This Cookie Policy was last updated on May 28, 2026 and applies to citizens and legal permanent residents of the European Economic Area and the United Kingdom.
1. Introduction
Our website, https://www.itconsultancy.eu.com (hereinafter: "the website") uses cookies and other related technologies (for convenience all technologies are referred to as "cookies"). Cookies are also placed by third parties we have engaged. In the document below we inform you about the use of cookies on our website.
2. What are cookies?
A cookie is a small simple file that is sent along with pages of this website and stored by your browser on the hard drive of your computer or another device. The information stored therein may be returned to our servers or to the servers of the relevant third parties during a subsequent visit.
3. What are scripts?
A script is a piece of program code that is used to make our website function properly and interactively. This code is executed on our server or on your device.
4. What is a web beacon?
A web beacon (or a pixel tag) is a small, invisible piece of text or image on a website that is used to monitor traffic on a website. In order to do this, various data about you is stored using web beacons.
5. Cookies
5.1 Technical or functional cookies
Some cookies ensure that certain parts of the website work properly and that your user preferences remain known. By placing functional cookies, we make it easier for you to visit our website. This way, you do not need to repeatedly enter the same information when visiting our website and, for example, the items remain in your shopping cart until you have paid. We may place these cookies without your consent.
6. Placed cookies
352_consent_plugin
Functional
| Cookie Name | Purpose | Expiry |
|---|---|---|
352_consent
|
Stores the consent preferences of the data subject. | Session |
352_consent_cid
|
Pseudonymous client identifier for consent logging. | Session |
wordpress_core
Functional
| Cookie Name | Purpose | Expiry |
|---|---|---|
comment_author_*
|
Stores commenter name for convenience. | Session |
comment_author_email_*
|
Stores commenter email for convenience. | Session |
comment_author_url_*
|
Stores commenter URL for convenience. | Session |
wordpress_logged_in_*
|
Authentication cookie for logged-in users. | Session |
wordpress_sec_*
|
Secure authentication cookie. | Session |
wordpress_test_cookie
|
Tests whether the browser accepts cookies. | Session |
wp-settings-*
|
Stores user interface customisation settings. | Session |
wp-settings-time-*
|
Timestamp for wp-settings cookie. | Session |
7. Consent
When you visit our website for the first time, we will show you a pop-up with an explanation about cookies. As soon as you click on "Save preferences", you consent to us using the categories of cookies and plug-ins you selected in the pop-up, as described in this Cookie Policy. You can disable the use of cookies via your browser, but please note that our website may no longer work properly.
7.1 Manage your consent settings
You can change your cookie preferences at any time using the button below:
8. Enabling/disabling and deleting cookies
You can use your internet browser to automatically or manually delete cookies. You can also specify that certain cookies may not be placed. Another option is to change the settings of your internet browser so that you receive a message each time a cookie is placed. For more information about these options, please refer to the instructions in the Help section of your browser.
Please note that our website may not work properly if all cookies are disabled. If you do delete the cookies in your browser, they will be placed again after your consent when you visit our website again.
9. Your rights with respect to personal data
You have the following rights with respect to your personal data:
- You have the right to know why your personal data is needed, what will happen to it, and how long it will be retained.
- Right of access: You have the right to access your personal data that is known to us.
- Right to rectification: you have the right to supplement, correct, have deleted or blocked your personal data whenever you wish.
- If you give us your consent to process your data, you have the right to revoke that consent and to have your personal data deleted.
- Right to transfer your data: you have the right to request all your personal data from the controller and transfer it in its entirety to another controller.
- Right to object: you may object to the processing of your data. We comply with this, unless there are justified grounds for processing.
To exercise these rights, please contact us. Please refer to the contact details at the bottom of this Cookie Policy. If you have a complaint about how we handle your data, we would like to hear from you, but you also have the right to submit a complaint to the supervisory authority (the data protection authority). For more information about how we handle personal data, please see our Privacy Policy.
