Privacy and Cookie Notice

General Statement:

This Privacy and Cookie Notice relates to the Commission for Aviation Regulation’s (Commission) privacy practices in connection with our use of your personal data. The Commission is not responsible for the content or privacy practices of other websites. Any external links to other websites are clearly identifiable as such. 

We respect and value the privacy of everyone who visits this website or (“our site”) and where we seek information data from you through any channel i.e., via our website, license application forms, complaint forms, by post, or email. We will only collect and use personal data in ways that are described here and in a manner that is consistent with our obligations and your rights under the Data Protection Law. 

The Commission for Aviation Regulation is the Data Controller for the personal data that we process unless otherwise stated. Please read this Privacy and Cookie Notice carefully and ensure that you understand it.  

Our Contact Details:  

The Commission’s contact details are as follows: 

Post: 3rd Floor, 6 Earlsfort Centre, Earlsfort Terrace, Dublin 2, D02 W773


Telephone: +353 1 6611700 

Definition and Interpretation

Terms Meaning
Personal Data Means data that relates to or can identify a living person either by itself or together with other available data. Examples of personal data include a person’s name, phone number, bank details. 
Special Category Data  Means sensitive personal data which merits higher protection when processing. Example: health data, race and ethnic origin, trade union membership details, genetic data and data concerning a natural person’s sex life or sexual orientation. 
Processing Means any operation or set of operations which is performed on personal data. Such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction. 
Data Controller Means a natural or legal person, public authority, agency, or other body who determines the purpose and means of processing of personal data. 
Data Processor Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. 
Data Subject A natural person to whom personal data relates.
Derogation Means Data Transfer mechanism as provided under Article 49 GDPR and Section 91 Data Protection Act 2018. 
We/Our/The Commission Means the Commission for Aviation Regulation, a public body established under the Aviation Regulation Act 2001 whose headquarters are located at 3rd Floor, 6 Earlsfort Terrace, Dublin 2.
You/ Your Means individuals whose personal data we process.
Cookie Means a small piece of data that a website stores on the visitor’s computer or mobile device.
Cookie law Means the EU ePrivacy Directive 2009/136/EC as transposed into Irish Law.

Purpose of this Privacy Notice

The Commission for Aviation Regulation collects and uses personal data from various categories of individuals for a range of purposes. All personal data collected by the Commission will be protected in line with our responsibilities as a Data Controller pursuant to the Data Protection Laws.  

This privacy notice is provided to you in line with our obligations under the General Data Protection Regulation (2016/679/EU) (GDPR) and Data Protection Act (DPA) 2018; It sets out the following:  

  • What data we collect about you? 
  • Why and how we use your personal data? 
  • Who are the recipients of personal data? 
  • Data transfer outside the EEA  
  • Data security measures implemented by the Commission 
  • Data Retention period  
  • Your rights under data protection law 

Principles of Data Protection   

The principles of Data Protection as provided under Article 5 of the GDPR, sets out the fundamental rules applicable to the processing of personal data. The Commission will adhere to these principles when processing your personal data. The Commission will:  

The principles of Data Protection as provided under Article 5 of the GDPR, sets out the fundamental rules applicable to the processing of personal data. The Commission will adhere to the principles listed below when processing your personal data: 

  • Process your personal data in a lawful, fair and transparent manner. 
  • Collect no more than the relevant data required specific to the purpose of carrying out our duties as a regulatory body. 
  • Keep your personal data accurate and up to date at all times. 
  • Retain your data in line with our Data Retention Schedule. 
  • Process your data in a manner which ensures utmost confidentiality by restricting unauthorised access and protect it against accidental loss, destruction or damage, using appropriate technical or organisational measures. 
  • Keep a record to demonstrate that all data processing activities are carried out in compliance with the above 5 principles.  

