The Irish Data Protection Commissioner has been quite active of late, in the enforcement of data protection laws and in issuing guidance notes in respect of aspects of the applicable legislation. The loss of government data in the UK recently has received a lot of news coverage and has increased public awareness and media focus on the use of personal data and the rights that people have regarding their personal information.

Against this backdrop, the Irish Data Protection Commissioner issued a guidance note on Tuesday, 8 January 2008 entitled "Guidance Note for Data Controllers on Purpose Limitation and Retention in Relation to Credit/Debit/Charge Card Transactions".

Guidance notes that are issued by the Irish Data Protection Commissioner do not have the force of law, but they are useful in terms of understanding the way in which the Data Protection Commissioner interprets the legislation.

Clients that process payment cards should be aware of the limitations applicable to the information that is gathered when processing the cards: the information may only be used for specific and legitimate purposes.

Commercial operations and procedures should reflect the legal obligations and responsibilities owed to the people providing the payment card details, and data protection restrictions should be taken account of in contracts with service providers which may provide payment processing services to a business.

For further information, or if you would like a copy of the guidance note,
please contact Deirdre Kilroy.

January 2008.