Privacy Policy

General Statement:

This Privacy Notice and Cookie Policy relates to the Commission for Aviation Regulation’s (Commission) privacy practices in connection with our use of your personal data. The Commission is not responsible for the content or privacy practices of other websites. Any external links to other websites are clearly identifiable as such.

We respect and value the privacy of everyone who visits this website, or (“our site”) and where we seek information from you through any channel (e.g., via our complaint forms or in person). We will only collect and use personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under the data protection provisions.

The Commission for Aviation Regulation is the Data Controller for the personal data that we process unless otherwise stated. Please read this Privacy Notice and Cookie Policy carefully and ensure that you understand it.


Our Contact Details:

The Commission’s contact details are as follows:

Post: 3rd Floor, 6 Earlsfort Terrace, Dublin 2, D02 W773


Telephone: 00353 (1) 6611700


Definition and Interpretation

Term: Meaning
Personal Data: Means data that relates to or can identify a living person either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details.
Special Categories of Data: Means sensitive personal data which merits higher protection when processing.
Data Concerning Health: Means personal data related to the physical or mental health of a natural person.
Processing: Means any operation or set of operations which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction.
Data Controller: Means a natural or legal person, public authority, agency, or other body who determines the purpose and means of processing of personal data.
Data Processor: Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Subject: Means a natural person or individual who is the subject of personal data.
Derogation: Means Data Transfer mechanism as provided under Article 49 GDPR and Section 91 Data Protection Act 2018.
We/Our/The Commission: Means the Commission for Aviation Regulation, a public body established under the Aviation Regulation Act 2001 whose headquarters are located at 3rd Floor, 6 Earlsfort Terrace, Dublin 2.
You/Your: Means individuals whose personal data we process.
Cookie: Means a small piece of data that a website stores on the visitor’s computer or mobile device.
Cookie law: Means the EU ePrivacy Directive 2009/136/EC as transposed into Irish Law.

Purpose of this Privacy Notice

1.1  The Commission for Aviation Regulation collects and uses personal data provided by individuals via this website, by post, or in person for a range of purposes. All personal information collected through a variety of sources by the Commission will be protected in line with our responsibilities as a data controller pursuant to the Data Protection provisions.

1.2 This privacy notice is provided to you in line with our obligations under the General Data Protection Regulation (2016/679/EU) (GDPR) and sets out information on what personal data we collect and how we use it in connection with the functions of the Commission for Aviation Regulation. It sets out:

  • What information we collect about you
  • Why and how we use your personal information
  • Who we share it with
  • If we transfer your data outside EEA
  • Data Security we employ
  • Retention period
  • Exercising your rights

Data Protection Legislation as it pertains to us

1.3 The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, supplemented by the Data Protection Act 2018, provides individuals with increased rights and control over their personal information, and places enhanced obligations and responsibilities on how organisations collect, use, and protect personal data.

1.4 The Commission for Aviation Regulation as a Data Controller is obligated to put in place adequate technical and organisational measures to ensure that all personal and sensitive data are processed in a manner consistent with GDPR as supplemented by the Data Protection Act, 2018.

All personal and special categories of personal data provided to us will be processed in accordance with the Data Protection laws as relevant to us.


Principles of Data Protection

1.5 The principles of Data Protection, as provided under Article 5 GDPR, set out the fundamental rules applicable to the processing of personal data. The Commission will adhere to these principles when processing your personal data. The Commission will:

  • Process your personal data in a lawful, fair, and transparent manner
  • Collect no more than the relevant information required specific to the purpose of carrying out our duties as a Regulatory body
  • Keep your personal information accurate and up to date at all times
  • Retain your information for the duration of your complaint, processing of claims, application for licensing and to comply with our statutory obligations as stipulated under the relevant legislative Provision
  • Process your personal data in a manner which ensures utmost confidentiality by restricting unauthorised access and limiting access to those required to carry out activities arising from our legal obligation
  • Ensure adherence to the rules in relation to who receives personal data from us, transferring personal data outside the European Economic Area (EEA), and about individuals’ rights in relation to their personal data

Personal Information We Collect and Process

1.6 The Commission collects and processes personal data in connection with your use of or and our relationship with you. This personal data includes:

  • Name and Contact Details, including address, phone number and email address.
  • Personal information you provide for the following:
    • Air Passengers complaints form and Air Passengers with Reduced Mobility complaint form.
    • Exercising your information rights under GDPR or Freedom of Information request form
    • Queries regarding our regulatory functions
  • All other personal data relating to you that is provided to us in connection with your use of this website or

1.7 Special Categories of Data: The Commission utilises limited sensitive/ special categories of data when carrying out our legal obligation. This includes the provision of details of Data Concerning Health of Persons with Reduced Mobility as it pertains to Air Passengers Rights.


