About Us

Data Protection Policy

Purpose

The purpose of this policy is to demonstrate spunout’s commitment to safeguarding the privacy and security of personal data, in compliance with the General Data Protection Regulation (GDPR), the Data Protection Acts 1988 and 2003, and other relevant data protection laws and regulations.

Scope

This policy applies to all spunout personnel (including employees, volunteers, members of the Board of Directors, interns and work experience candidates, contractors, sub-contractors, agency staff) and authorised third party commercial service providers and other persons or entities when receiving, handling or processing personal data as defined by the GDPR.

This Data Protection Policy applies to all current and future spunout activities and programmes that include personal data collected or processed by spunout or agents thereof.

Definitions

A list of terms used throughout this policy are defined in Appendix A.

1. Principles of Data Protection

The following data protection requirements apply to all instances where data is stored, transmitted, processed or otherwise handled, regardless of geographic location. spunout will comply with the following high level principles for processing activities set out in Article 5(1) of the GDPR:

spunout will only process personal data fairly, lawfully and in a transparent manner.
spunout will only collect personal data for specific, explicit, lawful and legitimate purposes, and will not process data in any manner incompatible with those purposes.
spunout will only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed.
spunout will take every reasonable step to ensure personal data is accurate and, where necessary, kept up to date.
spunout will not keep personal data for longer than is necessary for the purposes for which they are processed.
spunout will process personal data in a secure manner that ensures its security, including protection against unauthorised or unlawful access to, or processing of, personal data, and prevention of accidental loss or destruction of, or damage to, personal data.

spunout shall be responsible for, and be able to demonstrate compliance with, these key principles. In addition, spunout will ensure that data subject’s rights are protected as set out in the GDPR.

Data subjects:

will be able to request access to data spunout holds on them through a Subject Access Request.
can request to change or correct any inaccurate data spunout holds on them.
have the right to object to having their data processed by spunout.
can request to delete data that spunout holds on them.
can request to have their data moved outside of spunout if it is in an electronic format.

Data subjects can object to a decision made by automated processing, within certain limited exceptions (such as legitimate grounds for the processing or the defence of legal claims) and request that any decision made by automated processes have some human element.

2. Types of Personal Data

2.1 Personal Data

“Personal data” are defined by the GDPR as meaning any information related to an identified or identifiable living person (a “Data Subject”).

Personal data includes information such as names, contact details, identification numbers, location data, online identifiers, and reversibly anonymised/pseudonymised data. In addition, where it is possible to identify Data Subjects by analysing underlying or related data.

More comprehensive examples of personal data can be found in Appendix B of this policy.

2.2 Special Categories of Personal Data

“Special Category Data” are defined by the GDPR and include data falling under the following categories:

Racial or ethnic origin
Religious, philosophical or political beliefs
Trade union membership
Health, genetic or biometric data
Data concerning a person’s sex life or sexual orientation

spunout may only process Special Category Data under specific circumstances which are described in Article 9 (2) of the GDPR, contained in Appendix C of this policy.

3. Roles and Responsibilities

3.1 Data Protection Officer (DPO)

spunout will designate a Data Protection Officer (DPO) responsible for overseeing data protection compliance, providing guidance, and acting as a point of contact for data subjects and supervisory authorities.

The DPO should be involved, properly and in a timely manner, in all issues which relate to the protection of personal data. They are bound by confidentiality concerning the performance of their tasks, in accordance with EU and Irish legislation.

The DPO is responsible for monitoring compliance with the GDPR and has overall control of how data is processed within spunout. This will include:

Collecting information about processing activities.
Analysing and checking the compliance of processing activities.
Informing, advising and issuing recommendations to management and the relevant data processors and controllers.
Where a unified or coordinated response is needed, cooperation/collaboration with other organisations’ DPOs may take place.

3.2 Data Processors and Controllers

We ensure that all spunout personnel and third-party vendors who process personal data on behalf of spunout have received appropriate training, in line with their role and responsibilities, and comply with GDPR and all relevant legislation.

4. Data Processing Procedures

4.1 Data Collection

spunout will clearly communicate the purposes of data collection to individuals and obtain their consent when required. Data subjects will be informed about their rights under GDPR and other relevant legislation.

4.2 Data Access

Access to personal data will be restricted to authorised individuals. Sharing of personal data will only occur when necessary and with appropriate safeguards in place.

4.3 Data Security

All personal data held by spunout, whether physically or electronically, must be stored in a secure manner. Data should only be accessible to appropriate members of staff.

spunout will implement technical and organisational measures to protect data against breaches, including encryption, access controls, and regular security assessments.

4.4 Data Subject Rights

spunout will respect data subjects’ rights, including the right to access, rectification, erasure, and data portability. Requests will be addressed promptly and in compliance with GDPR and other relevant legislation.

4.5 Data Storage Limitation

spunout shall retain personal data only for the period necessary for the purposes for which it was collected, and in accordance with spunout’s Data Retention Schedules set out in Section 6 of this policy.

spunout shall erase any personal data that violates:

Data Protection Law
Data Protection Regulations
Contractual Obligations
Requirements of this policy

4.6 Data Anonymisation and Pseudonymisation

spunout shall anonymise and/or pseudonymise personal data when it is being used for purposes other than the direct provision of services.

4.7 Information Security

All spunout personnel must familiarise themselves with the up-to-date spunout IT Policy. Any questions concerning these policies should be raised with their line manager or Head of IT and Information Security.

4.8 Unauthorised Disclosure or Access

All persons covered under this policy are prohibited from disclosing or accessing a data subject’s confidential information (including personal data or special categories of personal data), unless this policy or a legal basis allows for such disclosures.

All persons covered under this policy must report all suspected incidents of unauthorised disclosure or access to the Data Protection Officer. Incidents include disclosure, loss, destruction or alteration of staff and service user’s personal information, regardless of whether it is in paper or electronic form.

4.9 Privacy and Data Protection by Design and Default

spunout aims to use its systems and processes, which are guided by strict adherence to data protection legislation, in the delivery of services.

Aside from general data protection policy, spunout will strive to incorporate the principles of privacy and data protection by design and default in projects involving the design of new services, or changing of existing services.

The need to conduct a Data Protection Impact Assessments (DPIA) is considered before any new programme or system is implemented within spunout. The risk assessment considers how new systems and technologies will impact the security of any personal data that is stored and how that complies with this policy.

4.10 Data Protection Impact Assessments

spunout will conduct Data Protection Impact Assessments (DPIA) whenever a new processor or service is introduced to ensure personal data is kept confidential and secure in accordance with this policy.

If any staff member considers that a particular class of personal data processing may affect a data subject’s rights and freedoms, they should engage the DPO in terms of the issue. A mandatory DPIA must then be carried out.

All DPIAs must be registered with the DPO. A sample DPIA is included as Appendix D to this policy.

5. Data Sharing

5.1 Third Party Transfer Policy

If spunout transfers data outside the European Economic Area, appropriate safeguards will be implemented as required by GDPR and other relevant legislation.

spunout shall not transfer personal data to a Third Party outside of the European Economic Area (EEA) regardless of whether spunout is acting as a Data Controller or Data Processor unless:

The European Union recognises the transfer country/territory as having an adequate level of data subject legal protection relating to personal data processing; or,
The European Union recognises the transfer mechanism as providing adequate protection when made to countries/territories lacking adequate legal protection; or,
The explicit consent of the data subject is required to allow Third Party transfer or transfer is authorised by law; and
All reasonable, appropriate and necessary steps have been taken to maintain the required level of personal data protection.

Subject to the provisions above, including any necessary funder approvals, spunout may transfer personal data to a Third Party outside the EEA where any of the following apply:

The transfer is necessary to protect the data subject’s vital interests; or
The data subject has given explicit consent to the proposed transfer; or
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between spunout and a Third Party; or
The transfer is necessary or legally required for the establishment, exercise, or defence of legal claims; or
The transfer is required by law; or
The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest.

The Data Protection Officer must assess whether any of the above exceptions apply prior to any personal data transfer and must record the determination in writing.

5.2 Third Parties Relationships Policy

Where spunout engages a Third Party for processing activities, this Data Processor must protect personal data through sufficient technical and organisational security measures and take all reasonable GDPR compliance steps.

When engaging a Third Party for personal data processing, spunout must enter into a written contract, or equivalent. This contract or equivalent shall:

Clearly set out respective parties’ responsibilities;
Ensure compliance with relevant European and national data protection requirements and legislation;
Establish that, at the expiry of the data processor contract, the data processor is contractually obliged to return the full dataset to spunout and provide unequivocal evidence that their copy of the data set is erased.

spunout must ensure that all Third Party relationships are established and maintained. Data processors who are processing data on behalf of spunout must secure approval from spunout if they wish to engage further data processors.

5.3 Joint Controller Agreements

In some cases, spunout may engage in peer-to-peer relationships with other organisations in which data is shared between both parties, and both become responsible for the proper use and protection of that data.

All such relationships require a Joint Controller Agreement (otherwise known as a Data Sharing Agreement) to be agreed and in place before any data can be shared. A Joint Controller Agreement must clearly set out:

Which party is responsible for which particular elements or phases of data processing;
Which party is responsible for responding to requests from data subjects regarding their rights, e.g. for data access requests;
The point of contact with whom data subjects can communicate in relation to certain aspects of processing.

6. Data Retention and Destruction

Personal data held by spunout must be destroyed once it has served the purpose for which it was collected. Different categories of personal data must be retained by spunout for different periods of time in order to fulfil their purpose; sometimes, this is governed by legislation or contractual obligations.

The appropriate retention and subsequent deletion of personal data is essential for spunout to fulfil the requirements of GDPR.

6.1. Data Storage

All personal data held by spunout, both physically and electronically, must be stored in a secure manner. Data should only be accessible to members of staff with a clear rationale for doing so, based on the processes for which the data was collected, or for unavoidable reasons relating to legal compliance, oversight or data security.

6.2. Right to Data Erasure

All individuals with personal data held by spunout may request, at any time, that all or some of the data held on them by the organisation be destroyed.

Data subjects are free to exercise this right, except in cases where destroying such data would violate spunout’s legal obligations, such as in cases where the Data Retention Schedule requires records to be kept indefinitely or for a fixed period of time. For instance, employee contractual information must be held for a period of years even in the event of an employee ceasing their period of employment with the organisation.

6.3. Data Destruction

Personal data held by spunout, which has served the purpose for which it was collected, must be destroyed in line with spunout’s Data Retention Schedule. Likewise, personal data on which a legitimate right of erasure claim has been made must also be destroyed.

All projects which involve the collection or processing of personal data must establish at the beginning of their operation the type of data being collected and the terms under which the data will be deleted in line with the Data Retention Schedule, the member of staff responsible for carrying out the deletion, and a clear recording of the time and date on which the deletion occurred.

The destruction of personal data stored in paper form must be conducted by shredding. Where personal data is stored electronically, care must be taken to ensure data is properly and entirely deleted from all sources and by all employees of spunout.

In the event of legal proceedings or inquiry or request by the DPC being undertaken against spunout, the CEO and or DPO may instruct members of staff to cease any data destruction operations currently underway. Destruction should resume as soon as legal proceedings or an inquiry or request by the DPC have come to a close.

6.4. Data Retention Schedule

Different categories of personal data must be retained by spunout for different periods of time in order to fulfil their purpose, which may be set by law or contract.

Personal data must not be retained if there is no clear and vital basis for doing so.

The following table sets out the standard schedule for deletion for types of personal data held by spunout. More granular detail is provided in the organisation’s Record of Processing Activities.

Data Type	Retention Period
HR information: personnel files, payroll, staff contact persons, references, records of training, disciplinary records	7 years post-employment (or longer if specified in grant agreement funding role)
Contractual and Audit data	Retain up to seven years from year of issue, as established in the written contract
Garda Vetting data	Retain until the individual’s involvement with organisation ends
Recruitment documentation	Retain for one year from the date on which the position is filled (for unsuccessful candidates); retain for 7 years post-employment (for successful candidates)
Records of Annual/Sick Leave	Retain for four years (Organisation of Working Time Act 1997)
Records of Parental/Force Majeure Leave	Retain for eight years (Parental Leave Acts 1998-2007)
Unsubstantiated allegations or complaints against employees	Delete documentation as soon as complaint is found to be untrue or unwarranted, retain note that a complaint was made and a record of the outcome but not details
Minutes of Board, sub-committee, Leadership and Team meetings, Director details	Until 6 years after the Company is dissolved; otherwise retain indefinitely
Service contracts	Retain for six years after the conclusion of the contract, or 12 years for sealed contracts (Statute of Limitations Act 1957)
Volunteer data, including Garda Vetting information	Until the volunteer ceases involvement with the organisation
Survey data	Destroy as soon as the purposes for collection expires (data which has been anonymised may be retained indefinitely). Survey data must be processed within 6 months of collection.
Data gathered for prize distribution	Destroy as soon as the prize in question has been distributed
Service user conversation data	Up to 7 years from date of conversation
Merchandise order information	Until order has been filled (no more than 6 months)
“Ban List” information for service users/volunteers in serious breach of code of conduct	Destroy 2 years from the issuing of the ban
Child Protection documentation (including Mandatory Reporting information)	Retain indefinitely (15 years for Tusla letters of acknowledgement)
Insurance data	Retain 7 years from date of issue, or longer/indefinite if required by policy
Data gathered via sign up or mailing lists for marketing spunout services and information	24 months or delete when purpose for collection expires, whichever is sooner
Withholding documentation (written records of decisions by spunout not to release personal data as requested)	Retain indefinitely
Other data	Retain until purpose for collection expires, or consent is withdrawn

7. Data Breaches

A “personal data breach” is defined in Article 4 of the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

7.1 Reporting a Potential Data Breach to the DPO

Data breaches can be large or small in scale. Once any member of staff becomes aware of a potential data breach, they must inform the Data Protection Officer (DPO) at [email protected] without delay.

Time is a major factor in the satisfactory reporting and resolution of potential data breaches of all kinds, and decisions to inform the Data Protection Commission must be made by the DPO within 72 hours of the breach being discovered.

7.2 DPO Response to a Potential Data Breach

Upon being notified of a potential personal data breach, the DPO must determine the following:

Whether there has been a breach of personal data held by spunout or, if this cannot be definitively proven, whether it is likely such a breach has occurred.
Whether this breach or likely breach is potentially damaging to the individuals whose personal data has been compromised.
As far as possible; determine who accessed what data and when, how that data is being used, and which individuals are likely to be affected.

7.3 Reporting Data Breaches to the Data Protection Commissioner

The DPO must assess whether the data breach is significant enough to bring to the attention of the Data Protection Commission based on A, B and C, and if so must inform the Commission within 72 hours.

If, for whatever reason, the Data Protection Commission is not notified within 72 hours, the DPO must include reasons for the delay with their submission.

The DPO’s notification must include the following information:

A description of the nature of the breach including, if possible, the categories and approximate numbers of individual data subjects and/or data records involved;
The name and contact details of the DPO or another person who can be contacted for more information;
The likely consequences arising from the breach;
A summary of the measures taken and proposed to be taken to address the breach and, where possible, to mitigate its possible effects.

7.4 Informing Data Subjects and Next Steps

Once the facts have been ascertained and a decision made regarding whether or not to inform the Data Protection Commission, the DPO will ensure steps are taken to inform the affected individuals whose personal data has been compromised.

Once all relevant parties have been informed, the DPO will work with relevant staff to develop and implement a plan to:

Mitigate the impact of the current data breach;
Ensure, as far as possible, that the breach will not be repeated, including through the revision of policy and practices, as necessary;
Implement, where received, recommendations and instructions from the Data Protection Commission;
Inform all affected parties of their rights, and ensure these rights are vindicated;
Take steps to brief the Board of Directors of the data breach, the organisation’s response, and the steps taken to reduce the likelihood of future data breaches. Depending on the severity of the breach, the Board may be informed immediately or at its next scheduled meeting. ‘Near misses’ where data breaches were narrowly avoided should also be brought to the attention of the Board.

