How do we use personal data?
We will only process your personal data where we have a valid legal basis for doing so. Most commonly, we will use your personal data on the following legal bases:
- Where we need to comply with a legal or regulatory obligation; and
- Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Change of Purpose - We will only use your personal data for the purposes for which we collected it and were notified to you at the time that we collected the data. We are permitted to use for another purpose where we reasonably consider that the other purpose is compatible with the original purpose. If we intend to use your personal data for an unrelated purpose, we will first notify you and either seek your consent to such further processing or inform you of the valid legal basis upon which we process your data for this new purpose. There may be circumstances where we are required to further process your personal data, without informing you of this fact, in compliance with EU or Irish law.
Will we share your personal data with anyone else?
We may share your personal data with third parties in connection with our processing of your personal data.
We require all third parties to enter into a data processing agreement with us which complies with our obligations under the GDPR. This agreement requires third parties to have appropriate security systems in place and only to use your personal data on our instructions and in accordance with data protection law.
Security of your personal data
We take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. We limit access to your personal data to those employees, agents and other third parties who are required to have access to your personal data and where they have agreed that they are subject to a duty of confidentiality.
We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We have procedures in place to deal with actual and suspected data breaches which include an obligation on us to notify the supervisory authority and/or you, the data subject, where legally required to do so.
Transferring personal data abroad
There may be circumstances in which we will have to transfer your personal data out of the European Economic Area for the purposes of carrying out the services we provide to you. Where the need for such a transfer arises we will always ensure that there are appropriate safeguards in place to protect your personal data such as:
- The European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects' rights and freedoms;
- Appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Data Protection Officer; or
- The personal data is being transferred to a company in the US which has self-certified its compliance with the EU-US Privacy Shield which has been found by the European Commission to provide an adequate level of protection to the personal data of EU citizens.