Privacy

ComReg collects and uses personal data (personal information) about individuals who come in contact with us, for a variety of purposes. In circumstances where we are responsible for deciding how we hold and use personal data about individuals, we are a “data controller”.

This Privacy Notice outlines what personal data we collect and use about individuals in connection with the services and functions of ComReg, where we obtain the personal data from, what we do with that personal data, how we comply with data protection legislation, who receives personal data from us and how we deal with individuals’ rights in relation to their personal data. This Privacy Notice includes information about the personal data we collect and use about consumers who complain to us, about individuals who we interact with as part of fulfilling our functions (including individuals who work in regulated businesses) and other individuals outside our organisation.

This Privacy Notice also explains what personal data we collect and use about individuals who use our website (www.comreg.ie). We use cookies on our website, and for more information about this, please see our Cookie Notice at www.comreg.ie/cookie-policy/.

The primary data protection legislation that applies to us is the EU General Data Protection Regulation (the GDPR) effective from 25 May 2018, supplemented by Irish legislation (primarily the Data Protection Acts 1988 – 2018 and ePrivacy Regulations 2011).  Where we process personal information for the purposes of our criminal investigation and prosecution powers, we are regulated by the Law Enforcement Directive (Directive (EU) 2016/680) as transposed into Irish law by the Data Protection Act 2018. One of our obligations under data protection legislation is to be transparent with you about our collection and use of personal information about individuals.

Data protection law provides rights to individuals with regard to the use of their personal information (personal data) by organisations, including ComReg. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.

Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.

The data protection rules that apply to us are contained in the EU General Data Protection Regulation (the GDPR) effective from 25 May 2018, supplemented by Irish legislation (primarily the Data Protection Acts 1988 – 2018 and ePrivacy Regulations 2011). Where we process personal information for the purposes of our criminal investigation and prosecution powers, we are regulated by the Law Enforcement Directive (Directive (EU) 2016/680) as transposed into Irish law by the Data Protection Act 2018.

The data protection rules require that the personal data (personal information) that we collect and use about you must be:

1. Collected and used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about, be sufficient (adequate) for those purposes, and be limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.

We must also follow rules in relation to who receives personal data from us (see further below), transferring personal data outside the European Economic Area (EEA) (see further below) and about individuals rights in relation to their personal data (see further information below). Note that some of the rules are more restricted in relation to personal data that we process for the purposes of our criminal investigation and prosecution powers.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been (permanently and irrevocably) removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection, such as information about a person’s health.

We collect, store, and use the following main categories of personal information about individuals who are external to ComReg (that is, outside our organisation) and for the purposes which are set out below:

1 About consumers/customers of telecoms or postal service providers (including those who complain to us about services and businesses which we regulate):

• Name, address and eircode, contact details (including email address and, where relevant, the land line or mobile number that is relevant to the service).
• Signatures.
• Bank details, where relevant.
• Details of the person’s contract with the relevant service provider, including account numbers.
• Account details and billing information (including copies of bills when these are uploaded to one of our online tools or are otherwise provided to us), where relevant.
• Details of usage of mobile, landline or other services where provided using one of ComReg’s online tools (e.g. “Calculate My Spend”).
• Information about complaints or queries, including recordings or transcripts of calls placed with our call centre and information provided by completing our online Query & Complaint Form or using our online webchat service. In the case of postal complaints, personal data (e.g. name, address and eircode) related to the postal item which may include personal information of others used by the complainant (e.g. name, address and eircode on the postal item sent by complainant). In the case of postal complaints, personal data (e.g. name, address and eircode) related to the postal item which may include personal information of others used by the complainant (e.g. name, address and eircode on the postal item sent by complainant).
• Information about resolution of complaints, that is, how the complaint was resolved.
• Details about transferring numbers of individuals from one service provider to another (number porting).

2. About individuals in service providers which we regulate:

• Name, title, business contact details (including email, land line and, where provided, mobile number).
• Other personal information about the activities of individuals working in service providers, where this is relevant to enquiries or investigations which we conduct.

3. About licence holders (licence holders under the Wireless Telegraphy legislation):

• Name, address and eircode, contact details (including telephone numbers and email address).
• Date of birth (where relevant to the licence).
• Details of entitlement to disability allowance (where relevant to the licence).
• Details of examinations taken and passed (e.g. relating to the radio amateur exam).
• Details of licences held, renewals and expirations.
• Call signs used by licence holders (where relevant to the licence).
• Payment details, where provided directly to ComReg. (Note that ComReg uses a third party payment services provider (currently Realex) which is PCI DSS certified to process payments made to it online – see [link – recipients of personal data].)
• Login details (username and passwords/PINs) for access to licence holder’s online files and details about access to that file (i.e. when last accessed).

4. About individuals who have registered Personal Locator Beacons (PLBs) with us and their emergency contacts (see also here):

• Name, address and eircode, contact details (including telephone numbers and email address).
• Login details (login and password) for access to our online file about PLB registration and details about access to that file (i.e. when last accessed).
• Three emergency contacts for the person (being name, telephone numbers and email address for the emergency contacts).

5. About visitors to our website or our offices and premises:

• Browsing information about what sections of our website were browsed, when, and whether the person was a repeat browser. (This information is collected using “cookies”. For more information, please see the Cookie Notice on our website here).
• Details provided or information uploaded when using our online tools, e.g. when inputting information to our Compare Communications Services tools.
• CCTV images captured on our CCTV system about visitors to our offices and premises.
• Name, organisation details, date and time of visit and signature, provided by visitors to our offices and premises.

We also collect and use personal information about individuals who we investigate for breaches of the legislation which we regulate. This includes personal information (including location information and property folio information) about individuals who are investigated and/or prosecuted for interfering with the radio spectrum, or who unlawfully import wireless telegraphy equipment, and about officers of service providers who are individually investigated and/or prosecuted for offences committed under the relevant legislation. We may also collect personal information (including name and address) about individuals who whistle-blow to us about wrongdoing.

We also collect, use and hold the following personal information:

• Names and contact details of individuals who submit requests to us under data protection legislation and under freedom of information legislation, and details of their requests.
• Names, addresses and other contact details of individuals (including members of the public and journalists) who have subscribed to receive our regulatory updates and news alerts.
• Names, addresses and other contact details of individuals who have attended our conferences and who are on the invitation lists for future conferences.
• Names, contact details, qualifications and experience, dates and details of appointment, and details of meeting attendances of members of our Consumer Advisory Panel.
• Names, contact details, qualifications and experience, dates and details of appointment, and details of meeting attendances of participants in our meetings on Electronic Communications Services for People with Disabilities.
• Names, addresses, contact details and other personal information provided by individuals who make submissions to us in response to consultations we undertake.
• Names, addresses, contact details, CVs, professional profiles and other personal information provided as part of tenders submitted to us.
• Names, titles and work contact details of individuals with whom we liaise as part of our regular organisational activities, for example: about individuals in other regulators, in Government Departments or in BEREC (Body of European Regulators for Electronic Communications) or in ERGP (European Regulators Group for Postal Services).
• Names, titles and work contact details of individuals who work for our service providers.
• We carry monitoring of social media and other public information for information about any issues with the areas which we regulate. This can include monitoring of information posted on individuals’ social media and related processing of that posted information.

ComReg collects personal data (personal information) in a variety of ways. These include:

• Directly from individuals themselves or their nominated representatives, for example from completing our application forms and our Query & Complaint forms (in hard copy or online), from emails to us, from using our web chat service (available on our website), from using our online tools, from calls to our call centre and through other direct contact with us.
• From third parties who make queries or representations on behalf of individuals (but who might not be formally representing the individual), e.g. TDs, Government Departments or agencies with which the individual might have raised a complaint or query and which have referred the complaint or query to us.
• From regulated service providers, (including staff of regulated service providers), for example, where they confirm their customers’ details in the context of us dealing with a complaint, query or investigation.
• From individuals’ employers, for example where regulated service providers put us in contact with specific individuals in their organisations as our contact point, or where tenderers submit details of their employees’ CVs or professional profiles, or where our suppliers provide us with contact details for their employees to act as our contacts for the services.
• From browsing or using our website or from using the online tools made available on our website. (For more information about the browsing information we collect, please see our Cookie Notice here.)
• From third parties (members of the public and organisations), e.g. those who inform us about individuals who are suspected of interfering with the radio spectrum or otherwise breaching the legislation we regulate.
• From Revenue and Customs (regarding suspected unlawful importation of wireless telegraphy equipment), from the Gardaí (regarding suspected breaches of the legislation we regulate), from the Irish Coast Guard and emergency services (regarding suspected interference with the radio spectrum) and from other regulators or supervisory authorities, for example the Data Protection Commissioner, the Competition and Consumer Protection Commission, the Utilities Regulator and from the Ombudsman’s Office.
• From our own service providers, e.g. in relation to the examination results for the radio amateur examination.
• From the Number Portability Database: this is the database of telephone numbers that are the subject of number transfer requests between service providers. The database is operated privately, on arrangements made by the service providers. However, ComReg has access to this database so that it can facilitate a back-up of it if required.
• By ComReg, from visiting our office (e.g. details from visitor badges), our CCTV system or from public sources.
• From public information, e.g. as posted on the internet and/or on social media accounts.

ComReg will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

• Where it is necessary in order for us to fulfil our regulatory functions, to meet our obligations under legislation and to exercise our legislative powers (e.g. our criminal prosecution powers).
• Where is it necessary for the purposes of legal claims or legal proceedings.
• Where we are permitted by relevant legislation to do so in the context of marketing communications. (Note, however, that we do have an information provision obligation under our legislation, and so we would rely on this obligation to provide information updates in appropriate circumstances.)
• To report suspected criminal offences to other relevant authorities, including the Gardaí and other regulators.
• For our legitimate interests, including in relation to security of our offices and premises, where these interests are not outweighed by individuals’ rights and interests.

We may also use your personal information in the following situations, which are likely to be unusual:

• Where we need to protect your vital interests (or someone else’s vital interests), e.g. in an emergency health situation, or where we are requested to disclose information urgently and with good cause to the Irish Coast Guard or to the emergency services.
• Where it is needed in the public interest or for official purposes.

The main situations in which ComReg will use your personal information are listed below:

• To resolve queries, to investigate complaints made by consumers and by customers of regulated service providers, and to resolve those complaints or, if necessary, take enforcement action in relation to them.
• To maintain contact with individuals in regulated service providers, including to provide them with updates about ComReg’s regulatory activities and relevant market updates through our eAlerts service.
• To fulfil our information provision obligations, about our regulatory activities.
• In relation to the Number Portability Database, to ensure a back-up of that database if required.
• To fulfil our obligations to assist consumers in understanding their rights, understanding the services which we regulate and to enable consumers to vindicate their rights.
• To fulfil our obligations as a licensing body, in relation to licences issued under the Wireless Telegraphy legislation. This includes us having to take payments for licences, either directly or through our nominated payment services provider.
• To fulfil our legal obligations to liaise with other regulators (the Competition and Consumer Protection Commission, the Utilities Regulator, the Ombudman’s Office), which this is provided for by law.
• To otherwise fulfil our regulatory and/or legal obligations and conduct our functions as a regulator, public body and/or employer.
• To help us to take or defend legal claims and/or legal proceedings, including relating to any legal enforcement action or criminal prosecution.
• To invite individuals to attend our conferences and information meetings and keep information about who attended.
• To market to individuals, where this not covered by our legal obligations to provide information.
• In relation to use of our website, to enable us to understand how users interact with the website so that we can improve the content, navigation or other features of the website. (For more information, please see our Cookie Notice here.)
• In relation our offices and premises, to ensure security of our offices and premises, and to enable us to investigate incidents that occur at our offices and premises.

If you fail to provide certain information when requested by ComReg, then we may not be able to respond or deal with a request that you have made to us (for example, to be granted a licence, or relating to a complaint against a service provider or to include you in our contact list for information updates), or we may be prevented from complying with our legal obligations (such as to investigate complaints made to us).

For the majority of uses that ComReg makes of the personal information that is described in this Privacy Notice, we do not require your consent. Our collection and use of personal information is mainly based on our legal obligations and to enable us to fulfil our role as a regulator.

For providing information or for making marketing communications, we only communicate to individuals who have asked to receive these updates (e.g. our eAlerts service) or (in relation to marketing communications) where we are entitled to rely on “opt-out consent” which are provided for under the rules on direct marketing (for example, business-to-business communications).

Please also see our Cookie Notice here which explains how and why we use cookies and other information-gathering devices on our website, and how you can prevent cookies being used.

In the limited circumstances where you may have provided your consent to the collection or use of your personal information for a specific purpose, you have the right to withdraw your consent for that specific use at any time. You can access your cookie preferences here to withdraw consent:

Cookie Settings

Or you can contact our Data Protection Officer (DPO) – please see the section below which provides contact details for our DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. Please note that withdrawal of consent to processing, where relevant to a licence granted by ComReg, may result in the cancellation of that licence.

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

1. Where we have notified you of the decision and given you 21 days to request reconsideration.
2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Currently, our system uses automated decision-making to automatically revoke licences and licence applications that have expired due to non-renewal or non-payment.  We do not envisage that any other decisions will be taken about you using automated means, however we will notify affected individuals if this position changes.

We may share your data with third parties, including our third-party service providers and other recipients. Some of these recipients are our data processors, that is, they can only take and use the personal information that they receive from us strictly only on our instructions and under our control.

Then there are other recipients which are not our data processors, but which are regarded as separate data controllers, with which we interact and share personal information. This includes our auditors and solicitors (to the extent that they might need to review our records in order to provide professional services to us), our payment services provider (to facilitate payments made to us for licences), regulated service providers (where we need to provide personal information relating to complaints made about them), but also other regulators with which we interact as part of our regulatory obligations.

We require all our data processors to respect the security of your personal information and to treat it in accordance with the law.

We will share your personal information with these third parties where required by law, or where we have legitimate interest in doing so (for example, to help us to efficiently operate our organisation).

We may transfer your personal information outside the EU.

If we do, you can expect a similar degree of protection in respect of your personal information.

We set out below descriptions of our data processors which process personal information on our behalf, and under our control:

• Our managed services provider, to which we have outsourced our office IT functions. This includes management of our databases and other electronic files containing personal information. We also use other external IT services to help us to support and maintain our IT systems.
• Our call centre services provider, which operates our consumer call centre to enable consumers to make complaints and raise queries with us.
• Our service provider (currently Agiloft) which provides our case management database, our online web chat service and other online tools provided to consumers.
• The provider of our SMS service number (51500).
• Our digital communications service provider, which assists us in sending our news alerts and marketing communications and managing our relevant contact lists.
• Our service provider which manages the examinations for radio amateur licences on our behalf.
• Service providers which assists us in conducting investigations of suspected breaches of the Wireless Telegraphy legislation, in particular in relation to suspected spectrum interference. This includes processing personal information about individuals who complain to us or report to us about suspected interferences and about the individuals who are suspected of interference.
• IT forensics services providers, which provide litigation support services to us, including in relation to assisting us with processing discovery (document disclosure) obligations in legal proceedings.
• File storage and confidential document destruction services.