10. Contact details
For questions and/or comments about our Cookie Policy and this statement, please contact us by using the following contact details:
IT Consultancy Services Limited29 Priory Hall, Stillorgan,
Co Dublin, Ireland
ie
Website: https://www.itconsultancy.eu.com
Email: [email protected]
Phone number: + 353 353 353 353
11. Additional information for data subjects under European Union — General Data Protection Regulation (Regulation (EU) 2016/679)
11.1 Scope of this section
This section provides additional information for individuals whose personal data is processed under the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"). It applies in addition to, and not in substitution of, the rest of this Cookie Policy and our Privacy Policy.
In line with Article 3 of the GDPR, this section also applies where we offer goods or services to data subjects in the European Economic Area, or where our processing relates to monitoring the behaviour of data subjects taking place in the European Economic Area, even if we are established outside of the European Union.
11.2 Lawful bases for processing
In accordance with Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), we process your personal data only where one or more of the following lawful bases applies:
- You have given consent to the processing of your personal data for one or more specific purposes (Article 6(1)(a));
- The processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract (Article 6(1)(b));
- The processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c));
- The processing is necessary in order to protect your vital interests or those of another natural person (Article 6(1)(d));
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e));
- The processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (Article 6(1)(f)).
Where we rely on legitimate interests, we have carried out a balancing exercise documented in our internal records. You may request further information about this assessment at any time.
11.3 Consent
Where we rely on consent as the lawful basis for processing your personal data, that consent is requested and recorded in accordance with Article 7 of the GDPR. Consent is freely given, specific, informed and unambiguous, given by a clear affirmative act, and the request is presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
You may withdraw your consent at any time. Withdrawal is as easy as the original consent and does not affect the lawfulness of processing carried out before the withdrawal. Where the processing is based on consent, you will be informed before giving consent of your right to withdraw it.
11.4 Special categories of personal data and criminal records
In accordance with Article 9 of the GDPR, we process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning sex life or sexual orientation, only where one of the conditions in Article 9(2) applies, including your explicit consent, the protection of vital interests, or substantial public interest grounds laid down by Union or Member State law.
Personal data relating to criminal convictions and offences are processed only under the control of an official authority or where the processing is authorised by Union or Member State law providing for appropriate safeguards (Article 10).
11.5 Children's consent for information society services
Article 8 of the GDPR provides that, where information society services are offered directly to a child and consent is the relied-upon basis, processing is lawful only where the child is at least 16 years of age. Member States may by law provide for a lower age, provided that it is not below 13.
The applicable digital age of consent therefore depends on the Member State whose law applies. Where the data subject is below the applicable threshold and consent is the relied-upon basis, we obtain consent from the holder of parental responsibility over the child and make reasonable efforts to verify it, taking into account available technology.
11.6 Information provided at collection
In accordance with Articles 13 and 14 of the GDPR, before or at the time of collecting personal data we inform you of: the identity and contact details of the controller and, where applicable, the data protection officer; the purposes of the processing and the lawful basis; the legitimate interests pursued where applicable; the recipients or categories of recipients; any intention to transfer personal data to a third country and the safeguards relied on; the retention period (or the criteria used to determine it); your rights under the GDPR; and your right to lodge a complaint with a supervisory authority.
A consolidated description of our processing activities, retention periods, recipients and your rights is set out in our Privacy Policy.
11.7 International transfers of personal data
In accordance with Articles 44 to 49 of the GDPR, we may transfer your personal data to countries or international organisations outside the European Economic Area (EEA) only where one of the following conditions is met:
- The European Commission has decided that the destination country, territory, sector or international organisation ensures an adequate level of protection (Article 45);
- The transfer is subject to appropriate safeguards under Article 46, such as Standard Contractual Clauses adopted by the European Commission, Binding Corporate Rules approved by a competent supervisory authority, or an approved code of conduct or certification mechanism;
- A specific derogation under Article 49 applies, including your explicit informed consent to the proposed transfer, the necessity of the transfer for the performance of a contract, important reasons of public interest, the establishment, exercise or defence of legal claims, or the vital interests of the data subject.
Following the Schrems II judgment of the Court of Justice of the European Union (Case C-311/18), where we rely on Standard Contractual Clauses or other safeguards we also assess the laws and practices of the destination country and apply supplementary measures where necessary to ensure an essentially equivalent level of protection.
11.8 Your rights under the GDPR
In accordance with Articles 15 to 22 of the GDPR, you have the following rights in respect of your personal data:
- Right of access (Art 15): to obtain confirmation of whether your personal data are being processed and, where that is the case, access to the data and to the information listed in Article 15.
- Right to rectification (Art 16): to obtain the rectification of inaccurate personal data and the completion of incomplete data.
- Right to erasure (Art 17): to obtain the erasure of your personal data without undue delay where one of the grounds in Article 17(1) applies.
- Right to restriction (Art 18): to obtain restriction of processing in the cases listed in Article 18(1).
- Right to data portability (Art 20): to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller, where the processing is based on consent or contract and is carried out by automated means.
- Right to object (Art 21): to object, on grounds relating to your particular situation, to processing based on Article 6(1)(e) or (f); and at any time to object to processing for direct marketing purposes.
- Automated decision-making (Art 22): not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except in the cases set out in Article 22(2).
- Right to lodge a complaint (Art 77): to lodge a complaint with the supervisory authority of the Member State of your habitual residence, place of work or place of the alleged infringement.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, extendable by two further months where necessary, in accordance with Article 12 of the GDPR.
11.9 Data Protection Officer
Articles 37 to 39 of the GDPR require the designation of a Data Protection Officer where the processing is carried out by a public authority or body, where the core activities consist of processing operations which by their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Where we are required (or have voluntarily chosen) to designate a Data Protection Officer, the contact details of that officer are published in our Privacy Policy and notified to the competent supervisory authority. The Data Protection Officer is the point of contact for data subjects on all issues related to the processing of their personal data and the exercise of their rights under the GDPR.
11.10 Breach notification and impact assessments
In accordance with Article 33 of the GDPR, in the event of a personal data breach we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
In accordance with Article 34, where the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay, in clear and plain language, together with the information listed in Article 34(2). Communication is not required where one of the exceptions in Article 34(3) applies.
In accordance with Article 35, where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (in particular, using new technologies, taking into account the nature, scope, context and purposes of the processing), we carry out a Data Protection Impact Assessment (DPIA) prior to the processing. Where the DPIA indicates a residual high risk that we cannot mitigate, we consult the competent supervisory authority before commencing the processing.
11.11 Profiling and automated decision-making
Where we engage in profiling or in decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you, we comply with Article 22 of the GDPR. Such decisions are made only where: necessary for entering into or performing a contract with you; authorised by Union or Member State law to which we are subject and which provides suitable safeguards; or based on your explicit consent.
Where automated decision-making is permitted, we implement suitable measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on our part, the right to express your point of view and the right to contest the decision.
11.12 Penalties for non-compliance
For information only: the GDPR provides for administrative fines of up to twenty million euros (€20,000,000) or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). Lower-tier fines of up to ten million euros (€10,000,000) or 2% of worldwide turnover apply to the breaches listed in Article 83(4).
These fines are administered by the competent national supervisory authority of the Member State concerned, in cooperation with other supervisory authorities under the GDPR's consistency mechanism.
11.13 Supervisory authority
The competent national supervisory authority for our processing is the data protection authority of the Member State in which we are established. The full list of EU/EEA national supervisory authorities is available on the European Data Protection Board (EDPB) website at https://www.edpb.europa.eu/.
Without prejudice to the above, you have the right to lodge a complaint with the supervisory authority of the Member State of your habitual residence, place of work or place of the alleged infringement, where you consider that our processing of your personal data infringes the GDPR (Article 77).
