Last Updated - February 2024
Data Protection Statement
This Data Protection Statement provides information about the ways in which the Food Safety Authority of Ireland (FSAI) collects, stores and uses personal data relating to individuals (data subjects). The Data Protection Statement relates to personal data received by the FSAI when carrying out its duties and exercising its functions.
The Data Protection Statement has been developed in accordance with a ‘layered policy’ approach. This means that it offers you the opportunity to obtain more or less information about the FSAI’s information handling practices. By clicking on the links below, you can decide how much you would like to read, what you need to know and how quickly you need to obtain the relevant information.
Key areas of the Data Protection Statement
The FSAI’s Data Protection Statement is designed to cover a number of key areas . These are as follows:
- Who we are
- What we do
- How to contact us
- What personal data we handle
- How the FSAI collects personal data
- What we do with your data
- Lawful bases for processing personal data
- What we do not do with your personal data
- Does the FSAI provide information to the National Archives?
- How long do we keep your data?
- Law Enforcement Directive (LED)
- When do we transfer your data to third countries?
- Who we share your data with
- Your rights on your data
- Restriction of data subject rights in certain circumstances
- How to make a complaint about the handling of your personal data
- Changes to this statement
- Questions or feedback
The FSAI was established under the Food Safety Authority of Ireland Act 1998. This legislation was enacted in July 1998 and came into effect on 1 January 1999.
The FSAI comes under the aegis of the Minister for Health and currently has a Board of ten members. It also has a Scientific Committee that assists and advises the Board. Decisions relating to food safety and hygiene therefore take account of the latest and best scientific advice and information available.
The principal function of the FSAI is to protect consumers and to raise compliance through partnership, science and food law enforcement. It is a statutory, independent and science-based body, dedicated to protecting public health and consumer interests in the area of food safety and hygiene.
The FSAI is based at The Exchange, George’s Dock, D01 P2V6, Dublin 1. You may contact the FSAI for any queries about how we process your personal data in our capacity as data controller using our contact details:
- by email at DPO@fsai.ie
- by post addressed to the Data Protection Officer, The Exchange, George’s Dock, D01 P2V6, Dublin 1
In order to ensure a timely reply to your query, we recommend that you contact our Data Protection Officer (DPO). The DPO is an independent person within the FSAI who is specifically entrusted with the task of receiving any such queries about our processing of your personal data.
For the purposes of this Data Protection Statement, the following definitions apply:
An identified or identifiable natural person. It is a person who is living.
Information from which you (or another person) are identifiable or which relates to you. It does not refer to corporate data.
Special categories of personal data
Personal data that are subject to a higher standard of protection under the law due to their sensitivity. This includes personal data which reveal:
- any racial or ethnic origin
- financial status
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- data concerning a person’s sex life or sexual orientation
Processing refers to any use of personal data. It includes collection, disclosure, retention and storage.
The FSAI is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union (EU) regulations and directives. These include, but are not limited to, the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2011.
The FSAI processes personal data. This includes personal data received by the FSAI where data subjects contact, or request information from, the FSAI directly and personal data received by the FSAI indirectly. Personal data the FSAI processes may include the following:
- Basic personal information (for example, a persons’ first name, surname, date of birth, etc.)
- Contact information (for example, a person’s postal address, email address, phone number/s, etc.)
- Any other personal data that is provided to the FSAI during the course of performing its statutory functions.
Special categories of personal data
The FSAI may also process ‘special categories of personal data.’ This includes special category personal data received by the FSAI where the person contacts, and requests information from, the organisation directly in addition to special category personal data received by the FSAI indirectly.
All emails sent to the FSAI are recorded, forwarded to the relevant section of the organisation and are stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter.
Please note: It is the sender’s responsibility to ensure that the content of his/her/their emails does not infringe the law. Unsolicited unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
Post received by the FSAI may be scanned and stored for the purpose of the matter to which the post item relates. Original hard copy versions of post items are retained for a period set out in the FSAI’s Data Retention Policy and are confidentially and securely destroyed thereafter.
The FSAI receives personal data through its interactions on social media platforms (for example, X and LinkedIn). The FSAI operates accounts on these platforms to promote awareness of its role in the overseeing of food safety and hygiene in Ireland and protecting the rights of service users. Messages and/or posts received by the FSAI are viewed by FSAI staff but personal data contained therein are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by the FSAI.
The FSAI operates closed-circuit television at its offices inside The Exchange.
The purpose of the FSAI’s processing of personal data collected by the CCTV is for security and safety. The legal basis of the processing is Article 6.1(f) of the GDPR. This allows the FSAI to process personal data on the basis that it is necessary for the organisation’s legitimate interests. CCTV footage is retained by the FSAI for a period of 38 days.
Personal data relating to attendees at conferences, training sessions and events organised by the FSAI may be collected.
The FSAI website is located at www.fsai.ie. It uses third party and persistent cookies. Analysis of data from the website may take place in order for any user of our website and any of its subdomains to use the services we provide when requested. The FSAI’s Cookies Statement can be accessed here.
