Under the Data Protection Acts 1988 and 2003 and the General Data Protection Regulation (GDPR), SpunOut.ie has certain obligations placed on it as a Data Controller to process personal data in a fair and transparent manner.
SpunOut.ie is committed to best practice in data protection and all data retained by the organisation will be kept no longer than necessary to achieve the stated purpose for which it was originally collected.
The term “data subject” refers to any living human whose personal data might be collected or processed by SpunOut.ie. The “Data Protection Officer” will be an assigned member of SpunOut.ie staff with responsibility for certain processes outlined in this document.
“Personal data” refers to any information which can be used to identify a living person. Personal data can only be collected and processed by SpunOut.ie if doing so satisfies one of the following conditions:
Some forms of data are categorised as “sensitive personal data”, which have stricter rules for collection and processing. Sensitive personal data is any information which records a living person’s:
SpunOut.ie can only collect and process sensitive personal data if doing so satisfies one of the following conditions:
In all cases of personal or sensitive data collection, the preferred condition for collection and processing by SpunOut.ie is that consent has been received from the data subject.
“Data processing” refers to any operation performed on personal data, e.g. collection, recording, organising, structuring, storage, adaptation or alteration.
SpunOut.ie can only process personal data for the specific purpose or purposes for which it was originally gathered. Personal data should only be retained by SpunOut.ie for as long as it takes to fulfill this purpose and no longer, or until the data subject makes a legitimate request to exercise their right of erasure.
All personal data held by SpunOut.ie must be stored in a secure manner. Data should only be accessible to appropriate named members of staff for whom accessing the data in question forms a part of their job.
Be advised that SpunOut.ie is required to retain certain records containing personal information for a pre-set amount of time to satisfy our legal obligations. Premature destruction of such data could result in serious repercussions for the organisation. Members of staff who are in any way unsure as to whether a document should be destroyed or retained should bring their concerns to the Executive Director without delay.
Any individual whose personal data is held by SpunOut.ie has a right to request a copy of all their personal data currently held by the organisation. The information must be clear, free, comprehensive, explain the purpose for which their data is being processed, and be delivered within one month of their initial request.
SpunOut.ie staff who receive a data access request must use the following step-by-step procedure:
SpunOut.ie recognises the legal right of data subjects to be forgotten, withdrawing their consent for SpunOut.ie to hold and process their personal data. All individuals with personal data held by SpunOut.ie may request at any time that all data held on them by the organisation be destroyed.
Data subjects are free to exercise this right, except in cases where to destroy such data would violate SpunOut.ie’s legal obligations, i.e. in the case of employee contractual information, which must be held for a period of years even in the event of an employee ceasing their period of employment with the organisation.
Personal data held by SpunOut.ie which has served the purpose for which it was collected must be destroyed. Likewise, personal data on which a legitimate right of erasure claim has been made must also be destroyed.
The destruction of personal data stored in paper form must be conducted by shredding. Where personal data is stored electronically, care must be taken to ensure it is properly and entirely deleted from all sources (e.g. CRM, Google Drive, Dropbox, etc.) and by all employees of SpunOut.ie.
In the event of legal proceedings being launched against SpunOut.ie, the Executive Director may instruct members of staff to cease any data destruction operations currently underway. Destruction should resume as soon as legal proceedings have come to a close.
Different categories of personal data must be retained by SpunOut.ie for different periods of time in order to fulfill their purpose. In general, records should not be retained if there is no clear business reason for doing so.
A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” by SpunOut.ie. Data breaches can be large or small in scale: for instance, accidentally cc’ing instead of bcc’ing people in an email could constitute a personal data breach.
In the event any member of staff becomes aware of a possible personal data breach, however small, they must inform the Data Protection Officer without delay.
Upon being notified of a potential personal data breach, the Data Protection Officer (DPO) must determine the following:
The DPO must assess whether the data breach is significant enough to bring to the attention of the Data Protection Commission based on A, B and C, and if so must inform the Commission within 72 hours. If, for whatever reason, the Data Protection Commission is not notified within 72 hours, the DPO must include reasons for the delay with their submission. The DPO will also inform the affected individuals whose data has been compromised.
The DPO’s notification must include the following information:
Once all relevant parties have been informed, the DPO will work with relevant staff to implement the proposed measures to address the personal data breach, including revision of policies and practices as necessary and subject to the normal processes of SpunOut.ie policy change.
In some cases, SpunOut.ie may engage in peer-to-peer relationships with other organisations in which data is shared between both parties, and both become responsible for the proper use and protection of that data. All such relationships require a Joint Controller Agreement (otherwise known as a Data Sharing Agreement) to be agreed and in place before any data can be shared.
A Joint Controller Agreement must clearly set out:
In other cases, SpunOut.ie may hire a third party service provider to process personal data on the organisation’s behalf, with SpunOut.ie remaining responsible for the proper use and protection of the data. In order for data to be shared in such a manner, a formal Data Processor Contract must be in place with the service provider, which must include: