Data Protection Statement
This Data Protection Statement provides information about the ways in which the Food Safety Authority of Ireland (FSAI) collects, stores and uses personal data relating to individuals (data subjects). The Data Protection Statement relates to personal data received by the FSAI when carrying out its duties and exercising its functions.
Food Safety Authority of Ireland (FSAI)
Who we are
The FSAI was established under the Food Safety Authority of Ireland Act 1998. This legislation was enacted in July 1998 and came into effect on 1 January 1999.
The principal function of the FSAI is to protect consumers and raise compliance through partnership, science and food law enforcement. It is a statutory, independent and science-based body, dedicated to protecting public health and consumer interests in the area of food safety and hygiene.
The FSAI comes under the aegis of the Minister for Health and currently has a Board of ten members. It also has a Scientific Committee that assists and advises the Board. Decisions relating to food safety and hygiene therefore take account of the latest and best scientific advice and information available.
The Data Protection Statement has been developed in accordance with a ‘layered policy’ approach. This means that it offers you the opportunity to obtain more or less information about the FSAI’s information handling practices. By clicking on the links below, you can decide how much you would like to read, what you need to know and how quickly you need to obtain the relevant information.
Key areas of the Data Protection Statement
The FSAI’s Data Protection Statement is designed to cover a number of key areas . These are as follows:
- Food Safety Authority of Ireland and the GDPR
- Data Protection and the Food Safety Authority of Ireland
- Data Protection Officer (DPO)
- Processing of personal data by the Food Safety Authority of Ireland
- What personal data does the Food Safety Authority of Ireland process?
- How does the Food Safety Authority of Ireland collect personal data?
- Lawful basis for processing personal data by the Food Safety Authority of Ireland?
- Law Enforcement Directive (LED)
- Who are the recipients of personal data processed by the Food Safety Authority of Ireland?
- Publication of information
- How long does the Food Safety Authority of Ireland retain personal data?
- Your data protection rights
- Restriction of data subject rights in certain circumstances
- Your right to complain
- Changes to this Data Protection Statement
For the purposes of this Data Protection Statement, the following definitions apply:
An identified or identifiable natural person. It is a person who is living.
Information from which you (or another person) are identifiable or which relates to you. It does not refer to corporate data.
Special categories of personal data
Personal data that are subject to a higher standard of protection under the law due to their sensitivity. This includes personal data which reveal:
- any racial or ethnic origin
- financial status
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- data concerning a person’s sex life or sexual orientation
Processing refers to any use of personal data. It includes collection, disclosure, retention and storage.
The FSAI is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union (EU) regulations and directives. These include, but are not limited to, the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2011.
The General Data Protection Regulation (GDPR) was introduced on 25 May 2018 and affects all countries within the EU. It sets out a series of laws concerning how data can be processed and used by organisations within Member States. According to Article 5 of the GDPR, the key principles relating to the processing of personal data are:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality
The GDPR is designed to strengthen and standardise data protection laws for all EU citizens. It increases the obligations and responsibilities for the FSAI in how it collects, uses and protects personal data. This means that the FSAI is required to be fully transparent in how it uses and protects personal data. It also means that it must show accountability for its data processing activities.
The GDPR applies to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instruction of a Data Controller (a Data Processor). The FSAI is a Data Controller for personal data collected for the purpose of its core activities. The FSAI decides the minimum amount of personal data it needs to collect from you to allow it to operate its services. Its data processes are then documented and issued to relevant staff. In short, the FSAI staff, contractors, agents and other third parties are all bound by the rules set out in the GDPR.
You may contact the FSAI in a number of ways. These are as follows:
Food Safety Authority of Ireland, The Exchange, George’s Dock, D01 P2V6, Dublin 1
The GDPR affects data protection in all EU Member States. The Data Protection Act 2018 gives further effect to the GDPR in Irish law. Collectively, the GDPR and the 2018 Act place enhanced accountability and transparency obligations on all organisations using your information. As importantly, it gives you greater control over your personal information.
In accordance with Article 37 of the GDPR, the FSAI has appointed a Data Protection Officer (DPO). Should you have any questions about how the FSAI uses your information, or you are concerned about any issue relating to your personal data, you may contact the DPO in either of the following ways:
Data Protection Officer (DPO), Governance and Information Unit, Food Safety Authority of Ireland, The Exchange, George’s Dock, D01 P2V6, Dublin 1
The FSAI processes personal data for a number of different purposes which arise from its statutory powers, functions and duties. These are set out in the Food Safety Authority of Ireland Act 1998 and its data protection responsibilities are outlined under the GDPR and the Data Protection Act 2018.
