Privacy Notice - Quality Defects Reporting

The HPRA is responsible for collecting reports about quality defects in human and veterinary medicinal products.

The HPRA is legally obliged to receive reports of defects in human and veterinary medicinal products under the provisions of SIs 539/2007, 540/2007, 538/2007 and 786/2007 (all as amended).

What information do we process?

Some of the information in a defect report may comprise personal data such as age and sex. Reports may also include what are called ‘special categories’ of personal data, in particular, health data, such as the condition being treated and the product defect experienced. The HPRA also collects personal data of the reporter submitting a defects report. This information comprises contact details of the reporter, and is collected to facilitate communication and follow up with the reporter in relation to a particular report.

How is your information shared?

Information regarding quality defects in human and veterinary medicinal products is shared with other European regulatory bodies and the European Commission, however the personal data of a reporter or a person who experienced a defect will not be shared with these bodies. Data is also shared with other international regulatory bodies however, data is shared either in aggregated form or where personal data and other potentially identifying information is removed from the report.

The HPRA also communicates defect reports to the authorisation holder, manufacturer or wholesaler of the product. The HPRA may seek to share an individual’s contact details with these parties to allow them to follow up with individuals in relation to the defects experienced. The HPRA will always seek consent before providing an individual’s contact details to the authorisation holder, manufacturer or wholesaler of the product.

The legal basis for processing personal data in incident reports is Article 6(1)(c) of the General Data Protection Regulation (GDPR), which states:

Processing is necessary for compliance with a legal obligation to which the controller is subject

In terms of special categories of personal data, the HPRA relies on Article 9(2)(i) of GDPR, which states:

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

The HPRA may share quality defect reports regarding centrally authorised products with the European Medicines Agency, as the Agency coordinates the investigation of those reports across the EU.  These reports may contain individual’s contact information. The HPRA does not transmit names or contact details of individuals when providing defect reports to other EU bodies. However, given the nature of defect reports, in that they can comprise a variety of different forms, some information may include data that in conjunction with other information contained in the report or elsewhere, may identify individuals.

The HPRA is a data controller in respect of the personal data collected in quality defects in human and veterinary medicines and products reports. The personal data is retained indefinitely.

What are your rights under data protection law?

The right exists to request a copy of personal data held by the HPRA and to have any inaccuracies in such data corrected or deleted. Further details on data protection can be found here.

Further information

To make a request regarding your personal data under the GDPR, please submit your request in writing or via email:

Data Protection Officer
Health Products Regulatory Authority 
Kevin O’Malley House, 
Earlsfort Centre
Earlsfort Terrace
Dublin 2
Tel: +353 (1) 6764971
Fax:+353 (1) 6767836


Please ensure that you describe the records you seek in the greatest detail possible to enable us to identify the relevant records. The HPRA must confirm within one month if data is held and if so, the description of the data and the purposes for which they are kept.  The Irish supervisory authority for data protection is the Data Protection Commission. They may be contacted here. Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter or email.