1. You are here:/
  2. Governance/
  3. Data protection & privacy/
  4. Privacy Statement: Complaints handling, supervision and enforcement/

Privacy Statement: Complaints handling, supervision and enforcement

Who we are

Coimisiún na Meán (“An Coimisiún”, “we”, “us”, “our”) is Ireland’s commission for regulating broadcasters, providers of on-demand media services (an “on-demand provider”), providers of intermediary services (an “intermediary service provider” or an “ISP”) and supporting media development. The Online Safety and Media Regulation Act 2022 amended the Broadcasting Act 2009 (as amended, the “2009 Act”) to establish An Coimisiún and to dissolve the Broadcasting Authority of Ireland (BAI). 

We are responsible for ensuring and maintaining a thriving and diverse media landscape in Ireland that facilitates a mix of voices, opinions and sources of news and current affairs, as well as a safe online environment.  

Our responsibilities include:  

  • Developing and enforcing the Irish regulatory regime for online safety.  
  • Overseeing the regulation of broadcasting and video-on-demand services.  
  • Overseeing the funding of and support the development of the wider media sector in Ireland.  

In addition, under the Digital Services Act (Regulation (EU) 2022/2065) (the “DSA”), An Coimisiún is Ireland’s Digital Services Coordinator (DSC). The DSA aims to provide a safer online environment in respect of online services and to prevent illegal and harmful activities online and the spread of disinformation. As DSC, An Coimisiún has supervision and enforcement functions as well as a role in coordinating and cooperating with other national and EU authorities that also regulate online content. 

Data protection

An Coimisiún collects and processes personal data in the course of performing its statutory functions under the DSA and the 2009 Act, including responding to media and broadcasting queries, dealing with complaints, supervising compliance with the DSA and carrying out investigations. 

The purpose of this Privacy Statement is to inform individuals whose personal data we process (“you”, “your”) of the data relating to you that we collect, the uses we may make of such data in this context, what rights you have in relation to your data and how to exercise them. 

Coimisiún na Meán is the controller of the personal data which is described in this Privacy Statement.

How to contact us

Postal address: Coimisiún na Meán, 1 Shelbourne Buildings, Shelbourne Road, Dublin 4, D04 NP20, Ireland 

Web address: www.cnam.ie 

Email: [email protected] 

Phone: 353 1 644 1200 

Data protection queries can be sent to our Data Protection Officer Ms Rachel Joyce at [email protected]

What type of data will we collect? 

Coimisiún na Meán may collect and process some or all of the following categories of personal data: 

  • Complainant Data – personal data relating to an individual who submits a request, query or complaint to Coimisiún na Meán. This personal data may include an individual’s name, address, e-mail address, telephone number, details of their request/query/complaint, etc.; 
  • User Data – personal data relating to a user of an intermediary service, including the user’s name, address, e-mail address, telephone number, details of a user’s account on a particular online platform, details of any content shared by the user on that platform and details of any interaction between the user and the relevant ISP; 
  • Content Data – personal data received in connection with a specific complaint, including for example a particular piece of online content, a URL address, an online account or profile etc. or otherwise collected or received by us in connection with the performance of our supervisory or enforcement functions; 
  • Representative Data – personal data relating to an employee or representative of a broadcaster, on-demand provider or an intermediary service provider; 
  • Personnel Data – personal data relating to personnel of the European Commission, the European Board for Digital Services, other Member State DSCs, the Competition and Consumer Protection Commission or other statutory bodies; 
  • Special Category Data – where relevant, we may collect or process special category personal data, which is personal data concerning racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation; and 
  • Other Data – where relevant, we may also collect personal data relating to criminal offences.

The personal data described above is processed by us and by third party service providers acting on our behalf. The legal bases on which we collect and process personal data for these purposes are that: 

  • such processing is necessary for the performance of An Coimisiún’ s tasks in the public interest and/or in the exercise of official authority vested in An Coimisiún under the DSA and the 2009 Act (“Public Interest/Official Authority”); or 
  • such processing is necessary for compliance with a legal obligation that applies to us (“Legal Obligation”). 

Where we collect and process special categories of personal data, the legal bases on which we do so are that: 

  • such processing relates to special categories of personal data which are manifestly made public by the data subject; 
  • such processing is necessary for the establishment, exercise of defence of legal claims; 
  • such processing is necessary for reasons of substantive public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. 

Our collection and use of personal information for the purposes outlined in this Privacy Statement are based on the legal bases described above. We do not rely on consent as a lawful basis for processing personal data for these purposes.

Purposes of processing and legal basis

Coimisiún na Meán processes personal data for the following purposes: 

PurposeCategories of Personal DataLegal Basis
To process and respond to requests, queries and complaints from individualsComplainant Data 
Content Data 
User Data 
Special Category Data (if applicable) 
Criminal Data (if applicable) 
Other Data 		Public Interest/Official Authority in accordance with: 
·         Section 48 of the 2009 (where a complaint relates to a failure by broadcaster or an on-demand provider to comply with certain provisions of the 2009 Act, a media service code or a media service rule); or 
·         Article 53 of the DSA and Section 201 of the 2009 Act (where a complaint relates to failure by an ISP to comply with a provision of the DSA) 
Where a complaint relates to failure by an ISP to comply with a provision of the DSA, to notify the complainant and the intermediary service provider to which the complaint relates of the complaint made, any action proposed by An Coimisiún and any decision made by An Coimisiún in relation to the complaint Complainant Data 
Content Data 
User Data 
Personnel Data 
Special Category Data (if applicable) 
Criminal Data (if applicable) 
Other Data 		Public Interest/Official Authority under section 201 of the 2009 Act 
Legal Obligation under section 201 of the 2009 Act 
To carry out investigations into suspected infringements of certain provisions of the 2009 Act or the DSA Complainant Data 
Content Data 
User Data 
Representative Data 
Special Category Data (if applicable) 
Criminal Data (if applicable) 
Personnel Data 
Other Data 		Public Interest/Official Authority in accordance with Part 8B of the 2009 Act 
Legal Obligation under Part 8B of the 2009 Act 
To perform An Coimisiún’s supervisory and enforcement functions under the 2009 Act and the DSA Complainant Data 
Content Data 
User Data 
Representative Data 
Special Category Data (if applicable) 
Criminal data (if applicable) 
Personnel Data 
Other Data
Public Interest/Official Authority in accordance with the 2009 Act and the DSA 
Legal Obligation under the 2009 Act and the DSA 
To notify the European Commission, the European Board for Digital Services, other EU Digital Service Coordinators and where An Coimisiún considers it appropriate, any other person of a decision of An Coimisiún Complainant Data 
Content Data 
User Data 
Representative Data 
Personnel Data 
Special Category Data (if applicable) 
Other Data 		Public Interest/Official Authority in accordance with section 139ZT of the 2009 Act 
Legal Obligation under section 139ZT of the 2009 Act 
To refer complaints or reports of possible infringements to: 
·         another EU Digital Service Coordinator (where a complaint concerns an ISP which has its headquarters in another EU Member State); or 
·         the European Commission (where a complaint concerns a VLOP or VLOSE); or 
·         the Competition and Consumer Protection Commission (where a complaint concerns Article 30, 31 or 32 of the DSA); or 
·         any other competent authority (where the complaint concerns matters within that authority’s competence). 		Complainant Data 
Content Data 
User Data 
Representative Data 
Special Category Data (if applicable) 
Criminal Data (if applicable) 
Other Data 		Public Interest/Official Authority in accordance with the 2009 Act and the DSA 
Legal Obligation under the 2009 Act and the DSA 

Do we share or transfer your data with other organisations or individuals?

We may share the personal information you submit to us or that we otherwise collect or obtain in the course of performing our functions with a number of parties, as is appropriate, for the purposes outlined above, including to: 

  • The European Commission, other EU Digital Services Coordinators, the Consumer and Competition Protection Commission (CCPC) and other competent regulatory authorities. Where we share personal information that you have provided to us with the European Commission, another Digital Services Coordinator or the CCPC, this will be done via a secure platform developed by the European Commission; 
  • Broadcasters, on-demand providers and ISPs (where we need to provide personal information relating to complaints made about such entities with such entities or representatives of such entities); 
  • An Garda Síochána, where the complaint or potential infringement relates to a suspected criminal offence; 
  • Other public authorities or bodies where required or permitted by law; 
  • Other third parties who we engage to provide services to us (Data Processors). In relation to our complaint handling process, as a first point of contact, we engage the services of a contact centre provider called Fexco. All complaints and/or queries to An Coimisiún will be logged in the first instance by Fexco and directed as appropriate to the relevant team in An Coimisiún or other relevant parties/authorities. We also use other data processors who are third parties that provide services to us. These include ICT related systems and hosting services and professional services such as audit and legal. 

How long do we retain data for?

We will not hold your personal data for longer than is necessary. We retain your personal data for as long as we need it for the purposes described in this Privacy Statement, or to comply with our obligations under applicable law. 

In particular, we retain personal data relating to complaints or alleged infringements for an initial period of two years. After a period of two years, we will review this personal data to assess the proportionality and necessity of retaining such data, or any legal or regulatory matters arising in relation to such data. 

Where we process personal data in connection with our  cooperation with other EU supervisory or competent authorities under applicable law, the retention period for such personal data will coincide with the length of time necessary for such cooperation activity to be fully carried out, which may vary depending on the circumstances of the case. 

Where we process personal data in connection with the prosecution of a suspected criminal offence, such personal data will be kept for as long as is necessary to bring the prosecution or proceedings to an end, and thereafter for any period that any legal action may be contested.

Transfers abroad 

In connection with the above, we might transfer your personal data outside the European Economic Area (EEA), including to a jurisdiction which is not recognised by the European Commission as providing for an equivalent level of protection for personal data as is provided for in the European Union, e.g. the United States of America. If and to the extent that we do so, we will rely on one of the legitimising conditions set out in applicable data protection law. For example, we may rely on one of the derogations for specific situations set out in Article 49 of the GDPR, such as where the transfer is: 

  • necessary for important reasons of public interest; or 
  • necessary for the establishment, exercise or defence of legal claims.

If you would like to receive further details on any transfers of personal data outside the EEA, please contact us at [email protected].

Requirement to provide data

An individual who contacts us with a query, request or complaint is not under any legal obligation to provide us with any personal data. However, please note that if you contact us with a query, request or complaint and fail to provide some categories of personal data (e.g. if you make an anonymous complaint) then we may not be able to respond to or deal with the issue that has been reported to us. 

Separately, we have investigative powers that include the power to compel the provision of information to us. Where we issue a notice to a person requiring them to provide information, then this will give rise to a legal obligation to provide the relevant information, which may include personal data. 

Sources of data

As well as collecting information from individuals who submit queries, requests or complaints to us directly, we may also receive or obtain information relating to individuals from other sources, including for example from a complainant, or an intermediary service provider, or another regulatory authority, or from publicly available information that we access in the course of performing our supervisory and enforcement functions. 

Automated decision making

We do not engage in any automated decision-making or in any automated processing or profiling that has legal or similarly significant effects.

Information on your rights

Data protection law confers a number of rights for people in relation to their personal data (outlined below). The extent to which some of these rights apply may depend on the lawful basis for processing or the specific purpose. For example, the right to object applies where we process personal data on the basis that this is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in us, however it does not apply where we process personal data on the basis that this is necessary to comply with a legal obligation applicable to us.  Any request submitted will be considered fully and should any restrictions apply to the circumstances, this will be explained to the requester. 

  • Right of access – You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data. 
  • Right to rectification – You have the right to request that any inaccurate personal data that we hold about you is rectified, or if we have incomplete information you may request that we update the information so that it is complete. 
  • Right to erasure – You have a right to have your personal data erased in certain circumstances. 
  • ​​​​​​Right to restrict processing or object to processing – You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes. 

Please note that these rights are not absolute and are subject to certain restrictions and exemptions. For example, the right to erasure of personal data will not apply where we have a legitimate reason to hold such data and we may continue to process your personal data, despite an objection by you, where we have compelling legitimate grounds for the processing which override your interests, rights and freedoms. If you wish to exercise any of the rights set out above, please contact us at [email protected] or you can contact our Data Protection Officer at [email protected].

Making a complaint with the Data Protection Commission

If you are unhappy with the way we are using your personal data or how we facilitate your rights or comply with our obligations under applicable data protection law, you may make a complaint to the Data Protection Commission. They can be contacted through their website www.dataprotection.ie or in writing at: 

Data Protection Commission 
21 Fitzwilliam Square South 
Dublin 2 
D02 RD28 
Ireland 

Further details on your rights under Data Protection legislation are also available on their website. 

In this section

1