Data Protection

GMIT processes personal data about many different types of people such as its current, past or prospective employees, applicants, students, alumni, suppliers, contractors, members of the public, etc. 

This data is processed in order to carry out business and administrative functions and to comply with statutory requirements.

In doing so, the Institute complies with data protection legislation, specifically the GDPR and Data Protection Acts.

Read more on GDPR (External website)


GMIT Privacy Notices

Individuals have the right to know what GMIT does with their personal data.  This information is provided in privacy notices/statements.

Student Privacy Statement

Staff Privacy Statement

Job Applicant Privacy Notice

Website Privacy and Cookies Statement


GMIT Policies

GMIT is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.

GMIT Data Protection Policy (PDF, 293KB)

GMIT CCTV Policy & Procedures (PDF, 272KB)


​Data Protection Principles

  • Personal data shall only be processed fairly, lawfully and in a transparent manner (Principle of Lawfulness, Fairness and Transparency);

  • Personal data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes (Principle of Purpose Limitation);

  • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Principle of Data Minimisation);

  • Personal data shall be accurate, and where necessary, kept up-to-date (Principle of Accuracy);

  • Personal data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the personal data is processed  (Principle of Data Storage Limitation);

  • Personal data shall be processed in a secure manner, which includes having appropriate technical and organisational measures in place to prevent and / or identify unauthorised or unlawful access to, or processing of, personal data; and prevent accidental loss or destruction of, or damage to, personal data (Principles of Integrity and Confidentiality);

Organisations are responsible for, and must be able to demonstrate compliance with, these principles (Principle of Accountability)


Data Subject Rights

Data subjects have a number of rights under the GDPR:

  • The right to information. Data subjects have the right to be provided with certain information about the data processing done within the Institute. GMIT provides this information in its Privacy Notices.

  • The right to obtain access to personal data. Data subjects have the right to be provided with a copy of their personal data along with certain details in relation to the processing of their personal data. CLICK HERE to find out how to make an access request

  • The right to rectification. Data subjects have the right to have inaccurate personal data that the Institute holds in relation to them rectified. In some circumstances, if the personal data is incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.

  • The right to be forgotten (erasure). Individuals have the right to have their data erased in certain situations such as where the data is no longer required for the purpose for which it was collected, the individual withdraws consent or the information is being processed unlawfully. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would render impossible or seriously impair the achievement of the objectives of the research. Individuals can ask the controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved or the processing is unlawful.

  • The right to object and restrict processing. Data subjects have the right to object to specific types of processing which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right.

  • Rights in relation to automated decision making, including profiling. Data subjects have the right not to be subjected to processing which is wholly automated unless one of a number of limited exceptions applies.

  • Right to data portability. Data subjects have the right to request information in a structured, commonly used and machine-readable form so that it can be sent to another data controller. This only applies to personal data that is processed by automated means (not paper records); to personal data which the data subject has provided to the controller, and only when it is being processed on the basis of consent or a contract.

These are not absolute rights and do not always apply.  There continues to be a number of exemptions to these rights to ensure, for example, legal requirements can be met.

GMIT Data Subject Rights Procedure (PDF, 164KB)

Subject Access Requests

To exercise your rights, contact the Data Protection Officer directly.

Academic Transcripts

If you wish to obtain a copy of your academic transcript, please contact the relevant School/Campus as follows:

Further Information

Mary McDonald
Data Protection Officer