Introduction
Covid Community Response (hereinafter referred to as ‘the Organisation’) needs to gather and use certain
information about individuals. Covid Community Response is made up of local volunteers who support
vulnerable people during the Coronavirus outbreak. The service is set up to help the residents of
Ireland with tasks such as shopping, transport, befriending, and basic support during isolation caused
by the virus. This policy describes how this personal data must be collected, handled and stored to meet
the Organisation’s data protection and privacy standards, and to comply with the law. The Organisation
is established in the Republic of Ireland; this document is therefore written with reference to Irish data
protection law, as the Organisation falls under the jurisdiction of the Irish Data Protection Commission.
Why this policy exists
This policy ensures the Organisation:
- Complies with data protection and privacy law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection and privacy law
The Organisation must comply with the data protection and privacy principles set out in the relevant data protection
and privacy law.

State and/or Country of Incorporation: Ireland

Applicable Law:
- General Data Protection Regulation (EU Regulation 2016/679)
- Data Protection Act 2018
- Regulations flowing from the Data Protection Act 2018
- Data Protection Act 1988 (Revised)
- ePrivacy Regulations 2011, implementing the EU Privacy and Electronic Communications Directive 2002/58/EC,
  otherwise known as the ePrivacy Directive (ePD)
- Electronic Commerce Act 2000
- Criminal Justice (Offences Relating to Information Systems) Act 2017
These laws describe how organisations must collect, handle and store personal information. These rules
apply regardless of whether data is stored electronically, on paper or on other materials. To comply
with the law, personal information must be collected and used fairly, stored safely and not disclosed
unlawfully.
Not all representatives of the Organisation will be expected to be experts in data protection and privacy
law. However, the Organisation is committed to ensuring that its representatives have sufficient awareness of the
law to be able to anticipate and identify a data protection or privacy issue, should one arise.
In such circumstances, representatives must ensure that the DPCO is informed so that appropriate corrective
action can be taken.
The General Data Protection Regulation is underpinned by the following principles, which are
explained in detail herein. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area, unless the receiving country or territory also ensures an adequate level of protection
The Organisation as a Data Controller
An organisation responsible for deciding how Personal Data is held and used is called a ‘data controller’.
The Organisation processes Personal Data as a data controller according to the principles and rules captured
herein.
In addition to the above, the Organisation exchanges Personal Data with Service Providers on the
Data Subjects’ behalf in order to fulfil services to Data Subjects. This is performed consistently with
the obligations of the Organisation under the terms of contracts with Service Providers.
Service Providers may be Third Parties or Data Processors. Where required by law, a formal, written contract is in
place with the Service Provider, outlining their obligations in relation to the Personal Data, the
specific purpose or purposes for which they are engaged, and the understanding that they will process
the data in compliance with data protection and privacy law.
This Policy provides the guidelines for this exchange of information, as well as the procedure to follow
in the event that a representative of the Organisation is unsure whether such data can be disclosed. In
general terms, the representative should consult with the DPCO to seek clarification.
People, Risks and Responsibilities
Policy scope
This Policy applies to all Personal Data collected, processed and stored by the Organisation in relation
to its
- directors,
- employees,
- contractors,
- representatives,
- associates,
- service providers,
- service users,
- people who have accessed, used or subscribed to Information Services of the Organisation,
  including web platforms and other applications,
- end users of services, or
- the general public, or other data subjects and other connections as applicable,
in the course of its activities.
This policy applies to:
- The general operations of the Organisation
- All staff of the Organisation
- All contractors, suppliers and other people working on behalf of the Organisation
This Policy applies to all data that the Organisation holds relating to living individuals, even if that
information technically falls outside of the General Data Protection Regulation 2016/679. This can
include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- ...plus any other information relating directly or indirectly to an individual
This Policy covers both personal and special category Personal Data held in relation to data subjects by
the Organisation. This Policy applies equally to Personal Data held in manual and automated form. All
Personal and Special Category Data will be treated with appropriate care by the Organisation. Both
categories will be referred to equally as personal data or data in this Policy, unless specifically
stated otherwise.
The Organisation is committed not only to the letter of the law, but also to the spirit of the law and
places high importance on the correct, lawful and fair handling of all Personal Data, respecting the
legal rights, privacy and trust of all individuals with whom it deals.
Data protection risks
This policy helps to protect the Organisation from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how
  the Organisation uses data relating to them.
- Reputational damage. For instance, the Organisation could suffer if hackers successfully
  gained access to sensitive data.
