DATA PROTECTION POLICY
1.1 The Glens Centre is a cultural centre committed to the development of the arts in North West Ireland. We provide artistic resources for artists of all genres whilst actively supporting touring partners and collaborators. Our purpose is to effect positive impact on the community of North Leitrim in particular.
1.2 In performing its functions, The Glens is required to process “Personal Data” within the meaning of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (together “DP Law”), and as further defined below.
1.3 The Glens respects the privacy rights of those about whom we process Personal Data and we are conscious of our obligations under DP Law. In order to ensure a compliant and consistent approach to The Glens’ obligations under DP Law, The Glens has instituted this Policy.
2.1 The objectives of the Policy are to:
(a) Set the guidelines to ensure The Glens complies with the provisions of DP Law;
(b) Establish ongoing compliance measures;
(c) Identify key compliance requirements; and
(d) Ensure that any shortfalls in compliance are identified and communicated to The Glens as required.
2.2 This Data Protection Policy is also intended to provide evidence of The Glens’ accountability for compliance with DP Law as required by Article 5(2) GDPR.
2.3 This Policy is also intended to ensure that staff at The Glens are aware of their rights and responsibilities under DP Law.
3. Key Principles
3.1 In order to understand The Glens’ obligations under DP Law, it is necessary to first set out some explanations of key principles under, and terms used in, DP Law.
3.2 The Office of the Data Protection Commission (the “DPC”) is responsible for monitoring compliance with DP Law.
3.3 While The Glens is not required to appoint a data protection officer under DP Law, The Glens Compliance Officer (the “Compliance Officer”) is responsible for establishing an appropriate framework within which The Glens can comply with the provisions of DP Law.
3.4 It is important to remember that DP Law applies only to Personal Data, as defined in DP Law. This means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3.5 There is a second sub-category of Personal Data referred to as “Special Categories of Personal Data” which is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and also includes genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. There are enhanced compliance requirements under DP Law on controllers, such as The Glens, who may process Special Categories of Personal Data. For example, subject to specific exemptions in DP Law, explicit consent is usually required.
3.6 DP Law places obligations on those who process information (“Data Controllers” or “Controllers”) while giving rights to those who are the subject of that data (“Data Subjects”). A person who processes data may either be a Controller or where Personal Data is processed on behalf of a Controller by another person (other than an employee) a data processor (“Data Processor” or “Processor”).
3.7 Processing is defined very widely under DP Law. DP Law applies to data stored both electronically and manually, i.e. on paper.
4. Use of Data Processors by The Glens
4.1 In the context of The Glens’ activities any party processing the personal information on behalf of The Glens would be within the definition of a Processor under DP Law. For example, where The Glens engages a third party to provide payroll services, that third party service provider is a “Processor”.
4.2 The Glens is required to ensure that Processors it engages provide sufficient guarantee(s) to implement appropriate technical and organisational measures to ensure that the Processing meets the requirements of DP Law and that the rights of the Data Subjects are protected. In addition, the Processing must be underpinned by a contract with The Glens which includes the data protection provisions prescribed in DP Law in order to safeguard the Personal Data.
5. Types of Personal Data held by Us
5.1 The Glens would typically retain the following types of Personal Data, usually about clients, directors, audiences and employees:
(a) name, address, phone numbers, email address, date of birth, occupation, bank account details, PPSN (directors, and employees only).
6. The Glens’ Role as Controller
6.1 For the purpose of DP Law, The Glens is a Controller of certain Personal Data relating to clients, directors, audiences and employees as we control the contents and use of certain Personal Data provided to us by clients, directors, audiences and employees. Consequently, we are obliged to comply with the data protection principles set out in Article 5 GDPR. These seven principles are summarised as follows:
(a) Lawfulness, fairness and transparency: Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
(b) Purpose limitation: Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(c) Data minimisation: Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) Accuracy: Personal Data shall be accurate and, where necessary, kept up to date;
(e) Storage limitation: Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed;
(f) Integrity and confidentiality: Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
(g) Accountability: The Glens, as a Controller, shall be responsible for, and be able to demonstrate compliance with the GDPR.