Coordination of national supervisory authorities at EU level is carried out by:
European Data Protection Board (EDPB)
Rue Wiertz 60, B-1047 Brussels, Belgium
https://www.edpb.europa.eu/
12. Additional information for data subjects under United Kingdom — UK GDPR + Data Protection Act 2018
12.1 Scope of this section
This section provides additional information for individuals whose personal data is processed under the UK General Data Protection Regulation (the "UK GDPR") and the Data Protection Act 2018 (the "DPA 2018"). It applies in addition to, and not in substitution of, the rest of this Cookie Policy and our Privacy Policy.
In line with the territorial scope of the UK GDPR, this section also applies where we offer goods or services to data subjects in the United Kingdom, or where our processing relates to monitoring the behaviour of data subjects taking place in the United Kingdom, even if we are established outside of the UK.
12.2 Lawful bases for processing under the UK GDPR
In accordance with Article 6 of the UK General Data Protection Regulation (the "UK GDPR"), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as supplemented by the Data Protection Act 2018 (the "DPA 2018"), we process your personal data only where one or more of the following lawful bases applies:
- You have given consent for one or more specific purposes (Article 6(1)(a) UK GDPR);
- The processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract (Article 6(1)(b));
- The processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c));
- The processing is necessary to protect vital interests (Article 6(1)(d));
- The processing is necessary for the performance of a public task (Article 6(1)(e));
- The processing is necessary for our legitimate interests or those of a third party, except where overridden by your interests or fundamental rights and freedoms (Article 6(1)(f)).
Where we offer goods or services to data subjects in the European Economic Area, or monitor their behaviour in the EEA, our processing may also be subject to the EU GDPR. In such cases, both the UK GDPR and the EU GDPR apply in parallel and we comply with both.
12.3 Consent
Where we rely on consent as the lawful basis for processing your personal data, that consent is requested and recorded in accordance with Article 7 of the UK GDPR. Consent is freely given, specific, informed and unambiguous, given by a clear affirmative act, and the request is presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
You may withdraw your consent at any time. Withdrawal is as easy as the original consent and does not affect the lawfulness of processing carried out before the withdrawal.
Separately, in respect of cookies and similar technologies, regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) requires opt-in consent for any non-essential cookies or similar technologies before they are placed on or read from your device.
12.4 Special categories of personal data
In accordance with Article 9 of the UK GDPR, we process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning sex life or sexual orientation, only where one of the conditions in Article 9(2) applies. Where we rely on a UK-specific condition, we do so in accordance with Schedule 1 to the DPA 2018, which lists the conditions of substantial public interest, employment, social security and other categories that supplement the UK GDPR.
Personal data relating to criminal convictions and offences are processed only under the control of an official authority or where authorised by UK law providing for appropriate safeguards.
12.5 Children's consent for information society services
Article 8 of the UK GDPR provides that, where information society services are offered directly to a child and consent is the relied-upon basis, processing is lawful only where the child is at least the applicable age threshold.
In the United Kingdom, the digital age of consent has been set at 13 years. Where the data subject is below 13 and consent is the relied-upon basis, we obtain consent from the holder of parental responsibility over the child and make reasonable efforts to verify it, taking into account available technology.
12.6 Information provided at collection
In accordance with Articles 13 and 14 of the UK GDPR, before or at the time of collecting personal data we inform you of: the identity and contact details of the controller and, where applicable, the data protection officer or UK representative; the purposes of the processing and the lawful basis; the legitimate interests pursued where applicable; the recipients or categories of recipients; any intention to transfer personal data outside the United Kingdom and the safeguards relied on; the retention period (or the criteria used to determine it); your rights under the UK GDPR; and your right to lodge a complaint with the Information Commissioner's Office.
A consolidated description of our processing activities, retention periods, recipients and your rights is set out in our Privacy Policy.
