Privacy Policy
What is the Purpose of this Privacy Statement?
The DPCC Privacy Statement sets out our commitment to compliance with data protection legislation, including the Irish Data Protection Acts and the EU General Data Protection Regulation.
Who does this Privacy Statement refer to?
This policy refers to all parties (job candidates, employees, clients, contractors, suppliers and other parties etc.) whose personal data is processed by us.
Who must follow this Privacy Statement?
Employees of DPCC must follow this policy. Contractors, consultants, partners and any other external entity are also required to comply.
What data is included?
As part of our services, we need to obtain and process data. This data includes any offline physical data or online data that makes a person identifiable such as names, addresses, usernames and passwords, IP addresses, any online identifier, CCTV, digital footprints, photographs, social security numbers, financial data etc. It also may include one or more factors specific to the physical, physiological, genetic, mental, cultural or social identity of that person.
Ensure your organisation has provided all the relevant information applicable from this table below
Types of Personal Data (i.e. any information relating to an identified or identifiable person) | | Legal Basis | Retention Period | Purpose
Demographic Data | Name, surname, date of birth | Contractual Necessity | | For employment purposes
Contact Details | Home landline phone number, personal/work mobile, home postal address, personal/work email address | Contractual Necessity | | For employment purposes
Financial Data | Start date, pay type, employment type, hours per FN, cost centre, centre, job title, salary, payroll no., name, surname, address, personal & work e-mail address, home and mobile phone number, PPS no., DOB, bank details, gender, medical card holder | Contractual Necessity | | To process payroll
Digital Identifiers | IP address, MAC address, metadata, cookie identifier, advertising IDs, pixel tags, account handles | Legitimate Interests | 1-3 months depending on backups | To control information inbound to the service and outbound to the internet
Social Media | Twitter account, Facebook URL, Instagram URL | Legitimate Interest | |
Special Categories Data | Trade union membership | Contractual Necessity | | For payment purposes
Government Identifiers | Personal public service number | Legitimate Interest | | For processing payroll
Other | Car registration number, insurance policy number, motor tax and NCT certificates | Legitimate Interest | Yearly | To process mileage expenses
How does DPCC collect your data?
We collect this data in a transparent way and only with the full knowledge of interested parties. Once this information is available to DPCC, the following rules apply. Our data will be:
- Accurate and kept up-to-date
- Collected fairly and for lawful purposes only
- Processed by DPCC on the basis of either a valid contract, consent, legal compliance or legitimate interest
- Protected against any unauthorised access or illegal processing by internal or external parties.
Our data will not be:
- Communicated to any unauthorised internal or external parties
- Stored for more than a specified amount of time
- Transferred to organisations, states or countries outside the European Economic area without adequate safeguards being put in place as required under Data Protection law.
Where consent is relied upon as a basis for processing of any personal data, you will be presented with an option to agree or disagree with the collection, use or disclosure of personal data. Explicit consent will be required for the processing of any special category of personal data and/or data belonging to a person under the age of 16.
What are the 7 principles we comply with?
- Lawful, Fair and Transparent – Ensuring valid obtaining and processing of personal data
- Purpose Limitation – Ensuring data is kept for one or more specified, explicit and lawful purposes
- Data Accuracy – Ensuring the data processed is accurate, complete and up-to-date
- Data Minimisation – Ensuring the data processed is adequate, relevant and not excessive
- Storage Limitation – Ensuring personal data is kept for no longer than necessary
- Integrity and Confidentiality – Ensuring the safety & security of data
- Accountability – Ensuring correct records are maintained
Disclosure of data
Your personal information may also be processed by other organisations on our behalf for the purposes outlined above. We may disclose your information to the following:
- Revenue, Social Welfare, Data Protection Commission, outsourced Employment Law advisors, auditors, pension brokers & trustees, financial institutions, debt collectors, consultants, IT providers, couriers, shredding company, security company, printing company, accountant/auditors, insurers, partners, associates, agents or subcontractors and to possible successors to our business
- Transmission of personal data within a group of undertakings for internal administrative purposes including the processing of clients’ or employees’ personal data
Some of these parties may reside outside the European Economic Area (which currently comprises the Member states of the European Union plus Norway, Iceland and Liechtenstein). If we do this, your information will be treated to the same standards adopted in Ireland. We may also disclose your information for the prevention and detection of crime and to protect the interests of DPCC or others, or if required to do so by law or other binding request.
Information we provide before processing the data
Prior to processing any data DPCC will always provide, via this Privacy Statement, the following information:
- Which of their data is collected
- How DPCC process their data
- The purpose for DPCC processing their data
- Who has access to their information
- Provisions in cases of lost, corrupted or compromised data
- Information relating to the right to request that we modify, erase, reduce or correct data contained in our systems
- Information relating to data subjects' rights in relation to their data.
How we protect your data
DPCC’s commitment to protect your data:
- Restrict and monitor access to sensitive data
- Develop transparent data collection procedures
- Train employees in data protection and security measures
- Build secure networks to protect online data from cyberattacks
- Establish clear procedures for reporting privacy breaches or data misuse
- Include contract clauses or communicate statements on how we handle data
- Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorisation etc.).
What is the legal basis for holding your data?
We collect your data based on the following legal bases:
- Consent – where you have explicitly agreed to us processing your information for a specific reason such as marketing or explicit consent for us to process any special category of data about you;
- Contract – where you have entered into a service with us and the processing is necessary to perform this service
- Compliance – the processing is necessary for compliance with a legal obligation we have such as keeping records for revenue or tax purposes or providing information to a public body or law enforcement agency; we may be required to process certain data to carry out our obligations under employment, social security or social protection law; the processing is necessary for the establishment, exercise or defence of legal claims. We are required by law to process that data in order to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations
- Legitimate interest – the processing is necessary for the purposes of a legitimate interest pursued by us to provide our services to you or our clients and other third parties and ensure that our client engagements are well-managed or to ensure that complaints are managed effectively, to prevent fraud, to enhance our service offerings and to keep you and our clients informed about the service we are currently providing to you and our clients.
