Gencat Ltd necessarily collects, processes and stores personal data from our customers, staff and service providers.
In accordance with the EU General Data Protection Regulation, 2016/679 (GDPR), Gencat Ltd is a ‘Data Controller’ and, as such, has responsibilities for ensuring the privacy of data subjects and the protection of personal data processed.
Definitions
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘main establishment’ means:
as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
‘supervisory authority’ means an independent public authority which is established by a Member
‘cross-border processing’ means either:
processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Scope
This policy applies to Gencat Ltd and is available to all staff of the Gencat Ltd to apply to data processing for which they act as ‘Data Controller’.
This policy applies to all personal data collected, processed and stored by Gencat Ltd in respect of all individuals, (i.e. staff, customers and service providers) by whatever means including paper and electronic records.
Data Protection Principles
The six principles of the General Data Protection Regulation (GDPR) require that personal data is:
- Processed in a way that is lawful, fair and transparent
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- Processed in a manner that ensures appropriate security of the data.
Article 5(2) of the GDPR also obliges Gencat Ltd to “be responsible for, and be able to demonstrate, compliance with the principles”.
Application of Data Protection Principles in the GDPR requires that the processing of personal data is conducted in accordance with the data protection principles set out above.
Personal data must be processed in a way that is lawful, fair and transparent
Article 6 of the GDPR sets grounds on which personal data processing is lawful. These grounds include:
‘processing is necessary for compliance with a legal obligation …….. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller …….
Section 38(1) of the Data Protection Act, 2018 further states that processing is lawful where it is required for:
‘……… the performance of a function of a controller conferred by or under an enactment or by the Constitution…….’
The functions of the Gencat Ltd are set out in our mission statement. Public interest activities carried out by the Gencat Ltd for which we may process personal data are as follows:
Gencat Ltd may also process personal data in accordance with contracts it has put in place and, in limited circumstances, where it has a legitimate interest in processing specified personal data.
In certain circumstances, we may seek consent to process personal data. In such cases, we will ensure that the consent was ‘freely given’. In such cases, consent will be sought at the time that the data is collected and the data subject will be advised that they can withdraw their consent at any stage during processing.
Gencat Ltd will be fully transparent in relation to how personal data collected is used, in particular ensuring that it is not used in a way that a data subject would not expect. Gencat Ltd will provide the required information to data subjects when the personal data are collected. E
Personal data can only be collected for specific, explicit and legitimate purposes
Gencat Ltd processes personal data only for the purposes for which it is collected. Where it processes personal data for archiving purposes in the public interest; scientific or historical research purposes or statistical purposes we will put measures in place to ensure the principle of minimisation. Data subjects will not be identifiable and appropriate safeguards will be put in place with regard to information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Personal data must be adequate, relevant and limited to what is necessary for processing
Gencat Ltd will ensure that the data collected and held is the minimum amount required for the specified purpose. Gencat Ltd will not collect personal data not necessary to the purpose for which personal data is being collected.
Personal data must be accurate and kept up to date
Gencat Ltd will ensure that, where possible, that all personal data held is kept accurate and up to date. All staff in Gencat Ltd that access or hold personal data are responsible for ensuring that all manual / computer procedures are adequately maintained and that, where notified of inaccuracies, the personal data will be corrected in a timely manner.
Personal data is only held for as long as is necessary
Gencat Ltd will establish the length of time that personal data is required to be retained and the purpose of its retention. Gencat Ltd will ensure that the personal data is properly destroyed/deleted when the retention period expires. Where personal data must be retained in to comply with legal requirements, Gencat Ltd will ensure that the data is held securely and inaccessible for normal processing.
Personal data is processed in a manner that ensures appropriate security of the data
Security systems, measures and policies pertaining to the storage and processing of personal data are constantly reviewed and, where necessary, updated. Gencat Ltd staff avail of ongoing training in relation to their personal responsibilities for the protection of personal data.