Data Protection Co-Ordinator (DPCO)
General
Under the General Data Protection Regulation (GDPR) it is not mandatory for the Organisation to have a
formally appointed Data Protection Officer (DPO); instead, the role of Data Protection Co-Ordinator will be
fulfilled by Andrea Manning of Data Influence. This role facilitates compliance and ensures that, in carrying
out its “core activities” (the primary services provided by the Organisation), all private individuals’ data
held and processed by the Organisation, including that of internal representatives, service users and third
parties, is appropriately protected in line with their regulatory rights.
The contact details of the DPCO will be published to all data subjects (internal and external) and the
generic privacy address will be provided. The name of the DPCO does not need to be publicly published.
The DPCO will attend to any matters involving data protection at the earliest possible
stage, including privacy impact assessments, data processing activities that may affect data
subjects, and incidents which affect the data of subjects. This may involve the DPCO
engaging external professional support. Where it is decided not to follow the expert
advice of a data protection specialist, the matter under discussion, the discussion itself, the
professional recommendation, and the reasons for not adhering to the recommendation must be
formally recorded.
The DPCO has been and will continue to be educated and upskilled in order to ensure best
practice within their role as DPCO.
Responsibilities of the DPCO
The DPCO must monitor the ongoing processing and storage of Personal Data by the Organisation via:
- collection of information to identify processing activities;
- where required to do so by law, maintenance of the “record of processing operations”, a document
  required by the GDPR which details all the Personal Data processing activities of the Organisation;
- analysis and checking of the compliance of processing activities with the GDPR, the Data
  Protection Acts, and internal policies.
This will be accomplished via technical controls, reviews, assessments, and audits.
Data Protection Impact Assessments
It is the task of the Organisation to carry out Data Protection Impact Assessments (DPIAs) as necessary.
Whether a DPIA is carried out in-house or outsourced, the DPCO provides advice and guidance at each stage,
including on:
- whether or not to carry out a DPIA
- what methodology to follow when carrying out a DPIA
- whether to carry out the DPIA in-house or whether to outsource it
- what safeguards (including technical and organisational measures) to apply to
  mitigate any risks to the rights and interests of the data subjects
- whether or not the DPIA has been correctly carried out and whether its conclusions (whether to go
  ahead with the processing and what safeguards to apply) are in compliance with the GDPR
Responsibilities
Everyone who works for or with the Organisation has some responsibility for ensuring data is collected,
stored and handled appropriately.
Everyone who handles personal data must ensure that it is handled and processed in line with
this policy and data protection and privacy principles. This includes contractors and sub-contractors.
However, the following people have key areas of responsibility:

The DPCO is responsible for:
- Reviewing all data protection and privacy procedures and related policies, in
  line with an agreed schedule.
- Arranging data protection and privacy training and advice for the people covered by
  this policy.
- Handling data protection and privacy questions from staff and anyone else covered by
  this policy.
- Dealing with requests from individuals to see the data the Organisation holds about
  them (also called ‘subject access requests’).
- Checking and approving any contracts or agreements with third parties that may
  handle the Organisation’s sensitive data.

The Development Team is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable
  security standards.
- Performing regular checks and scans to ensure security hardware and software is
  functioning properly.
- Evaluating any third-party services the Organisation is considering using to store or
  process data, for instance cloud computing services.

The DPCO and the Development Team are jointly responsible for:
- Approving any data protection and privacy statements attached to communications such
  as emails and letters.
- Addressing any data protection and privacy queries from journalists or media outlets
  such as newspapers.
- Where necessary, working with other staff to ensure marketing initiatives abide by
  data protection and privacy principles.
General staff guidelines
- The only people able to access data covered by this policy should be those who need it for
  their work.
- Data should not be shared informally. When access to confidential information is required,
  employees can request it from their line managers.
- The Organisation will provide training to all employees to help them understand their
  responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the
  guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within
  the Organisation or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no
  longer required, it should be deleted and disposed of securely.
- Employees should request help from their line manager or the DPCO if they are unsure
  about any aspect of data protection or privacy.
Data Management Rules
Data storage
These rules describe how and where data should be safely stored. Questions about storing
data safely can be directed to the Development Team or the DPCO.

When data is stored on paper, it should be kept in a secure place where unauthorised
people cannot see it. These guidelines also apply to data that is usually stored electronically but has
been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing
  cabinet.
- Employees should make sure paper and printouts are not left where unauthorised
  people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion
and malicious hacking attempts:
- Data should be protected by strong, unique passwords that are never shared between employees
  and are changed promptly whenever compromise is suspected.
- If data is stored on removable media (like a CD, DVD or USB drive), these should be kept locked
  away securely when not being used.
- Data should only be stored on designated drives and servers and should only be
  uploaded to approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from
  general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in
  line with the Organisation’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or
  smart phones.
- All servers and computers containing data should be protected by
  approved security software and a firewall.
Data use
Personal data is of no value to the Organisation unless it can make use of it.
However, it is when personal data is accessed and used that it is at the greatest risk of
loss, corruption or theft:
- When working with personal data, employees should ensure the screens of their computers are
  always locked when left unattended.
- Personal data should not be shared informally.
- Personal data should never be transferred outside of the European Economic Area.
Data accuracy
The law requires the Organisation to take reasonable steps to ensure data is kept accurate
and up to date.
The more important it is that the personal data is accurate, the greater the effort the Organisation
should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure
it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff and contractors should not create any
  unnecessary additional data sets.
- The Organisation will make it easy for data subjects to update the information the
  Organisation holds about them, for instance via the Organisation’s website.
- Data should be updated as inaccuracies are discovered. For instance, if a user can no longer
  be reached on their stored telephone number, it should be removed from the database.
The Data Protection Principles Explained
This Policy aims to ensure compliance with the data protection and privacy law, particularly the GDPR.
The GDPR sets out the following principles with which any party handling Personal Data must comply.
Article 5 in the GDPR states that all Personal Data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Collected for specified, explicit and legitimate purposes and not further processed in
  a manner that is incompatible with those purposes; further processing for archiving purposes in the
  public interest, scientific or historical research purposes or statistical purposes shall not be considered
  to be incompatible with the initial purposes, subject to appropriate safeguards and provided that
  there is no risk of breaching the privacy of the data subject;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which
  it is processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken
  to ensure that Personal Data that is inaccurate, having regard to the purposes for
  which it is processed, is erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is
  necessary for the purposes for which the Personal Data is processed; Personal Data
  may be stored for longer periods insofar as the Personal Data will be processed solely
  for archiving purposes in the public interest, scientific or historical research purposes
  or statistical purposes, subject to implementation of the appropriate technical and
  organisational measures required by the GDPR in order to safeguard the rights and
  freedoms of the data subject;
- Processed in a manner that ensures appropriate security of the Personal Data, including
  protection against unauthorised or unlawful processing and against accidental loss, destruction
  or damage, using appropriate technical or organisational measures.
Article 5(2) states that the Controller is responsible for and must be able to demonstrate
compliance with the Data Protection Principles.
Lawful, Fair and Transparent Data Processing
The GDPR seeks to ensure that Personal Data is processed lawfully, fairly and transparently, without
adversely affecting the rights of the data subject. The GDPR states that processing of Personal Data
shall be lawful if at least one of the following applies:
- Processing is necessary for the purposes of the legitimate interests pursued by the
  controller or by a third party, except where such interests are overridden by the fundamental rights
  and freedoms of the data subject which require protection of Personal Data, in particular where the
  data subject is a child;
- Processing is necessary for the performance of a contract to which the data subject
  is a party or in order to take steps at the request of the data subject prior to entering
  into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller
  is subject;
- The data subject has given consent to the processing of his or her Personal Data for
  one or more specific purposes;
- Processing is necessary in order to protect the vital interests of the data subject or
  of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest
  or in the exercise of official authority vested in the controller.
The Organisation will ensure that at least one of the conditions outlined above will be satisfied whenever
any processing activities take place.
In order to obtain Personal Data fairly and in a transparent manner, the Organisation will make the data
subject aware of the following at the time the data is collected directly:
- Identity of the Data Controller and the DPCO
- Purpose and legal basis for processing. An explanation of the legitimate interest of the
  Organisation will be provided if it is being used as the legal basis.
- Data subject’s rights to withdraw consent and to request access, rectification or restriction
  of processing.
- Data subject’s right to complain to the relevant supervisory authority
- Recipients of the Personal Data.
- Storage periods or criteria used to determine the length of storage.
- Legal basis for any intended international transfer of data to a third country or international
  organisation, including whether the receiving country is covered by an adequacy decision of the
  European Commission or other appropriate safeguards are in place, and how to obtain a copy of those
  safeguards.
In situations where the data is not being collected directly from the data subject, the Organisation
will provide the source along with the other information listed above to the data subject within a
reasonable period after obtaining the data but not more than one month. Information will not be provided
to the data subject if it will require disproportionate effort or it would render it impossible or
seriously impair the purpose of the data processing.
The Data Subjects’ Personal Data will not be disclosed to a third party other than to a party
contracted to the Organisation and operating on its behalf.
Processed for Specified, Explicit and Legitimate Purposes
The Organisation follows this purpose limitation principle and only collects and processes Personal Data
for the specific purposes set out in the “Record of Processing Activities” document held by the Organisation,
where required. Data subjects will be informed of the purposes for which the Organisation processes their
Personal Data at the time it is collected, or within one month if it is obtained from a third party.
The Organisation will not further process Personal Data in a manner that is incompatible
with those purposes unless:
- the consent of the data subject has been obtained, or
- the further processing is for archiving purposes in the public interest or scientific
  and historical research or statistical purposes and the appropriate safeguards are in
  place and there is no risk of breaching the privacy of the data subject.
Adequate, Relevant and Limited Data Processing
The Organisation follows this data minimisation principle and only collects and processes
Personal Data for, and to the extent necessary for, the specific purpose(s) notified to data
subjects.
Accuracy of Data and Keeping Data Up to Date
The Organisation will ensure that all Personal Data collected and processed is kept accurate
and up-to-date. The accuracy of data will be checked when it is collected. Where any inaccurate or
out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that
data, as appropriate. In particular, the Organisation will amend inaccurate data which has been notified
to it by the Data Subject or which is revealed as a result of a subject access request.
Timely Processing
The Organisation follows this storage limitation principle and does not keep Personal Data
for any longer than is necessary in light of the purposes for which that data was originally
collected and processed.
The Organisation will verify whether statutory data retention periods exist in relation to the
type of processing e.g., Personal Data may need to be kept in order to comply with tax, health and safety,
or employment regulations etc. If the law is silent, internal data retention periods will be set to meet the
storage limitation principle.
Retention periods will be set considering the purpose or purposes for which the data is collected and
used, and once the storage periods expire, data will be securely deleted or destroyed in the absence of a
sound new lawful basis to retain it. However, Personal Data may be stored for longer periods by the
Organisation insofar as the Personal Data will be processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes, provided appropriate safeguards
are in place, e.g. irreversible anonymisation.
The Organisation keeps record of this in the “Record of Processing Activities” document.
Secure Processing
The Organisation will ensure that all Personal Data collected and processed is kept secure
and protected against unauthorised or unlawful processing and against accidental loss,
destruction or damage. The state of technological development, the cost of implementing
the measures, the nature of the data concerned and the degree of harm that might result
from unauthorised or unlawful processing are all considered when the Organisation is
determining the security measures to be put in place.
Accountability
Under the GDPR, organisations are obliged to demonstrate that their processing activities
are compliant with the Data Protection Principles. The principle of accountability seeks to
guarantee the enforcement of the Principles.
The Organisation will demonstrate compliance in the following ways:
- Where required by law, by keeping an internal record of all Personal Data collected, held or
  processed as per Article 30, “Records of Processing Activities”. Upon request, these records will
  be disclosed to the relevant supervisory authority.
  When the Organisation is acting as a Data Controller this record will contain the following:
  - Contact details of the Controller/representative/Data Protection Officer
  - List of Personal Data being processed
  - Categories of data subjects
  - Processing activities
  - Categories of recipients with whom the data will be shared
  - Retention periods
  - Deletion methods
  - International transfers and measures in place to ensure they are lawful
  - Detailed descriptions of the security measures implemented in respect
    of the processed data
  When the Organisation is acting as a Data Processor this record will contain the following:
  - Name of the Controller
  - Name of the Data Protection Officer
  - Categories of processing carried out on behalf of the Controller
  - International transfers and measures in place to ensure they are lawful
- By conducting a Data Protection Impact Assessment (DPIA) to assess the potential risks arising out of
  any new processing activity, as the GDPR requires where the processing is likely to result in a high risk
  to data subjects. The Organisation will carry out Assessments whenever any new processing activity is
  proposed, especially where it involves new technologies that may result in a high degree of risk for
  data subjects. If, after the DPIA has been carried out, not all the risks can be mitigated, the
  Organisation will consult with the relevant supervisory authority. The DPIA will be overseen by
  the DPCO of the Organisation and the DPIAs will be filed and retained as proof of compliance.
- The Organisation will appoint a Data Protection Officer in place of the DPCO if required,
  i.e. if its core data processing activities involve:
  - Regular and systematic monitoring of data subjects on a large scale; or
  - Processing special category Personal Data on a large scale.
