DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION
This Policy sets out the obligations of Connecting Women in Technology Initiative (“the Organisation”) regarding data protection and the rights of members, service providers (contractors/sole traders) and business contacts (“data subjects”). This includes obligations in dealing with personal data, in order to ensure that the Organisation complies with the requirements of the relevant legislation, namely the General Data Protection Regulation (GDPR) and the Irish Data Protection Acts.
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The Organisation is committed not only to the letter of the law, but also to the spirit of the law, and places high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by members, agents, contractors or other parties working on behalf of the Organisation. The Policy covers both personal data and sensitive personal data held in relation to data subjects by the Organisation, and applies equally to personal data held in manual and automated form. Both personal data and sensitive personal data are referred to simply as personal data in this Policy, unless specifically stated otherwise.
3. The Data Protection Principles
This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. Article 5 of the GDPR states that all personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) states that the Controller (the Organisation) is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.
3.a. Lawful, Fair and Transparent Data Processing
The Regulation seeks to ensure that personal data is processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject. The Regulation (Article 6) states that processing of personal data shall be lawful only if at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The Organisation will ensure that at least one of the conditions outlined above is satisfied, and recorded, whenever any processing activity takes place. The Organisation will place a Fair Processing Notice in a highly visible position if it intends to record activity on CCTV, camera or video. A Data Subject’s personal data will not be disclosed to a third party other than a party contracted to the Organisation and operating on its behalf.
3.b. Processed for Specified, Explicit and Legitimate Purposes
The Organisation follows this purpose limitation principle and only collects and processes personal data for the specific purposes of the Connecting Women in Technology Initiative. Data subjects will be informed of the purposes for which their personal data is processed at the time the data is collected from them or, where the data is obtained from a third party, within one month of obtaining it.
3.c. Adequate, Relevant and Limited Data Processing
The Organisation follows this data minimisation principle and only collects and processes personal data to the extent necessary for the specific purpose(s) notified to data subjects.
3.d. Accuracy of Data and Keeping Data Up to Date
The Organisation will ensure that all personal data collected and processed is kept accurate and up to date where possible. Members of the Organisation will be reminded at meetings of their obligation to ensure that their records are up to date.
3.e. Secure Processing
The Organisation will ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. The state of technological development, the cost of implementing the measures, the nature of the data concerned and the degree of harm that might result from unauthorised or unlawful processing are all taken into account when the Organisation is determining the security measures to be put in place.
Under the GDPR, organisations are obliged to be able to demonstrate that their processing activities comply with the Data Protection Principles. This principle of accountability is what gives the other Principles their force: compliance must be evidenced, not merely asserted.
4. The Rights of Data Subjects
The Organisation has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timeline stipulated in the Regulation (one month of receipt). As part of the day-to-day operation of the Organisation, members and agents engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a Data Subject in relation to the data held by the Organisation, that request gives rise to access rights in favour of the Data Subject. The Regulation sets out the following rights applicable to data subjects:
- The right to be informed;
- The right of access;
- The right of rectification;
- The right to erasure (also known as the “right to be forgotten”);
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights with respect to automated decision-making and profiling;
- The right to withdraw consent.
The Organisation will ensure that all such requests are acknowledged and processed as quickly and efficiently as possible, and in any event within the timeline stipulated in the Regulation.
5. Transferring Personal Data to a Country Outside the EEA
The Organisation may from time to time transfer (“transfer” includes making available remotely) personal data to countries outside the European Economic Area (EEA). The transfer of personal data to a “third country”, i.e. a country outside the EEA, will only take place where an appropriate transfer mechanism is in place, such as an adequacy decision or standard contractual clauses (model contracts).
6. Data Breach Notification
The Organisation treats data breaches very seriously. Any member, agent, representative or contractor who becomes aware of an actual or suspected personal data breach must notify the Data Protection Officer or a member of the Data Privacy Office without delay; failure to do so may result in the Organisation’s disciplinary procedure being applied, depending on the severity of the breach. Prompt internal reporting matters because, where a breach is likely to result in a risk to the rights and freedoms of individuals, the Regulation requires the Organisation to notify the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it.
7. Organisational Measures
The Organisation shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
All members, agents, contractors, or other parties working on behalf of the Organisation handling personal data:
- Will be appropriately trained to do so;
- Must ensure that any and all of their representatives who are involved in the processing of personal data are held to the same conditions as those applying to the Organisation under this Policy and the Regulation.
The Organisation ensures that any entity which processes personal data on its behalf (a Data Processor) does so under a written contract and in a manner compliant with the Regulation.