Identity of the Data Controller
“Data controllers” are the people or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed, and make independent decisions in relation to the Personal Data and/or who/which otherwise control that Personal Data.
Purpose and Scope
Laws that apply to us:
• General Data Protection Regulation (EU Regulation 679/2016)
• Irish Data Protection Acts 1988 to 2018
• Regulations flowing from DPA 2018
• ePrivacy Regulations 2011 implementing EU Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD)
Why and how do we ensure compliance?
Data protection and privacy laws provide rights to individuals with regard to the use of their Personal Data by organisations, including our organisation. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of Personal Data.
We must comply with data protection and privacy laws because the law requires us too but we also would like you to have confidence in dealing with us, and compliance with data protection law helps us to maintain a positive reputation in relation to how we handle Personal Data.
We need to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable data protection and privacy laws, and that we have in fact complied with the laws. We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our systems and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by acting if our representatives, including employees or contractors, fail to follow the rules. We also have certain obligations in relation to keeping records about our data processing.
Who must comply?
What are the data protection principles and rules?
- Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose Limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
- Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.
- Retention – Personal data should be kept in an identifiable format for no longer than is necessary.
- Integrity and confidentiality – Personal data should be kept secure.
- Accountability – Under the GDPR, we must not only comply with the above six general principles but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.
What types of personal data will we process?
We will collect personal data with you in accordance with the purposes outlined in this document. This will be basic or regular personal data used to facilitate a consultant/client type relationship usually your name and email address and from time to time billing information. If you are a sole trader or partnership, we would consider your address to be personal data.
Special Category Personal Data
We will not collect special category data from you.
Criminal Conviction Data
We will not collect criminal conviction data from you.
Children’s Personal Data
Who has access to or processes personal data?
Directors and Employees of the Organisation
Directors and employees of the Organisation who are bound by confidentiality agreements will process personal data on behalf of the Organisation.
We may use trusted service providers who could be considered data processors, sub-processors or third parties. We need to have written agreements in place with all of our service providers and, before we sign each agreement, we need to have vetted and be satisfied with the service provider’s data security. The agreements also need to contain specific clauses that deal with data protection. We require all third parties to have appropriate technical and operational security measures in place to protect your Personal Data, in line with Irish and EU laws on data protection. Any such organisation or individual will have access to Personal Data needed to perform these functions but may not use it for any other purpose.
We use the following service providers:
- Wandsoft Limited
- Blacknight Solutions
- Spiral Web Hosting
- Cath Jenkin
- The Social Network
- Data Influence
- Social Media Networks: LinkedIn, Facebook (Instagram), Twitter
- PHPList (self-hosted)
- Matomo (self-hosted)
- Microsoft (Office) 365 including Skype, Teams, Planner, and SharePoint
- Self-Hosted on Website: WordFence, Blackhole for Bad Bots, Bloom, BirchPress Scheduler, WooCommerce, YITH Request a Quote Premium, WP Mail SMTP Pro, Smush, Author Box for Divi, WP User Avatar, Delete Me, Blubrry PowerPress, Modern Tribe The Events Calendar, Event Tickets, Event Tickets Plus, Yoast SEO, and WP Rocket.
- Modern Tribe Tickets Scanner App (API to Website)
- Surf Accounts
- Wave Accounting (historic records)
- Derek Madden and Co Accountants
- Marie Ford Solicitor
- Three Mobile
- Podcast Subscription Services who have received our RSS Feed: Google Podcasts, Spotify, TuneIn, Subscribe on Android, Stitcher, iHeartRadio, Deezer, Pandora, and Apple Podcasts.
We may pass on your details if we are
- under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or
- in order to enforce or apply any contract or other agreements with you, or
- to protect our rights, property, or safety of our employees, customers, or others.
This includes reporting information about incidents (as appropriate) to the law enforcement authorities and responding to any requirements from law enforcement authorities to provide information and/or Personal Data to them for the purposes of them detecting, investigating and/or prosecuting offences or in connection with crime sentencing.
Other than the above, or captured herein or in another agreement with you, we will not disclose personal information to any third party without your consent or prior knowledge except in incidences where an individual is potentially at risk or where the law requires it.
Where does your data travel to?
Currently, we do not engage in regular international transfers of personal data outside of the EEA.
- If you make use PayPal, your data is transferred under the PayPal Binding Corporate Rules available at https://www.paypal.com/uk/webapps/mpp/ua/bcr.
- If you make use of Freshdesk, your data is transferred under the Standard Contractual Clauses available at https://www.freshworks.com/data-processing-addendum/.
- We use Otter.ai to transcribe interviews which means that your data is transferred under a Privacy Shield certification which has been declared invalid. We have cleared all personal data from our account with Otter and we have queried their stance. In future, we will obtain your explicit consent for these transfers.
- We make use of Slack as a core team tool to discuss development. If you are part of this team, your data is transferred under the Standard Contractual Clauses available which we have executed and is generally available at https://slack.com/intl/en-ua/terms-of-service/data-processing.
- We will not make use of the Bitly service until there is guarantee for sufficient safeguarding of your data.
- We may meet you on social media platforms where your data has already been transferred outside of the EEA. We prefer to take all communications out of social media inboxes onto platforms we use such as email or MS Teams.
If we transfer your Personal Data out of the EEA, we ensure an adequate degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give Personal Data the same protection it has in Europe.
Automated Decision-Making and Profiling
We do not use automatic decision-making or profiling.
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes.
We have a documented data retention schedule. Generally, we will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for and for up to seven (7) years afterwards (for purposes related to Revenue requirements) or otherwise permitted by applicable laws. We may also retain your information during the period of time needed to complete our legitimate business operations, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
WooCommerce Retention Settings:
- Retain inactive accounts for one year.
- Retain pending orders for seven days.
- Retain failed orders for seven days.
- Retain cancelled orders for seven days.
- Retain completed orders for seven years.
- Retain ended subscriptions for seven years.
We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising. Where appropriate, you will be asked whether you wish to receive any marketing communications from us.
We will not share your Personal Data with any third party for marketing purposes. You may object to direct marketing by using the provided links or the contact details herein to opt-out or make use of the opt-out links on communications.
We make use of Facebook Ads from time to time. We do base our ads on interests and do not use re-marketing techniques. You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/help/164968693837950. To opt-out from Facebook’s interest-based ads follow these instructions from Facebook: https://www.facebook.com/help/568137493302217. Facebook adheres to the Self-Regulatory Principles for Online Behavioral Advertising established by the Digital Advertising Alliance.
You can also opt-out from Facebook and other participating companies through
- the Digital Advertising Alliance in the USA http://www.aboutads.info/choices/,
- the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca/, or
- the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu/.
For more information on the privacy practices of Facebook, please visit Facebook’s Data Policy: https://www.facebook.com/privacy/explanation.
We make use of Google Ads from time to time. We do base our ads on keywords and do not use re-marketing techniques. You can opt-out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads. Google also recommends installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: http://www.google.com/intl/en/policies/privacy/.
Cookies, Tracking and Other Technical Personal Data
Cookies are small text files that are transferred to your computer’s hard drive through your web browser to enable us to recognise your browser and help us to track visitors to our site for different purposes. Most web browsers automatically accept cookies, but, if you wish, you can set your browser to prevent it from accepting cookies. The “help” portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
Technical Personal Data
Like most websites, we gather statistical and other analytical information collected on an aggregate basis of all visitors to our website. We may gather technical information for security reasons. We will make no attempt to identify individual visitors, or to associate the technical details listed below with any individual. We will only use the technical information for statistical and other administrative purposes.
We may collect this technical information from you when you visit our website and accept cookies. This information may include standard information from you (such as browser type and browser language), your Internet Protocol (“IP”) address, and the actions you take on our website (such as the web pages viewed and links clicked). We do note that your IP address is considered personal data under the GDPR.
Certain information in relation to web usage is revealed via our internet service provider or hosting provider who records some of the following data. Whilst we do not access this information regularly, the technical information may be used to inform our security measures, to allow us improve the information we are supplying to our users, to find out how many people are visiting our sites and for statistical purposes. The information we receive depends upon what you do when visiting our site:
- The IP address you are using.
- The date and time you access our site.
- The pages you have accessed and the documents downloaded.
- The previous Internet address from which you linked directly to our site.
- The user agent used to accessed our site.
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy
, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
Sale of Organisation
Information on Consent
You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of Personal Data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Coordinator using the contact details set out below.
Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.