Based on its legislative purpose, it carries out the following functions:
Enforcement and compliance
- Lead and support Ireland’s food safety regulators to implement a fair, consistent and effective system of enforcement
- Manage risks in the food chain and respond effectively to any national or international food incident or crisis
- Ensure the safety, integrity and authenticity of the food chain by detecting, deterring and preventing breaches of food law and taking action to protect consumers
- Strive for a world-class official food control system for Ireland which delivers the best outcomes for consumers
Science, expertise and evidence
- Support risk-based decision-making and policy with high-quality, independent expertise
- Expand the evidence base through research, coordinated studies and scientific collaboration
- Advance risk assessment practice to promote trust and engagement
- Grow our ability to identify emerging risks and threats to the food chain
- Influence the development of food standards and enforcement approaches at European and international levels
Engagement and communication
- Provide clear and evidence-based advice and information to promote food safety and build compliance with food law
- Work in partnership with the Government and other State agencies, academia and civil society organisations to champion food safety within Ireland
- Collaborate with key stakeholders to foster and promote a culture of food safety and compliance within Ireland’s food industry
- Improve our capacity and capability by working with others to advocate for safe and trustworthy food for everyone
- Ensure a high-performing and empowering culture for our people, built on innovation, shared values and teamwork
- Provide a robust and targeted information framework to deliver internal efficiencies and meet stakeholder and customer needs
- Ensure that our governance structures support informed and accountable decision-making underpinned by responsive leadership, risk management processes and compliance
- Embed a culture of quality through ensuring that systems, processes and procedures meet the highest standards
- Enhance recognition of the FSAI’s identity, influence and reputation among staff, stakeholders and customers
In carrying out these functions, the FSAI may collect personal data. This may occur in the following ways:
- Queries and concerns including personal data received from individuals who have raised queries or concerns with the FSAI
- Service providers and suppliers including personal data obtained from service providers and suppliers engaged by the FSAI
- Job applications, including personal data received from persons applying for roles within the FSAI
- Conferences and events including personal data relating to attendees at conferences and events organised by the FSAI
- Training sessions including personal data relating to attendees at events organised by the FSAI
- Complaints handling including personal data received from a data subject directly (or through his/her/their legal representative) where the data subject makes a complaint to the FSAI
- Inquiries and investigations including personal data received from data subjects directly and personal data received from an agency or company which is the subject of an inquiry and/or investigation (this may also include personal data received by the FSAI in its role as a ‘competent authority’ under Part 5 of the 2018 Act (‘Processing of Personal Data for Law Enforcement Purposes’)
The FSAI processes personal data. This includes personal data received by the FSAI where data subjects contact, or request information from, the FSAI directly and personal data received by the FSAI indirectly. This is under the conditions set out above. Personal data the FSAI processes may include the following:
- Basic personal information (for example, a persons’ first name, surname, date of birth, etc.)
- Contact information (for example, a data subject’s postal address, email address and phone number/s)
- Any other personal data that is provided to the FSAI during the course of performing its statutory functions.
Special categories of personal data
The FSAI may also process ‘special categories of personal data.’ This includes special category personal data received by the FSAI where the data subject contacts, and requests information from, the organisation directly in addition to special category personal data received by the FSAI indirectly.
According to Article 9 of the GDPR, such special category personal data may include personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.
Telephone calls to the FSAI
The FSAI does not audio record or retain audio recordings of telephone conversations.
During the course of dealing with a query, complaint or other matter, the FSAI may record personal data received by it during the course of phone calls in the form of notes made on the relevant case file.
All emails sent to the FSAI are recorded, forwarded to the relevant section of the organisation and are stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter.
Please note: It is the sender’s responsibility to ensure that the content of his/her/their emails does not infringe the law. Unsolicited unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
Post received by the FSAI may be scanned and stored for the purpose of the matter to which the post item relates. Original hard copy versions of post items are retained for a period set out in the FSAI’s Data Retention Policy and are confidentially and securely destroyed thereafter.
The FSAI receives personal data through its interactions on social media platforms (for example, Twitter and LinkedIn). The FSAI operates accounts on these platforms to promote awareness of its role in the overseeing of food safety and hygiene in Ireland and protecting the rights of service users. Messages and/or posts received by the FSAI are viewed by FSAI staff but personal data contained therein are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by the FSAI.
The FSAI operates closed-circuit television at its offices inside The Exchange. Cameras are located inside its office space and three cameras operate in its Reception area.
The purpose of the FSAI’s processing of personal data collected by the CCTV in operation at its offices, as detailed above, is for security and safety. The legal basis of the processing is Article 6.1(f) of the GDPR, which allows the FSAI to process personal data on the basis that it is necessary for the organisation’s legitimate interests. CCTV footage is retained by the FSAI for a period of 38 days.
