Data Protection is the means by which the privacy rights of individuals are safeguarded in relation to the processing of their personal data. The Company needs to collect and use personal data about its employees, customers and other individuals who come into contact with the Company. Those individuals (“data subjects”) have privacy rights in relation to the processing of their personal data. The Company must, therefore, comply with the EU General Data Protection Regulation (“GDPR”) and the Irish Data Protection Acts, 1988 to 2018 (the “DPA”) – known collectively in this policy as “the Data Protection Acts”. The Data Protection Acts confer rights on individuals as well as responsibilities on those who process personal data.
This policy is a statement of the Company’s commitment to protecting the rights and privacy of individuals in accordance with the Data Protection Acts. In addition, it outlines our duties and responsibilities regarding the protection of such Personal Data.
This policy applies to all personal data created or received in the course of Company business in all formats, of any age. Personal data may be held or transmitted in paper, physical and electronic formats or communicated verbally in conversation or over the telephone. This policy applies to: • Any person who is employed or engaged by the Company who processes personal data in the course of their employment or engagement; • Individuals who are not directly employed by the Company, but who are employed by contractors (or subcontractors) and who process personal data in the course of their duties for the Company • This policy applies to all locations from which Company personal data is accessed, including home use.
4. Personal Data and Special Categories of Personal Data
‘Personal data’ means any information relating to an identified or identifiable living person (‘data subject’). It is important to note that the definition of personal data now specifically includes information such as identification numbers, location data and online identifiers. In practice, any data about a living person who can be identified from the data available (or potentially available) will count as personal data. This will include reversibly anonymised (‘pseudonymised’) data, i.e. replacing any identifying characteristics of data with a value which does not allow the data subject to be directly identified (pseudonym). Where a pseudonym is used, it is often possible to identify the data subject by analysing the underlying or related data. Stronger safeguards and requirements are required for ‘special categories of data’ (previously known as ‘sensitive personal data’) under the GDPR. This refers to data falling under the following categories: • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Data concerning health • Data concerning a person’s sex life or sexual orientation • Genetic data • Biometric data.
Personal data falling under these categories can be processed only under specific circumstances, which are described in Article 9(2) of the GDPR. Personal data relating to criminal convictions and offences, while not included in the list of ‘special categories’ of personal data, have extra safeguards applied to processing.
In this policy, the following words shall have the following meanings:
“Act” means the Data Protection Act 2018. “Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
“the Data Protection Regulations” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“the Law” means all or any of: (a) the Data Protection Regulation, (b) the Act, (c) the Data Protection Act 1988, (d) the Data Protection Act 2003, (e) regulations made under the Act, (f) Directive.
“data controller”, “data processor”, “data subjects”, “personal data”, “process”, “processed” and “processing” shall have the meanings respectively, as defined in the Act. Note that “process” and “processing” are defined to include simple events like receiving data into our system or storing it. Processing is not limited to “doing something with it”.
6. Data Protection Policy
The Company undertakes to perform its responsibilities under the legislation in accordance with the Data Protection Acts.
6.1 Data Protection Principles
The Company is responsible for, and must be able to demonstrate, compliance (“accountability”) with the following Data Protection Principles: Personal data shall be: • Processed lawfully, fairly and in a way that is transparent to the data subject (“lawfulness, fairness and transparency”); • Collected, created or processed only for one or more specified, explicit and lawful purpose (“purpose limitation”); • Adequate, relevant and limited to what is necessary for those purposes (“data minimisation”); • Kept accurate and, where necessary, up-to-date (“accuracy”); • Retained no longer than is necessary (“storage limitation”); • Kept safe and secure (“integrity and confidentiality”)
These provisions are binding on every data controller, including the Company. Any failure to observe them would be a breach of the Data Protection Acts. Further explanation of each principle is outlined below.
1) Processing Personal Data Lawfully, Fairly and Transparently
When the Company collects personal data, it has to make certain information available to the person the data relates to. This applies whether the information is collected directly from the individual or from another source.