- The Organisation maintains a data protection and privacy document framework, i.e. policies and procedures,
  training records etc.
- The Organisation ensures that data protection by design is addressed throughout the life cycle of
  any processing activity, but especially at the time of planning the means and type of processing
  and during the processing itself. Necessary safeguards are integrated into the systems of the
  Organisation, with data minimisation and pseudonymisation used as privacy enhancing tools.
  The Organisation assesses the risks of a process and mitigates those risks in order to meet
  the data protection by design requirements.
- The Organisation also ensures that data protection by default is implemented by choosing the most
  data protective setting as the default, i.e. users will have to opt in to any settings that present
  greater risks. By default, only the Personal Data that is necessary is processed.
Special Category Data
At times the Organisation may be required to process special category data. The Data Subject will be
notified of this at the data collection point. The Organisation will only process special category data
on one of the following grounds:
- Explicit Consent – The individual has given their clear and unambiguous explicit consent.
- Legal obligation related to employment – The processing is necessary for the purposes of
  carrying out a legal obligation and exercising specific rights of the Organisation or of the
  individual in the field of employment, social security law or for a collective agreement.
- Vital interests – The processing is necessary to protect the vital interests of the
  individual or of another person where the data subject is physically or legally incapable
  of giving consent.
- Not-for-Profit bodies – The processing is carried out in the course of the legitimate
  activities, with appropriate safeguards, of the Not-for-Profit body and on condition that the
  processing only relates to members or related persons, or to former members of the body, or to
  persons who have regular contact with it in connection with its purposes, and the Personal Data
  is not disclosed outside that body without consent.
- Public Information – The processing relates to Personal Data which is manifestly made
  public by the individual.
- Legal Claims – The processing is necessary for the establishment, exercise or defence
  of legal claims or whenever courts are acting in their judicial capacity.
- Substantial public interest – The processing is necessary for reasons of substantial
  public interest.
- Healthcare – The processing is necessary for the purposes of preventive or occupational
  medicine (i.e. healthcare purposes), for the assessment of the working capacity of the employee,
  medical diagnosis, the provision of health or social care or treatment or the management of health
  or social care systems and services on the basis of EU or Irish law, or pursuant to contract with
  a health professional, and is subject to suitable safeguards.
- Public Health – The processing is necessary for reasons of public interest in the area of public
  health and is subject to suitable safeguards.
- Archiving – The processing is necessary for archiving purposes in the public interest, scientific or
  historical research purposes or statistical purposes and is based on EU or Irish law.
Data Subject Rights and Access Requests
The Organisation has a separate and detailed procedure for handling data subject rights requests. As part
of the day-to-day operation of the Organisation, the representatives of the Organisation engage in
active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a
Data Subject in relation to the data held by the Organisation, such a request gives rise to access rights
in favour of the Data Subject. Data Subjects can exercise their rights by contacting the DPCO using
the contact details listed herein. The Organisation will always verify the identity of anyone making a
subject access request before handing over any information.
The GDPR sets out the following rights applicable to data subjects:
- The right to be informed;
- The right of access;
- The right of rectification;
- The right to erasure (also known as the “right to be forgotten”);
- The right to restrict processing;
- The right to data portability;
- The right to object to:
  - processing based on legitimate interests or the performance of a task in the
    public interest/exercise of official authority (including profiling);
  - direct marketing (including profiling); and
  - processing for purposes of scientific/historical research and statistics.
- Rights with respect to automated decision-making and profiling;
- The right to withdraw consent.
The GDPR sets specific time-lines within which the Organisation must respond to the Data Subject: without
undue delay and in any event within one month of receipt of the request, extendable by a further two months
where necessary, taking into account the complexity and number of the requests. The representatives of the
Organisation will ensure that, where necessary, such requests are forwarded to the DPCO in a timely manner,
and that they are processed as quickly and efficiently as possible.
Disclosing data for other reason
In certain circumstances, the General Data Protection Regulation allows personal data to be
disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances,
the Organisation will disclose requested data. However, the data controller will ensure the request is
legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Data Protection Notices, or as known in practice, Privacy Notices
The Organisation adheres to the following requirements related to data protection and privacy notices and
the provision thereof.
When is a data protection notice required?
- Where information is being collected directly from an individual, a Data Protection Notice
  must be provided at the point at which the data is collected.
- Where information is obtained from another source, a Data Protection Notice must be provided:
  - at least one month after obtaining the data;
  - if Personal Data is to be used to communicate with the data subject, at the latest
    at the time of the first communication with the data subject;
  - if disclosure to another recipient is envisaged, at the latest when Personal Data are
    first disclosed.
What needs to be included in a data protection notice?
Data protection notices must contain specific information (set out in the legislation) which
informs data subjects of:
- who is collecting the data
- why it is being collected
- what legal basis is being relied upon to process the data
- how it will be processed
- how long it will be kept for
- who it will be disclosed to
- what rights people have in relation to their own data
Individuals must also be made aware of:
- the right to lodge a complaint with the Data Protection Commission,
- the consequences of failure by the Data Controller to provide the data, and
- the existence of automated decision making, including profiling.
Marketing and Mailing Lists
The Electronic Privacy Regulations 2011 (SI 336 of 2011) sit alongside the Data Protection Acts.
They give people specific privacy rights in relation to electronic communications and contain specific
rules on:
- Marketing calls, emails, texts and faxes
- Cookies (and similar technologies)
- Keeping communications services secure; and
- Customer privacy regarding traffic and location data, itemised billing, line
  identification, and directory listings.
While primarily aimed at electronic communications companies (telecommunications companies and internet
services providers), the Electronic Privacy Regulations also apply to any entity using such
communications and electronic communications networks to communicate with customers, e.g. by telephone,
via a website or over email, etc.
Unsolicited direct marketing is one of the main sources of complaints from individuals to
the Data Protection Commission and anyone who fails to comply with the E-Privacy Regulations can be
prosecuted as each unlawful marketing message or call constitutes a separate offence.
It is imperative that the necessary marketing opt-ins and opt-outs (via a data protection notice
or privacy notice or otherwise) are in place before using Personal Data for marketing purposes.
Transferring Personal Data to a Country Outside the EEA
The Organisation transfers data outside the EEA.
The transfer of Personal Data to a “third country” i.e. outside the EEA, will only take place if
one or more of the following applies:
- The transfer is to a country that the European Commission has determined to have an adequate level
  of protection for Personal Data;
- The transfer is to a country (or international organisation) which provides appropriate
  safeguards in the form of a legally binding agreement between public authorities or bodies;
  binding corporate rules; standard data protection clauses adopted by the European Commission;
  compliance with an approved code of conduct approved by a supervisory authority; certification
  under an approved certification mechanism as provided for in the GDPR; contractual clauses agreed
  and authorised by the competent supervisory authority; or provisions inserted into administrative
  arrangements between public authorities or bodies authorised by the competent supervisory authority;
- The transfer is made with the informed consent of the relevant data subject(s);
- The transfer is necessary for the performance of a contract between the data subject
  and the Organisation (or for pre-contractual steps taken at the request of the data subject);
- The transfer is necessary for important public interest reasons;
- The transfer is necessary for the conduct of legal claims;
- The transfer is necessary to protect the vital interests of the data subjects or other
  individuals where the data subject is physically or legally unable to give their consent; or
- The transfer is made from a register that, under relevant data protection and privacy law, is
  intended to provide information to the public and which is open for access by the public in
  general or otherwise to those who are able to show a legitimate interest in accessing the register.
Data Breach Notification
The Organisation has a separate and detailed Data Breach Handling Procedure. If a Data Subject becomes
aware of a Data Breach, then the Data Subject is encouraged to contact the DPCO immediately with all
known information.
It should be noted that the Organisation treats data breaches very seriously. Any employee who becomes
aware of a likely data breach and fails to notify the DPCO or, if the Organisation has one in place, a
member of the Data Protection and Privacy Committee may be subject to the disciplinary procedure of the
Organisation, depending on the severity of the breach.
Organisational and Technical Measures for Security and Safety
The Organisation adheres to a comprehensive Information Security Policy. The Organisation shall ensure that
adequate organisational and technical measures are taken with respect to the collection, holding, and
processing of Personal Data. These measures shall not be manifestly made public and are available
upon request, as required by law.
Registration of a DPO with the Supervisory Authority
The Organisation is not required to register a DPO with the Supervisory Authority and has
officially documented reasons for not appointing or registering a DPO.
Appointed Data Protection Officer / Co-Ordinator and Contacting the Organisation
The Organisation shall accept communication addressed to the Data Controller, Data Protection Officer
or Co-Ordinator.
Policy Review
The Organisation will continue to review the effectiveness of this Policy, to ensure it is
achieving its stated objectives, on at least an annual basis and more frequently if required,
considering changes in the law and organisational or security changes.