Privacy Statement
This privacy statement explains how Coimisiún na Meán (“An Coimisiún”, “we”, “us”, “our”) uses your personal data.
Last Updated: 03 October 2025. Version 2.0.
Previously updated: 24 February 2025
At An Coimisiún, we are committed to protecting your personal information (‘personal data’). This privacy statement covers our websites – www.cnam.ie and www.medialiteracyireland.ie (‘websites’). It explains your data protection rights and how we, as a Data Controller, may collect, use, process, and disclose your data during your interactions with us via our websites, our telephone lines or otherwise processed offline. You can browse through most of our website without giving us any information about yourself. But sometimes we need information, for example, to respond to your queries and/or complaints. If you do not want to provide any information about yourself, please note that we will not be able to respond to any queries or messages you send us.
Who we are
An Coimisiún is Ireland’s national independent media regulator, responsible for developing and overseeing a thriving, diverse, creative, safe, and trusted media landscape. Our organisation was established in March 2023, further to the provisions of the Online Safety and Media Regulation Act 2022. We have statutory powers, duties and functions under several key pieces of legislation including the Digital Services Act, the ‘Online Safety Framework’ and under the Broadcasting Act 2009 as amended. An Coimisiún implements the regulatory regime for online safety, regulates broadcasters and video-on-demand providers and supports the wider media sector.
How to contact us
You can contact An Coimisiún for any queries about our processing of your personal data in our capacity as data controller using our contact details:
- by email at [email protected]
- by post addressed to our office as follows: Coimisiún na Meán (c/o Data Protection Officer), 1 Shelbourne Buildings, Shelbourne Road, Dublin 4, D04 NP20, Ireland
What personal data we handle
Personal data provided by you to An Coimisiún
An Coimisiún collects and processes personal data in the exercise of our statutory functions and also when processing personal data for other purposes which are for other functional purposes of An Coimisiún. There are many situations when we collect and process personal data. These include- responding to media and broadcasting enquiries, handling complaints, overseeing compliance with relevant legislation, and conducting investigations.
Personal data that you give us may include:
- When you visit our websites and interact with our tools, such as:
- Visiting www.cnam.ie and www.medialiteracyireland.ie
- Populating our online forms
- Filing a complaint
- Any communication you make with us via phone or email
Personal data not provided by you
We may also receive or obtain personal data about you from other sources, such as in response to a complaint you lodge with us, a complainant, an intermediary service provider (‘ISP’), another regulatory authority, or publicly available information that we access while performing our supervisory and enforcement functions.
We may process the following personal data depending on your interactions with us:
- Name
- Address
- Email address
- Telephone number
- Details about your request/query/complaint
- Details of your user account on a particular online platform
- Details of content shared by you on given platform
- Details about interactions between you and the relevant Internet Service Provider (ISP)
- Special Categories of data such as racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation
- Personal data in relation to criminal offences
- When you allow website cookies when browsing our website
How we process your data
The way we process your personal data depends on the nature of your interaction with us.
We use the personal data we collect to:
Perform our tasks and function as a public regulatory body
- Examine and investigate complaints and alleged infringements to determine if further action is needed including whether or not to investigate alleged infringements. This may also require us to share personal data which you have provided to us in a complaint with the organisation we regulate in order to resolve your complaint.
- Conduct legal proceedings where appropriate including in matters connected to our enforcement functions.
- Keeping of certain registers including a register of infringements.
- Provide you with online services which includes the process of your personal data when ‘cookies’ are involved on our websites. More information about cookies can be found in our ‘Cookie Policy’.
- Respond to you in connection with enquiries, complaints and/or submissions you have made.
- Make decisions, develop our analysis and develop our activities concerning findings and corrective actions.
- Cooperate with other enforcement bodies including other EU and international authorities including on enforcement matters.
- Carry out our functions in connection with the prosecution of offences and publication of conviction details.
Meet our legal or regulatory obligations
- Respond to a Freedom of Information request
- Respond to a Subject Rights Request
- Respond to a licensing application
- Generally complying with laws, regulations and other legal obligations to which we are subject
Initiate or fulfil a contract with you
- Make payments to you
- Give effect to contractual provisions that may apply
Conduct business execution
- Financial management, account management, customer service, management reporting, analysis
- Internal audits and investigations
- Monitoring users of the site to identify security threats
- To administer funding and manage funding applications
Communications
- Understand interaction on our website
- To optimise our website for a better user experience
- Communicate with you about enquiries you have made
- Facilitate your access to our websites
- Enable you to submit a complaint
- Create and analyse surveys
- Manage our social media accounts and related activities
- Manage event participation and/or facilitate event participation in conferences, public relations activities (online and onsite)
- Process applications in connection with career and recruitment opportunities directly with candidates and/or with third parties such as the Public Appointments Service
- Send you communications (e.g. newsletters)
- Facilitate your membership of our networks
- To conduct public consultations
- To manage your membership of medialiteracyireland.ie
Legal basis for processing your data
The legal basis for the processing of your personal data depends on the purpose for which the processing is being carried out.
