Data Protection Policy

Who This Policy Applies To

This policy covers how Galway County Council handles your personal data. It works alongside our other policies, like our Privacy Statement and Subject Access Requests Policy.

Key Definitions

Personal Data: Any information that can identify you, like your name, address, or ID number.

Processing: Any action we take with your data—collecting, storing, using, sharing, or deleting it.

Who Controls Your Data?

Galway County Council is the Data Controller. This means we decide why and how your personal data is used, in line with Irish and EU law.

When We Share Your Data

• Between departments within the Council if it’s necessary for our legal duties.
• With other public bodies or third-party service providers, when required by law or to support our services.

Why We Use Your Data

We process your data because:

• It’s required by law.
• It’s needed to carry out our public duties.
• You’ve given us permission (in some cases).

We only keep your data as long as necessary and then securely delete it.

Your Data Protection Rights

You have the right to:

• Access your data – See what data we hold about you.
• Correct your data – Fix any mistakes.
• Delete your data – Ask us to remove your data in certain cases.
• Restrict use – Limit how we use your data.
• Data portability – Get your data in a format you can share.
• Object – Say no to certain uses of your data.
• Avoid automated decisions – Ask for a human review if decisions are made by computers.

How We Protect Your Data

We use strong security measures to protect your data from loss, misuse, or unauthorised access.

Working with Others

• We keep records of how we use your data.
• We have contracts with third parties who process data for us.
• We don’t send your data outside the EU unless it’s safe and legal to do so.

Privacy by Design

We build privacy into our systems from the start and only collect what’s necessary.

Data Protection Impact Assessments

For high-risk data uses, we carry out assessments to protect your rights and consult with the Data Protection Commissioner if needed.

If There’s a Data Breach

If your data is lost or accessed without permission, we’ll follow our breach protocol and notify you and the Data Protection Commissioner if required.

Limits to Access Rights

In some cases, we may not provide access to your data if it’s necessary to protect:

• National security
• Public safety
• Legal investigations
• Other people’s rights

Our Data Protection Officer (DPO)

Galway County Council has appointed a Data Protection Officer (DPO) to ensure we meet our obligations under the GDPR and the Data Protection Act 2018. The DPO acts independently and reports directly to senior management.

What the DPO Does:

• Advises the Council and its staff on data protection responsibilities.
• Monitors compliance with data protection laws and internal policies.
• Provides training and raises awareness among staff.
• Conducts audits to ensure data is handled properly.
• Reviews and advises on Data Protection Impact Assessments (DPIAs).
• Acts as a contact point for the Data Protection Commission.
• Supports individuals (like you) with questions or concerns about how their data is used.

Raising a Concern or Making a Complaint

We are committed to protecting your personal data and handling it responsibly. If you have any concerns about how your data is being used, we encourage you to contact us.

How to Raise a Concern

Contact our DPO using the details below. We will listen to your concern and aim to resolve it quickly and fairly. If you're not satisfied with our response, you can escalate your complaint to the Data Protection Commission.

Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28
1800 437 737 / 01 765 0100
info@dataprotection.ie