12.7 International transfers of personal data
Following the United Kingdom's departure from the European Union, transfers of personal data from the United Kingdom to third countries are governed by Articles 44 to 49 of the UK GDPR and Part 5 of the DPA 2018. We transfer personal data outside the United Kingdom only where one of the following conditions is met:
- The Secretary of State has made adequacy regulations in respect of the destination country, territory, sector or international organisation;
- The transfer is subject to appropriate safeguards, including (since 21 March 2022) the International Data Transfer Agreement ("IDTA") issued by the Information Commissioner, or the UK Addendum to the European Commission's Standard Contractual Clauses;
- Binding Corporate Rules have been approved by the Information Commissioner;
- A specific derogation under Article 49 of the UK GDPR applies, such as your explicit informed consent or the necessity of the transfer for the performance of a contract.
Where we rely on the IDTA or the UK Addendum, we carry out a transfer risk assessment in line with Information Commissioner's Office (ICO) guidance and apply supplementary measures where necessary.
12.8 Your rights under the UK GDPR
In accordance with Articles 15 to 22 of the UK GDPR, you have the following rights in respect of your personal data:
- Right of access (Art 15): to obtain confirmation of whether your personal data are being processed and access to those data.
- Right to rectification (Art 16): to obtain the rectification of inaccurate or incomplete personal data.
- Right to erasure (Art 17): to obtain the erasure of your personal data without undue delay where one of the grounds in Article 17(1) applies.
- Right to restriction (Art 18): to obtain restriction of processing in the cases listed in Article 18(1).
- Right to data portability (Art 20): to receive personal data you have provided in a structured, commonly used and machine-readable format and to transmit it to another controller.
- Right to object (Art 21): to object, on grounds relating to your particular situation, to processing based on Article 6(1)(e) or (f); and at any time to object to processing for direct marketing.
- Automated decision-making (Art 22): not to be subject to a decision based solely on automated processing, including profiling, except in the cases set out in Article 22(2).
- Right to lodge a complaint (Art 77): to lodge a complaint with the Information Commissioner's Office.
To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month, extendable by two further months where necessary, in accordance with Article 12 of the UK GDPR.
12.9 Data Protection Officer and UK representative
Articles 37 to 39 of the UK GDPR require the designation of a Data Protection Officer where the processing is carried out by a public authority or body, where the core activities consist of regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Where we are not established in the United Kingdom but we offer goods or services to, or monitor the behaviour of, data subjects in the UK, we designate in writing a UK representative under Article 27 of the UK GDPR. The contact details of the UK representative are published in our Privacy Policy.
12.10 Breach notification and PECR enforcement
In accordance with Article 33 of the UK GDPR, in the event of a personal data breach we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms.
In accordance with Article 34, where the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay, in clear and plain language, together with the information listed in Article 34(2).
Separately, the ICO enforces the Privacy and Electronic Communications Regulations 2003 (PECR), which govern cookies, electronic marketing and certain other electronic communications. PECR enforcement may be exercised independently of UK GDPR enforcement.
12.11 ICO Age Appropriate Design Code (Children's Code)
The ICO Age Appropriate Design Code (the "Children's Code") sets out 15 standards for online services likely to be accessed by children in the United Kingdom. Where our service is likely to be accessed by children, we comply with the Children's Code, which includes data minimisation, default high-privacy settings, transparent processing notices written in age-appropriate language, restrictions on profiling, and a best-interests-of-the-child assessment.
The Children's Code is a statutory code of practice issued under section 123 of the DPA 2018. The ICO takes the standards into account when considering whether processing complies with the UK GDPR and PECR.
12.12 Penalties for non-compliance
For information only: the UK GDPR provides for administrative fines of up to £17.5 million or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. Lower-tier fines of up to £8.7 million or 2% of worldwide turnover apply to the breaches in the lower tier.
These fines are administered by the Information Commissioner's Office. The DPA 2018 also creates specific criminal offences (including under section 199 — information offences) which may result in criminal penalties.