8. Subject Access Requests

Any individual whose personal data is held by spunout is entitled to access a copy of that data through a Subject Access Request.

Data Subjects have the right under GDPR to receive a copy of all their personal data currently held by spunout within one month of their initial request. The process for responding to a Subject Access Request is set out here:

Making a Subject Data Access Request

All requests relating to making a Subject Access Request should be addressed or redirected to the Data Protection Officer (DPO) at [email protected]. Other staff who receive a Subject Access Request should inform the DPO as soon as possible, preferably immediately.

Confirmation of Data Subject Identity

Upon receipt of a Subject Access Request, the DPO will acknowledge the request in writing and request means to verify the Data Subject’s identity. This is to ensure that a person’s data is only released to them, or someone with legal authority to request their data. The DPO may request copies of state-issued identification documents and/or proof of address or other personal data held by spunout.

Data Identification

Once satisfied of their identity, the DPO will engage with the Data Subject to determine more information about the specific data they are seeking, in order to aid the organisation in locating their data quickly and efficiently.

Data Location and Collection

Data Subjects will be given a timeframe of no more than one month in which to expect a final response. Following this, the DPO will direct the most appropriate staff within the organisation to locate, copy and prepare the relevant data in an easily accessible format, as quickly and thoroughly as possible.

Data Redaction

Where necessary, document copies will be redacted to protect the confidentiality of the spunout and of other persons whose personal data may be contained in the document(s) being prepared for release to the Data Subject.

Data Release

Once a copy or copies of all requested data have been gathered and compiled, and appropriately redacted where necessary to protect the data rights of others and the confidentiality of spunout, the document(s) will be released by the DPO to the Data Subject. Where any data cannot be provided, for any reason, the DPO will provide a clear explanation. In all cases, Data Subjects will be informed of their right to make a complaint to the Data Protection Commission.

9. Training and Awareness

spunout will provide ongoing data protection training to all spunout personnel as necessary to ensure compliance with GDPR. spunout personnel will be made aware of their responsibilities and the importance of data protection.

All new and existing spunout personnel will be provided the following, as appropriate:

Workshops & training sessions
Access to GDPR policies, procedures, checklists and supporting and guidance documents
Access to the Data Protection Officer for support, assistance with questions and guidance.

In line with GDPR, the Data Protection Officer will be provided sufficient training, access and resources to fully carry out their function within the organisation.

10. Enforcement, Monitoring and Compliance

10.1 Enforcement

spunout reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy. spunout staff who breach this policy may be subject to disciplinary action as outlined in the Employee Handbook. Breaches of this policy by volunteers may result in removal from spunout systems.

If a breach occurs due to reckless behaviour, and if a breach occurs and is knowingly not reported, the person responsible may be held accountable via disciplinary action and/or civil or criminal penalties.

Where a breach of this policy is committed by contractors, sub-contractors, agency staff and authorised third party commercial service providers, spunout reserves the right to remedy via the contracts in existence and/or civil or criminal penalties.

10.2 Monitoring and Compliance

spunout will regularly review and update this Data Protection Policy to ensure compliance with evolving data protection laws and best practices. Compliance will be monitored through regular audits and assessments.

The Data Protection Policy will be reviewed no less than once every three years by the Board of Directors, or as necessary subject to new legislative developments.

Appendix A: Definitions

“Automated processing” is processing carried out without human intervention, for instance by AI, and which produces legal or otherwise significant effects on a person. Under GDPR, individuals have a right not to be subject to decision-making based entirely on automated processing

“Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

“Binding Corporate Rules” means personal data protection policies which are adhered to by spunout for transfers of personal data to a controller or processor in one or more third countries or to an international organisation.

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.

“Cross Border Processing” means processing of personal data which: –

takes place in more than one Member State; or
which substantially affects or is likely to affect data subjects in more than one Member State

“Data controller” means, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Data protection laws” means for the purposes of this document, the collective description of the GDPR and any other relevant data protection laws that spunout complies with.

“Data subject” means an individual who is the subject of personal data

“GDPR” means the General Data Protection Regulation (EU) (2016/679)

“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“Supervisory Authority” means an independent public authority which is established by a Member State

“Third Party” means a natural or legal person, public authority, agency or body other than the data subject, under our direct authority

Appendix B: Examples of Personal Data

The following is a list of some of the types of information which are considered to be ”Personal Data”. This list is not exhaustive.

People’s names
Contact Details (incl. Home address, home phone/mobile nos., email addresses)
Date of Birth/Age
Birthplace/citizenship/nationality
Gender
Marital Status
PPS Numbers
National ID Card details/Nos.
Next of kin / dependent / family details
Photographs
Curriculum Vitaes/Resumes
Personal financial data (e.g. Bank account details, credit card Nos.)
Details of gifts/donations made
Income / salary
CCTV images
Video images containing identifiable individuals
Voice recordings
Employment History
Sick leave details/medical certificates
Other leave data (excl. sick leave)
Qualifications/Education Details
Work performance
References for staff/volunteers
Grievance/Disciplinary Details
Membership of Professional Associations
Signatures (incl. Electronic)
Passwords & PINS
Car registration details
Online identifiers (e.g. IP address)
Location data
Data relating to children

Appendix C: Special Category Data

The GDPR sets out conditions for processing Special Categories of personal data. spunout must satisfy a lawful condition of processing personal data under Article 6 of the GDPR as well as one under Article 9 to process these categories of data.

The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
Processing relates to personal data which are manifestly made public by the data subject;
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Personal data may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

Note: There will be a number of additional grounds for processing ‘special categories of personal data’ (such as health data) under Irish law, in addition to those contained in Article 9 of the GDPR. Notably, these include a legal basis to process health data for insurance, pension or mortgage purposes.

Appendix D: Sample Structure of a Data Protection Impact Assessment (DPIA)

DPIAs are mandatory for any new high risk processing projects. A DPIA is not required where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons”.

The Data Protection Commission guidance note for DPIAs can be found here.

The following is a sample structure for DPIA, based on work previously commissioned by spunout from Castlebridge:

Sample DPIA

Executive Summary

1.1 Background

1.2 Findings

The Need for a DPIA

DPIA Methodology

Business Need and Approach

Information Environment

5.1 Description of the system, processes and dataflows

Data Protection Principles

6.1 Privacy Principle: Lawfulness, Fairness and Transparency

6.2 Privacy Principle: Data Minimisation

6.3 Privacy Principle: Accuracy

6.4 Privacy Principle: Storage Limitation

6.5 Privacy Principle: Integrity and Confidentiality

6.6 Privacy Principle: Accountability

6.6.1 Notification to the Data Protection Commissioner

Assessment of Necessity vs Proportionality

Table of Risks

Appendix E: Texter Privacy Statement

Important notices:

If you’re at serious risk to yourself or others, we will need to reach out to emergency services to keep you and/or others safe.
If you’re under 18 and you tell us you are at risk of abuse or neglect, we will need to reach out to emergency and/or TUSLA to keep you safe.
If you give us information about an alleged abuser, where other children may be at risk, we will need to reach out to Ireland’s child protection agency TUSLA.

Who are we?

spunout (“we” or “us”) is a charity based in the Republic of Ireland. We provide active listening and information services, including Text About It and Youth Information Chat. Our registered charity number is 20057923.

We are independent, but receive financial support from the Irish state through the Health Service Executive (HSE), the Department of Children, Equality, Disability, Integration and Youth, the Department of Community and Rural Development, the City of Dublin Youth Services Board, and Pobal.

What is personal information?

Personal information is any information that can identify you in some way. It can include things like your name, address, data of birth and computer’s IP address. This information is considered to be normal or non-sensitive data.

Some personal information needs to be more protected because it is sensitive. This is known as ‘sensitive data’ or ‘special category data’. Sensitive data includes information about your health, ethnicity, sexuality, sex life, religious or political beliefs, or trade union membership.

Legal reasons for using your personal information

In order to use your personal information, we need to have a legal reason for doing so. This is known as our ‘legal basis’ for using your personal information.

When you first message us, we use your non-sensitive personal information to provide you with our services. Our legal basis for using your personal information in this way is ‘legitimate interest’. This means that we need to use your personal information in order to provide you with the services you need, and to provide, maintain and improve those services for you and others.

