
1.0. Introduction

ComplyPro collects, processes and stores personal data, including sensitive (special category) personal data, on an ongoing basis. The Data Protection Acts 1988, 2003 and 2018 confer rights on individuals and place additional responsibilities on those persons and organisations processing personal data.

2.0. Scope

This policy applies to all data held by ComplyPro including that which is held in manual or electronic form. All staff have a personal responsibility to ensure compliance with the principles of Data Protection law and to adhere to the company’s Data Protection Policy.

3.0. Policy

3.1. Data Protection Principles

Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Under Article 5(2) of the GDPR (the accountability principle), the data controller “shall be responsible for, and be able to demonstrate compliance with” these principles.

3.2. Basis for Holding Personal Data

As part of its work in the provision of occupational health & safety consultancy and training services, ComplyPro must process personal data. In complying with the General Data Protection Regulation, ComplyPro must set out the legal basis on which it processes such data.

The legal bases for processing data are as follows:

  1. Consent: the member of staff, contractor or learner has given clear consent for the company to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for the member of staff’s employment contract or in the completion of a contract with a contractor or other business.
  3. Legal obligation: the processing is necessary for the company to comply with its legal obligations.
  4. Legitimate Interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

A full list of the type of personal data and the legal basis under which it is processed is contained in Appendix III.

3.3. Rights of the Data Subject

The GDPR provides the following rights for individuals:

  1. The Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data.
  2. The Right of Access: Individuals have the right to access their personal data and supplementary information.
  3. The Right to Rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  4. The Right to Erasure: The GDPR introduces a right for individuals to have personal data erased. The right is not absolute and only applies in certain circumstances.
  5. The Right to Restriction: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances.
  6. The Right to Data Portability: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right applies only to data the individual has provided, where the processing is based on consent or contract and is carried out by automated means.
  7. The Right to Object: Individuals have the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.
  8. Rights in relation to automated decision making and profiling: Individuals have rights in respect of automated decision making and profiling: to be informed and to request human intervention or review of automated decisions.

3.4. Fair Processing of Personal Data

We shall be transparent about the intended processing of data and shall notify staff, learners and others of how their personal data will be processed.

There may be circumstances where the company is required, either by law or in the best interests of our learners or staff, to pass information on to external authorities, for example An Garda Síochána, the Child and Family Agency (TUSLA), the Revenue Commissioners, etc. Where possible, any such processing of an individual’s personal data shall be notified to them, and it will be carried out only in accordance with the law.

3.5. Securing Personal Data

In order to protect all data being processed and to inform decisions on processing activities, we shall assess the risks associated with any proposed processing, including the impact on an individual’s privacy of holding data relating to them.

The security arrangements of any organisation with which data is shared shall also be considered, and where required these organisations shall provide evidence of their competence in securing shared data (e.g. information security management certification to ISO/IEC 27001, robust security procedures under a data sharing agreement, etc.).