Privacy and Cookie Notice

General Statement:

This Privacy Notice relates to the Commission for Aviation Regulation’s (Commission) privacy practices in connection with our use of your personal data. The Commission is not responsible for the content or privacy practices of other websites. Any external links to other websites are clearly identifiable as such.

We respect and value the privacy of everyone who visits this website, or (“our site”) and where we seek personal information from you through any channel i.e., via our website, license application forms, complaint forms, by post, or email. We will only collect and use personal data in ways that are described here and in a manner that is consistent with our obligations and your rights under the Data Protection Law.

The Commission for Aviation Regulation is the Data Controller for the personal data that we process unless otherwise stated. Please read this Privacy Notice carefully and ensure that you understand it.

Our Contact Details:  

The Commission’s contact details are as follows: 

Post: 3rd Floor, 6 Earlsfort Centre, Earlsfort Terrace, Dublin 2, D02 W773


Telephone: +353 1 661 1700 

Definition and Interpretation

Terms Meaning
Personal Data

Means data that relates to or can identify a living person either by itself or together with other available data. Examples of personal data include a person’s name, phone number, bank details.

Special Category Data 

Means sensitive personal data which merits higher protection when processing. Example: health data, race and ethnic origin, trade union membership details, genetic data and data concerning a natural person’s sex life or sexual orientation. 


Means any operation or set of operations which is performed on personal data. Such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction.

Data Controller

Means a natural or legal person, public authority, agency, or other body who determines the purpose and means of processing of personal data.

Data Processor

Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Data Subject

A natural person to whom personal data relates.


Means Data Transfer mechanism as provided under Article 49 GDPR and Section 91 Data Protection Act 2018. 

We/Our/The Commission

Means the Commission for Aviation Regulation, a public body established under the Aviation Regulation Act 2001 whose headquarters are located at 3rd Floor, 6 Earlsfort Terrace, Dublin 2.

You/ Your

Means individuals whose personal data we process.


Means a small piece of data that a website stores on the visitor’s computer or mobile device.

Cookie law

Means the EU ePrivacy Directive 2009/136/EC as transposed into Irish Law.

Purpose of this Privacy Notice

The Commission for Aviation Regulation collects and uses personal data from various categories of individuals for a range of purposes. All personal data collected by the Commission will be protected in line with our responsibilities as a Data Controller pursuant to the Data Protection Laws.

This privacy notice is provided to you in line with our obligations under the General Data Protection Regulation (2016/679/EU) (GDPR) and Data Protection Act (DPA) 2018; It sets out the following:

  • What data we collect about you?
  • Why and how we use your personal data?
  • Who are the recipients of personal data?
  • Data transfer outside the EEA
  • Data security measures implemented by the Commission
  • Data Retention period
  • Your rights under data protection law

Principles of Data Protection   

The Commission complies with the following principles enshrined in Article 5 of the GDPR:

  • Process your personal data in a lawful, fair and transparent manner.
  • Collect no more than the relevant data required specific to the purpose of carrying out our duties as a regulatory body.
  • Keep your personal data accurate and up to date at all times.
  • Retain your data in line with our Data Retention Schedule.
  • Process your data in a manner which ensures utmost confidentiality by restricting unauthorised access and protect it against accidental loss, unauthorised access, destruction or damage, using appropriate technical or organisational measures.
  • Keep a record to demonstrate that all data processing activities are carried out in compliance with the above 5 principles.

Personal Data We Collect and Process 

The Commission collects and processes various categories of personal data in connection with your use of our websites ( or and our relationship with you. This includes personal data (including special categories of data): 

i. Provided as a part of air passenger complaint (including persons with reduced mobility) forms, travel operator and travel agent license applications, air carrier operator license applications, applications for groundhandling approval, travel collapse claims forms or response to public consultations.  

ii. Collected for the purpose of assessing tender proposals, recruiting candidates for positions available in the Commission, responding to requests made under the Freedom of Information Act 2014, Access to Information on the Environment legislations, the GDPR and DPA 2018 or general queries from the public or sending newsletters. 