The main legal bases under the GDPR upon which An Coimisiún relies for the purposes of processing personal data are:
Article 6 (1) (c): Processing is necessary for compliance with a legal obligation to which An Coimisiún is subject to.
Most of these obligations are connected to our functions and powers, which are primarily set out in the following legislation:
- Digital Services Act 2024
- Broadcasting Act 2009
- Online Safety and Media Regulation Act 2022
We also have obligations to comply, for example, with data protection laws, freedom of information legislation, employment law, procurement law and other laws. We may also have contractual obligations under contract laws.
Collectively, for the purpose of understanding the Table below, we refer to these laws as ‘applicable legislation’. The list of legislation may broaden over time and therefore this list is not necessarily exhaustive.
Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in An Coimisiún.
The table below illustrates the purposes, categories of personal data and legal bases for our processing:
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| To process and respond to requests, queries and complaints from individuals | Complainant Data Content Data User Data Special Category Data Criminal Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation Art. 9 (2) (g) Substantial public interest |
| If a complaint concerns an ISP’s failure to comply with a DSA provision – to notify the complainant and the relevant intermediary service provider of the complaint, any proposed actions, and any decisions made. | Complainant Data Content Data User Data Personnel Data Special Category Data Criminal Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation Art. 9 (2) (g) Substantial public interest |
| To carry out investigations into alleged/suspected infringements under applicable legislation. | Complainant Data Content Data User Data Representative Data Special Category Data Criminal Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation Art. 9 (2) (g) Substantial public interest |
| To perform An Coimisiún’s supervisory and enforcement functions under applicable legislation. | Complainant Data Content Data User Data Representative Data Personnel Data Special Category Data Criminal Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation Art. 9 (2) (g) Substantial public interest |
| To notify the European Commission, the European Board for Digital Services, other EU Digital Service Coordinators, and any other relevant parties, as deemed appropriate by An Coimisiún, of its decisions. | Complainant Data Content Data User Data Representative Data Personnel Data Special Category Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation Art. 9 (2) (g) Substantial public interest |
| To cooperate with the European Commission, the European Board for Digital Services, other EU Digital Service Coordinators, and any other relevant parties, as deemed appropriate by An Coimisiún, in connection with its enforcement, supervisory and investigatory functions under applicable legislation. | Complainant Data Content Data User Data Representative Data Personnel Data Special Category Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation Art. 9 (2) (g) Substantial public interest |
| Consult with the public – public consultations | Name Contact details Job titles Health data Ethnicity Sexual orientation Financial data Professional qualifications Political opinions | Art. 6(1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation |
| To refer complaints or possible infringements to: – Another EU Digital Service Coordinator ; – The European Commission (for VLOPs or VLOSEs); – The Competition and Consumer Protection Commission (for complaints under Articles 30, 31, or 32 of the DSA); – Any other competent authority (for matters within its remit). | Complainant Data Content Data User Data Representative Data Personnel Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation Art. 9 (2) (g) Substantial public interest |
| To send you newsletters where you have subscribed to one of our mailing lists and/or are a member of one of our networks (Media Literacy Ireland). | Name Email Address | Art. 6 (1) (a) Consent |
| To send you news updates where you have subscribed to our mailing list. | Name Email address Organisation | Art. 6 (1) (a) Consent |
| To register you to attend events convened by An Coimisiún. | Name Email Address | Art. 6 (1) (a) Consent |
| To capture, use and/or publish images and/or video content of you. | Name Email Address Images Video | Art. 6 (1) (a) Consent |
| To carry out research in the public interest and for scientific, historical or statistical purposes. | Name Contact details Age/DOB Political membership Geographical information Qualifications Gender Ethnicity Views & opinions Electoral/public office experience Health data Media consumption habits Personal experiences involving hateful, discriminatory, violent, or abusive language or behaviour. | Art. 6 (1) (e) Public Interest/Official Authority Art. 9 (2) (g) Substantial public interest |
| To respond & process recruitment applications. | Name Contact details CV information Cover Letter Information Professional qualifications Professional references Identification Address verification Gender DOB Ethnicity Health data | Art. 6 (1) (b) Contract Art. 9 (2) (b) Employment. social security & social protection law |
| CCTV footage. | Video imagery | Art. 6 (1) (f) Legitimate Interest |
| To process funding applications. | Name Contact details Job title Gender Ethnicity (GEDI) Health data (disability) Financial data Professional qualifications CV | Art. 6 (1) (a) Consent Art. 9 (2) (a) Explicit Consent |
| To process membership of Medialiteracyireland.ie. | Name Email Address Media Literacy experience/interest Organisation Name | Art. 6 (1) (a) Consent |
Your data protection rights
Under data protection law, you have the following rights:
- Your right to be informed about whether we are processing your personal data;
- Your right of access – You have the right to ask us for a copy of your personal data.
- Your right to rectification – You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete data you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal data in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal data in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
- Where we process your data on the basis of your consent you have the right to withdraw that consent.
- Your right not to be subject to an automated decision. As we do not engage in automated decision-making, this right does not apply.
Sharing your data
When An Coimisiún processes your Personal Data, the personal data is held confidentially and is shared with third parties only in limited circumstances. Where we share your Personal Data or request it be processed our behalf, we ensure that we have the required contracts and data sharing agreements in place. The personal data sharing is for the purposes previously outlined, including:
- The European Commission, other EU Digital Services Coordinators, the Consumer and Competition Protection Commission (CCPC) and other competent regulatory authorities. Where we share personal information that you have provided to us with the European Commission, another Digital Services Coordinator or the CCPC, this will be done via a secure platform developed by the European Commission;
- Broadcasters, on-demand providers and other concerned parties (e.g. ISPs) (where we need to provide personal information relating to complaints made about such entities with such entities or representatives of such entities);
- An Garda Síochána, where the complaint or potential infringement relates to a suspected criminal offence;
- Other public authorities, law enforcement bodies and/or organisations or bodies where required or permitted by law;
- Courts and persons/bodies associated with courts and/or court proceedings
- Third parties who we engage to provide services to us (Data Processors). In relation to our complaint handling process, as a first point of contact, we engage the services of a contact centre provider called Fexco. All complaints and/or queries to An Coimisiún will be logged in the first instance by Fexco and directed as appropriate to the relevant team in An Coimisiún or other relevant parties/authorities. We also use other third parties that provide services to us. These include ICT related systems and hosting services and professional services such as audit and legal.
How long we keep your data
An Coimisiún will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it or to comply with our obligations under the applicable law.
We retain personal data related to complaints or alleged infringements for the duration of the case while it remains active. Once a case is closed, the data will be retained for a period of five years. After this period, we will review the data to assess its continued necessity and proportionality, taking into account any relevant legal or regulatory considerations. An extension of this time period may include the statutory time limit prescribed for legal action against An Coimisiún’s decision. Therefore, the retention period applied depends on the particular circumstances of the case, the duration of the investigation and the legal and regulatory requirements to retain such information for a specified period, and finally on the relevant limitation periods for taking legal action. If legal action is taken in respect of a decision of An Coimisiún the retention period would extend to the duration of the legal proceedings and for a period of six months thereafter, in line with our retention schedule.
All personal data related to our cooperation with EU authorities will be retained for the necessary duration of that cooperation activity, which may vary by case circumstances.
All personal data related to prosecuting a suspected criminal offence will be retained for as long as necessary for the prosecution and any subsequent legal proceedings.
All personal data collected for research projects will be retained for 5 years, and for longitudinal studies for up to 10 years.
International transfers
Your personal data may be transferred to, and processed in, countries outside of the European Economic Area. These countries may have data protection laws that are different from those in Ireland. We will take appropriate measures to ensure that your data remains protected in accordance with applicable law. We do this by relying on appropriate transfer mechanisms such as Standard Contractual Clauses, Adequacy Decisions or certification methods such as the EU-US Data Privacy Framework. We conduct Transfer Impact Assessments on International Transfers and ensure additional safeguards are in place.
How we protect your data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction.
We restrict access to your personal data to individuals who have a legitimate business need for it. Those who process your personal data will do so only in an authorised manner. Additionally, we have procedures in place to address any suspected personal data security breaches.
Your requirement to provide data
An individual who contacts us with a query, request or complaint is not under any legal obligation to provide us with any personal data. However, please note that if you contact us with a query, request or complaint and fail to provide some categories of personal data (e.g. if you make an anonymous complaint), then we may not be able to respond to or deal with the issue that has been reported to us.
Separately, we have investigative powers that include the power to compel the provision of information to us. Where we issue a notice to a person requiring them to provide information, then this will give rise to a legal obligation to provide the relevant information, which may include personal data.
How to lodge a complaint with the Data Protection Commission
You have the right to lodge a complaint about how we handle your personal data to the competent supervisory authority, which is the DPC. The DPC can be contacted through their website www.dataprotection.ie or in writing at:
Data Protection Commission
6 Pembroke Row
Dublin 2
D02 X963
Ireland
Change to this Privacy Statement
We may update this Privacy Statement from time to time, so please check this Privacy Statement periodically for changes. You can find a reference to the date of the last update on the top of this statement.