Privacy and Data Protection

The data controller is the HPRA unless otherwise specified.

The data protection officer can be contacted at

Personal data are processed by the HPRA in the performance of our regulatory functions to protect and enhance public and animal health through assessing the safety, quality and effectiveness of healthcare products. These functions include enforcement activities related to the investigation of activities associated with the illegal supply, manufacture or advertising of health products.

Personal data are processed by HPRA employees, who shall ensure the confidentiality of the data.

The legal bases for the processing are that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the HPRA, and that it is necessary for reasons of public interest in the area of public health. Some processing may be carried out as it is necessary for compliance with a legal obligation to which the HPRA is subject. A list of relevant legislation outlining our responsibilities can be found here.

How is your information shared?

Any personal information which you provide is made available to other regulatory bodies in Europe and third countries when required to fulfil our regulatory functions. Personal information may also be shared with a third party when you are making an online payment to the HPRA. We also co-operate with and may share data with An Garda Síochána, The Revenue's Customs Service, and with other national and international counterparts and official bodies as required.

In relation to the reporting of safety and quality concerns, specific information on who data is shared with and transferred to can be found under the privacy notices for each type of report.

All personal data relating to our regulatory functions are kept indefinitely.

The HPRA fully respects your right to privacy and treats all personal information with the appropriate standards of security and confidentiality, strictly in accordance with the General Data Protection Regulation 2016/679.  

Personal data is only processed for secondary purposes under the following conditions:

  • The secondary use is related to the original reason the data was collected and/or is part of the HPRA’s regulatory functions.
  • The data are not sensitive personal data.
  • The processing of the personal data is unlikely to cause damage or distress to the data subject.
  • There are no consequences for the data subjects following further processing.
  • There are safeguards in place to ensure the confidentiality and integrity of the data.


What are your rights under data protection law?

The GDPR provides you with the following rights regarding the processing of your personal data:

  • the right to request access to your data
  • the right to request your data be rectified or erased
  • the right to object to processing or request processing of your data be restricted.
  • the right to data portability
  • the right to lodge a complaint to the Data Protection Commissioner.

The HPRA uses profiling (e.g. psychometric testing) for recruitment purposes. When this is necessary, the HPRA will take steps to ensure that the data is only transmitted to qualified companies.

Further information

To make a request regarding your personal data under the GDPR, please submit your request in writing or via email:

Data Protection Officer
Health Products Regulatory Authority 
Kevin O’Malley House, 
Earlsfort Centre
Earlsfort Terrace
Dublin 2
D02 XP77

Tel: +353 (1) 6764971
Fax: +353 (1) 6767836



Please ensure that you describe the records you seek in the greatest detail possible to enable us to identify the relevant records. The HPRA must confirm within one month if data is held and, if so, the description of the data and the purposes for which they are kept. The Irish supervisory authority for data protection is the Data Protection Commission. They may be contacted here. Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter or email.

Further details on data protection can be found here.

Details on the collection of information online and regarding cookies on the HPRA website can be found here.

Please note that CCTV is in operation on the HPRA premises.

  • The HPRA is the data controller and our contact details can be found here.
  • The data protection officer can be contacted using the details listed above.
  • The purposes of the CCTV are:
    • to protect against theft, vandalism or other criminal offences by any persons.
    • to provide evidential material to An Garda Síochána where necessary and appropriate.
    • to support the maintenance of health and safety standards in the workplace.
    • for the security of HPRA staff and property.
  • The legal basis for processing is Article 6(f) of the GDPR where processing is necessary for the legitimate interests pursued by the controller.
  • The data collected may be shared with or supplied to An Garda Síochána where necessary or to the management of relevant contractors or employees in limited circumstances.
  • All recording devices and any tapes/discs are securely located and operated within the HPRA.
  • Footage is retained for approximately 31 days.
  • Details of data subject rights are listed above.


Retention of data of those visiting HPRA premises

Please note that on visiting the HPRA premises, your sign-in details are retained for six months before destruction in order to maintain security records for the building.
If required, your details may be shared with the HSE within two weeks of your visit. Your data may be shared to facilitate contact tracing, which is carried out to try to reduce the spread of coronavirus in the community. The legal basis for the processing of data is Article 6(1)e of GDPR which states that:

'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.'