1. Introduction

The Irish Horseracing Regulatory Board (IHRB) regulates horseracing in Ireland. We are committed to protecting your privacy and personal data in accordance with the law.

As the regulator, the IHRB is responsible for licensing participants, making and enforcing the Rules of Racing, conducting investigations, providing disciplinary functions, administering doping control, and ensuring integrity and fairness in the sport.

In fulfilling these statutory functions, the IHRB acts as a Data Controller under the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This means we decide how and why your personal data is processed and are responsible for safeguarding your rights.

This Privacy Notice explains what personal data we collect, how we use it, who we share it with, how we keep it secure, and your rights in relation to your data.

2. Who We Are

Irish Horseracing Regulatory Board (IHRB)
The Curragh, Co. Kildare, R56 Y668, Ireland
Email: dataprivacy@ihrb.ie
Phone: +353 45 445 600

3. Scope

This Privacy Notice applies to all personal data we collect and process in connection with our statutory and regulatory functions. This includes licensing, integrity services, investigations, doping control, recruitment, supplier management, and CCTV monitoring.

4. What Personal Data We Collect

We collect and process the following categories of personal data, for our regulatory functions:

• Identity Data such as name, date of birth, national ID or passport details, photos, signatures
• Contact Data such as home address, email address, phone numbers
• Financial Data such as bank account details, payment information, transaction records
• Employment and Qualification Data such as CV details, employment history, education, certifications (for recruitment)
• CCTV Footage: images recorded at IHRB premises for safety and security
• Technical Data such as IP address, browser type, device identifiers when using our website
• Usage Data such as details of how you use our website, applications, or services
• Communications Data such as your preferences for receiving communications and any correspondence with us

We may also collect and process Special Category (Sensitive) Personal Data where necessary, and is handled with particular care:

• Health and Medical Data such as information about medical conditions or disabilities required to assess fitness to race.

Processing of this data is carried out only where necessary and permitted by law, such as for employment and regulatory purposes, or where you have given explicit consent. Legal Basis: GDPR Article 9(2)(b) (employment and social security obligations) and Article 9(2)(g) (substantial public interest under Irish law).

5. Purposes and Legal Bases for Processing

We only process personal data when we have a legal basis. These include:

• To meet our legal obligations, including the Rules of Racing and statutory duties
• To perform tasks as a regulator in the public interest.
• To enter into and manage contracts with you.
• Where you have given us clear consent (which you can withdraw at any time).
• Legitimate interests: for administration or security, where these do not override your rights.

Typical purposes include:

• Licensing participants in Irish racing
• Enforcing the Rules of Racing and providing integrity services
• Administering doping control and investigations
• Recruitment and employment management
• Managing supplier and tenderer relationships
• Operating CCTV for safety and security
• Communicating with you about our services and regulatory requirements

6. How We Collect Your Data

We collect personal data:

• Directly from you (e.g. licensing applications, recruitment forms)
• From other authorities and agencies (e.g. Garda Síochána, Horse Racing Ireland, Weatherbys, other racing authorities)
• Automatically through our website and CCTV systems

7. How Long We Keep Your Data

We keep personal data only as long as necessary for our purposes and to comply with legal requirements. For example:

• Licensing data: for the duration of the licence plus a defined retention period
• Recruitment data (unsuccessful candidates): 12 months
• CCTV footage: typically 30 days unless needed for investigation
• Doping control and investigation records: as required under racing rules and statutory obligations

We maintain a data retention policy setting out these periods in detail. Data no longer needed is securely destroyed or deleted.

8. How We Share Your Data

• Processors Acting on Our Behalf

We use trusted service providers (processors) who process personal data only on our documented instructions and under contract. Examples include:

• IT hosting and support providers
• Payment service providers
• Recruitment systems
• Communication and mailing service providers

Processors are required to:

• Act only on our instructions
• Maintain confidentiality and security
• Assist us in meeting your data protection rights
• Delete or return data when no longer required

Where processors are outside the EEA, we ensure appropriate safeguards such as European Commission adequacy decisions or Standard Contractual Clauses.

• Other Independent Data Controllers

We may also share personal data with other independent data controllers where necessary and lawful, including: These recipients are responsible for their own use of your data.

• An Garda Síochána and law enforcement agencies
• Revenue Commissioners and other statutory bodies
• Horse Racing Ireland and the Department of Agriculture, Food and the Marine
• Foreign Turf Authorities (with appropriate safeguards)
• Professional advisers such as auditors and legal counsel

9. International Data Transfers

Where personal data is transferred outside the EEA (for example, to foreign turf authorities), we ensure appropriate safeguards are in place, such as European Commission adequacy decisions or Standard Contractual Clauses.

10. How We Protect Your Data

We implement appropriate technical, organisational, and physical security measures to protect your personal data. This includes secure IT systems, staff training, strict access controls, and regular reviews of our security arrangements.

11. Your Data Protection Rights

You have the following rights under the GDPR (subject to certain conditions):

• Right to be informed and access your personal data
• Right to rectification of inaccurate or incomplete data
• Right to erasure in certain circumstances
• Right to restrict processing in certain circumstances
• Right to data portability in certain circumstances
• Right to object to processing based on public interest or legitimate interests
• Rights in relation to automated decision-making and profiling (not currently used by IHRB)

12. Changes to This Privacy Notice

We may update this Privacy Notice to reflect changes in our practices or legal obligations. The latest version will always be available on our website.

Contact Us

For questions or to exercise your rights, please contact:

Data Protection Officer (DPO)
Email: dataprivacy@ihrb.ie
Phone: +353 45 445 600