If your messages to us include sensitive personal information, we must have an additional legal basis for using that information. Our legal bases for using your sensitive data are:

Vital interests: We may also share your personal information (including your sensitive data) with third parties, such as emergency services (for example, the National Ambulance Service), where we think there is an imminent risk of harm to you or someone else. The lawful basis for this is your ‘vital interests’, to keep you safe. For more information, please see ‘What do we use your personal information for’ below.

Substantial public interest: We rely on the ‘substantial public interest’ legal basis to use your sensitive data and this data is required to provide our confidential support services in the public interest.

We may rely on your consent to use your personal information (including your sensitive data), such as for our post-conversation texter surveys. Where this is the case, we will always tell you when we collect your personal information and the reason we need it. Where you give us your consent, you can change your mind and withdraw consent at any time.

What personal information do we collect?

When you first contact our services, we will have access to your mobile telephone or WhatsApp number. We keep this in order to be able to have a conversation with you and provide you with our service. Our volunteers will not be able to see your phone number.

We keep the content of your message, including any personal information you may have included in your conversation, including sensitive data. We also keep notes that our volunteers might take during your conversation.

Once you have finished speaking with us, you will have the option to complete a feedback survey. Any personally identifying information will be removed from any feedback you provide before it is shared with any third party.

Your data rights and how to exercise them

Irish and European Union law provides you with certain rights in relation to your personal information. These include the right to:

Access and receive a copy of your personal information;
Object to the processing of your personal information;
Restrict (or limit) the processing of your personal information;
Port your personal information (this means to move, copy or transfer personal information easily from one location to another, in a safe and secure way);
Correct your personal information if you think it is inaccurate; and
Erase or delete your personal information.

In some cases, your ability to exercise these rights may be limited. For example, we may not always be able to delete your personal information when we are required by law to retain it, or where it is essential to retain personal information for reasons of business continuity.

If you wish to exercise any of your rights, please contact us at [email protected] or at our postal address below in the ‘How to contact us’ section.

If you make a request relating to any of the rights listed above, we will consider each request in line with data protection law. No fee will be charged for considering and/or complying with your request to exercise your rights.

If you would like to access a copy of all the personal information we hold about you, please email [email protected] with the subject line ‘Data Access Request’. Please include your name in the body of the email and, if possible, the most recent time you used spunout services. You will be asked to confirm your request and, once you do, we will action your request within 30 days.

If you would like us to erase any personal information that we may hold about you, please text ‘ERASE’ to 50808 or email [email protected] with the subject line ‘Data Erasure’. You will be asked to confirm your request and, once you do so, we will delete your personal information within 30 days, unless we are required to keep it under the law.

If you start a conversation with one of our services and decide you no longer wish to receive messages, you may opt out at any time by texting the word STOP. We will confirm receipt of your STOP message and will not contact you further after this.

What do we use your personal information for?

To provide spunout services

We use your personal information for the purpose of providing you with spunout services. If you decide to use our services again, our staff may need to look back at your previous conversations to make sure that we are giving you the best support possible. They might also need to look back at conversations for legal reasons, or to review the quality of our services.

To share your details with the emergency services or other appropriate third parties to keep you (or someone else) safe

We take your confidentiality very seriously and your conversations are confidential, unless we are concerned about your safety or the safety of another person. If we think you or someone else is in immediate physical danger or that you or someone else’s life is at imminent risk, we will try to work with you to form a safety plan. If this is not possible or if we think you are at risk of what are called ‘safeguarding issues’ (for example abuse or neglect), we may share your details with the emergency services or appropriate authorities, including police, ambulance/medical and social services, in order to keep you (or anyone else) safe and as necessary to protect your vital interests.

If you tell us about any abuse or potential abuse of children, either ongoing or in the past, we are obliged to share your personal information with Tusla, the Child and Family Agency.

To anonymise conversations for data analytics and research purposes (including sharing information with selected partners)

We effectively anonymise and aggregate data from your conversations to ensure you cannot be identified from such information. We analyse anonymised conversation data to help us understand the needs of our texters and to improve spunout services. We sometimes share anonymised data with carefully selected partners (including academic partners) for research purposes and/or to help improve people’s lives across Ireland. We use this information for our legitimate interests in improving spunout services and to better understand mental health trends.

To prioritise those most at risk of harm

When you first message us, we analyse the information you provide in order to prioritise those most at risk of harm. We use this information for our legitimate interests in ensuring we respond more quickly to those in need of urgent support and in order to keep you safe (to protect your vital interests).

To protect against, identify and prevent abuse of spunout services and our policies, and other unlawful activity

If we think someone is abusing our services, we may share your data with third parties for the purposes of discouraging this behaviour. This might include where someone is using the service to break the law, misusing the service or is communicating in a threatening way with spunout volunteers or staff. We use this information for our legitimate interests in keeping our services safe and secure for both texters and volunteers.

To improve spunout services and understand mental health trends

We effectively anonymise and aggregate data from your conversations to ensure you cannot be identified from such information. We use this information to improve our services and to understand mental health trends. We are always trying to make our services better and create new features that improve how the service operates. Anonymised conversation data helps us do this by better understanding how spunout operates, developing and testing new service features and products, and advancing the technology we use. We use this information for our legitimate interests in improving our services by providing a better service to texters and better understanding mental health trends.

To conduct post-conversation texter surveys

Once you have finished a conversation with us, you will have the option to complete a feedback survey. This survey includes questions relating to your experience of using our services and questions that help us to understand more about our texters. Completion of the survey is entirely optional and based on your consent. Any personally identifying information will be removed from any feedback you provide before it is shared with any third party.

To comply with our legal obligations

We may disclose your personal information to comply with the law or in response to a court order, government request, or other legal process, including criminal investigations, or to protect the interests, rights, safety, or property of spunout.

How we share your personal information

We respect and seek to preserve the confidentiality of people who use spunout services. However, in certain circumstances, we may share your personal information with third parties, including with:

An Garda Síochana, social and ambulance/medical services to keep you safe and protect you from harm;
Tusla, the Child and Family Agency, if you tell us about any abuse or potential abuse of children, either ongoing or in the past;
Researchers at universities and other institutions to help us understand the mental health needs of our texters and to improve our services. As outlined above, we will only share anonymised data with research partners;
Service providers that perform services on our behalf, such as IT service providers, hosting providers and our advisers. For example, we have engaged with Crisis Text Line who provide certain IT services, including technology that allows us to prioritise incoming messages; and
Other third parties, as necessary, to comply with the law or in response to a court order, government request, or other legal process, including criminal investigations, and to protect the interests, rights, safety, or property of spunout, its employees or agents, including but not limited to our volunteers.

How long do we keep your information?

Your information is securely stored. We will keep information such as your telephone number and the record of the text messages that you exchange with us for up to seven years after you contact spunout. Then we will permanently delete this information from our records. If you contact us again after this time, you will appear to be a new service user. We will not have any record of our previous conversations with you.

Effectively anonymised and aggregated data from your conversations, from which you cannot be identified, will be retained indefinitely.

Do we transfer personal information to other countries?

We hold all of your data securely in Ireland and Germany, and any companies who do work for us are obliged to keep your personal data in the European Economic Area (EEA).

spunout engages service providers that perform services on our behalf, such as IT service providers, hosting providers and our advisers, some of which may be based outside of the EEA. For example, we have engaged with Crisis Text Line who provide certain IT services, including technology that allows us to prioritise incoming messages.

In order to transfer your data outside the EEA, we rely on relevant “adequacy regulation” from the European Union (EU) by which they recognise certain countries outside of the EEA to ensure an adequate level of protection for personal information. For example, the UK in 2024 is not part of the EEA, but is recognised as providing adequate protection for personal data under EU law.

For personal data to be transferred to recipients located in countries that have not been recognised as providing an adequate level of data protection (such as the USA), spunout will put in place appropriate safeguards with the data recipients to ensure full compliance with EU data protection law.

