Consular Case Management System Privacy Notice

The Department of Foreign Affairs & Trade (DFAT) has a long and proud track record of delivering high quality consular assistance to Irish citizens in distress overseas in accordance with our Consular Assistance Charter.

This service is delivered on a 24/7/365 basis by our global network of over 100 diplomatic missions, supported by the Department’s Headquarters in Dublin. It is a vital Government service to our citizens and a key priority of the Department.

Where you are being provided with consular assistance, your personal data may be securely recorded on our internal Consular Case Management System. This Privacy Notice has been prepared in accordance with the European Union’s General Data Protection Regulation (GDPR) that came into effect on 25 May 2018.

Everyone has rights with regard to how their personal data is handled. We are committed to complying with our obligations to ensure that we treat your data in an appropriate and lawful manner.

This notice explains why and how personal data within the Department’s Consular Case Management System is obtained, maintained and processed by DFAT on behalf of the Minister for Foreign Affairs and Trade.

If you have any questions about how your information is gathered, stored, shared or used, please contact our Data Protection Officer.

Throughout this notice, “we”, “us”, “our” and “Department” refer to the Department of Foreign Affairs and Trade. The Minister for Foreign Affairs and Trade (“Minister”) is the Data Controller for the Consular Case Management System.

The correspondence address for the Department and the Minister is:

If you are seeking consular assistance, your data will be confidentially used by our consular staff in Ireland and overseas to assess your individual circumstances in order to determine what help you may require. When you are provided with consular assistance, your data may be securely recorded on our internal Consular Case Management System.

In most cases, you will have provided the data we hold. However, in some cases it may have been provided by a family member, friend or another third party contacting us for advice or support on your behalf. During times of crisis, we will always endeavour to highlight the availability of our published Privacy Notice to you, and any third parties acting on your behalf, although this may not always be possible due to the urgency of the situation.

This information that we collect and record in our internal Consular Case Management System, that is obtained during the provision of consular assistance to Irish citizens, may include data across the following categories of data:

Citizen Information

• Name of impacted citizen seeking consular assistance
• Contact details for impacted citizen included phone numbers and email
• Passport details for impacted citizen including Passport Number and Passport Expiry Date

Other Case Stakeholder Information

• Details of stakeholders that may be involved with a particular consular assistance case (e.g. family members) including their name, contact details, relationship to the citizen seeking consular assistance and indicator if the citizen concerned has consented for DFAT to discuss their case with a particular contact
• In crisis situations, additional information may be sought on accompanying dependent family members including nationality, passport details, visa details.

Case Notes

• Key information recorded by DFAT consular assistance officers at HQ or overseas Mission regarding case including interactions with impacted citizen and other key stakeholders

Case Related Documentation

• Digital copies of documentation or queries received by or sent by DFAT, including emails received or issued through the Consular Case Management System, in the context of providing consular assistance to the citizen concerned

Telephony Data

• For calls/to from HQ Consular Assistance Unit, data associated with the date, time, duration and phone number associated with inbound

Special categories of personal data

We must specifically inform you if any of the data that we collect is considered to be a special category of personal data. Where such data is collected, it requires additional safeguards for processing. In the table below, we list the special categories of data identified under GDPR and inform you if we are collecting such personal data in our Consular Case Management System:

Biometric data

Yes (indirectly) - During the provision of consular assistance, the Department may provide or receive documentation that contains photographs e.g. copy of passport page or other ID, copy of Emergency Travel Document issued, etc. that may contain a photograph.

Genetic data

No – We do not process any genetic data

Health data

Yes (indirectly) – During the provision of consular assistance, medical information may be shared with case officers by the impacted citizen, their family or other third-parties. e.g. death, serious injury, sexual assault, mental health assistance cases, etc. or where a citizen or related stakeholder requires reasonable accommodation e.g. deaf or hearing impaired.

