Questions for the Data Protection Commission

Posted on 1 Sep 2025

There was a great response to the Charities Regulator's webinar with the Data Protection Commission (DPC) last May with plenty of questions. The Charities Regulator has included written answers below prepared by the DPC to some of those questions. The DPC also has a comprehensive Frequently Asked Questions section on their website with answers to a wider range of questions.

DPC answers:

Q: Do charities need a record of processing activities?

DPC: Whether a charity is required to keep a record of data processing activities is contingent on special conditions relating to the size of the charity and the nature of the data that is processed. Article 30 GDPR establishes the obligation on data controllers and data processors to maintain records of their processing activities. Article 30(5) GDPR provides an exemption to the record keeping for enterprises/organisations who have fewer than 250 employees. However, it is important to note that, as stated in Article 30(5) GDPR, this exemption only applies where the rights and freedoms of the data subject are not at risk by the processing, the processing is not occasional or the processing does not include special categories of data (Article 9 GDPR) or data relating to criminal convictions/offences (Article 10 GDPR).

You may wish to review our published guidance on Article 30 GDPR.

Q: What is the safest way to delete data post retention period?

DPC: Where a retention period has come to an end, the data should be deleted in a manner that ensures that that data is no longer accessible by any natural person and/or technological system. The manner in which data is erased is dependent on the system in which the personal data is stored. However, regardless of how the data is retained, the data should be deleted in a manner that ensures that it is no longer possible for it to be obtained by any natural person or processing system once a deletion process has taken place. This is important to ensure that the data subject’s right to erasure under Articles 17 and 19 of the GDPR are protected.

Q: Is there any guidance on managing Subject Access Requests and relying on volunteers to provide data they might hold on a person?

DPC: The DPC has published two guidance notes entitled Subject Access Requests: A Data Controllers Guide and Data Subject Access Requests – FAQs which can provide guidance to data controllers when it comes to managing Subject Access Requests.

As the data controller, a charity holds responsibility for ensuring that personal data processing, including responses to subject access requests, comply with data protection laws. This is an absolute responsibility and cannot be delegated away. Data controllers have the power to delegate authority to process data to a processor or provide authority to individuals to process personal data. Data processing may only be carried out with the express authority of the data controller. In these circumstances, where a volunteer has authority to process data on behalf of a data controller, the data controller is entitled to access to the data collected by the volunteer provided it was collected in the course of their data processing activities on behalf of the controller.

Q. Can children over 16 give consent for their personal information to be shared, or is parental approval required?

DPC: In Ireland, where a data controller processes personal data in the context of online or digital services (for example a website or social media platform), children aged 16 or over can give consent. Parental consent is only required for those under 16.

Otherwise, there is no law in Ireland setting out the age at which children can exercise their own legal rights. A child may exercise their own data protection rights at any time, as long as they have the capacity to do so and it is in their best interests.

To note, parental consent is not always needed for a data controller to share a child’s data with a third party. However, you will need a solid legal basis for doing so, will be responsible for making sure that the third party respects data protection law, and should be fully transparent about why it is sharing this data and inform data subjects of their rights in relation to same.

The DPC has published detailed guidance on the processing of children’s data which you may wish to consult: Fundamentals for a Child-Oriented Approach to Data Processing_FINAL_EN.pdf

Q. If personal data was acquired prior to GDPR, and prior to a processes to request access, do you have to re-request consent to hold on to such data?

DPC: If personal data was acquired prior to the GDPR coming into effect (25 May 2018) it is not necessary to re-request consent from the data subject if the manner in which the consent was given is in line with the conditions of the GDPR. Under the GDPR, consent must be clear, documented and affirmative. Any presumed consent that was based on an implied form of action by the data subject (e.g. a pre-ticked opt-in box) will not adhere to the GDPR standards of consent. If the consent previously obtained under the old legislation does not meet the standard of GDPR consent, then controllers must undertake action to comply with these standards, for example by refreshing consent in a GDPR compliant way. More detailed information on consent obtained under Directive 95/46/EC can be found in Section 8 of the following European Data Protection Board (“EDPB”) guidelines.

The DPC has published guidance on consent as a legal basis

Some further information and useful links

Compliance questions: email the Consultation and Supervision Team consultation@dataprotection.ie.
To sign up for the DPC DPO network email: DPONetwork@dataprotection.ie
DPC podcasts: Podcasts | Data Protection Commission
DPC’s Frequently Asked Questions
Guidance on appropriate qualifications for a Data Protection Officer (GDPR) | Data Protection Commission

Become a Member of The Wheel

Providing practical supports and services, join our network of people powered change today.

Fresh Funding for Your Nonprofit

Subscribe to Fundingpoint, Ireland's largest database of funding opportunities.

Funding updates, sector news and training opportunities direct to your inbox.

Leadership

Leading Remote Teams

25 Sep 2025 - 13 Nov 2025

How can you best support your team to reach their potential in this new remote-working world? This programme is designed to equip busy nonprofit team leaders with the practical skills and confidence to manage their remote working teams.

Learn More

Leadership

Certificate in Nonprofit Leadership and Management

15 Sep 2025 - 9 Dec 2025

Dublin

A Level 9 Certificate aimed at improving specific, managerial and leadership competencies for managers and executives in Irish nonprofit organisations.

Learn More

Leadership

Transformative Leadership Programme 2025/2026 - Level 8 Accredited

20 Nov 2025 - 8 May 2026

Dublin

Applications for the Transformative Leadership Programme 2025-2026 are now open.

Transformation is an integral part of life and it is an integral part of leadership. It is the process by which we make our vision of what could be into a reality.

Learn More

Leadership

CEO Masterclass Series

9 Oct 2025 - 25 Jun 2026

The CEO Masterclasses Series is designed to provide a bespoke and targeted programme focused on impactful learning outcomes for both new and experienced CEOs.

Learn More

Governance

Empowering Communities, Protecting Lives: Safeguarding Training for Adults at Risk in your Community

10 Sep 2025

Empowering Communities, Protecting Lives: Safeguarding Training for Adults at Risk – Join us in Making a Difference!

Learn More

View all Training & Events