Rights of ‘data subjects’
GDPR specifies the following rights for data subjects:
- right to be informed/right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object to processing
- rights in relation to automated decision making and profiling.
Data Subjects may contact the Gencat Ltd Data Protection Officer with regard to all issues related to processing of their personal data and to the exercise of their rights. support@gencat.ie
Right to be informed and right of access
Data subjects have the right to be informed by Gencat Ltd about the collection and use of their personal data. In addition, they have the right to access their personal data and other supplementary information, as appropriate.
Right to rectification
Data subjects have the right to have inaccurate personal data held by Gencat Ltd rectified and to have incomplete personal data updated so that it is complete. On receipt of a request from a data subject for rectification of their personal data, Gencat Ltd will take reasonable steps to ensure that the data held are accurate and will ensure that data are rectified, where necessary and appropriate.
Right to erasure
Article 17 of the GDPR provides for the right of data subjects in certain circumstances to have their personal data erased (‘right to be forgotten’). These circumstances include:
- the personal data are no longer necessary in relation to the purposes for which they were collected or processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.
Gencat Ltd will notify the recipients of that particular data so that it can be erased unless this requires disproportionate effort.
The right to erasure is not an absolute right and does not apply in circumstances where Gencat Ltd’s processing of personal data is necessary in particular:
- for the performance of a function of our duties carried out in the public interest
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- where the data are required for the establishment, exercise or defense of legal claims.
Where a data subject is of the opinion that elements of personal data held by Gencat Ltd are incorrect, they may make a request in writing to have such data permanently erased. Gencat Ltd will review all such requests and, where appropriate, will erase the data in question.
Right to restriction of processing
A data subject has the right to obtain a restriction in relation to the processing of their personal data where any one of the following applies:
- the data subject contests the accuracy of their data. The restriction will apply for a period enabling Gencat Ltd to verify the accuracy of the personal data;
- the processing is unlawful and the data subject does not wish to have the data erased, but rather wishes to restrict its’ use;
- Gencat Ltd no longer requires the data in question but the data subject seeks its’ retention in order to establish, exercise or defend a legal claim; or
- the data subject has objected to the processing of their data by Gencat Ltd. The restriction will apply pending verification on whether Gencat Ltd’s legitimate grounds for processing overrides the data subjects concerns.
As a matter of good practice, Gencat Ltd will restrict the processing of personal data to ‘strictly necessary processing’ whilst a review of the accuracy of the data and/or the legitimate grounds for processing the data is carried out.
Right to data portability
The collection of a significant proportion of personal data by Gencat Ltd is lawful in accordance with Article 6.1(c) or 6.1(e) of the GDPR i.e. ‘necessary for compliance with a legal obligation’ or ‘necessary for a task carried out in the public interest’.
In cases where Gencat Ltd has collected personal data from a data subject by consent (in exceptional circumstances) or by contract, that data subject can request Gencat Ltd to provide the data in electronic format in order to provide it to another Data Controller. Gencat Ltd will comply with all such legitimate requests.
It should be noted that this right does not apply to processing necessary for the performance of a task carried out in the public interest.
Right to object to processing
Under Article 21 of the GDPR, data subjects have a right to object to the processing of their personal data in specific circumstances. Where such an objection is received, Gencat Ltd will assess each case on its’ individual merits.
Right not to be subjected to automated decision making
Data subjects have the right not to be subjected to a decision based solely on automatic processing, including profiling, that have a legal or similarly significant effect on them.
Gencat Ltd will ensure that no decision issued to a data subject is based on automatic processing alone.
Complaints
Data subjects who may be concerned that their rights under the GDPR are not upheld by Gencat Ltd can contact the Gencat Ltd’s Data Protection Officer (DPO). The DPO will engage with the data subject in order to bring their complaint to a satisfactory conclusion.
The DPO can be contacted at support@gencat.ie.
Where the complaint to the DPO cannot be resolved, the data subject will be informed in writing and will be further informed of their right to bring their complaint to the Data Protection Commission.