Political opinions

No – We do not process data on political opinions

Racial or ethnic origin

Yes (indirectly) – During the provision of consular assistance, the disclosure of Citizenships/Nationalities or documentation provided (e.g. photos or Birth Certificate) may indirectly infer racial or ethnic origin

Religious or philosophical beliefs

Yes (indirectly) – During the provision of consular assistance, the disclosure of Religion on documentation provided (e.g. Marriage Certificate) may indirectly infer religious beliefs.

Sexual orientation

Yes (indirectly) – During the provision of consular assistance, the relationship of a case stakeholder to the citizen seeking assistance may indirectly infer sexual orientation.

Trade union membership

No – We do not process data related to trade union membership

Personal data collected in respect of vulnerable Data Subjects

Given the nature of consular assistance cases, there may be some instances where the Department indirectly collects such data. For example:

• in the case of the abduction of an Irish child, information regarding the child may be captured with the consent of the relevant parent/legal guardian.
• in the case of the arrest, imprisonment or proposed deportation of an Irish citizen abroad, the Mission in the relevant country will usually be informed by the official local authorities under international law to ensure that the Department can offer consular assistance to the impacted citizen.

This data is not systematically collected or used in any profiling by the Department. The provision of such information is wholly coincidental to the provision of consular assistance and to ensure that the Department is best placed to provide effective consular assistance to Irish citizens in distress abroad.

Your information that may be securely recorded on our Consular Case Management System will be used:

• to better enable the Department to provide you, and where applicable your family, with responsive and coordinated consular assistance in line with the provisions of the Department’s Consular Assistance Charter.
• for retrospective case reporting metrics and trend analysis, on an anonymised or pseudononymised basis, to inform future TravelWise campaigns.

We must specifically inform you that your personal information will not be subject to any form of automated decision making, including profiling, that may produce legal or other significant effects on you.

We will only share your information where we are satisfied that a sound legal basis for sharing exists and where we are further satisfied that there are appropriate safeguards in place to protect your information.

To recipients internal to the Department

Outside of the Consular Directorate, we may need to share your information with:

• the Passport Service in the case of lost or stolen passports or where we are seeking to establish your Irish citizenship in order to avail of consular assistance from the Department
• our Finance Unit where the provision of consular assistance may have involved your emergency repatriation that was fully or partially funded by the Department and falls to be recouped to the Department/Exchequer
• our internal legal advisors in the case of more complex consular assistance cases, particularly in the context of international law, or in the defence of a legal claim or dispute involving us
• other authorised officers within the Department in the performance of a function conferred on the Minister under the Ministers and Secretaries Act 1924 (as amended) or on Government under the Constitution of Ireland

To recipients external to the Department

We may share your information with:

• foreign authorities and organisations (e.g. local hospitals, police, prison authorities) as well as tour operators in the context of our endeavouring to provide you with appropriate consular assistance as set out in our Consular Assistance Charter
• other Government Departments including, for example, the Department of Justice for visa purposes where a dependent family member who is not an Irish/EU citizen may seek evacuation with you during a consular crisis event or in its capacity as a Central Authority under certain International Conventions
• Non-Governmental Organisations including international charities such as Irish Council for Prisoners Overseas, International Red Cross, etc; or charities in Ireland such as CrossCare, SafeHome, the Rape Crisis Centre, Irish Red Cross, etc. that can provide you with additional information or supports that we may be unable to provide. Wherever possible, we will seek you consent to share your information with these organisations
• statutory and regulatory bodies where we are required by law to provide information including, for example, the Data Protection Commission, An Garda Síochána; the Decision Support Service, etc.
• our external legal advisors including the Attorney General’s Office or the Chief State Solicitor’s Office in the case of more complex consular assistance cases, particularly in the context of international law, or in the defence of a legal claim or dispute involving us
• the National Archives, in due course, in accordance with our obligations under the National Archives Act, 1986 (as amended)

All of your data is securely held on information systems managed and administered by us.

We maintain appropriate technical and organisational measures to protect your personal information (including special categories of data) against unauthorised access or disclosure and to safeguard against accidental or unlawful destruction, loss or alteration of your information. We evaluate these measures on a regular basis to ensure the security of processing.

The length of time we hold information data depends on a number of factors. These factors include:

• our obligations to retain information for prescribed periods under national legislation or associated regulations including, for example, the National Archives Act, 1986 (as amended)
• whether you or a regulatory authority asks us to keep it for a valid reason
• whether you are in a legal dispute with us
• whether we use your data for long-term statistical analysis or modelling, provided such data has been appropriately anonymised or pseudonymised

As a general rule, and subject to our obligations at law, we will ordinarily retain personal information for 15 years initially with records then being reviewed in the context our obligations under the National Archives Act, 1986 (as amended) which may involve the retention of your data for a further period, the transfer of your data to the National Archives or an application to the National Archives for permission to securely destroy your data.

The legal basis for processing of personal data, including special categories of data, is grounded in national, EU and international law including inter alia:

• Article 28(2), 29(4)1° and 29(4)2° of the Irish Constitution
• Ministers and Secretaries Act 1924 (as amended)
• Diplomatic Relations and Immunities Act 1967 (as amended)
• European Union (Consular Protection) Regulations 2018
• Section 38(1) of the Data Protection Act 2018 (as amended)
• EU General Data Protection Regulation including Articles 6(1)(d) & (e) and, in the case of special categories of data, Articles 9(2)(c), (f) & (g)

All of your data is securely stored and processed on ICT systems managed and administered in the European Union. It is not envisaged that we will store or permit the transfer of your information to any service provider or organisation outside of the European Union.

In the event that the transfer or storage of your data to an ICT systems managed outside of the European Union is contemplated, a comprehensive data privacy impact assessment will be completed in advance. If proceeding thereafter, we will ensure that this service provider or organisation agrees to act solely on our instructions and that your information is protected to the same standard as applies in the European Union in accordance with our obligations under GDPR.

Providing and holding personal information comes with significant rights on your part and significant obligations on ours. You have several rights under GDPR in relation to how we use your information.

In the context of the Consular Case Management System, you have the right to:

• be informed that your personal information is being submitted to the Consular Case Management System and to obtain information on how and why your information is processed. This Privacy Notice provides this information
• establish if the Consular Case Management System holds personal information about you and, if so, to be provided with a copy of this information. Please see the “Making a Subject Access Request (SAR)” section below for further information on how you can submit a request for a copy of your personal information
• make a request that any inaccurate information within the Consular Case Management System be corrected and/or any incomplete information is updated. We will grant this request as soon as possible if we are satisified that your request is well-grounded
• in particular circumstances, restrict the processing of your information
• in particular circumstances , ask to have certain information erased
• in particular circumstances, object to us processing your information
• not be subject to automated decision-making, including profiling, where it produces legal or other significant effects on you
• the right to lodge a complaint with the Data Protection Commission

To make a request for access to your personal data, including a Data Subject Access Request you should submit your request in writing to the Department’s Data Protection Officer:

When submitting your request, you should ensure that you attach the necessary information to confirm your identity.

The Department of Foreign Affairs & Trade will usually supply you with your information free of charge. However, we may charge a reasonable fee if we believe that your request is clearly unfounded, excessive or repetitive. Where we have identified that a charge is applicable, we will notify you in advance so that you can decide whether to continue or not.

We are obliged to respond to you without undue delay. In most instance, we will respond to you within one calendar month of your request having been accepted. If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will inform you within one month of the receipt of request and explain the reasons why an extension is necessary.

If you make your request electronically, we will, where possible, provide the relevant information to you electronically, in a universally accessible format, unless you ask us otherwise.

Complaints

If you have a complaint about how your personal data is being handled, please contact us to give us the opportunity to put things right as quickly as possible.

If, however, you feel that your complaint hasn’t been dealt with fully or appropriately, you have the right to complain to the Data Protection Commission. You can contact the Data Protection Commission using the details below:

If you have any questions about how your information is gathered, stored, shared or used, please contact our Data Protection Officer:

We will update this Data Privacy Notice from time to time.

17 December 2025