12.13 Supervisory authority
The supervisory authority responsible for monitoring the application of the UK GDPR, the DPA 2018 and PECR in the United Kingdom is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
https://ico.org.uk/
You have the right to lodge a complaint with the Information Commissioner's Office where you consider that our processing of your personal data infringes the UK GDPR or the DPA 2018 (Article 77 UK GDPR).
13. Additional information for data subjects under Ireland — Data Protection Act 2018 + GDPR
13.1 Scope of this section
This section provides additional information for individuals whose personal data is processed under the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the Irish Data Protection Act 2018 (the "Irish DPA 2018"). It applies in addition to, and not in substitution of, the rest of this Cookie Policy and our Privacy Policy.
In line with the territorial scope of the GDPR, this section also applies where we offer goods or services to data subjects in the European Economic Area, or where our processing relates to monitoring the behaviour of data subjects taking place in the European Economic Area, even if we are established outside of the European Union.
13.2 Lawful bases for processing under GDPR and Irish law
In accordance with Article 6 of the GDPR, as supplemented by the Irish Data Protection Act 2018, we process your personal data only where one or more of the following lawful bases applies:
- You have given consent to the processing for one or more specific purposes (Article 6(1)(a) GDPR);
- The processing is necessary for the performance of a contract to which you are party, or to take steps at your request prior to entering into a contract (Article 6(1)(b));
- The processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c));
- The processing is necessary in order to protect your vital interests or those of another natural person (Article 6(1)(d));
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e));
- The processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where overridden by your interests or fundamental rights and freedoms (Article 6(1)(f)).
Where Irish national law authorises specific derogations (for example, under Section 60 of the Irish DPA 2018) or imposes additional conditions on a particular processing operation, those national-level rules apply in addition to the GDPR baseline above.
13.3 Consent
Where we rely on consent as the lawful basis for processing your personal data, that consent is requested and recorded in accordance with Article 7 of the GDPR. Consent is freely given, specific, informed and unambiguous, given by a clear affirmative act, and the request is presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
You may withdraw your consent at any time. Withdrawal is as easy as the original consent and does not affect the lawfulness of processing carried out before the withdrawal. Where the processing is based on consent, you will be informed before giving consent of your right to withdraw it.
13.4 Special categories of personal data
In accordance with Article 9 of the GDPR, we process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning sex life or sexual orientation, only where one of the conditions in Article 9(2) applies.
In Ireland, Section 76 of the Irish DPA 2018 supplements those conditions by providing further specific bases for the processing of special category data, including in employment, social security, and substantial public interest contexts, subject to suitable safeguards.
13.5 Children's data and consent for information society services
Article 8 of the GDPR provides that, where information society services are offered directly to a child, the processing of the child's personal data is lawful on the basis of consent only where the child is at least 16 years of age. Member States may by law provide for a lower age, provided that it is not below 13.
Section 31 of the Irish Data Protection Act 2018 confirms the digital age of consent in Ireland as 16 years. Where the data subject is below this age and consent is the relied-upon basis, we obtain consent from the holder of parental responsibility over the child and make reasonable efforts to verify it, taking into account available technology.
13.6 Information provided at collection
In accordance with Articles 13 and 14 of the GDPR, before or at the time of collecting personal data we inform you of: the identity and contact details of the controller and, where applicable, the data protection officer; the purposes of the processing and the lawful basis; the legitimate interests pursued where applicable; the recipients or categories of recipients; any intention to transfer personal data to a third country and the safeguards relied on; the retention period; your rights under the GDPR; and your right to lodge a complaint with the Data Protection Commission.
A consolidated description of our processing activities, retention periods, recipients and your rights is set out in our Privacy Policy.