The FSAI collects personal data through its recruitment processes.
Complaints handling may involve processing of personal data received from a data subject directly (or through his/her/their legal representative) where the person makes a complaint to the FSAI.
The FSAI will provide you with specific information such as that outlined in this Data Protection Statement in relation to any further activities (further processing) that we may need to undertake with your data. We will do so before we commence such activities, and only insofar as the purposes of those activities are compatible with the purposes of processing outlined in this section.
In certain instances, however, we may not be able to furnish you with the information in advance of our activities when your right to receive that information is restricted in accordance with law. If the information collected from you (including any personal data of yours), for example, is of assistance for the prevention of a terrorism-related offence, we may be obliged by law to report it to An Garda Síochána. Or, where the FSAI is sent an email or letter containing unlawful material, it may be necessary for the FSAI to report the information to the relevant authorities without any prior information being furnished to the sender.
The FSAI processes personal data for a number of different purposes which arise from its statutory powers, functions and duties. These are set out in the Food Safety Authority of Ireland Act 1998 and its data protection responsibilities are outlined under the GDPR and the Data Protection Act 2018.
Based on its legislative purpose, it carries out the following functions:
Enforcement and compliance
- Leads and supports Ireland’s food safety regulators to implement a fair, consistent and effective system of enforcement
- Manages risks in the food chain and responds effectively to any national or international food incident or crisis
- Ensures the safety, integrity and authenticity of the food chain by detecting, deterring and preventing breaches of food law and taking action to protect consumers
- Strives for a world-class official food control system for Ireland which delivers the best outcomes for consumers
Science, expertise and evidence
- Supports risk-based decision-making and policy with high-quality, independent expertise
- Expands the evidence base through research, coordinated studies and scientific collaboration
- Advances risk assessment practice to promote trust and engagement
- Grows its ability to identify emerging risks and threats to the food chain
- Influences the development of food standards and enforcement approaches at European and international levels
Engagement and communication
- Provides clear and evidence-based advice and information to promote food safety and build compliance with food law
- Works in partnership with the Government and other State agencies, academia and civil society organisations to champion food safety within Ireland
- Collaborates with key stakeholders to foster and promote a culture of food safety and compliance within Ireland’s food industry
- Improves our capacity and capability by working with others to advocate for safe and trustworthy food for everyone
- Ensures a high-performing and empowering culture for our people, built on innovation, shared values and teamwork
- Provides a robust and targeted information framework to deliver internal efficiencies and meet stakeholder and customer needs
- Ensures that its governance structures support informed and accountable decision-making underpinned by responsive leadership, risk management processes and compliance
- Embeds a culture of quality through ensuring that systems, processes and procedures meet the highest standards
- Enhances recognition of the FSAI’s identity, influence and reputation among staff, stakeholders and customers
The lawful basis for processing personal data by the FSAI will depend on the legislative framework that applies and the purpose for which the processing is being carried out.
Article 6 of the GDPR sets out six lawful bases on which personal data may be processed. Where the FSAI is processing personal data for the purpose of performing its core functions, it will do so on one of these. The six lawful bases are as follows:
- Contractual necessity
- Legal obligation
- Vital interests
- Public interest
- Legitimate interest
Where the FSAI is processing special category personal data, it will choose a lawful basis under Article 6 of the GDPR as set out above and also, a lawful basis as set out under Article 9.
Telephone calls to the FSAI - The FSAI does not audio record or retain audio recordings of telephone conversations. Where an individual contacts us by phone, caller numbers are automatically stored on the recipient’s phone in the FSAI for a limited time in a list of inbound and outbound calls but no further processing of this data (caller numbers) is carried out. During the course of dealing with a query, complaint or other matter, the FSAI may record personal data received by it during the course of phone calls in the form of notes made which are required to allow us to follow-up on the matter raised.
Automated decision making – The FSAI and the third parties which process personal data on our behalf (data processors) do not undertake any profiling or automated decision making within the meaning of those activities under data protection laws.
Direct marketing – The FSAI and the third parties which process personal data on our behalf (data processors) do not undertake any activity with your data for the purposes of direct marketing within the meaning of data protection laws.
Requesting privileged legal material – In the exercise of our functions under law, we do not have the power to compel any controller or processor to furnish information that would be exempt from disclosure in court proceedings on the grounds of legal professional privilege. This includes any personal data that would qualify as privileged legal material.
The FSAI is not governed by the National Archives legislation. It does not therefore have to transfer records to the National Archives of Ireland.
The length of time in respect of which we keep personal data depends on the processing operation carried out with the data. The retention periods for personal data are based on the requirements of the GDPR, the Data Protection Act 2018, and on the purpose for which the personal data are collected and processed. The retention periods applied to personal data processed are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action, if applicable.
