Vetted Researcher Data Access Supplemental Privacy Statement
This supplemental Privacy Statement supplements the information contained in our general Privacy Statement.
Last Updated: 01.12.25
This supplemental privacy statement explains how Coimisiún na Meán (“An Coimisiún”, “we”, “us”, “our”), uses your personal data in connection with the vetted researcher data access regime provided for by Article 40 of the Digital Services Act.
An Coimisiún is Ireland’s main Digital Services Coordinator (DSC) for the purpose of the Digital Services Act. An Coimisiún collects and processes personal data in the course of performing its functions as a DSC, including in connection with assessing applications by researchers to be awarded vetted researcher status and for An Coimisiún to make a reasoned request for data on their behalf to a provider of a VLOP or VLOSE in accordance with Article 40 of the Digital Services Act.
The purpose of this supplemental Privacy Statement is to inform individuals whose personal data we process (“you”, “your”) of the data relating to you that we collect, the uses we may make of such data in this context, what rights you have in relation to your data and how to exercise them.
Coimisiún na Meán is the controller of the personal data which is described in this supplemental Privacy Statement.
How to contact us
You can contact An Coimisiún for any queries about our processing of your personal data in our capacity as data controller using our contact details:
- by email at [email protected]
- by post addressed to our office as follows: Coimisiún na Meán (c/o Data Protection Officer), 1 Shelbourne Buildings, Shelbourne Road, Dublin 4, D04 NP20, Ireland
What personal data we handle
An Coimisiún may process some or all of the following categories of personal data in this context:
Applicant Data
Personal data relating to an individual who submits an application to become a vetted researcher or who is otherwise referenced in such an application. This personal data may include an individual’s name, DSA Data Access Portal user ID, Application Case ID number, address, email address, telephone number, any supporting materials (such as personal data contained in the documentation demonstrating the individual’s affiliation to a research organisation, and any other personal information deemed necessary for the purpose of participating in the vetted researcher data access process) and details regarding the applicant’s handling of the application.
Expert Data
Personal data relating to an individual expert whom we may consult before formulating a reasoned request or taking on an amendment request by a provider of a VLOP/VLOSE. This personal data may include an individual’s name, email address, telephone number, and materials supporting their independence, impartiality, relevant expertise and skills, and capacity and resources to perform the task without incurring undue delay.
Representative Data
Personal data relating to an employee or other representative of a provider of a VLOP/VLOSE with whom An Coimisiún communicates in connection with a reasoned request for access to data.
Personnel Data
Personal data relating to personnel of the European Commission, the European Board for Digital Services, other Member State DSCs, or other statutory bodies with whom An Coimisiún communicates in connection with an application to become a vetted researcher and/or a reasoned request for access to data.
Legal basis for processing your data
The legal basis for the processing of your personal data depends on the purpose for which the processing is being carried out.
The main legal bases under the GDPR upon which An Coimisiún relies for the purposes of processing personal data are:
Article 6 (1) (c): Processing is necessary for compliance with a legal obligation to which An Coimisiún is subject.
Most of these obligations (which arise from legislation and from laws and legal principles applicable to how we operate) are connected to our functions and powers, which are primarily set out in the following legislation:
- Commission Delegated Regulation (EU) 2025/2050
- Digital Services Act 2022
- Broadcasting Act 2009
- Online Safety and Media Regulation Act 2022
Collectively, for the purpose of understanding the Table below, we refer to these laws as ‘applicable legislation’. The list of legislation may broaden over time and therefore this list is not necessarily exhaustive.
Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in An Coimisiún.
In addition to processing personal data where this is necessary to comply with legal obligations to which we are subject, we also process personal data where this is necessary for the performance of tasks carried out in the public interest or the exercise of official authority vested in us. These tasks and authority are provided for in the same laws as mentioned above.
