Privacy Notice - Cosmetics Undesirable Effect Reporting 

The HPRA is responsible for collecting reports about serious undesirable effects of cosmetics and communicating this information to relevant stakeholders. Providing reports of serious undesirable effects and sharing this information makes cosmetics safer and is an important aspect in the protection of public health.

What information do we process?

To comply with our statutory and legal reporting requirements, partially anonymised details of this report (your personal contact information will be removed) will be shared with other bodies also responsible for monitoring the safety of products. These bodies include other regulatory authorities in Ireland, regulatory authorities in the EEA, and the European Commission. The personal data in serious undesirable effect reports is not transmitted to third countries by the HPRA.

How is your information shared?

The HPRA is also legally obliged to communicate serious undesirable effect reports to the natural or legal person that is responsible for the cosmetic, known as the responsible person. The HPRA may share your contact details with the responsible person to allow them to follow up with you in relation to the undesirable effect you experienced. The HPRA will always seek your consent before providing your contact details to the responsible person.

The legal basis for serious undesirable effect report collection is SI 440/2013 and related European Union laws. If the reported undesirable effect does not meet the seriousness criteria, the HPRA will only communicate partially anonymised details of this report to the responsible person. The healthcare professional, for whom you provided contact details, may be contacted to determine if the reported undesirable effect meets the seriousness criteria.

The legal basis for processing personal data in serious undesirable effect reports is, firstly, Article 6(1)(c) of the General Data Protection Regulation (GDPR), which states:

Processing is necessary for compliance with a legal obligation to which the controller is subject

Some of the information in serious undesirable effect reports will comprise personal data, and will include what are called special categories of personal data, in particular, health data.

In terms of special categories of personal data, the HPRA relies on Article 9(2)(g) of GDPR, which states:

Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

However, given the nature of serious undesirable effect reports, some information may include data that, in conjunction with other information contained in the report or elsewhere, may identify individuals.

The HPRA is a data controller in respect of the data in serious undesirable effect reports. The data is retained indefinitely.

What are your rights under data protection law?

The right exists to request a copy of personal data held by the HPRA and to have any inaccuracies in such data corrected or deleted. Further details on data protection can be found here.

Further information

To make a request regarding your personal data under the GDPR, please submit your request in writing or via email:

Data Protection Officer
Health Products Regulatory Authority 
Kevin O’Malley House, 
Earlsfort Centre
Earlsfort Terrace
Dublin 2
Tel: +353 (1) 6764971
Fax: +353 (1) 6767836


Please ensure that you describe the records you seek in the greatest detail possible to enable us to identify the relevant records. The HPRA must confirm within one month if data is held and if so, the description of the data and the purposes for which they are kept. The Irish supervisory authority for data protection is the Data Protection Commission. They may be contacted here. Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter or email.