Summary of Data Processing Activities
|Categories of Data||Purpose/Activity||Possible Lawful Basis for Processing (we will confirm with you per specific activity queried)|
|Name and Contact Details||To manage our relationship with you as our customer, supplier, or contractor||(a) Performance of a contract with you|
(b) Necessary to comply with our legal obligation
|Name and Contact Details, at times including Billing and/or Shipping Address, Website URL (if personal data contained therein), Usernames (if personal data contained therein)||To provide you with services and access to services such as those that form part of our online offerings, provide quotes, make appointment bookings, give access to training, and run workshops||(a) Performance of a contract with you|
(b) Necessary to comply with our legal obligation
|Name and Contact Details||To send you marketing material||(a) Necessary for our legitimate interests (ensure sales continue)|
|Name and Contact Details (and other personal data you might include in an email, text or voice message)||To respond to requests or queries that you provide to us via email, text or voice message||(a) Necessary for our legitimate interests (customer service)|
(b) Necessary steps to prior to entering into a contract with you
|Name and Contact Details||Notifying you about changes to our terms or this policy where you may have signed up to receive such updates.||(a) Consent|
(b)Necessary to comply with our legal obligation
|Name and Contact Details||Asking you to leave a review or take a survey||(a) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)|
|Name and Contact Details, Video Footage and Transcripts of Conversations||Live streaming video interviews for marketing purposes||(a) Consent|
(b) Necessary for our legitimate interests (to study how customers use our products/services)
|Name and Contact Details, Video Footage and Transcripts of Conversations||Video interviews for marketing purposes||(a) Consent|
(b) Necessary for our legitimate interests (to study how customers use our products/services)
|Name and Contact Details, Voice Recordings and Transcripts of Conversations||Voice interviews for marketing purposes||(a) Consent|
(b) Necessary for our legitimate interests (to study how customers use our products/services)
|Name and Contact Details, Video Footage and Transcripts of Conversations||Training||(a) Performance of a contract with you|
|Name and Contact Details; IP Address||To administer and protect our business and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)|
(b) Necessary to comply with a legal obligation
|IP Address||To use data analytics to improve our website, products/services, marketing and customer relationships and experiences||(a) Consent|
(b) Necessary for our legitimate interest (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
|Name and Contact Details||To respond to your enquiry, feedback or complaint||(a) Necessary to comply with a legal obligation|
(b) Performance of a contract with you
|Name and Contact Details (Invoices and Order Details)||To comply with our tax obligations||(a) Necessary to comply with a legal obligation.|
|Cookies (IP Address)||Cookies can be managed on this link.||(a) Necessary to comply with a legal obligation|
|Name and Social Media Handles||To build an online community, disseminate information and to respond to your queries directly.||(a) Necessary for our legitimate interests (customer service)|
What rights do you have?
Under certain circumstances, and dependent on legal basis under which your personal data is processed, by law you have the right to:
- Request information about whether we hold Personal Data about you, and, if so, what that Personal Data is and why we are holding/using it.
- Request access to your Personal Data (commonly known as a “Data Subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
- Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your Personal Data or profiling of you.
- Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request transfer of your Personal Data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.
How do you exercise your rights?
We have appointed a Data Protection Coordinator to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the Data Protection Coordinator.
If you wish to exercise your rights please contact our Data Protection Coordinator who will respond to the request within 30 days.
We are obliged to comply with exceptions to your requests where laid out in law. Such exceptions relate to health data, disclosures that would be likely to cause serious harm to your physical or mental health or emotional condition and opinions given in confidence.
If you wish to self-manage your newsletter and other subscriptions, please visit: https://phplist.proprivacy.ie/
If you wish to self-manage your user account, please visit: https://www.proprivacy.ie/my-account/
If you wish to delete your user account, please visit: https://www.proprivacy.ie/delete-account/
If you wish to erase all of your personal data without deleting your account yourself or from appointments, quotes, and orders, please email the data protection coordinator from your registered email address. Your email address and erasure request will be deleted from the system once the process is complete.
Your Right to Lodge a Complaint
You as the Data Subject have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. As our organisation is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner.
You can contact the Data Protection Commissioner as follows:
Phone: +353 57 8684800 or +353 (0)761 104 800
Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland
Policy and Notice Approval
- Original 20 June 2018
- Updated 09 September 2018
- Updated 05 March 2019
- Updated 08 April 2019
- Updated 12 June 2019
- Updated 26 July 2019
- Updated 10 August 2019
- Updated 03 November 2019
- Updated 07 December 2019
- Updated 25 January 2020
- Updated 27 January 2020
- Updated 09 February 2020
- Updated 10 February 2020
- Updated 17 February 2020
- Updated 26 February 2020
- Updated 26 March 2020
- Updated 15 May 2020
- Updated 18 May 2020
- Updated 05 June 2020
- Updated 24 June 2020
- Updated 05 July 2020
- Updated 06 July 2020
- Updated 08 July 2020
- Updated 14 July 2020
- Updated 22 July 2020
- Updated 23 July 2020