Responsibilities of Gencat Ltd
Gencat Ltd is responsible for the following:
Implementing and maintaining appropriate technical and organisational measures for the protection of personal data.
Gencat Ltd has implemented appropriate technical and organisational measures to ensure that all data held under its control is secure and is not at risk from unauthorised access, either internal or external. Measures for the protection of personal data are reviewed and upgraded, where appropriate, on an ongoing basis.
Maintaining a record of data processing activities
Gencat Ltd maintains a written record of all categories of processing activities for which it is responsible in accordance with GDPR Article 30 and the Data Protection Act 2018 section 81.
Data Protection agreements with personal data recipients
On an ongoing basis, Gencat Ltd puts in place appropriate contracts with third parties where personal data are shared. This includes state agencies, industry bodies and companies that share similar aims to ours.
The contracts specify the purpose of sharing the data, the manner in which data subject rights are upheld, the requirements for security of the data, the requirements for termination of the agreement and the steps necessary for the return/deletion of the data shared.
Data Protection by design and default
In accordance with Article 25 of the GDPR, Gencat Ltd implements technical and organisational measures to give effect to the principles of the protection of personal data and to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.
Such measures include the introduction of organisational policies and procedures such as Acceptable Usage Policy and Digital Communications Policy and the implementation of security measures to secure the data.
Data Protection Impact Assessment (DPIA)
Where Gencat Ltd considers that proposed processing (in particular processing that involves new technology), poses a high risk to the rights and freedoms of the data subjects involved, Gencat Ltd will carry out a DPIA.
Gencat Ltd’s Data Protection Officer will be consulted in relation to each DPIA completed.
Where technical and/or organisational measures proposed will not mitigate the high risks previously identified, the Data Protection Commission will be consulted as appropriate.
Transfer of personal data outside of the European Union
Gencat Ltd will ensure that appropriate safeguards are in place prior to transferring any personal data outside of the European Union.
Personal data breaches
The GDPR defines a personal data breach as
‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Staff in the Gencat Ltd will notify the Gencat Ltd’s Data Protection Officer where they identify or suspect a breach of personal data. The DPO will notify the Data Protection Commission without undue delay where a breach is likely to result in a risk to the rights and freedoms of the data subject(s) involved.
The DPO will also assess if the breach is likely to result in a high risk to the data subject(s) involved. Where a high risk is identified, the DPO will arrange for the data subjects to be notified.
Data Protection Governance
Compliance with the GDPR is a key requirement for Gencat Ltd. Gencat Ltd’s Board of Directors will detail the arrangements in place to oversee, monitor and ensure compliance with data protection legislation.
Data Protection Officer
In compliance with Article 37.1(a) of GDPR and Data Protection Act (section 88), Gencat Ltd has a designated Data Protection Officer (DPO). Gencat Ltd will involve the DPO in a timely manner in all issues which relate to the protection of personal data and will support the DPO in performing their tasks as set out in the legislation. The tasks assigned to Gencat Ltd’s Data Protection Officer include the following:
- Informing and advising Gencat Ltd and staff who process personal data, of their obligations under data protection legislation;
- Monitoring compliance with the GDPR and the Data Protection Act, 2018 and the policies of Gencat Ltd in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff and the related audits;
- Providing advice where requested as regards the data protection impact assessment and monitoring its performance;
- Cooperating with the Data Protection Commission;
- Acting as a contact point for the Data Protection Commission on issues relating
- to processing and prior consultation.
Data Protection Contacts
Data Protection Officer
Mr Andy Slane
Gencat Ltd
Unit 5 Glasnevin Business Centre
Ballyboggan Road
Dublin 11
Email: support@gencat.ie
If you have a query, concern or complaint regarding a data protection matter, you can also engage with the Data Protection Commission in the following ways:
DPC Website: https://www.dataprotection.ie/en/contact/how-contact-us
By post.
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland