Fingal Chamber is strongly committed to protecting personal data in our possession. This privacy statement describes why and how we collect and use personal data and provides information about the rights of data subjects. It applies to personal data provided to us, either by individuals themselves or by others. We will only use personal data provided to us for the purposes described in this privacy statement or as otherwise stated at the point of collection.
Personal Data: Information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject: The identified or identifiable natural person.
Special (often referred to as sensitive) data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that includes genetic data, biometric data used to reveal the identity of a person, or data concerning health, sex life or sexual orientation. Personal data relating to criminal convictions is also considered sensitive.
Controller: The natural or legal person, or body which, alone or jointly, determines the purpose and means of the processing of personal data.
We may need to obtain and use information about people with whom we work including employees, members, clients, customers, suppliers or others, and will treat such personal data lawfully and correctly.
The obtaining and processing of personal data creates substantial risks to an organisation, and differing data privacy laws across jurisdictions govern the management of this type of data. This policy is constructed in the context of the General Data Protection Regulation (GDPR, an EU Regulation) and relates to the treatment of Personal Data in the context of the material rules, laws and regulations regarding the collection, processing and usage of such data.
The term Data Privacy is often used collectively to refer to both Data Privacy and Data Protection. This policy covers both.
This document provides a framework for the protection of personal data in the possession of Fingal Chamber to:
- Minimise risk to data subjects
- Enable compliance to regulatory requirements
- Protect the integrity and reputation of the Chamber
Fingal Chamber will maintain a data protection process that is consistent with the nature and scale of the organisation with particular attention to the handling of privacy risks that are most likely to affect data subjects. These types of risks may occur during the collection, usage, processing and deletion of Personal Data and/or the mishandling of Privacy & Data Protection Incidents.
This policy applies to the business as a whole including all branches and subsidiaries in which the Group has at least a 50% share of capital or voting rights. All employees, partners, suppliers, service providers and third parties are subject to governance under this policy to the extent they perform services to the business. Accordingly, appropriate provisions should be incorporated into third party service agreements and contractor agreements.
3. Guiding Principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing will be fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes
c) data collected will be adequate, relevant and limited to what is necessary for the purposes of processing
d) data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
g) we will comply with the relevant GDPR procedures for international transfers of personal data
3.1 Fair, Lawful and Transparent processing
Processing of Personal Data shall be in compliance with GDPR and this policy. Personal Data shall be obtained from subjects in a fair and lawful manner. Where information is obtained directly from the subject, they shall be informed of the name of the organisation and its representative and contact details, the purpose of processing, where appropriate the legitimate interest applicable, the categories of recipients, and any transfers to an international company or location, together with details of the retention period and an explanation of their rights.
We acknowledge that processing may only be carried out where a lawful basis for that processing exists, and we shall assign a lawful basis to each processing activity. Such bases currently include:
- The performance of a contract
- A requirement of law
- The legitimate interest of Fingal Chamber
Where we rely on consent, we recognise the high standard attached to its use. Consent shall be freely given, specific, informed and unambiguous. Where consent is to be sought, we shall do so on a specific and individual basis where appropriate. Subjects will be given a clear indication of the processing activity and informed of the consequences of their consent and of their right to withdraw consent at any time.
Subjects shall at all times have transparent access to their personal data. Such rights are described in section 3.8.
3.2 Processing Limitation
Personal Data shall be processed exclusively for specified and legitimate purposes known to the data subject when collecting the Personal Data. Under no circumstances shall Personal Data be used for a secondary purpose that is incompatible with the legitimate purposes for which the Personal Data was originally collected.
3.3 Data Minimisation
Data processing shall be guided by the principle of data minimisation. The aim shall be to collect, process and use only the Personal Data required to facilitate the processing purpose, i.e. as little Personal Data as possible, in order to comply with the principle of privacy by design and default. In particular, options and techniques to facilitate anonymous or pseudonymous data processing should be used, provided that the cost and effort involved is commensurate with the desired purpose.
3.4 Data Accuracy
Personal Data must be factually correct and if applicable, kept up to date. Appropriate procedures and mechanisms shall be provided to ensure that inaccurate or incomplete data is corrected or erased.
Personal Data which is no longer required for the legitimate purposes must be erased. If a statutory retention period applies, the data should be restricted rather than erased, i.e. operational access permissions are to be revoked except for archiving and backup purposes only.
Fingal Chamber acknowledges the historical value of certain forms of personal data in its possession and the value of more recently obtained information to future generations. Special conditions shall be applied to the retention of this category of data.
3.6 IT security
The processing of Personal Data must be protected in accordance with regulation to ensure that Personal Data remains confidential and secure against unauthorised access and against accidental loss, destruction or damage. Technical and organisational measures for data safeguarding shall be constructed to protect the confidentiality and integrity of personal data. Such measures shall take account of technologies that are currently available and shall be appropriate for the nature of the operation.
The business shall document adherence to the principles and obligations of GDPR in a manner that is both lawful and consistent with the scale and nature of the operation.
3.8 Rights of Data Subjects over their personal data
We respect the rights of persons over their personal data. In general, Data Subjects may request the following:
- Information about Personal Data stored in relation to him/her, its origin and the purpose of the processing, i.e. the Right of Access by the Data Subject [Article 15 GDPR]
- Rectification if Personal Data is found to be incorrect or incomplete, i.e. the Right of Rectification [Article 16 GDPR]
- Restricted processing of Personal Data if it is not possible to establish whether the data is correct or incorrect, i.e. the Right of Restriction of Processing [Article 18 GDPR]
- Erasure of Personal Data if the data processing was unlawful or has become unlawful in the interim, or when the data is no longer required for the purpose of the processing, unless retained for a compelling reason, e.g. statutory retention periods, i.e. the Right of Erasure [Article 17 GDPR]
Subjects also have the right to:
- Restrict the processing of the data
- Transfer the data we hold on them to another party (also known as 'portability')
- Object to the inclusion of information
- Make a submission on any automated decision-making and profiling of personal data
4. Operational processes
4.1 Data Subject Access Requests
All Access Requests (i.e. the right of a natural person to know what Personal Data is stored by a company about him/her pursuant to applicable laws and regulations) and Rectification Requests must be communicated to the Data Protection Representative. Fingal Chamber shall respond to such requests in a timely manner.
Fingal Chamber respects the rights and views of individuals with whom it engages and shall respond to complaints received. All Data Privacy related complaints received from customers, employees, governments or supervisory bodies must be communicated to the Data Protection Representative.
4.3 Data Privacy Incidents (Breaches)
A Data Privacy Incident is defined as an event which may violate Data Privacy Laws. In general, this includes the unauthorised collection, processing, use or disclosure of Personal Data (e.g. loss of confidential customer data, or transfer of customer/employee data to an unauthorised third party).
Some examples of Data Privacy Incidents include:
- Reports containing Personal Data sent to unintended recipients through email or post
- The inappropriate disposal of equipment or hardcopy documentation containing Personal Data
- The unintended or incorrect transfer of Personal Data to customers, service providers or other third parties like credit reference agencies and authorities (e.g. tax authorities)
- Sharing of data containing Personal Data within the business in a manner that is not consistent with the purpose for which the data was collected or that violates the need-to-know principle
The ability to successfully respond to potential Data Privacy Incidents is dependent on timely detection and notification of these incidents.
All data breaches shall be recorded on our Data Breach Register. Where legally required, we will report a breach to the Data Protection Commissioner within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach.
Such events shall be reported to the Data Protection Representative immediately upon discovery or, in their absence, to a senior manager.
Processes shall be documented for the operations above in sections 4.1, 4.2 and 4.3.
5. Special Cases
5.1 Cross-border transfer
We may transfer personal data outside the European Economic Area. These countries do not always afford an equivalent level of privacy protection, and in such circumstances we take specific steps, in accordance with data protection law, to protect your personal information. In particular, for transfers of personal data outside the EEA where there is no adequacy decision by the European Commission, we may rely on contractual protection approved by the European Commission or the applicable safeguards under data protection law.
5.2 The Personal Data of minors
The processing of personal data relating to minors receives special attention under GDPR, and we shall treat this information with particular care. Children are defined as those under 16, although some countries may reduce this to under 13. Information obtained about children shall comply with the requirement for parental consent and shall receive additional consideration when planning an operational process.
5.3 Special (Sensitive) Data
The business recognises special categories of data, specifically personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic or biometric data, or a subject's health or sexual life. The processing of these categories of information shall typically require consent.
5.4 Suppliers, customers and other parties
Where we hold personal data provided by others, we shall:
- seek assurance from the providing party that such information has been obtained fairly
- process such data in a manner that is consistent with GDPR, including but not limited to our obligation to co-operate with access requests received by such parties
6.1 Sub-contractors
As part of our service delivery it is necessary for us to use sub-processors. Elements of our IT support are provided by external parties, and some of these are cloud-based. Our need to rely upon those systems varies depending upon the services we deliver to you and may change as technology evolves. All sub-processors shall provide at least the same level of protection for your data as we do.
6.3 Transfer and Disclosure of Personal Data
The business may only disclose or share Personal Data to/with other companies within the group or third-party suppliers or partners, where disclosure is required by law or has been appropriately communicated to the subject.
6.5 Data Protection judgement calls
Any contract whose subject matter involves the use of personal data, any manual, and any data protection statement shall be approved by the Data Protection Representative.
7. Roles and Responsibilities for Data Privacy
7.1 Data Protection representative
The responsibilities of the Data Protection Representative (DPR) include, but are not limited to:
- Evaluate and manage privacy related events
- Evaluate Data Subject Access Requests or complaints and initiate appropriate response
- Maintain knowledge of Data Protection and stay abreast of developments that may affect the organisation
- Act as the liaison with relevant Data Protection supervisory bodies
- Keep the board informed through regular updates
- Take ownership for all aspects of the good management of this policy
- Act as the primary contact for a Data Protection Business Partner
- Assess all external-facing Data Privacy statements for compliance with policy and law
- Implement Data Privacy training
- Implement and manage a Data Protection control process to demonstrate compliance
- Assess frequent or repetitive privacy issues and redefine the control process as necessary
7.2 Data Protection Business Partner
The business may appoint a data protection business partner to provide independent and professional advice on issues relating to Data Protection. Their responsibilities include but are not limited to:
- Act as partner to the Data Protection Representative regarding privacy related processes
- Become familiarised with the Personal Data processing activity of the business
- Advise on and assess, prior to implementation, activities impacting Personal Data for compliance with privacy requirements as applicable
- Participate directly in large or high-risk projects or events
- Advise on critical events