• This information must be provided via a Data Protection Notice (or Privacy Statement in the case of a website). In addition, the Company must have a legal basis for processing the data. • Where possible, the informed consent of the Data Subject will be sought before their data is processed; Where it is not possible to seek consent, the Company will ensure that collection of the data is justified under one of the other lawful processing conditions – legal obligation, contractual necessity, etc.; • Where the Company intends to record activity on CCTV or video, a Fair Processing Notice will be posted in full view; • Processing of the personal data will be carried out only as part of the Company’s lawful activities, and the Company will safeguard the rights and freedoms of the Data Subject; • The Data Subject’s data will not be disclosed to a third party other than to a party contracted to the Company’s and operating on its behalf.
2) Legal Basis for Processing
The Company will obtain data for purposes which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which the Company holds their data, and the Company will be able to clearly state that purpose or purposes.
3) Process personal data only for one or more specified, explicit and LAWFUL purposes (“purpose limitation”) Any use of the data by the Company will be compatible with the purposes for which the data was acquired.
4) Ensure that personal data being processed is adequate, relevant and not excessive (“data minimisation”) The Company will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by the Company in its capacity as Data Controller.
Access to and management of staff and customer records is limited to those employees who have appropriate authorisation and password access
5) Keep personal data accurate and, where necessary, up-to-date (“accuracy”)
The Company will: • Ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy; • Conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. • Conduct regular assessments in order to establish the need to keep certain Personal Data.
6) Retain personal data no longer than is necessary for the specified purpose or purposes (“storage limitation”) The Company will ensure that the data it processes in relation to Data Subjects are relevant to the purposes for which those data are collected. Data which are not relevant to such processing will not be acquired or maintained.
7) Keep personal data safe and secure (“integrity and confidentiality”) The Company has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and automated format. Once the respective retention period has elapsed the Company undertakes to destroy, erase or otherwise put this data beyond use.
7. Circuit Television Cameras (CCTV)
The Company has CCTV located throughout the property, including external and internal spaces within the building, car parks, pathways and grounds. The Company CCTV system is implemented in a proportionate manner as necessary to protect the Company’s property against theft or pilferage and for the safety and security of employees, customers and visitors to the property (to protect their vital interests).
While CCTV footage is monitored by security staff, access to recorded footage is strictly limited to authorised personnel. The footage is retained for 10 days, except where incidents or accidents have been identified in which case such footage is retained specifically in the context of an investigation of that issue. CCTV footage may be used in the context of disciplinary proceedings involving employees (to protect the vital interests of the Company, employees, customers and affected individuals). CCTV footage is not disclosed to third parties except where disclosure is required by law (such as for the purpose of preventing, detecting or investigating alleged offences) and in such instance’s disclosure is based on a valid request. Signage indicating that CCTV is in use is displayed prominently throughout the property.
8. Breaches of this Policy
If any breach of this Policy is observed, then disciplinary action may be taken in accordance with the Company’s disciplinary procedures as amended or updated from time to time.
9. Data Subject Requests
As part of the day-to-day operation of the organisation, the Company’s staff engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a Data Subject in relation to the data held by the Company’s, such a request gives rise to access rights in favour of the Data Subject.
There are specific timelines within which the Company must respond to the Data Subject, depending on the nature and extent of the request. These are outlined in the attached Subject Access Request document.
The Company’s employees will ensure that, where necessary, such requests are forwarded to the Data Protection Officer in a timely manner, and they are processed as quickly and efficiently as possible, but within not more than 40 days from receipt of the request.
The Company shall implement appropriate measures to makes its employees and other relevant parties aware of the content of this policy document
As a Data Controller, the Company ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation.
Failure of a Data Processor to manage the Company’s data in a compliant manner will be viewed as a breach of contract and will be pursued through the courts.
Failure of the Company’s employees to process Personal Data in compliance with this policy may result in disciplinary proceedings.
11. Supporting Policies, Procedures & Guidelines
This policy supports the provision of a structure to assist in the Company’s compliance with the Data Protection Acts. The policy is not a definitive statement of Data Protection law.
The company shall adhere to all relevant the Data Protection Acts/Codes of Practice issued by the Data Protection Commission and/or other statutory bodies.
12. Monitoring and Review
Provisions contained in this policy document shall be subject to on-going monitoring and review.