Protecting your data

Always be careful and responsible regarding your personal information and sensitive data. You might want to delete conversations with our services from your phone. You might even want to clear us from your history and make sure we are not saved in your contact list.

Changes to this Privacy Statement

We may update this Privacy Statement at any time. If we make significant changes to the way we use your personal information, we will bring these to your attention by posting a link to an updated version of the Privacy Statement in a clear and prominent location on our websites. The date this Privacy Statement was last updated is indicated at the top of this page.

How can you make a complaint?

If you have any question or concerns about this Privacy Statement and our privacy practices or if you wish to file a complaint, please contact us by emailing [email protected] or by writing to our Data Protection Officer at the address below.

If we fail to satisfactorily resolve your concerns or complaint, or you otherwise consider it necessary, you have the right to lodge a complaint with the Data Protection Commission of Ireland. Contact information for the Data Protection Commission is listed below.

Webpage: www.dataprotection.ie

Email: [email protected]
Telephone: (01) 765 0100 or 1800 437 437, Monday-Friday from 9:30am-5pm
Address: Data Protection Commissioner, 21 Fitzwilliam Square, Dublin 2, D02 RD28

How can you contact us? 
If you have any general questions, you can email us at [email protected].

If you have any questions about how we use your data, you can email our Data Protection Officer at [email protected].

Our postal address is spunout, 48 Fleet Street, Dublin 2.

Appendix F: Marketing Privacy Statement

The type of personal information we collect 
We currently collect and process the following information:

Full name
Email address
We may ask for your postal address for specific purposes
We may ask for your marketing preferences

How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:

To sign up to our mailing list, to receive information on our events, campaigns, participate in surveys and to receive notifications.
To fundraise for, or donate to, our charity.

We work with third parties on some campaigns and they may pass sign-up data to us. However, the purposes will be made clear on the sign-up form.

How we get the personal information and why we have it
If a user decides to opt-in to our mailing list, they will receive emails that may include spunout news, updates, related product or service information, etc. If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email or you may contact us by emailing [email protected].

We may use third party service providers to help operate our campaigns or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes, provided that you have given us your permission.

Basis for processing your personal information
Under the General Data Protection Regulation (GDPR), the lawful basis we rely on depends on the information we are collecting and the specific context:

Your consent; You are able to remove your consent at any time. You can do this by emailing us at [email protected]
Legitimate interests; for example, where applying for a prize draw, we need your name and address to send this out to you.

How long do we keep your information?

Your information is securely stored. We will keep information such as your full name and telephone number for up to 24 months; after this, we may require you to refresh your consent for your information to be stored. If you do not give consent for your personal information to continue to be stored by spunout, then we will permanently delete this information from our records. In cases where we hold your personal information based on legitimate interests, we will hold your information until the purpose for which it was gathered has been fulfilled, and then permanently delete your information.

Your data rights and how to exercise them

Irish and European Union law provides you with certain rights in relation to your personal information. These include the right to:

Access and receive a copy of your personal information;
Object to the processing of your personal information;
Restrict (or limit) the processing of your personal information;
Port your personal information (this means to move, copy or transfer personal information easily from one location to another, in a safe and secure way);
Correct your personal information if you think it is inaccurate; and
Erase or delete your personal information.

In some cases, your ability to exercise these rights may be limited. For example, we may not always be able to delete your personal information when we are required by law to retain it.

If you wish to exercise any of your rights, please contact us at [email protected] or at our postal address below in the ‘How to contact us’ section.

If you would like us to erase any personal information that we may hold about you, please email [email protected] with the subject line ‘Data Erasure’. You will be asked to confirm your request and, once you do so, we will delete your personal information within 30 days, unless we are required to keep it under the law.

How can you make a complaint?

If you have any question or concerns about our privacy practices or if you wish to file a complaint, please contact us by emailing [email protected] or by writing to our Data Protection Officer at the address below.

Webpage: www.dataprotection.ie

Email: [email protected]
Telephone: (01) 765 0100 or 1800 437 437, Monday-Friday from 9:30am-5pm
Address: Data Protection Commissioner, 21 Fitzwilliam Square, Dublin 2, D02 RD28

How can you contact us? 
If you have any general questions, you can email us at [email protected].

If you have any questions about how we use your data, you can email our Data Protection Officer at [email protected].

Our postal address is spunout, 48 Fleet Street, Dublin 2.

Appendix G: Volunteer Privacy Statement

Who are we?

We will process the personal information you provide for our legitimate charitable interests and to enhance the experience of our volunteers. This includes contacting you about relevant volunteering opportunities, news and events.

In brief

We respect your personal data and store it securely.
We will never sell your personal data.
We will remove your data if you ask us to.
We will use your data to maintain contact with you, in order to facilitate your volunteering work with us
We may send you content we think is relevant or interesting to you but you can unsubscribe or change your contact preferences at anytime.
We may use your data to contact you about information you request or to allow you to access our services.

What is the purpose of this policy?

We collect and process personal information about you during and after your relationship with us in order to manage that relationship. We are committed to being transparent about how we collect and use your data to meet our obligations under the General Data Protection Regulation (GDPR).

What personal information we collect and how it is used

Personal information means any information about an individual from which that person can be identified. The information that we collect includes details such as your name, email address, physical address, postal code. The information does not include data where the identity has been removed (anonymous data).

Please view below for a list of the purposes for which we use your personal data:

Data we collect	What we use it for	Legal basis for processing
Names, addresses, telephone number, email addresses	To contact you to discuss volunteering opportunities or to keep you updated on our services, activities or events; to record your location in order to understand where our volunteers come from	Justified on the basis of legitimate interest in ensuring the proper functioning of our business operations and ensuring proper communication and emergency handling. Justified on the basis of your consent.
Curriculum Vitae or other profiles	To assess and determine your skills, experience and interests in order to assess your suitability for volunteering opportunities or specific projects	Justified on the basis of legitimate interest in ensuring the recruitment of appropriate volunteers. Justified on the basis of your consent.
Demographic information	To capture information which will help us to identify the demographics most interested in volunteering to assist future marketing campaigns. To capture demographic information to ensure a broadly diverse volunteer population and to seek to rectify any under-representation of a particular demographic amongst our volunteer population, to help us better understand or serve all members of the public who reach out to our services	Justified on the basis of legitimate interest in ensuring the recruitment of appropriate volunteers. Justified on the basis of your consent.
Information gathered from business and social media sources in the public domain, eg LinkedIn, Facebook	To build a picture of your skills, experience and interests in order to assess your suitability for volunteering projects	Justified on the basis of legitimate interest in ensuring the recruitment of appropriate volunteers. Justified on the basis of your consent.
References and Garda Vetting information	To assess your suitability for volunteering with us, and for being utilised on specific projects	Justified on the basis of compliance with the law. Justified on the basis of legitimate interest in ensuring the recruitment of appropriate volunteers. Justified on the basis of your consent.
Information on special requirements, health or medical conditions	To assess your suitability for volunteering with us, and for being utilised on specific projects; to carry out our legal duties (eg to ensure health and safety)	Justified on the basis of compliance with the law. Justified on the basis of legitimate interest in ensuring the recruitment of appropriate volunteers. Justified on the basis of your consent.
Information related to project monitoring such as hours spent on a project	To assess your suitability for being utilised on specific projects; to use such data for statistical analysis and reporting	Justified on the basis of legitimate interest in ensuring the proper functioning of our business operations. Justified on the basis of your consent.
Information related to availability and the reasons for periods of unavailability	To assess your suitability for volunteering with us, and for being utilised on specific projects	Justified on the basis of legitimate interest in ensuring the proper functioning of our business operations. Justified on the basis of your consent.
IP Addresses	As an extra cybersecurity measure, we may log the IP address of the computer used to email us a contact form as part of our registration process.	Justified on the basis of legitimate interest in ensuring the proper functioning of our business operations. Justified on the basis of your consent.
Content of volunteers’s conversations arising out of or concerning our services	To monitor the quality of the service provided to texters, to support volunteers in the execution of their role, and to analyse trends and operational considerations for the improvement of the service.	Justified on the basis of legitimate interest in ensuring the proper functioning of our business operations and ensuring proper communication and emergency handling. Justified on the basis of your consent.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. If you fail to provide certain information when requested, we may not be able to register you for volunteering opportunities, or we may be prevented from meeting our legal obligations (such as to ensure your health and safety).

