whose roles require them to process your personal data and, in certain circumstances, to third parties (see the “Sharing of Personal Data” section above). In addition, our third-party service providers are also selected carefully and required to use appropriate protective measures.
If you would like further information about security measures applied to personal data held by the CCPC, please contact the CCPC’s Data Protection Officer (see the “Contact Us” section below).
Storage of personal data
We will keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. This may mean that some information is held for longer than other information. The criteria we use to determine data retention periods for personal data includes the following:
- Retention in case of queries and complaints; we will retain it for a reasonable period after the query or complaint has been resolved or, if a formal investigation is opened by the CCPC in respect of the query or complaint, for a reasonable period after the conclusion of such investigation and/or any subsequent related legal proceedings;
- Retention in case of investigations; we will retain it for a reasonable period after the conclusion of the investigation and/or any subsequent related legal proceedings;
- Retention in case of reviews of mergers and acquisitions; we will retain it for a reasonable period after the CCPC issues its determination in relation to the merger or acquisition or, if the CCPC’s decision is challenged, for a reasonable period after the conclusion of any subsequent related legal proceedings; and
- Retention in accordance with legal and regulatory requirements; we will consider whether we need to retain it after the periods described in 9.1.1 to 9.1.3 above because of a legal or regulatory requirement (e.g. as set out in the National Archives Act 1986, as amended) or for the purpose of performing our statutory functions and activities.
If you would like further information about our data retention practices, please contact the CCPC’s Data Protection Officer (see the “Contact Us” section below).
Your rights
The rights available to individuals in respect of their personal data depend on the nature and purpose of the processing. Where the CCPC processes personal data under the GDPR, individuals may exercise the rights provided for under that Regulation, subject to applicable limitations imposed by law. These are set out below. Where the CCPC processes personal data for law enforcement purposes under Part 5 of the Data Protection Act 2018, certain data protection rights may be restricted, in whole or in part, where and to the extent that this is necessary and proportionate to: (i) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or execution of criminal penalties; (ii) avoid obstructing official or legal inquiries, investigations or procedures; (iii) safeguard the rights and freedoms of others; or (iv) protect national or public security. In such circumstances, you may not receive the same information, access or outcomes that would otherwise apply under the GDPR.
Subject to the above, your rights under Data Protection Legislation may include (as relevant):
| Your right | What does it mean? | How do I execute this right? | Conditions to exercise? |
| Right of access | Subject to certain conditions, you are entitled to have access to your personal data which we hold (this is more commonly known as submitting a “data subject access request”). | Requests for such information should be made in writing to dataprotection@ccpc.ie. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. | We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other individuals and/or businesses. |
| Right of data portability | Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine readable format. | Requests should be made in writing to dataprotection@ccpc.ie. If possible, you should specify the type of information you would like to receive to ensure that our disclosure is meeting your expectations. | The GDPR does not establish a general right to data portability. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. Therefore, it does not, as a rule, apply to personal data that was created by the CCPC or supplied to the CCPC by any other individual and/or business. |
| Rights in relation to inaccurate personal or incomplete data | You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate. | We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details. Requests should be made in writing to dataprotection@ccpc.ie. | This right only applies to your own personal data. When exercising this right, please be as specific as possible. |
| Right to object to or restrict our data processing | Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data. | Requests should be made in writing to dataprotection@ccpc.ie. | This right applies only if the processing of your personal data is necessary for the performance of a task carried out in the public interest (see “basis of processing” above). Objections must be based on grounds relating to your particular situation. They must not be generic so that we can demonstrate that there are still lawful grounds for us to process your personal data. |
| Right to have personal data erased | Subject to certain conditions, you are entitled, on certain grounds, to have your personal data erased (also known as the “right to be forgotten”) e.g. where you think that the information we are processing is inaccurate, or the processing is unlawful. | Requests should be made in writing to dataprotection@ccpc.ie. | There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of bringing legal proceedings (including any legal proceedings relating to an investigation conducted by the CCPC which are not brought directly by the CCPC) or defending legal proceedings, or (iii) where retention periods apply by law or under the CCPC’s internal data retention policies. |
| Right to withdrawal | You have the right to withdraw your consent to any processing for which you have previously given that consent. | Requests should be made in writing to dataprotection@ccpc.ie. | If you withdraw your consent, this will only take effect for the future. |
Your right to lodge a complaint with a supervisory authority
If you are unhappy about any aspect of the way we collect, share or use your personal data, please let us know using the contact details below.
You also have a right to complain to the Data Protection Commission by post to 6 Pembroke Row, Dublin 2, D02 X963; and/or by telephone at 1800 437 737/01 765 0100; and/or by using the webform available on the website www.dataprotection.ie
Changes to this information
12.1 We reserve the right to change this Privacy Notice at any time in our sole discretion. If we make changes to this Privacy Notice, we will publish any relevant changes on the CCPC’s public website (www.ccpc.ie) so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it. .
Contact us
13.1 For further information or if you have any questions or queries about this Privacy Notice, please contact our Data Protection Officer at dataprotection@ccpc.ie or alternatively you can write to us at Data Protection Officer, Competition and Consumer Protection Commission, Bloom House, Railway Street, Dublin 1, D01 C576.
Footnotes
1 Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.
2 Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, which was transposed into Irish law by the European Communities (Co-operation between National Authorities Responsible for the Enforcement of Consumer Protection Laws) Regulations 2006 (S.I. No. 290/2006).
