Data Protection Privacy Notice
This Data Protection Privacy Notice provides information about the ways in which Mayo Roscommon Hospice Foundation (“the Hospice”) collects, stores and uses personal data relating to individuals (i.e. data subjects). The Hospice fully respects your right to privacy, and your data protection rights. The Hospice is fully committed to compliance with the General Data Protection Regulation (“GDPR”) and the Irish Data Protection Acts, 1998 – 2018 (the “Law’).
Under GDPR, Personal Data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’).” Such data may include, but is not limited to, a person’s name and address; fundraisers’ and donors’ details, or records relating to a person’s employment relationship.
“Processing” means any action performed on personal data, including collection, recording, storage, erasure or destruction. The Hospice is the ‘Data Controller’ in respect of the Personal Data processed. The Hospice is registered with the Charities Regulatory Authority (Charitable Status No: 10980 and CRA: 20029098).
The Hospice has introduced a range of policies and procedures, which it reviews regularly, in order to ensure it complies with the requirements as defined by the law to ensure that Personal Data we process is:
• processed in a way that is fair, lawful and transparent;
• collected for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary;
• accurate, complete and up-to-date;
• retained no longer than is necessary for the purpose(s) for which it was obtained, taking into account legislative or audit requirements; and
• processed in a manner that ensures appropriate security.
Fair Processing Policy
The Hospice processes your Personal Data for a specific purpose which depends on your category of Data Subject – note following the categories of Data Subjects, how their Personal Data will be used and retained for:
• If you are a Volunteer, we process your Personal Data for the purpose of organising volunteer events and we do so on the basis of your consent. Your information is retained for as long as you remain an active volunteer for the Hospice, plus 3 years.
• If you are a Donor, we process your Personal Data for the purpose of requesting and accepting donations and we do so for direct marketing processing which is a legitimate interest of the Hospice. We also seek your explicit consent for future marketing. Processing for direct marketing purposes will continue only for as long as you give your consent. Your information is retained for as long as you remain an active Donor, plus 3 years.
• If you are a member of staff, we process your Personal Data for the purpose of employing and paying you. In doing so, we fulfil our legal contract with you and comply with our legal obligation to pay tax on your behalf. Your information is retained for the current financial year, plus six years, as required under tax law.
• If you are an individual supplier of goods or services to the Hospice, we process payment to you for the purpose of fulfilling our legal contract with you. Your information is retained for the current financial year, plus six years, as required under tax law.
• CCTV – the Hospice shops have CCTV in operation. We have a legitimate interest and purpose to ensure the security of our staff, premises and property. CCTV footage is routinely held for 30 days, unless preserved for a particular purpose and we have notices within our premises so that users are fully informed.
How do we process, store and protect your Personal Data
The Hospice collects and stores your Personal Data in a database on our computer systems i.e. electronically. We also hold hard copies i.e. paper of any Personal Data you provide to us in a safe filing cabinet. We use your Personal Data to communicate with you, to process your donations, to pay tax on behalf of employees, to claim back tax from Revenue on donations and to organise fundraising events.
Appropriate technical and organisational measures have been put in place to ensure the safety of Personal Data. We take due care to protect the information we hold electronically and in hard copy form from any unauthorised access or disclosure and we carry out regular reviews to monitor compliance with our policies in relation to Data Protection. All staff members involved with processing of Personal Data are required to complete training to ensure they are fully aware of their responsibilities in relation to the safeguarding of Personal Data.
We will not send you any electronic communications (email, text) unless we have received the appropriate consent from you. In addition, all electronic communications you receive from us will include clear instructions on how you can opt-out of receiving any further communications.
We respect your privacy and do not sell, trade, or otherwise transfer your personal data to outside parties for any purpose including marketing purposes. We do work with trusted third parties who assist us in operating our website, supporting our IT systems, platforms and databases. We require them by contract to only process data in accordance with our instructions. We also require that such third parties, who are our data processors, keep this information confidential, safe, secure and to comply with the Law as we do. A general exception to this rule is where we believe in good faith that we are required to disclose your personal data in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order or other statutory or legal requirement.
Transfers outside the EEA
Other than where necessary as a result of our use of third party services, we do not transfer personal data outside the European Economic Area. Any such transfers to third party services will be made in compliance with the requirements of the Law. This website is hosted within the European Economic Area.
As Data Subjects, you have certain rights under the Law:
• You have the right to certain information relating to the processing of your personal data. This Data Protection Privacy Notice provides this information;
• You have the right to request access to the Personal Data, the Hospice holds on you; This is referred to as a Subject Access Request (SAR); We would encourage you to submit written access requests where possible, to avoid disputes over the details, extent, or timing of an access request.
• You have the right to have information held about you corrected if it is not accurate or is out-of-date;
• You have the right to request the erasure of your personal data which we hold where the personal information is no longer necessary, where you have withdrawn your consent or where you feel that there is no lawful reason for us to process your personal data. Where data still needs to be kept, e.g. for a legal obligation or for legitimate purposes we will automatically delete it as soon as the retention period ends;
• You have the right to object to the processing of your personal data. You have the right to object to processing for direct marketing purposes. This right can be exercised by opting out of direct marketing using the means provided;
• You have the right to request a restriction of the processing of your information, and;
• You have the right to ask the Hospice to provide your information in a portable format or, where technically feasible, to port that information to another provider, provided it does not result in a disclosure of information relating to other people;
If you wish to exercise one of your rights, please contact our Data Protection Officer by using one of the following contact mediums:
o Email: firstname.lastname@example.org;
o Letter: Mayo Roscommon Hospice Foundation, Main Street, Knock, County Mayo, Ireland;
o Phone: + 353 (0) 94 9388666
Following receipt of your request, you may be asked for additional data to verify your identity. This will only be used for verification purposes, not stored, and securely destroyed once the request has been processed.
If you submit a SAR, we will respond to you within one month of receipt of your request, where possible. If this is not possible, we will keep you informed. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Note that certain data is exempt from disclosure under the Law, including certain privileged and confidential information, however we will advise you if we are unable to grant your request and why.
You also have the right to make a complaint to the Data Protection Commission if you are unhappy with any aspect of our Data Protection Policy. Their contact details can be found at https://www.dataprotection.ie/
Changes to our fair processing policy
We reserve the right to make changes to this policy at any time and without prior consultation. Any such changes will be posted on our website.
We welcome any comments / feedback on our website and or policies
Please contact email@example.com or the CEO firstname.lastname@example.org