Where lawful basis is a statutory or contractual requirement, state if individual is obliged to provide the personal data and possible consequences of failure to provide such data.
How long will we hold your personal data?
We will only retain personal data for as long as necessary for the purposes for which it was collected, as required by law or regulatory guidance to which we are subject, or to defend any legal actions.
We will retain personal data about job applicant candidates for no more than one year.
Your Rights
Right to Erasure
When have I the right to all my personal data being deleted by DPCC?
You have the right to have your personal data deleted without undue delay if:
- The personal data is no longer necessary in relation to the purpose(s) for which it was collected/processed
- You are withdrawing consent and where there is no other legal ground for the processing
- You object to the processing and there are no overriding legitimate grounds for the processing
- The personal data has been unlawfully processed
- The personal data must be erased so that we are in compliance with legal obligation
- The personal data has been collected in relation to the offer of information society services to a child.
What happens if DPCC has made my personal data public?
If we have made your personal data public, we, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform those who are processing your personal data that you have requested the erasure.
What happens if DPCC has disclosed my personal data to third parties?
Where we have disclosed your personal data in question to third parties, we will inform them of your request for erasure where possible. We will also confirm to you details of relevant third parties to whom the data has been disclosed where appropriate.
Right to Data Portability
When can I receive my personal data in machine readable format from DPCC?
You will receive the personal data concerning you in a structured, commonly used and machine-readable format if:
- processing is based on consent
- processing is carried out by automated means.
Would DPCC transfer the personal data to another service provider if I requested this?
We can transfer this data to another company selected by you on your written instruction where it is technically feasible taking account of the available technology and the feasible cost of transfer proportionate to the service we provide to you.
Under what circumstances can DPCC refuse?
You will not be able to obtain, or have transferred in machine-readable format, your personal data if we are processing this data in the public interest or in the exercise of official authority vested in us.
Will DPCC provide me with my personal data if the file contains the personal data of others?
We will only provide you with your personal data, ensuring we protect the rights and freedoms of others. Where personal data of another person may be on the same files as yours, we will redact the full details of the other person. Contact us at sandra.mathews@dpcc.ie.
Right for Automated Individual Decision Making including Profiling
What are my rights in respect of Automated Decision making?
DPCC does not have any automated decision-making processes. Where any such processes are introduced, we will provide you with the relevant information required under the “General Data Protection Regulation”.
Right to Object
Have I already been informed about my right to object?
We have informed you of your right to object prior to us collecting any of your personal data as stated in our privacy notice.
When can I object to DPCC processing my personal data?
You can object on grounds relating to your situation.
DPCC will stop processing your personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms
- the processing is for the establishment, exercise or defence of legal claims.
What are my rights to object for direct marketing purposes?
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, we will no longer process this data for such purposes.
What are my rights to object in the use of information society services?
In the context of the use of information society services, you may exercise your right to object by automated means using technical specifications.
Contact us at dpl@dlrleisure.ie
Right to Restriction of Processing
When can I restrict processing?
You may have processing of your personal data restricted:
- While we are verifying the accuracy of your personal data which you have contested
- If you choose restricted processing over erasure where processing is unlawful
- If we no longer need the personal data for its original purpose but are required to hold the personal data for defence of legal claims
- Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override.
What if DPCC has provided my personal data to third parties?
Where we have disclosed your personal data in question to third parties, we will inform them about the restriction on the processing, unless it is impossible or involves disproportionate effort to do so.
How will I know if the restriction is lifted by DPCC and/or relevant third parties?
We will inform you on an individual basis when a restriction on processing has been lifted.
Contact us at sandra.mathews@dpcc.ie
Right of Rectification Policy
What can I do if DPCC is holding incorrect personal data about me?
Where you suspect that data we hold about you is inaccurate, we will on demand rectify any inaccuracies without undue delay and provide confirmation of same.
What happens if DPCC has disclosed my personal data to third parties?
Where we have disclosed inaccurate personal data to third parties, we will inform them and request confirmation that rectification has occurred. We will also provide you with details of the third parties to whom your personal data has been disclosed.
Contact us at Sandra.mathews@dpcc.ie
Right to withdraw Consent
Under what circumstances could I withdraw consent?
You can withdraw consent if we are processing your personal data based on your consent.
When can I withdraw consent?
You can withdraw consent at any time.
If I withdraw consent what happens to my current data?
Any processing based on your consent will cease upon the withdrawal of that consent. Your withdrawal will not affect any processing of personal data prior to your withdrawal of consent, or any processing which is not based on your consent.
Contact us at Sandra.mathews@dpcc.ie
Right to lodge a complaint
Can I lodge a complaint with the Data Protection Commission?
You can lodge a complaint with the Data Protection Commission in respect of any processing by or on behalf of DPCC of personal data relating to you.
How do I lodge a complaint?
Making a complaint is simple and free. All you need to do is write to the Data Protection Commission giving details about the matter. You should clearly identify the organisation or individual you are complaining about. You should also outline the steps you have taken to have your concerns dealt with by the organisation, and what sort of response you received from them. Please also provide copies of any letters between you and the organisation, as well as supporting evidence/material.
What happens after I make the complaint?
The Data Protection Commission will then take the matter up with DPCC on your behalf.