1. Introduction
Under the Data Protection Acts 1988 and 2003 and the General Data Protection Regulation (GDPR), spunout has certain obligations as a Data Controller to process personal data in a fair and transparent manner.
spunout is committed to best practice in data protection, and all data retained by the organisation will be kept no longer than necessary to achieve the stated purpose for which it was originally collected.
The term “data subject” refers to any living human whose personal data might be collected or processed by spunout. The “Data Protection Officer” will be an assigned member of spunout staff with responsibility for certain processes outlined in this document.
2. Data Collection
“Personal data” refers to any information which can be used to identify a living person. Personal data can only be collected and processed by spunout if doing so satisfies one of the following conditions:
In all cases of personal or sensitive data collection, the preferred condition for collection and processing by spunout is that consent has been received from the data subject.
3. Data Processing
“Data processing” refers to any operation performed on personal data, e.g. collection, recording, organising, structuring, storage, adaptation or alteration. spunout can only process personal data for the specific purpose or purposes for which it was originally gathered. Personal data should only be retained by spunout for as long as it takes to fulfill this purpose and no longer, or until the data subject makes a legitimate request to exercise their right of erasure.
4. Data Storage
All personal data held by spunout must be stored in a secure manner. Data should only be accessible to appropriate named members of staff for whom accessing the data in question forms a part of their job.
Be advised that spunout is required to retain certain records containing personal information for a pre-set amount of time to satisfy our legal obligations. Premature destruction of such data could result in serious repercussions for the organisation.
5. Data Access Requests
Any individual whose personal data is held by spunout has a right to request a copy of all their personal data currently held by the organisation. The information must be clear, free, comprehensive, explain the purpose for which their data is being processed, and be delivered within one month of their initial request being received.
spunout staff who receive a data access request must use the following step-by-step procedure:
- Notify the Data Protection Officer (DPO) that a data access request has been received as soon as possible, preferably immediately
- The DPO will attempt to determine whether the individual who made the request is definitely the subject of the data in question; the DPO will request clear identification which may include a passport or other form of state-issued I.D., and, if deemed necessary, proofs of address, as well as requesting clarification, if needed, on the nature of the individual’s relationship or former relationship with spunout
- If the DPO is satisfied with the above, they will identify the member of staff best placed to handle the data access request
- The designated member of staff will acknowledge receipt of the request to the requester, and inform them of the timeframe (no more than one month from the original staff member receiving the request) in which they can expect a full reply
- If necessary, confirm the identity of the person making the request beyond reasonable doubt
- Agree a timeframe with the DPO for the collation of all information held by spunout on the requester, treating one month as an outer limit for delivery. If possible, the process should be completed well in advance of one month.
- The designated member of staff will raise the issue at the next Team Meeting, after which all members of staff will search their records for relevant data and share any such data with the designated member of staff as soon as possible
- Upon completion of the data file, the designated member of staff must state in writing that no additional data has been withheld to their knowledge
- With the approval of the DPO, the file containing all relevant data will be sent to the requester.
6. Right of Erasure
spunout recognises the legal right of data subjects to be forgotten, that is, to withdraw their consent for spunout to hold and process their personal data. All individuals with personal data held by spunout may request at any time that all data held on them by the organisation be destroyed.
Data subjects are free to exercise this right, except in cases where destroying such data would violate spunout’s legal obligations, for example employee contractual information, which must be held for a period of years even after an employee has ceased their employment with the organisation.
7. Data Destruction
Personal data held by spunout which has served the purpose for which it was collected will be destroyed. Likewise, personal data on which a legitimate right of erasure claim has been made will also be destroyed.
The destruction of personal data stored in paper form will be conducted by shredding. Where personal data is stored electronically, care must be taken to ensure it is properly and entirely deleted from all sources (e.g. CRM, Google Drive, Dropbox, etc.) and by all employees of spunout.
In the event of legal proceedings being launched against spunout, the CEO may instruct members of staff to cease any data destruction operations currently underway. Destruction should resume as soon as legal proceedings have come to a close.
8. Data Retention Periods
Different categories of personal data must be retained by spunout for different periods of time in order to fulfill their purpose. In general, records should not be retained if there is no clear business reason for doing so.
9. Data Breaches
A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” by spunout. Data breaches can be large or small in scale: for instance, accidentally cc’ing instead of bcc’ing people in an email could constitute a personal data breach.
In the event any member of staff becomes aware of a possible personal data breach, however small, they must inform the Data Protection Officer without delay.
Upon being notified of a potential personal data breach, the DPO must determine the following:
10. Data Sharing
In some cases, spunout may engage in peer-to-peer relationships with other organisations in which data is shared between both parties, and both become responsible for the proper use and protection of that data. All such relationships require a Joint Controller Agreement (otherwise known as a Data Sharing Agreement) to be agreed and in place before any data can be shared.
A Joint Controller Agreement must clearly set out:
- Which party is responsible for which particular elements or phases of data processing;
- Which party is responsible for responding to requests from data subjects regarding their rights, e.g. for data access requests;
- The point of contact with whom data subjects can communicate in relation to certain aspects of processing.
In other cases, spunout may hire a third party service provider to process personal data on the organisation’s behalf, with spunout remaining responsible for the proper use and protection of the data. In order for data to be shared in such a manner, a formal Data Processor Contract must be in place with the service provider, which must include:
- The subject matter and duration of the data processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of spunout
11. Contacting the Data Protection Officer
The Data Protection Officer (DPO) of spunout can be contacted at [email protected].
Data access requests, data destruction requests, requests to exercise a right of erasure and any queries about data protection policies should be addressed to the DPO and will be actioned within one month of receipt of request.
Please note that the [email protected] email will only respond on issues relating to data protection. All other matters should be directed to [email protected].
12. spunout, Community Creations and 50808
spunout is a project of Community Creations Company Limited by Guarantee, a registered charity that also runs the 50808 service. Each of these names refers to a single legal entity with one charity number, one CEO and one Board of Directors.
For our Text About It Data Protection Policy and Data Privacy Statement please click here.