Data Protection & Cookies Privacy Policy
Document Control
Reference: GDPR_PRIVACYNOTICE
Issue No: 2.0
Issue Date: 09.07.2025
Page: 1 of 19
- Introduction
The Irish Horseracing Regulatory Board (IHRB) regulates horseracing in Ireland. We are committed to protecting your privacy and personal data in accordance with the law.
As the regulator, the IHRB is responsible for licensing participants, making and enforcing the Rules of Racing, conducting investigations, providing disciplinary functions, administering doping control, and ensuring integrity and fairness in the sport.
In fulfilling these statutory functions, the IHRB acts as a Data Controller under the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This means we decide how and why your personal data is processed and are responsible for safeguarding your rights.
This Privacy Notice explains what personal data we collect, how we use it, who we share it with, how we keep it secure, and your rights in relation to your data.
- Who We Are
Irish Horseracing Regulatory Board (IHRB)
The Curragh, Co. Kildare, R56 Y668, Ireland
Email: [email protected]
Phone: +353 45 445 600
- Scope
This Privacy Notice applies to all personal data we collect and process in connection with our statutory and regulatory functions. This includes licensing, integrity services, investigations, doping control, recruitment, supplier management, and CCTV monitoring.
- What Personal Data We Collect
We collect and process the following categories of personal data, for our regulatory functions:
- Identity Data such as name, date of birth, national ID or passport details, photos, signatures
- Contact Data such as home address, email address, phone numbers
- Financial Data such as bank account details, payment information, transaction records
- Employment and Qualification Data such as CV details, employment history, education, certifications (for recruitment)
- CCTV Footage: images recorded at IHRB premises for safety and security
- Technical Data such as IP address, browser type, device identifiers when using our website
- Usage Data such as details of how you use our website, applications, or services
- Communications Data such as your preferences for receiving communications and any correspondence with us
We may also collect and process Special Category (Sensitive) Personal Data where necessary, and is handled with particular care:
- Health and Medical Data such as information about medical conditions or disabilities required to assess fitness to race.
Processing of this data is carried out only where necessary and permitted by law, such as for employment and regulatory purposes, or where you have given explicit consent. Legal Basis: GDPR Article 9(2)(b) (employment and social security obligations) and Article 9(2)(g) (substantial public interest under Irish law).
- Purposes and Legal Bases for Processing
We only process personal data when we have a legal basis. These include:
- To meet our legal obligations, including the Rules of Racing and statutory duties
- To perform tasks as a regulator in the public interest.
- To enter into and manage contracts with you.
- Where you have given us clear consent (which you can withdraw at any time).
- Legitimate interests: for administration or security, where these do not override your rights.
Typical purposes include:
- Licensing participants in Irish racing
- Enforcing the Rules of Racing and providing integrity services
- Administering doping control and investigations
- Recruitment and employment management
- Managing supplier and tenderer relationships
- Operating CCTV for safety and security
- Communicating with you about our services and regulatory requirements
- How We Collect Your Data
We collect personal data:
- Directly from you (e.g. licensing applications, recruitment forms)
- From other authorities and agencies (e.g. Garda Síochána, Horse Racing Ireland, Weatherbys, other racing authorities)
- Automatically through our website and CCTV systems
- How Long We Keep Your Data
We keep personal data only as long as necessary for our purposes and to comply with legal requirements. For example:
- Licensing data: for the duration of the licence plus a defined retention period
- Recruitment data (unsuccessful candidates): 12 months
- CCTV footage: typically 30 days unless needed for investigation
- Doping control and investigation records: as required under racing rules and statutory obligations
We maintain a data retention policy setting out these periods in detail. Data no longer needed is securely destroyed or deleted.
How We Share Your Data
- Processors Acting on Our Behalf
We use trusted service providers (processors) who process personal data only on our documented instructions and under contract. Examples include:
- IT hosting and support providers
- Payment service providers
- Recruitment systems
- Communication and mailing service providers
Processors are required to:
- Act only on our instructions
- Maintain confidentiality and security
- Assist us in meeting your data protection rights
- Delete or return data when no longer required
Where processors are outside the EEA, we ensure appropriate safeguards such as European Commission adequacy decisions or Standard Contractual Clauses.
- Other Independent Data Controllers
We may also share personal data with other independent data controllers where necessary and lawful, including: These recipients are responsible for their own use of your data.