The Law Enforcement Directive (EU 2016/680) is a piece of EU legislation running parallel to the GDPR which took effect from May 2018. The Law Enforcement Directive (LED) deals with the processing of personal data by Data Controllers where the processing is for ‘law enforcement purposes’ which fall outside the scope of the GDPR.
As a Directive, the LED was transposed into Irish law through the enactment of the Data Protection Act 2018. More specifically, Part 5 of the 2018 Act sets out the LED in the Irish context. It identifies the processing of personal data for ‘law enforcement purposes’ by data controllers which fall within the definition of being a ‘competent authority’.
Section 70 of the 2018 Act defines the scope of processing of personal data which falls within that part of the Act. It states that Part 5 of the Act applies to the processing of personal data carried out ‘for the purposes of (i) prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and prevention of, threats to public security or (ii) the execution of criminal penalties…’
The term ‘competent authority’ is defined in Section 69 of the 2018 Act as being ‘a public authority, competent for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security.’ For certain processing activities which it carries out, the FSAI is a ‘competent authority’ for the purposes of Part 5 of the 2018 Act.
In terms of the legal basis for the processing of personal data by the FSAI as a ‘competent authority’, Section 71.2 of the 2018 Act provides that the processing of personal data (for the purpose of the LED) shall be lawful where, and to the extent that
- it is necessary for the performance of a function of a controller for one of the purposes specified in Section 70 (as referred to above) or
- the data subject has, subject to certain requirements set out in Section 71.3, given his/her/their consent to processing
- it is necessary for the performance of a legal function as set out in the Food Safety Authority of Ireland Act 1998
- it is disclosed to third parties
In the event that the FSAI is required by law to disclose information to public authorities of countries outside the European Economic Area (EEA) (third countries) (the EEA encompasses all the EU Member States plus Liechtenstein, Norway and Ireland), it will endeavour to minimise personal data if required.
If the transfer of personal data is necessary and proportionate, and/or to comply with a legal obligation of the FSAI, we will transfer the data on the basis of an adequacy decision of the European Commission in accordance with Article 45 of the GDPR. This certifies that the country where your data are being transferred guarantees a level of protection of personal data equivalent to that in the EEA. In the absence of such a decision by the European Commission, we will rely on appropriate safeguards including the assessment of need for supplementary measures in accordance with Article 46 of the GDPR (for example, a legally binding instrument between public authorities or a non-legally binding agreement between public authorities as approved by the Data Protection Commission (DPC)). In the alternative, we will transfer the personal data only when a derogation under Article 49 of the GDPR is applicable (for example, when the transfer is necessary for important reasons of public interest such as national security).
Personal data processed by the FSAI is held confidentially and, in general, it is not shared with any third parties. There are exceptions, however, and these are set out below:
Cooperation with other public authorities
Personal information may be shared with other public authorities within and outside the State for the purposes of cooperation and/or as required by law to allow the FSAI to comply with its legal obligations.
Law enforcement purposes
Inquiries and investigations may include processing personal data received from data subjects directly and personal data received indirectly from an agency or company which is the subject of an inquiry and/or investigation. This may also include personal data received by the FSAI in its role as a ‘competent authority’ under Part 5 of the Data Protection Act 2018 (‘Processing of Personal Data for Law Enforcement Purposes’).
Courts and court audience
When the FSAI is involved in legal proceedings, it may, of its own volition or where it is legally obliged to, share information including any personal data which relate to the subject matter of the proceedings at issue. Personal data which are opened to the Court become a matter of court record and may be accessed by members of the public, including journalists, in accordance with the open justice principle.
Service providers and suppliers
The FSAI uses third parties such as service providers and suppliers in order to perform some of its functions. These third parties in particular process personal data on our behalf and we have in place specific arrangements which are mandated by applicable data protection laws.
Under data protection legislation, you have designated rights. Subject to certain restrictions which are set out below, you can exercise these rights in relation to your personal data that is processed by the FSAI. Your rights are as follows:
1. The right to be informed about the processing of your personal data
2. The right to access your personal data
3. The right to the rectification of your personal data
4. The right to the erasure of your personal data
5. The right to data portability
6. The right to object to the processing of your personal data
7. The right to restrict the processing of your personal data
8. Rights in relation to automated decision making (including profiling)
Article 23 of the GDPR allows for data subjects’ rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission (DPC) and are available on its website: www.dataprotection.ie.
Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of Data Controllers and on the rights of data subjects for important objectives of general public interest.
You have the right to make a complaint about how we handle your personal data to the competent supervisory authority. In Ireland, this is the Data Protection Commission (DPC). For further information, please see the DPC’s website: www.dataprotection.ie.
This Data Protection Statement is kept under review and is subject to change. We recommend that you regularly visit the FSAI’s website to ensure that you are consulting the latest version of the statement. You can find a reference to the last update on the top of this statement.
We hope you have a clearer understanding of our activities concerning your personal data and of how you can exercise your rights in relation to the FSAI as data controller of whatever of your personal data we may hold. If you have any questions or comments on this notice, please contact us or our Data Protection Officer using the contact details outlined above.