Skip to main content


What is the GDPR?

The General Data Protection Regulation (GPPR) is relatively new legislation which came into force on 25 May 2018 governing the use of personal data by organisations and individuals, and the rights of individuals. 

What is the GDPR’s aim?

Alongside the Data Protection Act 2018, the GDPR aims to standardise and strengthen the right of European citizens to data privacy. These changes are designed to help you gain a greater level of control over your data, while offering more clarity about how your data is collected and processed. 
Requirements and language of the GDPR build upon previous data protection legislation, but the GDPR imposes new obligations and stricter requirements on organisations.

What is personal data?

Personal data is information that relates to an individual who can be identified or who is identifiable directly from the information in question or who can be indirectly identified from that information in combination with other information.  

Examples of personal data are:

  • an individual’s name
  • postal address
  • telephone number
  • an identification number
  • date of birth
  • email address
  • location data or online identifiers such as an IP address or cookies. 

However, there are some types of personal data which are more sensitive in nature and therefore requires a higher level of protection. This is referred to in the GDPR as special categories of personal data.  

It is personal data that reveals an individual’s:

  • race or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where this is used for identification purposes)
  • health data
  • sex life or sexual orientation.

This type of data is often referred to a special category personal data or sensitive personal data. 

Personal data can include information relating to criminal convictions and offences. This also requires a higher level of protection.

What are data controllers, data processors and data subjects?  

A data controller is an individual or organisation which, alone or jointly with others, processes personal data.  Belfast City Council is a data controller.

A data processor is an individual or organisation which processes personal data on behalf of the data controller.  Belfast City Council sometimes uses data processors.

A data subject is anyone about whom personal data is processed (held).  This may be someone who uses a Council service or is signed up to receive our event emails.

Processing means any operation involving personal data, such as collecting, recording, use, storing, sharing, disclosure, deletion or destruction.

The GDPR applies to all data controllers, data processors and data subjects based in the EU, so if an individual or organisation processes the personal data of people in the EU, or is a data controller or processor established in the EU, the GDPR will apply. Data controllers and data processors may be subject to fines and sanctions if they do not comply with GDPR requirements.

What are the Data Protection Principles?

The GDPR places a legal obligation on data controllers, such as the Council, to comply with rules when processing personal data, known as the Data Protection Principles, to ensure that personal data is:

  1. processed  lawfully, fairly and in a transparent manner
  2. collected for a specified, explicit and legitimate purpose only
  3. adequate, relevant and limited to the purposes for which it was collected
  4. accurate and kept up to date
  5. retained for no longer than is necessary for the purpose it was processed, and
  6. kept safe and secure to protect its integrity and confidentiality.

What are the Rights of Individuals?

The GDPR gives you rights relating to the processing of your personal data, which are:

  1. Right to be informed – individuals must be provided with ‘fair processing information’ through privacy notices. There must be transparency at the point of collection on how the information will be used and there is an emphasis on providing you with clear and concise privacy notices.
  2. Right of access – individuals must be able to access their data to ensure that it is being processed lawfully. This is commonly referred to as a 'subject access request'.  Individuals can make a subject access request verbally or in writing. This right always applies, however, there are exemptions, which means you may not always receive all the information we process.
  3. Right to rectification – individuals have the right to have inaccurate personal data rectified or completed if incomplete. This right always applies.
  4. Right to erasure – individuals have the right to have personal information deleted or destroyed. This is also known as the ‘right to be forgotten’. This is not absolute and only applies in certain circumstances.
  5. Right to restrict processing –individuals can request the restriction or suppression of their personal data. This is not absolute and only applies in certain circumstances.  
  6. Right to data portability – enables individuals to reuse and transfer their personal data across IT systems for their personal use, from one data controller to another without affecting its usability. This right only applies to information you have given us and in certain circumstances.
  7. Right to object – individuals have the right to object to processing we undertake as part of a public task or in our legitimate interests. This is not absolute and only applies in certain circumstances.  Individuals can object to the processing of personal data for direct marketing purposes. They also can object to processing for scientific, historical research or statistical purposes, unless it is necessary for public interest reasons.
  8. Rights in relation to automated decision-making and profiling - automated decision-making is a decision made by automated means without any human involvement. Individuals have the right in certain circumstances not to be subject to a decision based solely on automated processing, including profiling, which significantly affects him or her. Individuals also have the right to understand the reasons behind decisions made by automated processing and the possible consequences of the decisions.

You are usually not required to pay any charge for exercising your rights. You can make a request verbally or in writing and we have one calendar month to respond to you.

Does Belfast City Council process personal data?

Yes. Belfast City Council is a data controller, under the data protection legislation, for the personal data it gathers from members of the public, staff, contractors, and other individuals who interact with us. We establish that the Council has a lawful basis for processing the personal data and only process for it for specific purposes.  We explain these matters when we collect personal data, and describe how it will be used (known as fair processing information), in a privacy notice. 

We use the personal data we collect to provide a proper service and improve our interaction with citizens on a wide range of matters.  For instance, personal data is used to manage an individual’s specific needs and keep them informed about matters such as changes to services, initiatives, events, dealing with complaints, employing contractors and dealing with enforcement action. 

We collect personal data in a variety of ways, for example, through correspondence such as letters and emails, or the telephone, face to face conversations or completed forms, including online forms. Personal data is held in paper and electronic format, but will always be managed in a safe and secure environment. 

Do you need my consent to process my personal data?

Not always. However, there may be occasions when consent is the only lawful basis we have to process your personal data.  In these circumstances, we will seek your consent at the time we gather your personal data. You will normally be asked to provide a signature or indicate consent by ticking a box, but this will only be carried out after a full explanation has been provided and you are clear as to what you are consenting to. 

Can my personal data be shared?

Yes, but your personal data will not be shared or disclosed to any other individual or organisation without your consent or unless the law permits or places an obligation on us to do so. 

Where this criteria is met, personal data may be shared between council staff who are involved in providing a service and between council departments with the purpose of supporting an effective delivery of service. In addition, provided the above-mentioned criteria is met, we may also share your personal data with other statutory and non-statutory organisations.

We may also use external organisations to carry out services on our behalf which requires us to provide them with access to your personal data. These organisations will act as data processors for us and they are legally obliged to keep your personal data secure and only process it under the specific direct instructions issued by us in line with data protection legislation.

We will not supply your information to any other organisation for marketing purposes without your prior consent. 

Are there special rules for children’s personal data?

Children have all the same basic rights as adults and some additional specific protection. We will abide by all the data protection principles when dealing with children.  

When we are dealing with children we will require consent from whoever holds parental responsibility for the child.  If we are offering an online service, only children aged 13 or over are able to provide their own consent.   

Where can I get further information?

Should you wish to obtain more information about the council’s personal data processing activities, we have a dedicated Data Protection Officer who you can contact by email at or by writing to:

Data Protection Officer
Belfast City Council
City Hall

We are registered as a data controller with the Information Commissioner’s Office (ICO), which regulates compliance with the data protection legislation. You may view our Data Protection Registration entry by searching for our registration number ZA104779 on the Information Commissioner’s website (  If you consider that we have breached any of the requirements of this legislation, you may contact the ICO, who may carry out an assessment, audit or investigation to establish if we are compliant with it.  The ICO can be contacted at:

Information Commissioner’s Office – Northern Ireland  
3rd Floor
14 Cromac Place

Telephone: 028 9027 8757 or 0303 123 1114


Our privacy statement

You can view our corporate privacy statement to learn more about how we collect and manage your personal data. You will also find a link to it at the bottom of any page on this website.

Read aloud icon Read aloud