Mental Health Commission

Our Values: Dignity and Respect, Human Rights, Confidentiality, Quality, Accountable and Transparent, Person-Directed

Learn more about the Mental Health Commission

Data Protection

EU Regulation 2016/679 known as the GDPR and the Data Protection Act 2018 regulate the processing of personal data of a living person (known as a data subject), which is in the possession or under the control of a data controller such as the Mental Health Commission.

Personal data is defined as information from which the individual (data subject) concerned can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  These requirements do not apply however to fully anonymised or aggregated data where a living individual cannot be identified. There are also “special categories of personal data”, which is any data that relates to a data subjects’:

 (a)  Trade union membership.
 (b)  Data concerning physical or mental health or condition, or sexual life or orientation.
 (c)  Genetic data, biometric data.
 (d)  Racial or ethnic origin, political opinions, religious or philosophical beliefs, and which attract a greater level of protection under the GDPR.

Data relating to criminal convictions or offences is subject to specific protection and may only be processed under the control of official authority or where authorised by Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

The requirements apply to any person or entity that falls within the definition of a data controller or data processor.  The obligations primarily apply to data controllers, defined as the entity that determines the purposes and means of data processing (alone or together with others). As noted above, the Mental Health Commission is a data controller.

Information should be collected fairly and for a specific purpose and it should only be processed by reference to specific legal grounds.

Generally, data controllers are under an obligation to process personal data lawfully, fairly and in a transparent manner (e.g. pursuant to a privacy policy that meets the requirements of the GDPR) and for a specified purpose in ways that are compatible with that purpose.  All data processing must be supported by reference to one or more “lawful bases of processing”.  Please open the attached document to review the MHC’s Privacy Policy. Please click here for Your Guide to the Mental Health Commission Privacy Policy.

The processing of special categories of personal data is subject to separate grounds for processing, which are set out in Article 9 GDPR.  In addition, the Data Protection Act 2018 states that the processing of special categories of personal data is permissible when processing respects the essence of the right to data protection and is necessary and proportionate for the performance of a statutory function.

There is a requirement that “appropriate technical and organisational measures” are in place to protect the security of personal data and that personal data not be retained for longer than is necessary for the purpose or purposes for which the data are processed.

Data subjects have enhanced rights in relation to their personal data, most of which only apply in specific circumstances. These are known as data subject access rights. These include the right of access, deletion (e.g. where processing is unlawful or excessive) and to rectification of inaccurate personal data.  Please contact the MHC’s Data Protection Officer at for any further information in relation to this issue. The other rights introduced by the GDPR which apply in certain circumstances include the right of restriction and right of objection. Please contact the MHC’s Data Protection Officer for any further information in relation to this issue.

The GDPR introduces a compulsory requirement for controllers to report data breaches to its supervisory authority (i.e. in Ireland, the Data Protection Commission) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects.  A risk assessment will therefore need to be taken by the controller in evaluating whether the obligation to report arises.  Where a breach poses a high risk to data subjects, the GDPR also requires that the controller communicate the breach to the affected data subjects without undue delay.  Regardless of whether a notification to the regulator is made or not, controllers must document all personal data breaches, comprising the facts, its effects and remedial action taken.  Where a processor has suffered a personal data breach, the processor must notify the controller “without undue delay” after becoming aware of the breach.

The GDPR gives data subjects a right to claim compensation for material or non-material loss or damage arising from an infringement of the GDPR by a controller or a processor (who can be sued on a joint and several basis where they are both involved in the processing giving rise to the infringement). Under the Data Protection Act 2018, these are classified as actions in tort subject to the jurisdiction of the Circuit Court and High Court.

Should you have any queries please contact:

Data Protection Officer
Mental Health Commission
Waterloo Exchange
Waterloo Rd
Dublin 4
Tel: (01) 6362400
Fax: (01) 6362440

Back to top


Contact Details

Waterloo Exchange, Waterloo Road, Dublin 4

Ph: 353(1) 636 2400

Fax: 353(1) 636 2440

Eircode: D04 E5W7

GPS coordinates: 53°19'58.6"N 6°14'36.9"W