GDPR-compliant databases

Databases containing personal information must be compliant with GDPR.

Data held on databases must be:

  • used only for the purpose for which it was collected
  • held in the agreed location, not being moved or copied without permission


  • Databases cannot be shared across the organisation or with third parties without a legitimate reason for sharing
  • Database access is confined to staff using it for work duties
  • Third parties being given access to databases must sign the HSE Data Processing Agreement before accessing any identifiable data. This is in compliance with Article 28 General Data Protection Regulation (GDPR).

GDPR records of processing activities template (Excel, 580KB)