1. Objective of Policy
This Data Protection policy is a statement whereby we at O’Dwyer Power (“the business”) commit to protecting the rights and privacy of individuals in accordance with the requirements of the Data Protection Act 2018 (“the Act”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”). It ensures that O’Dwyer Power:
- Is compliant with the relevant data protection legislation and follows what is considered industry good practice in protecting the personal data it collects, stores and processes;
- Protects the rights of our staff, customers and any other relevant third-parties as they relate to data protection and privacy;
- Is open and transparent in relation to how we collect, store and process individuals’ personal data; and
- Protects the organisation from the risks of a data breach.
The policy covers both personal data and special categories of personal data held in relation to data subjects by O’Dwyer Power, as defined by the Act and GDPR. The policy applies equally to personal data held in both manual and automated forms. All personal data and special categories of personal data will be treated with equal care by O’Dwyer Power. Both categories are referred to as Personal Data in this policy, unless specifically stated otherwise.
At O’Dwyer Power we need to collect and use certain personal information from the following persons:
- Business Contacts
- Third-party data received from our clients
These guidelines set out the requirements of the Act and GDPR, and the steps to be taken by us when processing personal data. These guidelines will be updated, as required, to allow for any legislative changes. These guidelines apply to all staff of the Business and any other parties who are authorised to access Personal Data held by the Business.
Data Protection law safeguards the privacy rights of individuals in relation to the processing of their personal data. The Act and GDPR confer rights on individuals as well as responsibilities on those persons processing personal data. Personal data is data relating to a living individual who is or who can be identified, either from the data or from the data in conjunction with other information available.
2. Roles and Responsibility
All employees of the Business who collect and / or control the contents and use of personal data are responsible for compliance with the Data Protection Policy.
3. Data Protection Principles
O’Dwyer Power undertakes to perform our responsibilities under the regulation, as follows:
- Personal data shall be collected and processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with the Act and GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the Act and GDPR, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); and
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
4. Rights of Data Subjects
O’Dwyer Power will also endeavour to uphold the rights of data subjects as laid out in the Act and GDPR as follows:
- Provide transparent information and communication to data subjects on how to exercise their rights;
- Provide information about our processing activities to the data subject;
- Provide the data subject with the right to obtain from us confirmation as to whether or not we are processing personal data concerning him or her and, where that is the case, access to the personal data;
- Provide the right of rectification for the data subject to correct inaccurate personal data concerning him or her;
- Provide the data subject with the right to obtain from us the erasure of personal data concerning him or her without undue delay and we shall have the obligation to erase personal data without undue delay unless we have overriding legitimate grounds for continued processing. This will be handled on a case by case basis under the circumstances listed in the Act and GDPR;
- Allow the data subject to restrict the processing of their data unless we have an overriding legitimate lawful purpose for continuing to process the data;
- Provide the data subject with the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller under the conditions listed in the Act and GDPR; and
- The data subject shall have the right to object to processing concerning them and to have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Please note that the above rights are not always absolute and there may be some limitations.
5. Key Definitions
O’Dwyer Power collects and maintains Personal Data and is therefore subject to the provisions of the Act and GDPR as a Data Controller. Personal Data includes automated data (e.g. information held on computer systems) as well as manual data (e.g. paper-based filing systems).
The key definitions set out in the Act and GDPR are summarised below.
The term “personal data” is information related to a living individual who is or who can be identified:
- from the data, or
- from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The term “special categories of personal data” means personal data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data for the purposes of uniquely identifying a natural person;
- any form of health information; and
- a natural person’s sex life or sexual orientation.
Data “processing” includes obtaining, recording or holding information and carrying out any operation on the information such as organising, altering, using, disclosing, erasing or destroying it.
A “data subject” is an individual who is the subject of personal data. This includes partnerships and groups of individuals, but not limited companies. In terms of O’Dwyer Power, all Business members, employees, officers and volunteers are data subjects.
A “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
A “data processor” means any person (other than an employee of O’Dwyer Power) who processes the data on behalf of O’Dwyer Power.
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
6. Types of Personal Data Held
O’Dwyer Power collects and uses Personal Data such as the following:
- Contact data: name, address, email, telephone numbers;
- Correspondence data: Emails, letters, general records of phone calls;
- Financial data: bank account and banking details, transactions, financial status and history;
- Details for compliance with Anti-Money Laundering obligations: identification documents, proof of address;
- Employment data: occupation, place of employment, salary, payslips;
- Other data: date of birth, Tax Identification/PPS numbers, tax residency details, beneficial, tax clearance access number;
- Recruitment candidate data: contact information, data contained in a CV (eg. employment history, educational history), references;
- Website data: IP addresses, operating system, use of our website, duration of site visit.
7. Purpose of Processing Personal Data
O’Dwyer Power will use personal data in order to carry out the following functions:
- To provide you with the services you have requested;
- To provide you with details about our services (unless you have opted not to receive such communications);
- To contact you in relation to our services;
- To maintain a business relationship with you;
- To invoice you for our services or collect a payment from you;
- To enter into a contract with you to provide our services;
- To comply with our legal or regulatory obligations, for example anti-money laundering;
- To comply with our Institute/Association compliance obligations; and
- To maintain our website and use it to provide you with details of our services.
8. Data Sharing and Data Transfers
We do not sell any personal information, nor do we share it with unaffiliated third parties unless we are required to do so by law. We will ensure that any information passed to third parties conducting operational functions on our behalf will be done with respect for the security of personal data and will be protected in line with data protection law.
Ways in which we may share personal information include:
- With official bodies such as the Revenue Commissioners where we carry out reporting on your behalf;
- To engage external IT providers so as to ensure the security of our IT systems in order to protect all personal data;
- With our insurers or assessors when providing or reviewing information in the event of an incident occurring;
- To engage professional services of third parties, such as solicitors or any other such business advisers. Any such parties are bound by confidentiality and are employed under contract;
- We reserve the right to report to law enforcement any activities that we, in good faith, believe to be illegal;
- To provide information to An Garda Síochána or other Government bodies or agencies when required to do so by law;
- To transfer your data to another business where we have received a request, authorised by you, from another business to do so;
- In connection with, or during negotiations of a business merger or sale or similar business transfer provided that such party agrees to use such Personal Information in a manner consistent with this Policy.
There may be circumstances where we transfer your personal data outside the EEA, such as when we use the services of online platforms or where we use a cloud-based IT system to hold your data. We safeguard your data by ensuring that at least one of the following safeguards is in place:
- a contract based on the standard contractual clauses (“model clauses”) approved by the European Commission, obliging the recipient to protect your personal data; or
- the recipient is located in a third country approved by the European Commission under an adequacy decision.
9. Lawful Basis for Processing Personal Data
- Article 6.1(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
Examples of where this lawful basis is applicable include the following:
- the processing is necessary for us to provide services to our clients;
- when we contact you regarding invoicing or payments; and
- to perform any part of the service you have contracted us to provide to you.
- Article 6.1(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”
Examples of where this lawful basis is applicable include the following:
- to comply with our regulatory reporting obligations such as reporting suspicious business activities or fraud;
- to fulfil reporting obligations to Revenue;
- to comply with anti-money laundering and combating terrorist financing obligations under The Money Laundering provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by Part 2 of the Criminal Justice Act 2013; and
- to meet our legislative and regulatory duties to maintain audited financial accounts;
- Article 6.1(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”
Examples of where this lawful basis is applicable include the following:
- When promoting our services. Our legitimate interest: we want to ensure that our clients are aware of the services we offer and that they are kept up to date;
- Any form of correspondence with you. Our legitimate interest: to ensure a good quality of service, to assist in training, to ensure that correct instructions were given or taken due to the nature of our business, and to quickly and accurately resolve any disputes;
- During a recruitment process when we need to communicate with candidates. Our legitimate interest: to update candidates on the recruitment process for the purposes of considering them for employment or for future positions.
- Article 6.1(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
Examples of where this lawful basis is applicable include the following:
- Marketing and Research: to provide our clients or potential clients with details of our services, provided they have not opted out of receiving such communications, and to carry out market research. Individuals can opt out of receiving marketing communications at any time;
- Cookies on our website: we may obtain information about general Internet usage by using a cookie file which is stored on an individual’s browser or the hard drive of their computer. Visitors to our website can choose not to consent to cookies or disable cookies in their browser settings at any time.
10. Subject Access Requests (SARs)
You have the right to be informed whether we hold information/data about you and to be given a description of the data together with details of the purposes for which your data is being kept. Should you wish to exercise this right, we would ask you to please make this request to us in writing and we will accede to the request within one month having first verified your identity to ensure the request is legitimate.
No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual and, where it has not been possible to redact the data to ensure that the third party is not identifiable, we must refuse to furnish the request.
11. Security of Personal Data
O’Dwyer Power must ensure the confidentiality, integrity, availability, and resilience of personal data when in use, transit and storage. We are obliged to protect the data from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing.
- Appropriate security controls, including technical and non-technical are utilised to protect O’Dwyer Power personal data;
- Computer screens, printouts, files or documents displaying personal data are only visible to authorised personnel;
- Personal data held in manual (paper) files is held securely in locked cabinets, locked rooms or rooms with restricted access;
- Data printouts are shredded and disposed of securely when no longer required;
- Staff are instructed to always keep information strictly confidential and not to disclose or discuss an employee’s or customer’s information or circumstances with any unauthorised outside parties;
- Our IT partners ensure that our systems are protected and that backups are done in real time and stored securely;
- Staff are given regular training on how best to protect the personal data they handle during the course of their work;
- Any third parties who process personal data on our behalf are contractually bound to process personal data in line with current data protection law, practices and principles, thus ensuring the security of the data. This processing is done under a Data Processing Agreement.
12. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal or contractual obligation to keep it. Where possible we record how long we will keep your data; where that is not possible, we will explain the criteria used to determine the retention period. Once the retention period has expired, the respective data will be permanently deleted.
We have a regulatory requirement to retain all accounting and taxation details for 6 years. Should certain information be required to establish, exercise and defend our legal rights, we may retain documentation for extended periods.
13. Privacy by Design and Default
The GDPR requires that all O’Dwyer Power systems and processes are designed and operated in a compliant manner. O’Dwyer Power will conduct a Data Protection Impact Assessment (DPIA) for any new project that involves the collection of personal data or special categories of personal data, as well as for any change to an existing project where there are risks to the data.
14. Notification of Data Breaches
Article 4(12) GDPR defines a ‘personal data breach’ as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Staff at O’Dwyer Power are trained to recognise a breach and are instructed to inform a company director if they suspect a breach has occurred or have evidence of a potential breach.
O’Dwyer Power has a Personal Data Breach Procedure in place which will be followed in the event of a breach being reported either internally or by a third-party processor.
15. Contact Details
O’Dwyer Power, 1st Floor, 9 Adelphi Quay, Waterford.
Tel: 051 364034
You have a right to complain to the Data Protection Commission (DPC) in respect of any processing by using the details below (or by completing a webform at: https://www.dataprotection.ie):
Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
Tel: 0578 684 800