This policy covers our processing activities as a controller of Personal Data. In instances where we act as a Data Processor, we will always do so under contract with a Data Controller and will ensure that we comply with our obligations as defined in Article 28 GDPR.
Board of Directors:
The Board of Directors has overall responsibility for ensuring compliance with the Data Protection legislation. The Board of Directors will approve, review and update the Data Protection Policy at least annually.
All employees of Eolas who collect and/or control the contents and use of personal data are responsible for compliance with data protection legislation.
The Data Protection Officer (DPO):
Eolas has appointed a DPO with the relevant professional qualities and, in particular, expert knowledge of data protection law and practices as is required under data protection legislation. The DPO will undertake a number of tasks that will include, but not necessarily be limited to the following:
Principles of Data Processing
Article 5(1) of the GDPR covers the principles of data processing. We are mindful of these principles at all times, both when processing data as a Data Controller and as a Data Processor. We ensure that Personal Data is:
As per Article 5(2) of the GDPR, we will ensure that we are able to demonstrate compliance with the above listed principles and be held accountable at all times.
Rights of Individuals
We are responsible for ensuring that processing does not infringe on the rights as laid down in data protection legislation. Please note that these are not absolute rights and certain exemptions, restrictions and limitations may apply. The following are the rights afforded to individuals:
Right to be informed: Individuals should always be informed about the use of their personal information; this is done by way of this Privacy Notice.
Right of access: Individuals have the right to access any information we hold about them by submitting an access request to us, giving enough detail for us to process the request.
Right to rectification: Individuals have the right to have their information rectified if that information is inaccurate or incomplete.
Right to erasure: Individuals have the right to request that we erase their personal data.
Right to restrict processing: Individuals have the right to request that we restrict the processing of their personal information.
Right to data portability: Individuals have the right to be provided with a copy of the information we have on them in a structured, machine-readable and commonly used format.
Right not to be subject to automated decision making/profiling: In certain cases, individuals have the right not to be subject to automated decision making or profiling.
Right to complain: Individuals have the right to complain to the Data Protection Commission (www.dataprotection.ie) about our collection and use of their Personal Data.
To exercise any of the above rights, individuals are asked to email us at firstname.lastname@example.org. We may ask for verification of their identity before responding to such requests.
How data is collected
Data is collected through the following channels:
Types of data collected
We must collect certain information from individuals in order to provide our services. The table below relates solely to data that we process as a Data Controller. Details of data we process as a Data Processor will be documented in individual contracts with our clients.
| Personal Data Type | Description |
|---|---|
| Contact & Identity | Name, address, email, phone number, occupation, job title |
| Communication & correspondence | Email correspondence, phone communications, video conferencing calls |
| Financial data | Invoicing and payment information |
| Web & social media | Website: a device’s IP address, referring website, what pages a device visited, date and time of visit; analytical information through Google Analytics. Social Media: photo, contact details, occupation, job title, qualifications |
| Recruitment | Identity, contact details, date of birth, nationality, employment history, education and training details, salary expectations, work permit details, residency status, hobbies, references |
| Employee Data | Details can be found in our internal policies |
Use of Personal Data
We will use the collected data for the following purposes:
As a Data Controller, we will determine the appropriate lawful basis for all processing of personal data. Here we provide further information about the legal grounds we have for processing Personal Data as a Data Controller:
Performance of a contract:
– to contact clients in connection with our products/services under the contract
– to contact clients regarding payments
– to manage the products/services we provide, and
– to process payments to and from our business
Consent:
– to operate cookies on our website
Legitimate Interests:
When using this lawful basis, we will ensure that the legitimate interest pursued does not infringe on any privacy right. Our legitimate interests include:
– providing the best services to our customers
– running recruitment campaigns for our clients
– facilitating individuals to apply for roles advertised
– interacting with applicants
– conducting analytics and research on our products and services so that we can continuously improve
– protecting our intellectual property rights
– promoting and growing our business
– sourcing and recruiting the best staff possible
– ensuring the security of our website and our products and services
Legal Obligation:
– to meet our legislative and regulatory requirements
– to maintain proper accounts
– to fulfil our obligations as an employer
– to report to law enforcement any actions we deem to be illegal
We do not sell any personal information, nor do we share it with unaffiliated third parties unless we are required to do so by law. We will ensure that any information passed to third parties conducting operational functions on our behalf will be done with respect for the security of personal data and will be protected in line with data protection law.
Ways in which we may share personal information include:
We do not transfer personal data outside the EEA (European Economic Area).
We will always ensure the confidentiality, integrity, availability, and resilience of personal data we store. We are obliged to protect the data from inadvertent destruction, amendment, loss, disclosure, corruption, or unlawful processing. We have appropriate technical and organisational measures in place to protect all data. However, please be aware that the transmission of data over the internet will never be fully without risk.
Personal Data will be retained securely by us for as long as it is relevant and necessary for the purpose for which it was collected.
In certain instances when providing our services, we will process personal data on behalf of our clients, and they will be the Data Controller. If personal data is provided to us at any time or we have access to the data, we are obliged to comply with the current data protection laws.
Where we are acting as a Data Processor, we act solely on the instruction of the Data Controller and do not change the purpose and the means by which the data is used. At the commencement of each engagement, we will determine whether personal data will be provided and, if so, what type and the purposes for which we may process that data. We also have the right to object to receiving any personal data if we believe that such data has been collected or is being used in breach of the law.
As a Data Processor, we will:
An individual has the right to be informed whether we hold data/information about them and to be given a description of the data together with details of the purposes for which their data is being kept. The individual must make this request to us in writing, and we will accede to the request within one month having first verified the identity of the requester to ensure the request is legitimate.
Where a subsequent or similar request is made soon after a request has just been dealt with, it is at the discretion of the controller whether or not it needs to comply with the second request. This will be determined on a case-by-case basis. In cases where we process a large quantity of information concerning the data subject, we may request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual; only where it has not been possible to redact the data so that the third party is not identifiable must we refuse to furnish the data to the applicant.
Once we have verified the identity of the requester and the request is not deemed to be manifestly unfounded or excessive, we will comply with the request at no charge to the data subject and within one month.
Article 4(12) GDPR defines a ‘personal data breach’ as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Staff at Eolas are trained to recognise a breach and are instructed to inform their management immediately if they suspect a breach has occurred or have evidence of a potential breach. It will then be escalated to senior management and the DPO as required.
Eolas has a Data Breach Response Plan in place which will be followed by the DPO and relevant staff members in the event of a breach being reported either internally or by a third party.
We do not knowingly collect Personal Data from children and none of our Services are targeted at children. If an individual is a parent or guardian and is aware that their child has provided us with personal data, they must contact us and we will take steps to remove that information from our systems.