Personal Data We Collect and Process 

The Commission collects and processes various categories of personal data in connection with your use of our websites ( or and our relationship with you. This includes personal data (including special categories of data): 

i. Provided as a part of air passenger complaint (including persons with reduced mobility) forms, travel operator and travel agent license applications, air carrier operator license applications, applications for groundhandling approval, travel collapse claims forms or response to public consultations.  

ii. Collected for the purpose of assessing tender proposals, recruiting candidates for positions available in the Commission, responding to requests made under the Freedom of Information Act 2014, Access to Information on the Environment legislations, the GDPR and DPA 2018 or general queries from the public or sending newsletters. 

Lawful Grounds and Data Processing Purposes  

The Commission relies on lawful grounds provided under the GDPR and DPA 2018 to carry out various data processing activities as explained below: 

Processing based on the performance of our regulatory task and legal obligation 

  • Informing the public on the Commission’s consultation decision. 
  • Investigating and resolving complaints in relation to air passenger rights and persons with reduced mobility. 
  • Issuing and renewing travel operator licenses, travel agent licenses, air carrier operator licenses or groundhandling approvals.  
  • Monitoring travel operators, travel agents, air carrier operators and groundhandling companies.  
  • Processing licensing payment either directly or through our nominated payment services provider. 
  • To liaise with other competent authorities (Example: Irish Aviation Authority, the Department of Transport, Tourism and Sports etc). 
  • Responding to requests made under the Freedom of Information Act 2014, Access to Information on the Environment legislations or Data Protection legislations and other queries or complaints from public.  
  • Investigating Protected Disclosures received by the Commissioner.  
  • Complying with court orders arising in civil or criminal proceedings. 
  • Managing and administering our legal and compliance affairs.

Processing Based on Contractual Obligations 

  • Carrying out public procurement activities including E-tender Contracts and other Service Level Agreements.  
  • Recruiting candidates for roles available in the Commission, either directly or through recruitment agencies. 

Processing Based on Consent  

  • Subscribing to the Commission’s newsletters.  
  • Use of details provided during consultation on our websites. 
  • Effectively managing the functionality and usability of the Commission’s websites by placing cookies on website users’ devices.  

Special Category Data 

As a part of the Commission’s regulatory function, we process special categories of data in accordance with the requirements of Article 6 and 9 of the GDPR and the DPA 2018. Our processing of such data respects the rights and interests of the data subjects. 

We process special categories of personal data under the following Data Protection Provision: 

Article 9(2)(g) of the GDPR and Section 49(b) DPA 2018: where processing is necessary for performing our obligations conferred to us by law as a regulatory body. Example: Processing health data for the purpose of investigating and resolving air passenger complaints relevant to persons with reduced mobility.  

The Commission reserves the right to update the list of data processing activities as the need arises. 

Personal Data Recipients  

We may share your data with third parties, including our third-party service providers and other competent authorities. Some of these recipients are our Data Processors, i.e., they can process the personal data that they receive from us only on our instructions and under our monitored control. 

We require all recipients to respect the security of your personal data and act solely. Third-party service providers i.e., Data Processors who have a business need to know will only process your personal data on our instruction and are subject to a contract which incorporates a duty of confidentiality and a data processing agreement. 

Below is the non-exhaustive list of third-party recipients we share your personal data with: 

  • IT service providers   
  • Records storage company 
  • Travel agency 
  • Recruitment agency  
  • Professional advisors  
  • Banks  
  • Airlines  
  • Internal auditors  
  • Comptroller and Auditor General 
  • Department of Revenue 
  • Department of Transport  
  • Irish Aviation Authority  
  • National Archives  
  • National Enforcement Bodies  
  • Office of Government Procurement  

The Commission reserves the right to update this list as the need arises. 

The Commission’s Privacy Notice does not apply to activities of above referenced third parties. Please consult the respective privacy notices of such third parties or contact such third parties for more data. 

