ARTICLE
14 October 2025

A DPC Toolkit For Vulnerable People

RL
RDJ LLP

Contributor

At RDJ, we combine legal insight and human intelligence to deliver long-lasting business impact. As one of Ireland’s leading corporate law firms, we’re as ambitious for your business as you are. With offices in Cork, Dublin, Galway and London, we represent clients from scaling and established Irish companies to multinationals, financial institutions and global insurance companies with unique cross-sectoral expertise. We build meaningful relationships with clients and counsel to deliver tangible value for more sustainable businesses, becoming our client’s most trusted advisors and the number one employer of choice for legal talent in Ireland. And, by investing in the progress of our people and harnessing new technologies, we power agile decision-making that adds long-term value every step of the way. Legal Insights. Human Intelligence. Business Impact
On 31 July 2025, the Data Protection Commission (DPC) launched the Adult Safeguarding Toolkit. This resource is designed to guide organisations and professionals who process the personal data of vulnerable...
Ireland Privacy
Jennifer Noctor’s articles from RDJ LLP are most popular:
  • in United States
  • with readers working within the Accounting & Consultancy, Banking & Credit and Insurance industries
RDJ LLP are most popular:
  • within International Law, Transport, Media, Telecoms, IT and Entertainment topic(s)

Background

On 31 July 2025, the Data Protection Commission (DPC) launched the Adult Safeguarding Toolkit. This resource is designed to guide organisations and professionals who process the personal data of vulnerable or 'at-risk' adults. The toolkit aims to ensure compliance with data protection legislation while promoting best practices for safeguarding sensitive information.

The toolkit aligns with the DPC's Regulatory Strategy 2022–2027, which prioritises a consistent approach to data protection, the promotion of equality, the prevention of discrimination, and the protection of vulnerable groups' data. The toolkit sits alongside the DPC's guidance for safeguarding children's rights [ see our RDJ insight on data protection toolkit for schools ] and was developed in close collaboration with stakeholders in the safeguarding sector, including the HSE, Sage Advocacy, and Safeguarding Ireland. The primary focus is to support staff in healthcare and social care settings in making informed decisions about data processing, data sharing with third parties, and handling information related to criminal offences.

Defining 'Vulnerable' and 'At-Risk' Adults

The toolkit adopts a broad definition of 'vulnerable' and 'at-risk' adults:

"A person who, by reason of their physical or mental condition or other particular personal characteristics or family or life circumstance, is in a vulnerable situation and/or at risk of harm and needs support to protect themselves from harm at a particular time."

This definition encompasses individuals with physical or mental conditions, young adults with additional needs, victims of domestic violence, coercive control, financial abuse, or trafficking, and those experiencing homelessness.

Legal Considerations

Article 5 of the GDPR sets out the core principles for processing personal data, with lawfulness, fairness, and transparency at its heart. 'Processing' covers any operation performed on personal data, including collection, recording, storage, sharing, or use. When processing personal data relating to a vulnerable person, you are expected to go further than standard GDPR compliance.

The toolkit provides article-by-article guidance on GDPR compliance, clarifying when sensitive data may be shared—such as with consent, in performance of a contract, to comply with a legal obligation, or for vital, public, or legitimate interests. Where legitimate interest is relied upon a detailed balancing test must be carried out to show that the rights of the individual are not overridden.

Organisations processing such data must ensure a lawful basis for processing under Article 6 and use a risk-based approach that considers the nature, scope, context, and purpose of processing. If processing health , biometric, ethnicity or other sensitive data, controllers must also meet the requirements of Article 9, such as health care provisions, public interest in safeguarding , vital interests or defence of legal claims . It is important to align risk assessment with other relevant safeguarding laws in place such as the Children First Act 2015. There is also a higher expectation to have enhanced security measures in place as breaches could have a potential for greater harm for vulnerable individuals. Security like encryption, restricted access, and staff training should be considered. In line with the principle of accountability under data protection law, controllers should keep a record of the decision-making process to protect both sides.

Practical Resources

The toolkit includes practical templates and examples to help organisations implement mandatory data protection measures. Notably, it provides:

  • Guidance on conducting balancing exercises and weighing the need for the processing against the individual's rights. This requires stricter controls to ensure controllers consider the purpose/ necessity of the processing, the impact to the individual of such processing and the safeguards in place to mitigate the risk.
  • A sample Data Protection Impact Assessment (DPIA) template to help identify and mitigate risks early. A DPIA for vulnerable persons should go further than a standard DPIA and pay special attention to power imbalances and reduced autonomy. It is vital that it is documented why the processing is in their best interest and ensure that extra safeguards and transparency is built into the process.
  • Checklists for data sharing and risk-based assessments to protect both the individual's rights and the decision made by an organisation to ensure it's lawful, necessary and proportionate.
  • A section on drafting Privacy Policies. Again, this should go further than your standard privacy policy and explain clearly why the data is collected, what special safeguards are in place and how the rights are supported with formats adopted for accessibility.

Conclusion

The intention of the toolkit is for organisations to have the tools and knowledge to safeguard personal data and uphold the rights of vulnerable individuals. It is intended to empower both data controllers and data subjects to engage confidently with their obligations and rights as the digital landscape evolves.

RDJ's data protection team regularly deal with queries from clients in relation to data subject rights. GDPR is often used as a blanket refusal when processing such data without considering other lawful bases and proportionality. There can be a natural reluctance and concern when processing personal data relating to a vulnerable individual which sometimes results in paralysis in decision making that can potentially put the vulnerable person at more risk. The toolkit reassures controllers of such data that GDPR is not to be used as a barrier. The key aspect is to act proportionally and document the lawful basis and reasoning for processing and the toolkit provides the means to do so.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More