13.7 International transfers of personal data
In accordance with Articles 44 to 49 of the GDPR, we may transfer your personal data to countries or international organisations outside the European Economic Area (EEA) only where one of the following conditions is met:
- The European Commission has decided that the destination country, territory, sector or international organisation ensures an adequate level of protection (Article 45);
- The transfer is subject to appropriate safeguards under Article 46, such as Standard Contractual Clauses, Binding Corporate Rules or an approved code of conduct or certification mechanism;
- A specific derogation under Article 49 applies, including your explicit informed consent to the proposed transfer or the necessity of the transfer for the performance of a contract.
Following the Schrems II judgment of the Court of Justice of the European Union (Case C-311/18), where we rely on Standard Contractual Clauses or other safeguards we also assess the laws and practices of the destination country and apply supplementary measures where necessary to ensure an essentially equivalent level of protection.
13.8 Your rights under the GDPR
In accordance with Articles 15 to 22 of the GDPR, you have the following rights in respect of your personal data:
- Right of access (Art 15): to obtain confirmation of whether your personal data are being processed and access to those data.
- Right to rectification (Art 16): to obtain rectification of inaccurate or incomplete data.
- Right to erasure (Art 17): to obtain erasure of your personal data without undue delay where one of the grounds in Article 17(1) applies.
- Right to restriction (Art 18): to obtain restriction of processing in the cases listed in Article 18(1).
- Right to data portability (Art 20): to receive personal data you provided in a structured, commonly used and machine-readable format and to transmit it to another controller.
- Right to object (Art 21): to object to processing based on Article 6(1)(e) or (f); and at any time to object to direct marketing.
- Automated decision-making (Art 22): not to be subject to a solely automated decision producing legal or similarly significant effects, except in the cases of Article 22(2).
- Right to lodge a complaint (Art 77): to lodge a complaint with the Data Protection Commission.
These rights may be subject to restrictions where authorised by Union or Irish law in accordance with Section 60 of the Irish DPA 2018 and Article 23 of the GDPR (for example, to safeguard national security, defence, public security, the prevention and investigation of criminal offences, or important objectives of general public interest).
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, extendable by two further months where necessary, in accordance with Article 12 of the GDPR.
13.9 Data Protection Officer
Articles 37 to 39 of the GDPR require the designation of a Data Protection Officer where the processing is carried out by a public authority or body, where the core activities consist of regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Where we are required (or have voluntarily chosen) to designate a Data Protection Officer, the contact details of that officer are published in our Privacy Policy and notified to the Data Protection Commission.
13.10 Notification of personal data breaches
In accordance with Article 33 of the GDPR, in the event of a personal data breach we will notify the Data Protection Commission without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms.
In accordance with Article 34, where the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay, in clear and plain language, together with the information listed in Article 34(2).
13.11 Complaints and the role of the Data Protection Commission
In accordance with Article 77 of the GDPR and the Irish Data Protection Act 2018, you have the right to lodge a complaint with the Data Protection Commission (the "DPC") if you consider that our processing of your personal data infringes data protection law.
Where we operate cross-border processing across multiple Member States, the DPC may act as the lead supervisory authority under the GDPR's "one-stop-shop" mechanism (Article 56). In that case, the DPC coordinates with concerned supervisory authorities in other Member States in accordance with the cooperation and consistency procedures of the GDPR.
13.12 Penalties for non-compliance
For information only: the GDPR provides for administrative fines of up to twenty million euros (€20,000,000) or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). Lower-tier fines of up to ten million euros (€10,000,000) or 2% of worldwide turnover apply to the breaches in the lower tier.
These fines are administered by the Data Protection Commission in respect of processing within its competence. The Irish DPA 2018 also creates specific criminal offences which may result in additional penalties.
13.13 Supervisory authority
The supervisory authority responsible for monitoring the application of the GDPR and the Irish DPA 2018 in Ireland is:
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
https://www.dataprotection.ie/
You have the right to lodge a complaint with the DPC, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, where you consider that our processing of your personal data infringes the GDPR (Article 77).
This Cookie Policy was synchronised with cookiedatabase.org on May 28, 2026.