- An Garda Síochána and law enforcement agencies
- Revenue Commissioners and other statutory bodies
- Horse Racing Ireland and the Department of Agriculture, Food and the Marine
- Foreign Turf Authorities (with appropriate safeguards)
- Professional advisers such as auditors and legal counsel
- International Data Transfers
Where personal data is transferred outside the EEA (for example, to foreign turf authorities), we ensure appropriate safeguards are in place, such as European Commission adequacy decisions or Standard Contractual Clauses.
- How We Protect Your Data
We implement appropriate technical, organisational, and physical security measures to protect your personal data. This includes secure IT systems, staff training, strict access controls, and regular reviews of our security arrangements.
- Your Data Protection Rights
You have the following rights under the GDPR (subject to certain conditions):
- Right to be informed and access your personal data
- Right to rectification of inaccurate or incomplete data
- Right to erasure in certain circumstances
- Right to restrict processing in certain circumstances
- Right to data portability in certain circumstances
- Right to object to processing based on public interest or legitimate interests
- Rights in relation to automated decision-making and profiling (not currently used by IHRB)
- Cookies Policy
A cookie is a small text file that is placed on your device by a web server, which we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive. Our Website(s) uses cookies to distinguish you from other users of our Website(s). This helps us to provide you with a better experience when you browse our Website(s) and also allows us to improve the Website(s). Cookies also help us to improve our Service and to deliver many of the functions that make your browser experience more user-friendly. Those cookies are set by us and called first-party cookies.
We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the purposes set out in the tables below.
We use the following types of cookies:
| Strictly necessary (essential) cookies |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Analytical or performance cookies |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Functionality cookies |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Targeting cookies |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
- First Party Cookies
You can find a list of first party cookies we use and the purposes for which we use them in the table below.
| Strictly Necessary (Essential) | |||
| Cookies | Website | Puprose | Duration |
| *-Dismissed | All | (IHRB To keep track of the user selection for dismissing the newsletter popup | 7 days |
| __cf_logged_in | All | (Cloudflare) Cloudflare security firewall | 1 year |
| __RequestVerificationToken | All | (IHRB) This is an anti-forgery cookie set by web application built using ASP.NET MVC technologies. It is designed to stop unauthorised posting of content to a website, known as Cross-Site Request Forgery. It holds no information about the user and is destroyed on closing the browser | session |
| All Cookies Accepted | All | (IHRB) Cookie used to distinguish that cookies are allowed on the site | 6 months |
| ASP.NET_SessionId | All | (IHRB) General purpose platform session cookie, used by sites written with Microsoft.NET based technologies. Usually used to maintain an anonymised user session by the server | session |
| AspNetCore.Antiforgery | All | (IHRB) This is a general-purpose platform session cookie, used by sites written with Microsoft.NET based technologies. It is usually used to maintain an anonymised user session by the server. | session |
| ClientLogin | All | (IHRB Required to store data required for user login to website | 1 year |
| CMSCookieLevel | All | (IHRB) This cookie is used to determine the level of functionality the Kentico CMS can provide based on the user's choice of cookie level | 1 year |
| FGTServer | All | (IHRB) The value of the cookie encodes the server that traffic should be directed to in a web server load-balanced environment | 1 Hour |
| HRI Accepted | All | (IHRB) Used to determine if cookie has been accepted. | 1 year |
| sparrow_id | All | (Cloudflare) Cloudflare security firewall | 1 year |
| Analytical Cookies | Website(s) | Purpose | Duration |
| _cf_bm | All | (Cloudflare) This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website | 30 minutes |
| _ga | All | (Google) This cookie name is associated with Google Universal Analytics- which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the site's analytics reports | 2 years |
| _gat | All | (Google) This cookie is part of Google Analytics and is used to limit requests (throttle request rate). | 1 minute |
| _gat_gtag_UA_* | All | (Google) This cookie is part of Google Analytics and is used to limit requests (throttle request rate). | 1 minute |
| _gid | All | (Google) This cookie is set by Google Analytics. It stores and update a unique value for each page visited and is used to count and track page views. | 1 day |
| Functional Cookies | Website(s) | Purpose | Duration |
| __cflb | All | (Cloudflare) This cookie is used by Cloudflare for load balancing | 23 hours |
- Third-Party Cookies
Please note that a number of third parties may also use cookies. These named third parties may include, for example, advertising networks and providers of external services like web traffic analysis services. These third-party cookies help us to improve our Service and to deliver many of the functions that make your browser experience more user-friendly.
You can find a list of third-party cookies we use and the purposes for which we use them in the table below.
| Strictly Necessary | ||||
| Analytical Cookies | Website(s) | Purpose | Duration | |
| APISID | All |
| Persistant | |
| VISITOR_INFO1_LIVE | All | (Google) This cookie is set by YouTube to keep track of user preferences for YouTube videos embedded in sites. It can also determine whether the website visitor is using the new or old version of the YouTube interface | 6 months | |
| YSC | All | (Google) This cookie is set by YouTube to track views of embedded Videos. | Session | |
| test_cookie | All | (Google) This cookie is set by DoubleClick (which is owned by Google) to determine if the website visitor's browser supports cookies. | 15 minutes | |
| Targeting Cookies | Website(s) | Purpose | Duration | |
| __Secure-1PAPISID | All | (Google) Builds a profile of website visitor interests to show relevant and personalised ads through retargeting | 2 years | |
| __Secure-1PSID | All | (Google) Used to profile the interests of website visitors and display relevant and personalised Google ads. | 2 yeas | |
| __Secure-1PSIDCC | All | (Google) Used for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising. | 2 years | |
| __Secure-3PAPISID | All | (Google) Builds a profile of website visitor interests to show relevant and personalised ads through retargeting | 2 years | |
| __Secure-3PSID | All | (Google) Used to profile the interests of website visitors and display relevant and personalised Google ads. | 2 years | |
| __Secure-3PSIDCC | All | (Google) Used to profile the interests of website visitors and display relevant and personalised Google ads. | 2 years | |
| _fbp | All | (Meta) The '_fbp' cookie identifies browsers for the puposes of providing advertising and site analytical services and has a lifespan of 90 days | 3 months | |
| _gcl_au | All | (Google) Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. | 3 months | |
| 1P_JAR | All | (Google) Based on recent searches and previous interactions, custom ads are placed on Google websites | 1 week | |
| AES | All | (Google) ensure that requests within a browsing session are made by the user, and not by other sites. | 2 years | |
| AnalyticsSyncHistory | All | (LinkedIn) Used to store information about the time a sync took place with the las_analytics cookie | 1 month | |
| bcookie | All | (LinkedIn) Used for remembering that a logged in user is verified by two factor authentication | 1 year | |
| HSID | All | (Google) Contain digitally signed and encrypted records of a user's Google Account ID and most recent sign-in time. | 2 years | |
| IDE | All | (Google) This cookie is set by Doubleclick and carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website | 1 year | |
| lang | All | (LinkedIn) Used to store consent of guests regarding the use of cookies for non-essential purposes | session | |
| li_gc | All | (LinkedIn) Used to store consent of guests regarding the use of cookies for non-essential purposes | 1 month | |
| lidc | All | (LinkedIn) To facilitate data centre selection | 1 day | |
| Li_sugar | All | (LinkedIn) sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant | 2 months | |
| Ln_or | All | (LinkedIn) This cookie registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator | 1 day | |
| NID | All | (Google) Stores visitor preferences and personalises ads on Google sites based on recent searches and interactions | 6 months | |
| SEARCH_SAMESITE | All | (Google) Used to prevent the browser from sending the cookie along with cross-site requests | 2 years | |
| SID | All | (Google) Google Analytics customisation cookie. used by the Google + 1 sharing button and is required to link content to your Google + 1 account | 2 years | |
| SIDCC | All | (Google) Security cookie to confirm visitor authenticity, prevent fraudulent use of credentials, and protect visitor data from unauthorised access | 3 months | |
| UserMatchHistory | All | (LinkedIn) LinkedIn Ads ID syncing | 1 month |
- How to manage or turn off cookies
The ‘Help Menu’ on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. You can also disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-ons settings or visiting the website of its manufacturer.
Further information about cookies and how to disable them can be found at www.allaboutcookies.org or ico.org.uk/your-data-matters/online/cookies. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies), you may not be able to fully experience the interactive features of our Service/Website or other related websites/applications which you visit/use.
- Changes to This Privacy Notice
We may update this Privacy Notice to reflect changes in our practices or legal obligations. The latest version will always be available on our website.
Contact Us
For questions or to exercise your rights, please contact:
Data Protection Officer (DPO)
Email: [email protected]
Phone: +353 45 445 600