There are other organisations to which we disclose personal information or with which we share personal information. The majority of these recipients are independent data controllers. These organisations include:

• Regulated service providers (e.g. landline and mobile companies, postal companies) where we need to disclose the personal information in order to deal with a regulatory issue (e.g. investigate and resolve a complaint or query, or take enforcement action).
• Other regulators, such as the Competition and Consumer Protection Commission, the Utilities Regulator and the Ombudman’s Office, where there is a legal basis for us to disclose or share personal information with them. We also share personal information with the Irish Coast Guard and with the emergency services, for example where there is interference with their radio spectrum and we need to investigate and deal with it.
• Our auditors, legal advisers, economic advisers and similar professional services providers, where this is required for the purposes of the professional services which they provide to us. Also, where the Comptroller & Auditor General’s Office (C&AG) reviews our expenditure of public funds, the C&AG may require access to files containing personal information in order to conduct this review.
• Our third party payment services provider, Realex, which processes payments made to us online. Realex is an independent data controller to us, and its services are PCI-DSS certified.
• The Office of Government Procurement (OGP), which is an agency of the Department of Finance. The OGP sometimes helps us with administering our tender competitions, and they can see the personal information submitted as part of tenders as a result.
• The Irish Coast Guard, which has access to the Personal Locator Beacon (PLB) database for search and rescue purposes.

All our data processors are required to take appropriate security measures to protect your personal information. We do not allow our data processors to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

As a general rule, we do not transfer personal information contained on our IT systems outside the European Economic Area (being the EU plus Norway, Iceland and Liechtenstein). Our policy is to require any data that is processed on our behalf by our data processors to be kept on servers located within the EU.

To the extent that any personal information under our control might be transferred outside the EU, we ensure that the personal information receives an adequate level of protection. So, for example, we check whether the information recipient is located in a country which the EU Commission has ruled has an adequate level of data protection.  Otherwise, we ensure that appropriate measures are put in place to protect the personal information and that the personal information is treated by the recipients in a way that is consistent with and which respects data protection legislation. This can include using measures like Standard Contractual Clauses to underpin the data transfers. If you require further information about this or about specific protection measures, please contact our Data Protection Officer (DPO): here.

We have put in place measures to protect the security of your personal information.

Our third-party service providers (data processors) will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach (including personal data breach) and will notify you and any applicable regulator of a suspected personal data breach where we are legally required to do so.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. If legislation requires us to retain personal data for a specified period, then we retain it in accordance with those legislative obligations.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and any specific legal obligations that apply to us to retain personal information or records which might contain personal information.

The following are examples of the retention periods we apply:

• We keep information about consumer complaints and queries (and personal data related to those complaints and queries) on our case management database for two years after closure of the complaint or query.
• Our customer call centre recordings are retained for 30 days after the call was made to us.
• CCTV footage is kept for a period of three months.
• We hold personal data related to current licences held for the duration of the licence. In addition, we have a full database of historic licences.
• We hold data related to Personal Locator Beacons (PLBs) for as long as PLB is registered.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We will retain and securely destroy your personal information in accordance with our data retention schedule (or based on applicable laws and regulations where these override our nominated retention period).

We may retain your personal information longer than our nominated retention period where we need it in order to make or defend legal claims, and if this happens, we will retain the personal information for as long as it takes to resolve the legal claim or have it finally determined by a court.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. You can do so by contacting our Data Protection Officer (DPO) – see here or by using our online tools (e.g. where you have an online account with us). Under certain circumstances, by law you have the right to:

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information, including to another party, a commonly-used structure and format – this is also known as the right to data portability.

Some of the above rights are more restricted in relation to personal data that is held and processed by us for the purposes of the investigation and/or prosecution by us of criminal offences.

If you want to review, verify, access, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please email dataprotection@comreg.ie, giving as much information as possible to help us to verify who you are and what your request is about.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the personal information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request in order to speed up our response.

Time limit for us to respond to requests

We try to respond to all legitimate requests within one month of receiving them. (One month is the specified time limit for response under data protection legislation.) Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated about our timing for response.

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice and generally with our obligations under the data protection rules. If you have any questions about this Privacy Notice or how we handle your personal information, please contact the DPO at dataprotection@comreg.ie.

If you have any issues about our handling of your personal information or about our data protection compliance, you have the right to make a complaint at any time to the Data Protection Commission (DPC), which is the Irish supervisory authority for data protection legislation (including under the GDPR and Data Protection Acts 1988 – 2018).

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Updated – 25 November 2020