Data Transfer Processing outside the EEA  

The Commission only transfers data outside of the EEA in very limited circumstances such as: 

  • In the process of investigating and resolving complaints relating to air passenger rights and persons with reduced mobility, where the complaint involves an airline, whose registered office is outside the EEA. 
  • Where the data centre of the IT service providers is based outside the EEA. 

To ensure that the Commission can carry out its regulatory function, we rely on adequacy decision or Article 49(1)(d) of the GDPR for transferring data outside the EEA. 

Data Security  

The Commission for Aviation Regulation has put in place adequate and appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. In certain circumstances, a third-party service providers who have a business need to know will only process your personal data on our instruction and are subject to a contract which incorporates a duty of confidentiality and a data processing agreement.  

Data Retention Period  

The Commission is committed to protecting your personal data and will ensure all appropriate steps are taken throughout the lifecycle of data processing to maintain the integrity and security of data. 

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. 

After expiration of retention period, we securely delete or destroy your data permanently. In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this data indefinitely without further notice to you. 

Cookie Notice 

Upon your use of our websites and, we sometimes place small data files known as cookies on your device. This section of the Privacy Notice details data about the types of cookies we use and why we use them. This Cookie Notice applies to use of both websites.  

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device to remember data about you, such as your language preference or login data. 

This website utilises two types of cookies:  

  • First-Party Cookies: Those set by us upon your use of Our website. 
  • Third-Party Cookies: Third-party Cookies are those placed by websites, services, and/or parties other than us. These Cookies are not integral to the functioning of our site and your use and experience of our site will not be impaired by refusing consent to them. 

All cookies used by and on our site are used in accordance with current ePrivacy Directive 2009/136/EC. 

Our cookies are not used to identify users personally. They are used to improve the effectiveness of the website and to provide you with a better end user experience on our websites. 

Before cookies are placed on your computer or device, you will be shown a pop-up message requesting your consent to set those cookies. By giving your consent to the placing of cookies you are enabling us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of cookies. 

To further ensure your privacy and restrict third-party cookies on your devices, it is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.  

Categories of Cookies Utilized on this Website

Strictly Necessary Cookies:  

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set-in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.  You can set your browser to block or alert you about these cookies, but some parts of the site will no longer work. These cookies do not store any personally identifiable data. 

Performance Cookies:  

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All data these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance. 

Functional Cookies: 

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all these services may not function properly. 

Targeting Cookies: 

These cookies may be set through third party companies. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not directly store personal data but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. 

Data Subject Rights  

As a data subject you have the following rights under the GDPR: 

  • Right to access your personal data 
  • Right to have any incorrect personal data rectified 
  • Right to have your personal data erased (where appropriate) 
  • Right to object or restrict processing of your personal data (where appropriate) 
  • Right to request for transfer your data to another organisation  
  • Right not to be subjected to automated decision making and profiling.  

 For full details on your rights please see the following here

The Commission’s Data Protection Officer Contact Details  

The Commission has appointed a Data Protection Officer to oversee our data protection compliance. Our DPO can be contacted at: 

Post: 3rd Floor, 6 Earlsfort Terrace, Dublin 2, D02 W773 


Phone: +35316346851 

Right to Lodge a Complaint   

You have the right to lodge a complaint with a supervisory authority, which in Ireland is the Office of the Data Protection Commission (DPC). The Data Protection Commission can be contacted in the following ways: 

Online Contact Form:  

Post - Dublin: 21 Fitzwilliams Square South, Dublin 2, D02 RD28  

Post – Laois: Canal House, Station Road, Portarlington, Co. Laois, R32 AP23  

Telephone: +353 578684 800 or +353 761104 800 

Changes to Our Privacy and Cookie Notice

We may change this Privacy Notice from time to time (for example, if the law changes). Any changes will be immediately posted on our site. We recommend that you check this page regularly to keep up to date. 

© 2022 Commission for Aviation Regulation
  • 3rd Floor 6 Earlsfort Terrace Dublin 2, D02 W773 
  • Phone: +353-(0) 1-6611700, Email: