IAA General Privacy Notice
This Privacy Notice describes the ways in which the Irish Aviation Authority (“IAA”, “We”, “Our” or “Us”) collects, stores and uses your personal data. This Privacy Notice relates to personal data processed by the IAA for a number of different purposes, including via our website www.iaa.ie and customer portal MySRS (iaa.mysrs.ie). The Irish Aviation Authority is committed to safeguarding all personal data we handle and adhering to our responsibilities under Data Protection Law. We kindly ask you to provide us with the specific personal information we explicitly request. Please refrain from submitting any personal information that we have not solicited.
The IAA processes personal data for a number of different purposes, which arise from its statutory powers, functions and duties. The IAA is committed to protect all personal data that we collect and process through various channels such as our websites, license application forms, claim forms, complaint forms, phone, email, post, etc. The IAA is the Data Controller for all personal data that we process unless otherwise stated. Please read this Privacy Notice carefully and ensure that you understand it.
The IAA is not responsible for the content or privacy practices of other websites. Any external links to other websites are clearly identifiable as such.
This Privacy Notice is provided to you in line with our obligations under the General Data Protection Regulation (2016/679/EU) (GDPR) and Data Protection Act (DPA) 2018; It sets out the following:
- Purpose of personal data processing
- Categories of personal data we collect and process
- Lawful grounds for data processing
- Recipients of personal data
- Data transfer outside the European Economic Area
- Data security measures
- Data retention period
- Automated decision making
- Minimum age and consent requirement
- Processing of children’s data
- Your rights under data protection law
Overview of Personal Data Processing in the IAA
Purpose of Personal Data Processing
The IAA collects and processes various categories of personal data depending on our relationship with you.
If you are an applicant/complainant:
Information that you provide by filling in forms on our website www.iaa.ie and customer portal (MySRS) or in paper copy. This includes:
- Personnel license application
- Air carrier operator license application
- Aircraft registration
- Groundhandling approval application
- Travel trade operator and travel agent license application
- Air passenger complaint (including persons with reduced mobility) form
- Examiner certificate application and assessment form
- Authorisation form
- Declaration form
- Drone registration application
- Customer complaint form
- Aviation security application
- Aerodrome applications
If you are filing a safety concern
We process personal data that is submitted to us as part of the aviation safety related occurrence report/s.
If you sign up for newsletters, updates or customer portal (MySRS)
We obtain your name and email address for the purpose of providing you with a newsletter or updates about IAA services. You have the right to unsubscribe to these newsletters and updates at any time, if you wish to do so. Two-factor authentication is mandatory for using your identity-verified account to safeguard your personal data. The account will not permit transactions without two factor authentication being enabled.
If you or your employer provide your details in connection with aviation security functions
If you hold certain security posts or roles identified under the EU Aviation Security Regulations, we hold the contact details provided on an IAA database and also upload them as required on the European Commission (EC) databases.
Where a security manager submits a report of an incident, details may be shared with other relevant bodies and / or to the EC.
If you are present at IAA office
To ensure safety and security on our office premises, we have installed CCTV cameras to record images and videos, and we maintain a log register of visitors.
If you are a current or prospective vendor
We use your personal data for the purpose of contacting and corresponding with you. We also obtain your personal information through materials you may provide to us in relation to the services/products you supply to us, as well as your bank account and/or other payment details for the purpose of paying your fees.
If you are a job applicant:
As part of our recruitment process, we handle personal data that you provide us when applying for a job. If you are applying for a temporary position, we may indirectly obtain your personal data from recruitment agencies. We may collect various types of personal data from you, including your name, address, personal public service number, contact details such as email address and telephone number, details about your qualifications, skills, experience, and employment history.
If you contact us via a web form:
Web forms may be used to submit queries, complaints, course registration and other communications to the IAA. We use your personal data provided via website to respond to you in the most efficient way.
If you contact us via twitter phone, email, post or social media.
We collect your name and contact details for the purpose of responding to you.
If you are submitting response to a public consultation
We process your personal data provided by you as a part of response to a public consultation.
Categories of Data We Collect and Process
We collect and process your personal information required for various purposes set out above. This may include, name, date of birth, the organisation or company you work for, contact details such as phone number, email address and postal address, employment history, education and qualification details, references, financial details, signatures, visual images and any other personal information provided to us during the course of performance of our functions.
Special category data:
We also process special category personal information that may include, physical or mental health details, trade union membership, offences (including alleged offences), criminal and legal proceedings, outcomes and sentences, racial and ethnic origin and sexual orientation.
Lawful Grounds for Processing Personal Data:
The IAA complies with its obligations under the data protection legislations. We only collect, utilise and share your data in strict adherence with these laws and principles. Your data will only be collected, processed or shared by the IAA if the processing is:
- undertaken on the basis of your consent
- necessary for the performance of (or entering into) a contract
- required to fulfil our legal obligation
- to protect your vital interest
- in the public interest
- to exercise the official authority vested in us
- to protect our legitimate interests
We rely on one or more of the above-mentioned lawful grounds to process your personal data.
Recipients of Personal Data
The IAA shares your personal data with various third parties, including our service providers and other competent authorities. The recipients are only provided with access to your personal data based on need-to-know basis. Some of these recipients are our Data Processors, i.e., they can process your personal data that they receive from us only on our instructions and under our monitored control.
All third-party recipients with whom we share personal data are required to ensure confidentiality, integrity and availability of personal data. They are required to implement appropriate technical and organisational measures to protect it against accidental loss, destruction, unauthorised access or damage. Third-party service providers i.e., Data Processors are subject to a contract which incorporates a duty of confidentiality and a data processing agreement.
Below is a list of third parties with whom we share personal data:
- Medical practitioners
- Security contractors
- Facilities management contractors
- Business management consultants
- Professional advisors
- Internal auditors
- Comptroller and Auditor General
- National enforcement authorities and regulatory bodies
- Insurance companies
- Department of Transport
- Revenue Commissioners
- National Archives
- Garda Síochána
These recipients include third party agents or subcontractors who work on our behalf and provide us with expertise or assistance in areas such as legal, compliance, audit, debt collection, credit agencies, IT or insurance.
We reserve the right to update this list as the need arises.
Data Transfer Outside the European Economic Area
Personal data that we collect may be transferred, stored, processed and accessed from other jurisdictions throughout the world. Laws in these other jurisdictions may differ and may not provide an equivalent level of data privacy, security, and protection as the EEA. Where your data is transferred outside the EEA, we ensure that there are appropriate safeguards in place, such as EU Commission approved Standard Contractual Clauses.
Data Security Measures
The IAA has put in place adequate and appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. In circumstances where third-party service providers have access to personal data on need-to-know basis will only process your personal data on our instruction and are subject to a contract which incorporates a duty of confidentiality and are required to have appropriate security measures in place to protect personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify You and any applicable regulator of a breach where we are legally required to do so.
Data Retention Period
The IAA will retain your personal data for as long as it is necessary to fulfil the purposes for which it was collected. However, we may be required by applicable laws and/or regulations to hold your data for longer than this period.
Unless legally obliged to the contrary, the IAA will delete your personal data in line with our Records Retention Policy.
We do not subject any individuals to automated decision making. However, we do use automatic processing technology on our Customer Portal as explained below:
- MySRS platform integrates a technology to assist when creating your account – the email address entered during account creation automatically receives a message to complete set-up of the account (using auto processing).
- Basic account set-up requires your name and email address. This account type allows you to submit Occurrence Reports (Aviation Security) and send messages.
- Identity verified account set-up requires you to verify your identity by providing personal details (identification data) which are matched against the identity document you provided and entered, and subsequently are stored in your account profile. These details are automatically used when you make an application for any licence type.
- Auto Address functionality (auto processing) is available to assist when entering your address by using Eircode or Post code.
Minimum Age and Consent Requirement
The minimum age to set-up an account on MySRS portal is 16 years. You are required to acknowledge you meet this requirement and provide consent when creating your account.
After reading the Data Privacy Statement the following consent statement must be affirmed before creating a portal account, ‘I have read the IAA privacy notice and by selecting Sign up, I confirm that I am at least 16 years or older and I consent to creating an account using my personal data provided. I understand that I will have to provide proof of my age when verifying my identity’.
Processing of Children’s Personal Data
In certain circumstances we collect and process children’s personal data. For example: to process air passenger complaints filed under Regulation (EC) No 261/2004 and Regulation (EC) No 1107/2006.
Your Data Protection Rights
As a data subject you have the following rights under the data protection legislation:
- Right to access your personal data
- Right to have any incorrect personal data rectified
- Right to have your personal data erased (where appropriate)
- Right to object or restrict processing of your personal data (where appropriate)
- Right to request for transfer your data to another organisation
- Right not to be subjected to automated decision making and profiling
For full details on your rights please see the following here.
To exercise any of the above rights or if you have any queries concerning data protection in the IAA, please contact our Data Protection Officer using the contact details provided below:
Post: Data Protection Officer, Irish Aviation Authority, The Times Building, 11-12 D’Olier Street, Dublin 2, D02 T449, Ireland.
Alternatively, you can fill in a copy of this data subject rights request form here and submit to our DPO via email or post.
We will respond to you within 1 month of receipt of your request.
Right to Lodge a Compliant
If you are dissatisfied with how we process your personal data, you have the right to complain to the Data Protection Commission, the data protection supervisory body in Ireland via:
Online: Contact Form
Post - Dublin: 21 Fitzwilliams Square South, Dublin 2, D02 RD28
Post – Laois: Canal House, Station Road, Portarlington, Co. Laois, R32 AP23
Telephone: 01 7650100 / 1800437 737
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device to remember information about you, such as your language preference or login information. Except for necessary cookies, we only process cookies with your consent.
MySRS platform is accessed through your web browser and uses the following necessary cookies:
- When making electronic payments to check the browser is working properly, to detect and prevent fraudulent payments.
- Security protection which maximizes network resources, traffic management and to protect the platform site against malicious traffic.
- Application information involving error messages and exceptions to functionality is automatically pulled from your browser, used to maintain the application, and does not contain any personally identifiable information.
Changes to this Data Privacy Notice
We may make amendments to this Notice from time to time (for example, if the law changes). Any changes will be immediately posted on our website. We recommend that you check this page regularly to keep up to date.
If you have an account with the customer portal (MySRS) you will be required to read and to reaffirm consent when the change to this statement is published.