6.2 As The Glens only stores and processes Personal Data in fulfilment of its operational obligations in line with The Glens’ mission, and given the security measures engaged by The Glens to protect the confidentiality of this Personal Data, The Glens complies with these principles.
7. What we do with Personal Data?
7.1 The Glens processes Personal Data provided to us only for the purposes of providing services to artists, audiences, clients and promoting the arts in Ireland.
7.2 The Glens will not disclose Personal Data to third parties unless the Data Subject has consented to this disclosure or unless the disclosure to the third party is required to provide The Glens’ services (in such circumstances, the third party is bound by similar data protection requirements). However, The Glens will disclose Personal Data to third parties if we believe in good faith that we are required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other statutory requirement.
7.3 These uses of Personal Data by The Glens are supported by Article 6 GDPR, which requires that all processing of personal data should be supported by at least one of the following lawful bases. The main bases relied upon by The Glens are:
(a) Contractual Necessity: Article 6(1)(b) permits processing that is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(b) Legal Obligation: Article 6(1)(c) permits processing that is necessary for compliance with a legal obligation to which the Controller is subject;
(c) Legitimate Interests: Article 6(1)(f) permits processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. By adopting the measures in this Policy, The Glens strives to ensure that the right balance is struck between the legitimate interests of The Glens in administering its operations and the rights and interests of individuals whose data may be processed by The Glens in relation to that purpose.
8.1 In light of changes to DP Law under the GDPR, The Glens has introduced a new Data Protection Statement, available for perusal on our website. This is intended to ensure that all Data Subjects are aware of the nature of the processing of personal data undertaken by The Glens as required by DP Law.
9.1 The Glens will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed.
9.2 In the case of The Glens staff data, this will usually be retained for the duration of the employment relationship plus a maximum of five years thereafter. Where personal data is required for future benefits or claims purposes, it will be retained for the duration of the period within which a benefit or claim may arise.
10.1 The Glens is required to ensure that appropriate technical and organisational measures are in place to protect Personal Data. These measures are designed to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.
10.2 Personal Data is held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets and restricted access to documents on network drives.
10.3 DP Law requires The Glens, as a Controller, to notify the DPC and affected Data Subjects in the case of certain types of Personal Data Breaches. The notification to the DPC must occur within 72 hours of becoming aware of the Personal Data Breach.
11.1 DP Law provides certain rights in favour of Data Subjects (“Data Subject Rights”), which allow a Data Subject to make certain requests to PI as a Controller in respect of their Personal Data. The rights in question are as follows:
(a) the right of a Data Subject to receive detailed information on the Processing (by virtue of the transparency obligations which are dealt with in the Data Protection Notice in Appendix 1);
(b) the right of access to Personal Data (exercised by way of a subject access request). This includes knowing whether or not Personal Data are being processed and, if so, having access to the Personal Data plus information about the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed, retention periods etc.;
(c) the right to rectify Personal Data;
(d) the right to erase Personal Data (“right to be forgotten”);
(e) the right to restrict Processing;
(f) the right of data portability, i.e. the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine-readable format and to have the right to transmit those data to another Controller;
(g) the right of objection; and
(h) the right to object to automated decision making, including profiling.
11.2 The Glens is normally obliged to respond to all Data Subject Rights within one calendar month of receipt. No fee may be charged.
12.1 Personal Data shall not be transferred to a country or territory outside the European Economic Area (EEA), unless that country or territory ensures an adequate level of protection for the processing of Personal Data. The Glens does not transfer personal data outside of the EEA but if this changes it will adopt measures provided for under DP Law, for example, the use of “model contract clauses” approved by the EU Commission.
13.1 Each Data Subject has the right to:
(a) lodge a complaint with the DPC if the Data Subject considers that The Glens’ Processing of Personal Data infringes DP Law;
(b) an effective judicial remedy against The Glens where he or she considers his or her rights under DP Law have been infringed as a result of The Glens’ Processing of Personal Data being non-compliant with DP Law;
(c) receive compensation from The Glens for any material or non-material damage as a result of non-compliance with DP Law.
13.2 The DPC may also impose administrative fines in respect of infringements of DP Law.