Data Processing Purpose and Legal Ground for Processing

1.8 This entails the legal basis on which we process all personal information received from you in connection with our functions.

Processing based on the performance of our regulatory task and legal obligation

  • Contacting you by post, phone, and email
  • General information requests or queries regarding our functions
  • Consumer Complaints Resolution in relation to Air Passenger Rights and Persons with Reduced Mobility
  • Complying with your information rights under the General Data Protection Regulation, 2018 and the Freedom of Information Act, 2014
  • To fulfil our legal obligations to liaise with other regulators (e.g., the Irish Aviation Authority, the Department of Transport, Tourism and Sports etc.)
  • Protected Disclosures to the Commissioner
  • Complying with court orders arising in civil or criminal proceedings
  • Managing and administering our legal and compliance affairs
  • Managing and responding to complaints about us

Processing Based on Contractual Obligations

  • Public Procurement activities including E-tenders, suppliers, and goods and service providers

Processing Based on Consent

  • Subscribing to the Commission’s publication updates
  • Effectively managing the functionality and usability of the Commission’s website through the use of cookies.

Special Category and Criminal data

As part of the Commission’s Regulatory function, we process Special category data in accordance with the requirements of Article 6 and 9 of the General Data Protection Regulation (‘GDPR’) and the Data Protection Act, 2018. Our processing of such data respects the rights and interests of the data subjects.

We process special categories of personal data under the following Data Protection Provision:

  • Article 9(2)(g) and Section 49(b) Data Protection Act – where processing is necessary for performing the obligations conferred on us by law as a regulatory body in resolving passengers’ complaints relevant to Passengers with Reduced Mobility.

Personal Data Recipients

1.9 We may share your data with third parties, including our third-party service providers and other recipients. Some of these recipients are our data processors, that is, they can take and use the personal information that they receive from us only on our instructions and under our monitored control.

1.10 We require all our data processors and service providers to respect the security of your personal information and act solely on our instructions to protect your personal data in accordance with data processing agreements and confidentiality agreements as provided under the law.

1.11 This provides a non-exhaustive list of recipients/ service providers we share your personal information with:

Third Party Name: Description of Services
IT/ Software Service Provider: Managing our IT system and databases containing personal information
  • Cloud service providers
  • IT data centre provider
  • IT service provider
  • Software for processing payments
Capita: Hosting, support, and management of our online licensing complaint system
Webtrade: Hosting and support of our websites
Telephone Company: Hosting, support and service providers of phone communication equipment and software
Professional Advisors: Providing professional services to the Commission regarding Passengers rights
Internal Auditors: For auditing purposes
Comptroller & Auditor General: Reviews our expenditure of public funds; the C&AG may require access to files containing personal information to conduct their review
Banks: For the payment of licensing, levies, and travel trade claims
National Enforcement Bodies: Co-ordinating Passengers Rights Applications
Airlines: Liaising on behalf of passengers making complaints against airlines with whom they have a contract
Kefron File Stores: Provides file storage services
Cyclone Shredding: Confidential shredding services
Other Statutory bodies relevant to the performance of our legal obligations: Liaising with other statutory bodies to resolve all matters arising out of the performance of our regulatory duties
Other Services Providers whom the Commission subcontracts to provide ad-hoc services: For operational purposes when carrying out our functions as an organisation

The Commission reserves the right to update this list as the need arises.

The Commission’s Privacy Policy does not apply to activities of above referenced third parties. Please consult the respective privacy policies of such third parties or contact such third parties for more information.


Data Processing outside the EEA

1.12 The Commission only processes information outside of the EEA in very limited circumstances including:

  • Complaint resolution relating to Air Passenger Rights and Persons with Reduced Mobility; where the complaint involves an airline whose registered office is outside the EEA.

1.13 To ensure that the Commission can carry out its complaint resolution function, we rely on Article 49(1)(d) GDPR, which provides for Derogations for specific situations in facilitating transfers of personal data to a third country or an international organisation.


Data Security

The Commission for Aviation Regulation has put in place adequate and appropriate security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Access to your personal data is granted strictly on a need basis (with access limited to functional areas in the Commission where the personal information is required in carrying out their regulatory task). In certain circumstances, access is given to third-party service providers who have a business need to know, but they will only process your personal information on our instruction and are subject to a contract which incorporates a duty of confidentiality and a data processing agreement.


Data Retention Period

1.14 The Commission is committed to protecting your personal data and will ensure all appropriate steps are taken throughout the lifecycle of data processing in maintaining the integrity and security of all personal information under our care.

1.15 We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

1.16 Personal data relevant to complaint handling will be deleted six (6) months after closure of case in line with the Commission’s Records Management and Retention Schedule.

1.17 Our current retention periods are based on:

  • Statutory obligations (e.g., we are required to keep records created for the purpose of fulfilling Our obligations in line with Comptroller and Auditor General Audit review)
  • Contractual obligations, for example, we are required to keep records for a certain period as provided for in contracts with service providers such as IT services. Upon completion of the contract, we request all data to be deleted in accordance with our data protection agreement.
  • Our view that retention is necessary for the original purpose or a compatible purpose and such data will be reviewed in line with our Record of Processing Activities and Records Management policy
  • On a case-by-case basis, records may be retained for longer where they are required for actual or potential legal actions or the management of mitigation of operational or strategic risks to the Commission. Where records are subject to this kind of review, the ongoing retention will be assessed continually.

1.18 In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.


Cookie Notice

1.19 Upon your use of our websites and, we sometimes place small data files known as cookies on your device. This section of the Privacy policy details information about the types of cookies we use and why we use cookies. This cookie policy applies to use of both websites.

1.20 A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device to remember information about you, such as your language preference or login information.

1.21 This website utilises two types of cookies:

  • First-Party Cookies: Those set by us upon your use of Our website
  • Third-Party Cookies: Third-party Cookies are those placed by websites, services, and/or parties other than us. These Cookies are not integral to the functioning of our site and your use and experience of our site will not be impaired by refusing consent to them.

1.22 All Cookies used by and on our site are used in accordance with current ePrivacy Directive 2009/136/EC.

1.23 Our cookies are not used to identify users personally. They are used to improve the effectiveness of the website and to provide you with a better end user experience on our websites.

1.24 Before Cookies are placed on your computer or device, you will be shown a pop-up message requesting your consent to set those Cookies. By giving your consent to the placing of Cookies you are enabling us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of Cookies.

1.25 To further ensure your privacy and restrict third-party cookies on your devices, it is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.


Categories of Cookies Utilized on this Website:

Controlling your cookies

Any cookie that is not Strictly Necessary is not active by default and does not send information to the resource it is called from. Accepting all cookies makes all cookies active. You can modify your cookie preferences for the website at any time by clicking on the ‘Cookie Settings’ button below.

Data Subject Rights

You have the following rights:

1.26 The Right to Access Information; this includes the right to know if we are processing your personal information, to receive a copy of the personal data being processed, and information regarding how your data is being processed. To exercise this right, please fill out the Data Subject Access Request form and send that to the Data Protection Officer (details below). In exercising your right above, please be aware you may need to provide us with adequate Proof of Identity where the identity of the data subject is uncertain.

1.27 The Right to be Informed includes information regarding how your information is collected, used, or otherwise processed.

1.28 The Right to Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

1.29 The Right of Rectification; if your personal data is inaccurate you have the right to have the data rectified without undue delay, and if it is incomplete you have the right to have the data completed by means of providing supplementary information. This right is restricted in certain circumstances such as for reasons of public interest and the right of freedom of expression and information.

1.30 The Right to Erasure; you have the right to have your personal data erased in certain circumstances.

1.31 The Right to Data Portability; in some circumstances you may be entitled to obtain your personal data from us in a format that makes it easier to reuse your information.

1.32 Rights regarding automated decision making, including profiling; the Commission does not engage in automatic decision making or profiling.

1.33 The Right to Restrict Processing; you have a limited right of restriction of processing of your personal data by a data controller.

1.34 The Right to Object to Processing; you have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks in the public interest, under official authority or in the legitimate interests of others.

For full details on your rights please see the following here.


The Commission’s Data Protection Officer Contact Details

The Commission has appointed a Data Protection Officer to oversee our data protection compliance. Our DPO can be contacted at:

Post: 3rd Floor, 6 Earlsfort Terrace, Dublin 2, D02 W773


Phone: 00353 (1) 6346851


Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, which in Ireland is the Office of the Data Protection Commission (DPC). The Data Protection Commission can be contacted in the following ways:

Online Contact Form:

Post – Dublin: 21 Fitzwilliams Square South, Dublin 2, D02 RD28

Post – Laois: Canal House, Station Road, Portarlington, Co. Laois, R32 AP23

Telephone: +353 578 684 800 or +353 761 104 800


Changes to Our Privacy Notice and Cookie Policy

We may change this Privacy Notice from time to time (for example, if the law changes). Any changes will be immediately posted on our site. We recommend that you check this page regularly to keep up to date.