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How is your personal information collected?

We collect information through our volunteer registration process, either directly from you or the references you will be asked to provide. We may sometimes collect additional information from third parties including business and social media searches such as LinkedIn. We may collect personal information in the course of volunteering activities throughout the period of you volunteering for us.

How we use particularly sensitive personal information

We do not need your consent if we use special categories of your personal information to carry out our legal obligations. We ask you for your consent to allow us to process certain particularly sensitive data. We may gather sensitive information within our application form. We ask for details that allow us to understand the background and experience of our volunteers. We also ask about your experiences of mental health and related services. This is to allow us to consider whether working with people in crisis might cause you any emotional harm. You should carefully consider whether you wish to consent to us holding this data.

Automated Decision Making

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Who has access to your data?

Your information may be shared internally, including with staff members responsible for managing and administering projects, HR, health and safety, insurances, events and marketing activities.

We share your data with third parties, including third-party service providers, for example in connection with supporting our CRM system and IT network (including remote support) and professional advisers where necessary, who may be party to confidential discussions related to an individual. In providing our services we are supported by technical staff who are based in the United States. In order to provide support, in some cases they may have to access material which includes our volunteer personal data. The United States of America does not have data protection laws which are equivalent to those we have in the European Union, but we have ensured that our third party based here have complied with relevant security and data protection standards.

We require third parties to respect the security of your data and treat it in accordance with the law. We will share your information with third parties where required by law, where it is necessary to administer our relationship with you or where we have another legitimate interest. All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data Security

Spunout takes the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, or subject to unauthorised access. Where necessary, we implement appropriate network access controls, user permissions and encryption to protect data.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements. Details of retention periods, archiving and destruction policies for different aspects of your personal information are available in our retention policy which is available from the person responsible for data protection.

Your legal rights

As a data subject, you have a number of rights, details of which can be found at https://www.dataprotection.ie/en/individuals/rights-individuals-under-general-data-protection-regulation

If you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent at any time. Once confirmed, we will no longer process your information for the purpose you originally agreed to, unless we have another legitimate basis for doing so in law.

If you believe that the organisation has not complied with your data protection rights, you can complain to the Data Protection Commissioner.

Accessing your data

As a matter of course, you will not have to pay a fee to access your personal information. However, if we think that your request is unfounded or excessive, we may charge a reasonable fee or refuse to comply with the request.

We may need to confirm your identity or ensure your right to exercise your legal rights. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Changes to this policy

We reserve the right to update this policy at any time, and we will provide you with a new privacy notice when we make substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

How can you contact us? 
If you have any general questions, you can email us at [email protected].

If you have any questions about how we use your data, you can email our Data Protection Officer at [email protected].

Our postal address is spunout, 48 Fleet Street, Dublin 2.

Appendix H: Websites Privacy Statement and Cookies Policy

What are cookies?

A “cookie” is a small file that may be stored on your computer or mobile device by a website you visit. Cookies can allow sites to record your activities or preferences, or contain data useful for the proper functioning of the site itself. Cookies can be set by the owner of the website, or by third party services authorised by the website owner, to carry out functions such as web analytics.

There are two main types of cookie: “session” cookies are deleted as soon as you close your web browser, while “persistent” cookies remain on your device after you go offline and allow sites you visit to “remember” you and your preferences.

Why do we use cookies on our website?

spunout uses cookies that track user behaviour. Through analysis, the information gathered is used to improve our service and user experience. Visitors to spunout are prompted with a notification asking them to give clear consent to the site’s use of cookies via an opt-in checkbox.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, you can deny or withdraw your consent if you wish, though this may reduce the overall quality of your experience using the spunout website. By clicking the ‘Accept All Cookies’ button on the cookie bar to give us permission for all the cookies we wish to use.

What types of cookies do we use?

Strictly necessary cookies. These cookies are necessary for the websites to work, and enable you to move around our sites and use their services and features. It is not possible to disable these cookies, as doing so may make certain features or content unavailable and/or impact the security of the sites. If you use your browser setting to block them, we cannot guarantee your security or predict how the website will perform during your visit.

Analytics cookies. These cookies are used to analyse how you use our websites, including which pages you view most often, how you interact with the content, measure how many errors that occur and test different design ideas. The information is used to report and evaluate your activities and patterns as a user of our website. These cookies may include persistent cookies which are used to remember your actions on the websites. These cookies will only be set with your consent and may be provided by our third party analytics tool providers and the information obtained through these cookies will be disclosed to, or collected directly by, these third party service providers. For example, we use Google Analytics to analyse usage of our websites, including the number of page views and unique visitors. You can find out more about Google Analytics cookies on their website. Google Analytics Cookies can be opted out of by clicking ‘Use necessary cookies only’.

- Stripe cookies. Our donation management system, Stripe, utilises cookies to enable website visitors to make a donation to spunout through our website. You can find out more about Stripe cookies on the Stripe website. Stripe Cookies can be opted out of by clicking ‘Use necessary cookies only’.

Third party cookies. As well as spunout’s own cookies, you may also experience third-party services that set their own cookies to monitor usage statistics and personalise adverts. These cookies help us understand if our advertisements are effective and enables us to reach the right people with our adverts. These include cookies set by Facebook, Twitter, YouTube (Google), TikTok, Snapchat, and Google Ads. All of these cookies can be opted out of by clicking ‘Use necessary cookies only’.

Managing consent for cookies

We use strictly necessary cookies to make our site work. You are automatically opted out of all cookies that are not necessary for the site to function. You can have our website remember your opt-out by clicking the ‘Use necessary cookies only’ button on the cookie bar on our website. You can change your consent or withdraw your consent here.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and mintori your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

How can you make a complaint?

If you have any question or concerns about our cookies policy and our privacy practices or if you wish to file a complaint, please contact us by emailing [email protected] or by writing to our Data Protection Officer at the address below.

Webpage: www.dataprotection.ie

Email: [email protected]
Telephone: (01) 765 0100 or 1800 437 437, Monday-Friday from 9:30am-5pm
Address: Data Protection Commissioner, 21 Fitzwilliam Square, Dublin 2, D02 RD28

How can you contact us? 
If you have any general questions, you can email us at [email protected].

If you have any questions about our use of cookies or how we use your data, you can email our Data Protection Officer at [email protected].

Our postal address is spunout, 48 Fleet Street, Dublin 2.

Full list of cookies we use

Necessary cookies

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Name	Provider	Purpose	Expiry
__stripe_mid	Stripe	This cookie is necessary for making credit card transactions on the website. The service is provided by Stripe.com which allows online transactions without storing any credit card information.	1 year
__stripe_sid	Stripe	This cookie is necessary for making credit card transactions on the website. The service is provided by Stripe.com which allows online transactions without storing any credit card information.	0 day
_ab	m.stripe.com	This cookie is necessary for making credit card transactions on the website. The service is provided by Stripe.com which allows online transactions without storing any credit card information.	Session
_grecaptcha	Google	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	Persistent
_GRECAPTCHA [x2]	Google www.recaptcha.net	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	179 days
_mf	m.stripe.com	This cookie is necessary for making credit card transactions on the website. The service is provided by Stripe.com which allows online transactions without storing any credit card information.	Session
1.gif	Cookiebot	Used to count the number of sessions to the website, necessary for optimizing CMP product delivery.	Session
auth	SurveyMonkey	Registers whether the user is logged in. This allows the website owner to make parts of the website inaccessible, based on the user’s log-in status.	Session
cf_clearance	Donorbox	This cookie is used to distinguish between humans and bots.	1 year
CookieConsent	Cookiebot	Stores the user’s cookie consent state for the current domain	1 year
id	m.stripe.com	Pending	Session
object(#-#-##:#:#.#)	prod.smassets.net	Holds the users timezone.	Persistent
rc::a	Google	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	Persistent
rc::b	Google	This cookie is used to distinguish between humans and bots.	Session
rc::c	Google	This cookie is used to distinguish between humans and bots.	Session
rc::d-15#	Google	This cookie is used to distinguish between humans and bots.	Persistent
rc::f	Google	This cookie is used to distinguish between humans and bots.	Persistent
sc_anonymous_id	widget.sndcdn.com	Used in context with the 3D-view-function on the website.	10 years
test_cookie	Google	Used to check if the user’s browser supports cookies.	0 day
uc_session	Dropbox	Used to implement or transfer content through Dropbox.	Session

Preference cookies

Preference cookies enable a website to remember information that changes the way the website behaves or looks, such as your preferred language or the region that you are in.

Name	Provider	Purpose	Expiry
#:state	Livechat	Necessary for the functionality of the website’s chat-box function.	Persistent
@@lc_ids	Livechat	Necessary for the functionality of the website’s chat-box function.	Persistent
__lc_cid	LiveChat	Necessary for the functionality of the website’s chat-box function.	399 days
__lc_cst	LiveChat	Necessary for the functionality of the website’s chat-box function.	399 days
__oauth_redirect_detector	LiveChat	Allows the website to recoqnise the visitor, in order to optimize the chat-box functionality.	0 day
last_pys_utm_campaign	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
last_pys_utm_medium	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
m	Stripe	Determines the device used to access the website. This allows the website to be formatted accordingly.	399 days
maps/gen_204	Google	Used in context with the website’s map integration. The cookie stores user interaction with the map in order to optimize its functionality.	Session
#:state	Livechat	Necessary for the functionality of the website’s chat-box function.	Persistent
@@lc_ids	Livechat	Necessary for the functionality of the website’s chat-box function.	Persistent
__lc_cid	LiveChat	Necessary for the functionality of the website’s chat-box function.	399 days
__lc_cst	LiveChat	Necessary for the functionality of the website’s chat-box function.	399 days

Statistic cookies

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Name	Provider	Purpose	Expiry
ga [x2]	Google	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.	2 years
_ga_# [x2]	Google	Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.	2 years
_gat	Google	Used by Google Analytics to throttle request rate	0 day
_gid	Google	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.	0 day
_hjCookieTest	Hotjar	Collects data on the user’s navigation and behavior on the website. This is used to compile statistical reports and heatmaps for the website owner.	Session
_hjSession_#	Hotjar	Collects statistics on the visitor’s visits to the website, such as the number of visits, average time spent on the website and what pages have been read.	0 day
_hjSessionUser_#	Hotjar	Collects statistics on the visitor’s visits to the website, such as the number of visits, average time spent on the website and what pages have been read.	1 year
_livechat_has_visited	Livechat	Identifies the visitor across devices and visits, in order to optimize the chat-box function on the website.	Persistent
_tldtest_# [x2]	prod.smassets.net	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
_tt_enable_cookie	Tiktok	Used by the social networking service, TikTok, for tracking the use of embedded services.	1 year
1	m.stripe.com	Registers data on visitors’ website-behaviour. This is used for internal analysis and website optimization.	Session
amp_#	prod.smassets.net	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Persistent
amplitude_unsent_#	prod.smassets.net	Registers data on visitors’ website-behaviour. This is used for internal analysis and website optimization.	Persistent
amplitude_unsent_identify_#	prod.smassets.net	Registers data on visitors’ website-behaviour. This is used for internal analysis and website optimization.	Persistent
apex__sm	SurveyMonkey	Gathers information on the user’s interaction with the SurveyMonkey-Widget on the website, for statistical analysis and website optimization.	Session
collect	Google	Used to send data to Google Analytics about the visitor’s device and behavior. Tracks the visitor across devices and marketing channels.	Session
hjActiveViewportIds	Hotjar	This cookie contains an ID string on the current session. This contains non-personal information on what subpages the visitor enters – this information is used to optimize the visitor’s experience.	Persistent
hjViewportId	Hotjar	Saves the user’s screen size in order to adjust the size of images on the website.	Session
last_pys_landing_page	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	6 days
last_pysTrafficSource	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	6 days
number(#)	widget.sndcdn.com	Used to track user’s interaction with embedded content.	Session
pys_bingid	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_fbadid	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_first_visit	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	6 days
pys_gadid	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_landing_page	spunout.ie	Detects and stores which landing page was presented to the user.	6 days
pys_padid	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_session_limit	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	0 day
pys_start_session	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_utm_campaign	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_utm_content	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_utm_medium	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_utm_source	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pys_utm_term	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	Session
pysTrafficSource	spunout.ie	Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.	6 days
S	Google	Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.	0 day
sentryReplaySession	embed-cdn.spotifycdn.com	Registers data on visitors’ website-behaviour. This is used for internal analysis and website optimization.	Session
sm_rec	SurveyMonkey	Gathers information on the user’s interaction with the SurveyMonkey-Widget on the website, for statistical analysis and website optimization.	Session
u_scsid	sc-static.net	Registers data on visitors’ website-behaviour. This is used for internal analysis and website optimization.	Session
X-AB	sc-static.net	This cookie is used by the website’s operator in context with multi-variate testing. This is a tool used to combine or change content on the website. This allows the website to find the best variation/edition of the site.	0 day

Marketing cookies

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

Name	Provider	Purpose	Expiry
#-#	YouTube	Pending	Session
_fbc	spunout.ie	This cookie is used by Facebook to target advertisement based on user behavior and preferences across multiple websites. The cookie contains an encrypted ID which allows Facebook to identify the user across websites.	6 days
_fbp	spunout.ie	Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.	6 days
_gcl_au	Google	Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.	3 months
_schn1	sc-static.net	Sets a unique ID for the visitor, that allows third party advertisers to target the visitor with relevant advertisement. This pairing service is provided by third party advertisement hubs, which facilitates real-time bidding for advertisers.	0 day
_scid	sc-static.net	Sets a unique ID for the visitor, that allows third party advertisers to target the visitor with relevant advertisement. This pairing service is provided by third party advertisement hubs, which facilitates real-time bidding for advertisers.	13 months
_scid_r	sc-static.net	Sets a unique ID for the visitor, that allows third party advertisers to target the visitor with relevant advertisement. This pairing service is provided by third party advertisement hubs, which facilitates real-time bidding for advertisers.	13 months
_screload	sc-static.net	Used by Snapchat to implement advertisement content on the website – The cookie detects the efficiency of the ads and collects visitor data for further visitor segmentation.	Session
_ttp [x2]	Tiktok	Used by the social networking service, TikTok, for tracking the use of embedded services.	1 year
-2eb4da-5abd2eb8	YouTube	Pending	Session
-6d296d68-1ea847	YouTube	Pending	Session
ads/ga-audiences	Google	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor’s online behaviour across websites.	Session
COMPASS	Google	Pending	0 day
ep#	SurveyMonkey	Saves user states across page requests when completing a web-based survey.	3 months
fr	Meta Platforms, Inc.	Pending	3 months
GFE_RTT	Google	Used to implement the content through Google Docs.	Session
i/adsct [x2]	Twitter Inc.	The cookie is used by Twitter.com in order to determine the number of visitors accessing the website through Twitter advertisement content.	Session
IDE	Google	Used by Google DoubleClick to register and report the website user’s actions after viewing or clicking one of the advertiser’s ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.	399 days
iU5q-!O9@$	YouTube	Registers a unique ID to keep statistics of what videos from YouTube the user has seen.	Session
last_pys_bingid	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
last_pys_fbadid	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
last_pys_gadid	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
last_pys_padid	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
last_pys_utm_content	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
last_pys_utm_source	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
last_pys_utm_term	spunout.ie	Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.	Session
LAST_RESULT_ENTRY_KEY	YouTube	Used to track user’s interaction with embedded content.	Session
lastExternalReferrer	Meta Platforms, Inc.	Detects how the user reached the website by registering their last URL-address.	Persistent
lastExternalReferrerTime	Meta Platforms, Inc.	Detects how the user reached the website by registering their last URL-address.	Persistent
LogsDatabaseV2:V#\|\|LogsRequestsStore	YouTube	Pending	Persistent
muc_ads	Twitter Inc.	Collects data on user behaviour and interaction in order to optimize the website and make advertisement on the website more relevant.	399 days
nextId	YouTube	Used to track user’s interaction with embedded content.	Session
NID	Google	Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads.	6 months
pagead/1p-conversion/#/	Google	Pending	Session
pagead/1p-user-list/#	Google	Tracks if the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees between websites.	Session
pagead/landing [x2]	Google	Collects data on visitor behaviour from multiple websites, in order to present more relevant advertisement – This also allows the website to limit the number of times that they are shown the same advertisement.	Session
personalization_id	Twitter Inc.	This cookie is set by Twitter – The cookie allows the visitor to share content from the website onto their Twitter profile.	399 days
PREF	YouTube	Registers a unique ID that is used by Google to keep statistics of how the visitor uses YouTube videos across different websites.	8 months
remote_sid	YouTube	Necessary for the implementation and functionality of YouTube video-content on the website.	Session
requests	YouTube	Used to track user’s interaction with embedded content.	Session

Unclassified cookies

Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.

Name	Provider	Purpose	Expiry
@@lc_auth_token:217ed45c-7f5d-461a-b333-fd7908c7784a	Livechat	Pending	Persistent
_hjLocalStorageTest	spunout.ie	Pending	Persistent
amp_cookie_test	prod.smassets.net	Pending	1 year
pbid	spunout.ie	Pending	179 days
side_storage_217ed45c-7f5d-461a-b333-fd7908c7784a	Livechat	Pending	Persistent
sm_dc	SurveyMonkey	Pending	Session

Appendix J: Minors’ Data Access Policy

Purpose

This policy has been created as an appendix to the spunout Data Protection Policy.

This policy outlines the procedures and legal considerations for handling requests to access a minor’s data for spunout, Text About It. Our organisation is committed to safeguarding the privacy and confidentiality of all individuals who engage with our services while complying with applicable Irish data protection laws, including the Data Protection Act 2018 and GDPR (EU 2016/679).

This policy is intended to balance confidentiality with legal and ethical responsibilities, ensuring a safe and trustworthy environment for all users.

Scope
This policy applies to all data requests concerning minors (individuals under 18 years of age) and governs how such requests are assessed and responded to.

TABLE OF CONTENTS

Appendix J1: Draft Correspondence for Parents/Guardians who Request Access 62

1. Overview of Policy

For Text About It, given the nature of the data we hold, our policy is generally not to release minors’ data unless compelled by a court order or other exceptional circumstances, notwithstanding our obligations under GDPR and other applicable laws.

2. Principles of Confidentiality and Anonymity

Text About It’s messaging service is designed to be fully anonymous to protect the privacy and confidentiality of users who seek support.

We do not collect or store personally identifiable information in a way that can be straightforwardly linked to the verifiable identity of an individual texter, except in certain limited circumstances in line with legal and safeguarding requirements.
Any communication with our service is treated as confidential unless there is an immediate risk of harm, in which case we may take necessary action.

3. Legal Framework

We operate in compliance with Irish data protection laws, including:

The General Data Protection Regulation (GDPR) (EU 2016/679)
The Data Protection Act 2018
The Children First Act 2015 (where child safeguarding is a concern)

4. Who Can Request Access?

The following individuals may request access to a minor’s data:

A parent or legal guardian (with proof of parental responsibility)
The minor themself, if they are deemed competent under GDPR’s “age of digital consent” (16 years in Ireland)
A law enforcement agency or authorised legal authority (with the necessary legal basis)

5. Verification Process

To ensure compliance with privacy laws, we require:

A formal written request detailing the reason for data access.
Proof of parental or legal guardianship (e.g., birth certificate, court order).
A valid legal basis for the request.

Requests from parents or guardians will not be granted if:

The minor has explicitly requested confidentiality, provided they are of an age to exercise data protection rights.
The request conflicts with the minor’s best interests or well-being.
The request has not come from a legal basis.

5. Situations Where Data May Be Disclosed

We may disclose data only in the following cases:

If compelled by a court order or legal directive.
If there is an immediate risk of harm to the minor or others.
If child safeguarding concerns arise, in which case we will follow mandated reporting procedures to the appropriate authorities.

6. Legal Basis for Denying Access Requests

Under Irish data protection laws, access to anonymous or confidential communications is strictly regulated and generally requires legal intervention, such as a court order or other legal mandate. Without such authorisation, we are unable to provide any information to third parties, including parents or legal guardians, even if the individual in question is a minor.

7. Exceptions and Safeguarding Procedures

While we cannot disclose data to parents or guardians without legal authority, we are committed to ensuring the safety of all users. If a minor using our service is deemed to be at immediate risk of harm, we will take necessary steps, including:

If our trained volunteers or staff identify an immediate risk of harm to the minor or others, we will take appropriate action, including notifying emergency services as necessary.
Any child safeguarding concerns will be addressed in accordance with our legal and ethical reporting obligations, including notifying Tusla (the Child and Family Agency) or other relevant authorities where required.

8. Verification and Handling of Requests

If a parent or guardian contacts us requesting access to a minor’s data:

They will be informed that our service is anonymous and confidential and that we do not retain personally identifiable records.
They will be advised that access to any data, if it exists, would require a court order or other legal authorisation.
They will be directed to our Frequently Asked Questions (FAQs) section and our data protection policies for further clarification.
They will be provided with the above in writing (See Appendix J1)

9. Appeals & Complaints

If a request for data access is denied, the requester may appeal by:

Contacting our Data Protection Officer (DPO) at [email protected]
Seeking legal advice on further actions under data protection laws.

10. Contact and Further Information

For additional inquiries regarding our data protection policies, individuals may refer to our FAQ section:https://www.textaboutit.ie/data-faq. For further concerns, our Director of Clinical Support can be contacted directly at [email protected].

11. Policy Review and Updates

This policy will be reviewed periodically to ensure compliance with relevant laws and best practices. Any updates will be published in the FAQ section on our website and communicated as necessary.

spunout.ie Data Policy

About Us

Support

People

Data Protection Policy

Purpose

Scope

Definitions

1. Principles of Data Protection

2. Types of Personal Data

2.1 Personal Data

2.2 Special Categories of Personal Data

3. Roles and Responsibilities

3.1 Data Protection Officer (DPO)

3.2 Data Processors and Controllers

4. Data Processing Procedures

4.1 Data Collection

4.2 Data Access

4.3 Data Security

4.4 Data Subject Rights

4.5 Data Storage Limitation

4.6 Data Anonymisation and Pseudonymisation

4.7 Information Security

4.8 Unauthorised Disclosure or Access

4.9 Privacy and Data Protection by Design and Default

4.10 Data Protection Impact Assessments

5. Data Sharing

5.1 Third Party Transfer Policy

5.2 Third Parties Relationships Policy

5.3 Joint Controller Agreements

6. Data Retention and Destruction

6.1. Data Storage

6.2. Right to Data Erasure

6.3. Data Destruction

6.4. Data Retention Schedule

7. Data Breaches

7.1 Reporting a Potential Data Breach to the DPO

7.2 DPO Response to a Potential Data Breach

7.3 Reporting Data Breaches to the Data Protection Commissioner

7.4 Informing Data Subjects and Next Steps

8. Subject Access Requests

9. Training and Awareness

10. Enforcement, Monitoring and Compliance

10.1 Enforcement

10.2 Monitoring and Compliance

Appendix A: Definitions

Appendix B: Examples of Personal Data

Appendix C: Special Category Data

Appendix D: Sample Structure of a Data Protection Impact Assessment (DPIA)

Appendix E: Texter Privacy Statement

Appendix F: Marketing Privacy Statement

Appendix G: Volunteer Privacy Statement

Appendix H: Websites Privacy Statement and Cookies Policy

Appendix J: Minors’ Data Access Policy

1. Overview of Policy

2. Principles of Confidentiality and Anonymity

3. Legal Framework

4. Who Can Request Access?

5. Verification Process

5. Situations Where Data May Be Disclosed

6. Legal Basis for Denying Access Requests

7. Exceptions and Safeguarding Procedures

8. Verification and Handling of Requests

9. Appeals & Complaints

10. Contact and Further Information

11. Policy Review and Updates

Our work is supported by