The table below illustrates the purposes, categories of personal data and legal bases for our processing:
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| To process and respond to vetted researcher applications. | Applicant Data Expert Data Representative Data Personnel Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation |
| To notify the European Commission, other EU Digital Services Coordinators, and any other relevant parties, as deemed appropriate by An Coimisiún, of its decisions. | Applicant Data Expert Data Representative Data Personnel Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation |
| To cooperate with the European Commission, other EU Digital Services Coordinators, and any other relevant parties, as deemed appropriate by An Coimisiún, in connection with its review and decisions regarding vetted researcher applications. | Applicant Data Expert Data Representative Data Personnel Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation |
| To deal with any disputes or claims in relation to any vetted researcher applications and/or reasoned requests for data access | Applicant Data Expert Data Representative Data Personnel Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation |
| In connection with an investigation as to whether a vetted researcher no longer meets the applicable conditions and should have their data access pursuant to a reasoned request terminated in accordance with Article 40(10) of the Digital Services Act. | Applicant Data Expert Data Representative Data Personnel Data | Art. 6 (1) (e) Public Interest/Official Authority Art. 6 (1) (c) Legal Obligation |
Your data protection rights
Under data protection law, you have certain rights in relation to the processing of your personal data. For further details regarding your rights and how to exercise them please refer to our general Privacy Statement.
Sharing your data
When An Coimisiún processes your Personal Data, the personal data is held confidentially and is shared with third parties only in limited circumstances. These may include where we are legally obliged to share your Personal Data with a third party, such as a VLOP/VLOSE, another Digital Services Coordinator or the European Commission. Where we share your Personal Data or request it be processed on our behalf, we ensure that we have the required contracts and or data sharing agreements in place to the extent necessary to comply with applicable law. The personal data sharing is for the purposes previously outlined, including with:
- The European Commission, other EU Digital Services Coordinators, and other competent regulatory authorities. Where we share personal information that you have provided to us with the European Commission or another Digital Services Coordinator, this will be done via a secure platform developed by the European Commission;
- Experts with whom we consult as part of our review of applications;
- The provider of the VLOP/VLOSE the subject of the vetted researcher application;
- Other public authorities where required or permitted by law.
How long we keep your data
An Coimisiún will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it or to comply with our obligations under the applicable law.
We retain personal data related to vetted researcher applications for the duration of the application process while it remains active. Once an application decision has been made, the data will be retained for a period of seven years. After this period, we will review the data to assess its continued necessity and proportionality, taking into account any relevant legal or regulatory considerations. An extension of this time period may include the statutory time limit prescribed for legal action against An Coimisiún’s decision. Therefore, the retention period applied depends on the particular circumstances of the application and on the relevant limitation periods for taking legal action. If legal action is taken in respect of a decision of An Coimisiún the retention period would extend to the duration of the legal proceedings and for a period of six months thereafter, in line with our retention schedule.
All personal data related to our cooperation with the European Commission, other Digital Services Coordinators and other competent regulatory authorities will be retained for the necessary duration of that cooperation activity, which may vary by case circumstances.
International transfers
Your personal data may be transferred to, and processed in, countries outside of the European Economic Area. These countries may have data protection laws that are different from those in Ireland. We will take appropriate measures to ensure that your data remains protected in accordance with applicable law. We do this by relying on appropriate transfer mechanisms such as Standard Contractual Clauses, Adequacy Decisions or certification methods such as the EU-US Data Privacy Framework. We conduct Transfer Impact Assessments on International Transfers and ensure additional safeguards are in place.
How we protect your data
Please refer to our general Privacy Statement for further details on how we protect your personal data.
Your requirement to provide data
Please note that if you wish to make an application for vetted researcher status but fail to provide some categories of personal data (e.g. if you do not provide any information evidencing your affiliation with a research organisation), then we will not be able to grant you vetted researcher status.
How to lodge a complaint with the Data Protection Commission
You have the right to lodge a complaint about how we handle your personal data to the competent supervisory authority, which is the DPC. The DPC can be contacted through their website www.dataprotection.ie or in writing at:
Data Protection Commission
6 Pembroke Row
Dublin 2
D02 X963
Ireland
Change to this Supplemental Privacy Statement
We may update this Supplemental Privacy Statement from time to time, so please check this Supplemental Privacy Statement periodically for changes. You can find a reference to the date of the last update on the top of this statement.