Lawful Grounds and Data Processing Purposes  

The Commission relies on lawful grounds provided under the GDPR and DPA 2018 to carry out various data processing activities as explained below: 

Processing based on the performance of our regulatory task and legal obligation 

  • Informing the public on the Commission’s consultation decision.
  • Investigating and resolving complaints in relation to air passenger rights and persons with reduced mobility.
  • Issuing and renewing travel operator licenses, travel agent licenses, air carrier operator licenses or groundhandling approvals.
  • Monitoring travel operators, travel agents, air carrier operators and groundhandling companies
  • Processing licensing payment either directly or through our nominated payment services provider.
  • To liaise with other competent authorities (Example: Irish Aviation Authority, the Department of Transport, etc).
  • Responding to requests made under the Freedom of Information Act 2014, Access to Information on the Environment or Data Protection legislations and other queries or complaints from public.
  • Investigating Protected Disclosures received by the Commissioner.
  • Complying with court orders arising in civil or criminal proceedings.
  • Managing and administering our legal and compliance affairs.

Processing Based on Contractual Obligations 

  • Carrying out public procurement activities including E-tender Contracts and other Service Level Agreements.  
  • Recruiting candidates for roles available in the Commission, either directly or through recruitment agencies. 

Processing Based on Consent  

  • Subscribing to the Commission’s newsletters.  
  • Use of details provided during consultation on our websites. 
  • Effectively managing the functionality and usability of the Commission’s websites by placing cookies on website users’ devices.  

Special Category Data 

As a part of the Commission’s regulatory function, we process special categories of data in accordance with the requirements of Article 6 and 9 of the GDPR and Chapter 2 of the DPA 2018. Our processing of such data respects the rights and interests of the data subjects.

Example: We rely on Article 9(2)(g) of the GDPR and Section 49(b) of the DPA 2018 for processing health data for the purpose of investigating and resolving air passenger complaints relevant to persons with reduced mobility.

The Commission reserves the right to update the list of data processing activities as the need arises.

Personal Data Recipients  

We may share your data with third parties, including our third-party service providers and other competent authorities. Some of these recipients are our Data Processors, i.e., they can process the personal data that they receive from us only on our instructions and under our monitored control.

All third-party recipients with whom the Commission shares personal data are required to ensure confidentiality, integrity and availability of data. They are required to implement appropriate technical and organisational measures to protect it against accidental loss, destruction, unauthorised access or damage. Third-party service providers i.e., Data Processors who have a business need to know will only process your personal data on our instruction and are subject to a contract which incorporates a duty of confidentiality and a data processing agreement.

Below is the non-exhaustive list of third-party recipients we share your personal data with:

  • IT service providers  
  • Records storage company
  • Travel agency
  • Recruitment agency
  • Professional Advisors
  • Banks
  • Airlines
  • Internal auditors
  • Comptroller and Auditor General
  • Revenue Commissioners
  • Department of Transport
  • Irish Aviation Authority
  • National Archives
  • National Enforcement Bodies
  • Office of Government Procurement 

The Commission reserves the right to update this list as the need arises. 

The Commission’s Privacy Notice does not apply to activities of above referenced third parties. Please consult the respective privacy notices of such third parties or contact such third parties for more data. 

Data Transfer Processing outside the EEA  

The Commission only transfers data outside of the EEA in very limited circumstances such as: 

  • In the process of investigating and resolving complaints relating to air passenger rights and persons with reduced mobility, where the complaint involves an airline, whose registered office is outside the EEA. 
  • Where the data centre of the IT service providers is based outside the EEA. 

To ensure that the Commission can carry out its regulatory function, we rely on adequacy decision or Article 49(1)(d) of the GDPR for transferring data outside the EEA. 

Data Security  

The Commission for Aviation Regulation has put in place adequate and appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. In certain circumstances, third-party service providers who have a business need to know will only process your personal data on our instruction and are subject to a contract which incorporates a duty of confidentiality and a data processing agreement.

Data Retention Period  

The Commission is committed to protecting your personal data and will ensure all appropriate steps are taken throughout the lifecycle of data processing to maintain the integrity and security of data.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements.

After expiration of retention period, we securely delete or destroy your data permanently. In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research and statistical purposes in which case we may use this data indefinitely without further notice to you.

Data Subject Rights

As a data subject you have the following rights under the GDPR:

  • Right to access your personal data,
  • Right to have any incorrect personal data rectified,
  • Right to have your personal data erased (where appropriate),
  • Right to object or restrict processing of your personal data (where appropriate),
  • Right to request for transfer your data to another organisation,  
  • Right not to be subjected to automated decision making and profiling.

For full details on your rights please see the following here.

To exercise any of the above rights, please contact our Data Protection Officer using the details provided in the next section.

Alternatively, you can fill the data subject request form available on our contact page.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, which in Ireland is the Office of the Data Protection Commission (DPC). The Data Protection Commission can be contacted in the following ways:

Online:                         Contact Form

Post - Dublin:              21 Fitzwilliams Square South, Dublin 2, D02 RD28   

Post – Laois:                 Canal House, Station Road, Portarlington, Co. Laois, R32 AP23       

Telephone:                   01 765 0100 / 1800 437 737 / 05 7868 4800

Cookie Notice 

General Statement

This Cookie Notice provides details about the types of cookies we use on our  and website.

What are Cookies

Cookies are small text files which are downloaded and saved to your computer or device when you visit a website. Your web browser (such as Internet Explorer, Google Chrome, Mozilla Firefox or Safari) then sends these cookies back to the website every time you visit it again to remember things like your preferences.

This website utilises two types of cookies:

  1. First-Party Cookies: Those set by us upon your use of Our website.
  2. Third-Party Cookies: Third-party Cookies are those placed by websites, services, and/or parties other than us. These Cookies are not integral to the functioning of our site and your use and experience of our site will not be impaired by refusing consent to them.

All cookies used by and on our site are used in accordance with current ePrivacy Directive 2009/136/EC.

Our cookies are not used to identify users personally. They are used to improve the effectiveness of the website and to provide you with a better end user experience on our websites.

Before cookies are placed on your computer or device, you will be shown a pop-up message requesting your consent to set those cookies. By giving your consent to the placing of cookies you are enabling us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of cookies.

To further ensure your privacy and restrict third-party cookies on your devices, it is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.

Please read this Cookie Notice carefully and ensure that you understand it.

Categories of Cookies Utilized on this Website

Strictly Necessary Cookies:

These cookies are necessary for the website to function and cannot be switched off on our systems. They are usually only set-in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.  You can set your browser to block or alert you about these cookies, but some parts of the site will no longer work. These cookies do not store any personally identifiable data.

Cookie Subgroup Cookies Cookies Used Lifespan


First Party     


6 Months


First Party      1 Month




First Party


30 Days

30 Days



First Party

179 Days

179 Days

6 Months


First Party 364 Days


First Party 30 Days

Performance Cookies:

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All data these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.

Cookie Subgroup Cookies Cookies Used Lifespan _hjIncludedInSample

First Party







 First Party

730 Days

1 Day

A few seconds


A few seconds ak_bmsc

First Party

A few seconds



First Party

A few seconds

365 Days



First Party

1 Day

730 Days

Functional Cookies:

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all these services may not function properly.

Cookie Subgroup


  Cookies Used     Lifespan



First Party


248 Days bm_sv  Third Party A few seconds

Targeting Cookies:

These cookies may be set through third party companies. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not directly store personal data but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Cookie Subgroup Cookies Cookies Used Lifespan


Third Party Session

Managing and Disabling Cookies

Any cookie that is not Strictly Necessary is not active by default and does not send information to the resource it is called from. Accepting all cookies, makes all cookies active. You can modify your cookie preferences for the website at any time by clicking on the ‘Cookie Settings’ button below.

The Commission’s Data Protection Officer Contact Details  

The Commission has appointed a Data Protection Officer to oversee our data protection compliance. Our DPO can be contacted at: 

Post: 3rd Floor, 6 Earlsfort Terrace, Dublin 2, D02 W773 


Phone: +353 1 634 6851 

 Changes to Our Privacy and Cookie Notice

We may change this Privacy and Cookie Notice from time to time (for example, if the law changes). Any changes will be immediately posted on our site. We recommend that you check this page regularly to keep up to date. 

© 2023 Commission for Aviation Regulation
  • 3rd Floor 6 Earlsfort Terrace Dublin 2, D02 W773 
  • Phone: +353-(0) 1-6611700, Email: