GDPR and Your Data
How we protect your information

Handling of Personal Data
Consent information on data subjects will always be stored together with their data, to allow quick confirmation of their consent.
We only continue to handle and process personal data with the express consent of a data subject. When the subject indicates in any manner that they have withdrawn consent, handling and processing of their data will be ceased immediately.

Data Subject Rights
Access to Personal Data (Article 15)
Upon receipt of a Subject Access Request from a data subject, we shall review what data, if any, we hold on the subject and respond to their request within one month from time of receipt. Specifically, we shall:
- confirm whether or not we are processing personal data concerning them;
- provide a copy of the personal data we hold about them in an accessible format;
- provide information about the processing (such as purposes, categories of personal data, recipients, etc.).

Data Portability (Article 20)
Upon request by a data subject, we will provide personal data in a structured, commonly used, and machine-readable format. PDF will be the default given the small amounts of data we normally process, but for larger amounts of data a highly portable format such as XML, JSON, or CSV would be more appropriate and will be used.

Deletion and Rectification (Articles 16 and 17)
It is our policy to allow personal data to be deleted or rectified upon request of the data subject or when we discover some error in the data. Data will be withheld from deletion only where a legal obligation requires us to retain it.

Right to Restriction of Processing (Article 18)
When a data subject has requested that processing of their data be restricted, we will immediately halt the processing of such data by flagging their information in their files and notifying all relevant staff not to use or process the restricted information until further notice.

Right to Object to Processing (Article 21)
When an individual has objected to the processing of their data, we will immediately comply with their request and take measures necessary to remove the data from any processing by flagging it in our files for any employee that might handle their data.

Profiling and Automated Processing (Article 22)
Our organization does not engage in any automated decision making based on the data we collect and retain.

Restriction to Data Subject Rights (Article 23)
No instances of lawful restrictions of data protection rights have been identified. We consider it appropriate to our business practices that data subjects enjoy their data protection rights in full.

Accuracy and Retention of Personal Data
We retain personal data under the following principles:
- Purpose limitation - personal data of data subjects is only used for the purposes for which it was originally collected, as detailed in either the contract or the consent form.
- Data minimisation - the collection of personal data is limited to what is necessary for the purposes for which it is processed. Generally, data retained is adequate, relevant, and limited to what is necessary for the purpose. We do not collect any information that is considered sensitive, such as religious, racial, or political information.
- Accuracy - personal data is kept up-to-date and accurate through a process of verifying basic data with the data subject upon contact with them every several months, or when any information leads us to believe that their data may have changed. Where a correction is required, the necessary changes are made without delay.
- Retention - data is held for no longer than is necessary for the purposes for which it was collected. This involves removal or destruction of data upon the end of the period of consent or upon the expiration of any contractual obligation to keep the data. The nature of our business does not generally subject us to other rules that require a minimum retention period.
- Destruction of data - in accordance with retention policies, data is destroyed either by physical destruction of the paper record or by deletion and periodic wiping of the digital record, or both when necessary.
- Duplication of records - no unnecessary duplication of records is carried out. The principal copy of the record may be either electronic or paper, but additional copies are never kept.

Transparency
Transparency to customers and employees (Articles 12, 13 and 14)
Our consent documents and contractual clauses involving personal data are written in a concise, transparent, intelligible and easily accessible form using clear and plain language. This is to allow any data subjects to clearly understand what information we collect and why, as well as their rights regarding such data.

Where personal data is collected directly from the data subject, the information listed at Article 13 of the GDPR is provided to data subjects, including:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability;
- where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data is not collected from the subject but instead from a third party, the information listed at Article 14 of the GDPR shall be provided to the data subject within one month of receiving it, in the first communication with the subject, or prior to any disclosure of the data to any other party, whichever is soonest. Any further processing of the data beyond the original scope will be communicated to the data subject in a transparent manner. Where personal data is collected from a third party, the following additional information listed at Article 14 shall be provided:
- the source from which the personal data originate and, if applicable, whether it came from publicly accessible sources.

Individuals are proactively informed of their GDPR rights at the time their consent is obtained to ensure they are able to freely exercise those rights in full understanding of the data that are being collected.

We facilitate individuals exercising their GDPR rights in an easily accessible and readable format, which will be made available on our website.

Other Data Protection Obligations
Supplier Agreements (Articles 27 to 29)
All agreements with suppliers and other third parties processing personal data on our behalf are reviewed to ensure all appropriate data protection requirements are included. This includes:
- Defining the responsibilities of the data controller and data processor and ensuring that processing is only carried out on the basis of a written agreement that details the appropriate technical security and organisational measures to be applied by the data processor;
- Obtaining sufficient guarantees regarding the security measures applied by processors acting on our behalf, and annual reviews to ensure that the terms of the written agreement are being adhered to;
- Using only data processors that have vendor certification, appropriate IT qualifications and/or certification, or the appropriate certification from a relevant certifying body such as the International Organization for Standardization;
- Requiring formal sign-off to ensure that appropriate security measures are implemented and that changes/updates are performed in a timely manner;
- Having data processors provide quarterly reports on the management of IT systems and following up to ensure that work is carried out;
- Reviewing security measures annually to ensure they are up to date.

Data Protection Officer (DPO) (Articles 37 to 39)
We do not need to appoint a DPO, since our core activities do not consist of processing operations that require regular and systematic monitoring on a large scale, we are not a public authority, and we do not handle large volumes of the special categories of data given in Article 9 (racial and ethnic data, etc.).

Data Protection Impact Assessments (DPIAs) (Article 35)
Currently none of our data processing is considered high risk, and the nature of our business practice makes it unlikely that we would ever need to engage in such processing. However, we will identify the need for such assessments in future by considering whether our processing comes to involve a systematic and extensive evaluation of personal aspects based on automatic processing, the extensive use of special categories of data given in Article 9 (racial and ethnic data, etc.), or the systematic monitoring of public areas on a large scale.

Data Security
Appropriate technical and organisational security measures (Article 32)
We have assessed the risks involved in processing personal data and put measures in place to mitigate against them. We shall consistently implement the following IT security measures:
- ensure that all computing devices such as PCs, mobile phones, and tablets are using an up-to-date operating system;
- ensure all computing devices are regularly updated with manufacturer’s software and security patches;
- use antivirus software on all devices;
- implement a strong firewall;
- review vendor-supplied software and update default system, administrator, and root passwords and other security parameters to ensure defaults are not left in place;
- ensure data backups are taken and are stored securely in a separate location;
- ensure that data backups are periodically reviewed and tested to ensure they are functioning correctly;
- ensure that industry standard encryption technologies are employed for transferring, storing, and receiving individuals' sensitive personal information;
- ensure that mobile devices (such as laptops, mobile phones and tablets) are encrypted;
- ensure that two-factor authentication is enabled for remote access;
- ensure that websites have TLS (transport layer security) in place to securely collect personal data via webforms (such as for newsletter subscriptions) or on e-commerce websites.

We shall consistently implement the following physical security measures:
- keep offices and storage units locked;
- keep server rooms or cabinets locked;
- cable desktop machines and laptops to desks;
- implement clean desk policies;
- ensure that fire and burglar alarms are in place and that they are functioning correctly;
- ensure that ICT equipment such as hard drives and old laptops, computers and mobile devices are securely disposed of at end of life.

We shall consistently implement the following training/HR security measures:
- communicate to employees the importance of company data and all the measures they can take to protect it;
- conduct ongoing staff training on, but not limited to, social engineering attacks, crypto ransomware, and data protection;
- document data collection and retention policies;
- ensure the use of strong passwords by having a password policy in place that is enforced;
- ensure remote access is supported by a remote access policy;
- document a data breach incident response plan and test it periodically to ensure a data breach can be effectively responded to;
- document data back-up policies;
- periodically review contracts with 3rd party ICT providers to ensure the security measures documented are still appropriate and up to date.

Our main process for resolving security related complaints and issues is to direct such issues to our main point of contact, Kathy O'Dwyer, who shall decide based on the severity and nature of the issue whether it can be resolved using existing resources or whether outside professional services may be required. Kathy O'Dwyer is also responsible for preventing and investigating security breaches and for ensuring that access to personal data is restored in a timely manner in the event of a physical or technical incident.

Data Breaches
Data Breach response obligations (Articles 33 and 34)
In response to a security incident that indicates some private data may have been breached, we will take all necessary steps to ensure that the negative impacts of the incident are mitigated, that the appropriate authorities are notified, and that the data subject is made aware where applicable.
Unless the breach is unlikely to result in a risk to the data subjects whose information has potentially been exposed, we will notify the Data Protection Commissioner within 72 hours of the incident. The notification shall:
- describe the nature of the data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The incident shall in all cases be reviewed and documented to help prevent future incidents.
These procedures will be reviewed and revised at least annually, and more frequently in light of new technology, risks, and incidents.

Cooperation procedures will be put in place between our organization and any data processors that we are in partnership with to coordinate our efforts to meet any obligations under the GDPR's data breach provisions.