The FSAI website is located at www.fsai.ie. It uses third party and persistent cookies. See the FSAI’s Cookies Statement.
The lawful basis for processing personal data by the FSAI will depend on the legislative framework that applies and the purpose for which the processing is being carried out.
Article 6 of the GDPR sets out six lawful bases on which personal data may be processed. Where the FSAI is processing personal data for the purpose of performing its core functions, it will do so on one of these. The six lawful bases are as follows:
- Contractual necessity
- Legal obligation
- Vital interests
- Public interest
- Legitimate interest
Where the FSAI is processing special category personal data, it will choose a lawful basis under Article 6 of the GDPR as set out above and also, a lawful basis as set out under Article 9.
The Law Enforcement Directive (EU 2016/680) is a piece of EU legislation, running parallel to the GDPR, which also took effect from May 2018. The Law Enforcement Directive (LED) deals with the processing of personal data by Data Controllers where the processing is for ‘law enforcement purposes’ which fall outside the scope of the GDPR.
As a Directive, the LED was transposed into Irish law through the enactment of the Data Protection Act 2018. More specifically, Part 5 of the 2018 Act sets out the LED in the Irish context. It identifies the processing of personal data for ‘law enforcement purposes’ by data controllers which fall within the definition of being a ‘competent authority’.
Section 70 of the 2018 Act defines the scope of processing of personal data which falls within that part of the Act. It states that Part 5 of the Act applies to the processing of personal data carried out ‘for the purposes of (i) prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and prevention of, threats to public security or (ii) the execution of criminal penalties…’
The term ‘competent authority’ is defined in Section 69 of the 2018 Act as being ‘a public authority, competent for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security.’ For certain processing activities which it carries out, the FSAI is a ‘competent authority’ for the purposes of Part 5 of the 2018 Act.
In terms of the legal basis for the processing of personal data by the FSAI as a ‘competent authority’, Section 71.2 of the 2018 Act provides that the processing of personal data (for the purpose of the LED) shall be lawful where, and to the extent
- it is necessary for the performance of a function of a controller for one of the purposes specified in Section 70 (as referred to above) or
- the data subject has, subject to certain requirements set out in Section 71.3, given his or her consent to processing
- it is necessary for the performance of a legal function as set out in the Food Safety Authority of Ireland Act 1998
- it is disclosed to third parties
Disclosure to third parties
Personal data collected by the FSAI is held confidentially and securely. It is not shared by the organisation with any third parties with the following exceptions:
- For the purposes of co-operation with regulatory authorities
In certain circumstances, the FSAI must cooperate with, and assist, regulatory authorities in Ireland. Where this happens, the FSAI may provide personal data to authorities but will aim, wherever possible, to do so on an anonymised basis.
- Where there is an issue of concern
In certain circumstances, the FSAI may request personal data to monitor issues of concern. This may be, for example, to ensure that a service has appropriate systems and procedures in place to address a specific incident.
- For the purposes of legal proceedings
In certain circumstances, the FSAI must assist law enforcement authorities. Where this happens, in accordance with the law, the FSAI may provide personal data to, for example, An Garda Síochána and/or the Courts. Where this happens, the FSAI takes all steps necessary to ensure such personal data are protected.
- In the case of service providers or suppliers to the FSAI
The FSAI uses Data Processors to provide designated services to the organisation. It requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing a service in accordance with the requirements set out in Article 28.3 of the GDPR.
With the exception of information about the Board and Senior Management, the FSAI does not publish personal data on its website.
The retention periods for personal data are based on the requirements of the Data Protection Act 2018, the GDPR and on the purpose for which the personal data are collected and processed. The retention periods applied to personal data processed are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action, if applicable.
Under data protection legislation, you have designated rights. Subject to certain restrictions which are set out below, you can exercise these rights in relation to your personal data that is processed by the FSAI. Your rights are as follows:
1. The right to be informed about the processing of your personal data
2. The right to access your personal data
3. The right to the rectification of your personal data
4. The right to the erasure of your personal data
5. The right to data portability
6. The right to object to the processing of your personal data
7. The right to restrict the processing of your personal data
8. Rights in relation to automated decision making (including profiling)
Article 23 of the GDPR allows for data subjects’ rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission (DPC) and are available on its website: www.dataprotection.ie.
Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of Data Controllers and on the rights of data subjects for important objectives of general public interest.
If you have any concerns in relation to the manner in which the FSAI processes your personal data, you may contact the organisation’s Data Protection Officer (DPO) at DPO@fsai.ie.
This Data Protection Statement is kept under regular review and may therefore be subject to change. If you have any comments and/or queries in relation to this Data Protection Statement, please contact the Data Protection Officer (DPO) at DPO@fsai.ie.
Go to the top ⇧