General Data Protection Regulation (GDPR)

The main Irish law dealing with Data Protection is the Data Protection Act 1988, amended by the Data Protection (amendment) Act 2003. The EU are introducing a new regulation, called the General Data Protection Regulation (GDPR). This will start in Ireland on 25th May and will replace the existing legislation.

GDPR gives people greater access to their personal information and control over how it is used.

We are writing to you to make it easier for you to understand what control you have over your data and how you can access the information we hold relating to you.  There is no change to how you use our services, and there is no need for you to do anything differently as a result of this legislation.

What is data?

Data is information or facts that are usually stored on a computer or paper.

What is a Data Controller?

Data controller is a person, or group of people, who control the contents and use of personal information for example companies, government departments or voluntary organisations or individuals such as general practitioners (GPs), pharmacists or sole traders.

Why do we have personal data relating to survivors?

We collect information relating to you, the survivor, in order to perform our function as a data controller and comply with our legal obligations as set out in the legislation that Caranua was established under, the Residential Institutions Statutory Fund Act of 2012.  

This Act says that we must make decisions about applications by taking account of individual circumstances and assessing the likely effect of the provision of a service on you, the survivor, decide what supporting evidence we need to assess an application, and we must specify the minimum standards to be met by the providers of that service.  We must also apply relevant limits to the money that may be made available for an arrangement or payment.

How long do we keep your data for?

The length of time we keep personal data is called the ‘retention period’.  We keep personal data for no longer than is necessary.  

For some data types there is legislation telling us how long we must keep this data.  This means that the retention period for your personal data will vary depending on the type of personal data.  All information will be destroyed and shredded once this retention period is over. 

What rights do I have as a survivor in relation to the data held by Caranua?

You have the right to access the information we hold on you, and if you request a copy of that information, we will provide it to you within 1 month free of charge.  If you would like a copy of your information you can email us on or, if you would prefer, you can write to us, at Caranua, PO Box 12477, Dublin 1.  We may ask for proof of identification before we give out the information.  This is to make sure we only give out personal information to the right people. 

If you discover that the information we hold in relation to you contains errors, you have the right to have those errors corrected.  If you find that any information we hold in relation to you is not correct, please let us know so that we can correct this.  You can phone us on (01) 874 2277, email us on or write to us at Caranua, PO Box 12477, Dublin 1.

You have the right to object to Caranua’s processing of your personal data. You can contact our Data Protection Officer to do so. Our Data Protection Officer will consider your objection. If Caranua does not have legitimate grounds for the processing of this data the data Protection Officer will address this issue.  You can e-mail Caranua’s Data Protection Officer at or you can write to Data Protection Officer, Caranua, PO Box 12477, Dublin 1.

Under GDPR legislation, you have the right to object at any time to processing of personal data for direct marketing.  Caranua will never use your personal information for this purpose, do not maintain a database of survivors who apply to Caranua for that purpose, and will not provide your data to any other company for this purpose.

Also, under the legislation, you have the right not to be subject to a decision based solely on automated processing, including profiling.  This is where applications are approved or denied without review by a person, and Caranua do not use this method for any survivor who applies to Caranua.  All applications that we receive are reviewed carefully by a member of staff.

The GDPR also states that you have the right to be forgotten.  This is where you can withdraw consent to having your information stored by a company.  The GDPR legislation restricts this right to be forgotten where the data must be retained by law.  Caranua are subject to legislation in this area, which means that once we have made a payment to a survivor, we are obliged by law to retain certain information relating to the survivor.

How can I make a request under GDPR?

A request for information under GDPR must be in writing – either email or letter.  You can send an email to or post to Data Protection Officer, PO Box 12477 Dublin 1.

There will be no charge for making your request.  You should make it clear what information you are looking for, how you would like to receive the information, and if you need any help in making the request.

See Also

Data Protection Commissioner website

Data Protection Bill 2018 (giving effect to GDPR in Ireland and establishing the Data Protection Commission)

Full text of EU General Data Protection Regulation

Full text of Residential Institutions Statutory Fund Act 2012