Introduction
This document provides a concise policy regarding the data protection obligations of Uplift and is part of our commitment to data protection by design and default.
Uplift is a data controller with reference to the personal data which it manages, processes and stores.
Uplift’s commitment to data protection
Transparency and accountability are core principles at Uplift, which is why we respect your rights to privacy and data control. Participants and members can expect full compliance with both the General Data Protection Regulation (GDPR) and Ireland’s own data protection laws.
As a data controller, Uplift and its staff (hereafter referred to collectively as Uplift) must comply with the data protection Principles set out in the relevant Irish and EU legislation.
This Policy applies to all personal data collected, processed and stored by Uplift in the course of its activities. This Policy is designed to ensure Uplift’s compliance with the following legislation:
The GDPR confers rights on individuals as well as additional responsibilities on those persons and organisations processing personal data and Uplift will ensure that all policies and activities are done in compliance with this legislation.
Definitions
For the purpose of this Policy:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘Processor’ means a natural or legal person, which processes personal data on behalf of the controller;
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Supervisory authority’ means the Irish Data Protection Commissioner, as an independent public authority established by Ireland pursuant to Article 51 of the GDPR.
Uplift, as a data controller, collects, processes and stores significant volumes of personal and sensitive personal data on an ongoing basis – only when a member permits us to do so. Uplift collects data about its staff, donors, partners and programme participants who come into contact with the organisation through our community organising work. We process personal data for the following reasons:
Uplift also contracts other companies to act as data processors for the personal data collected by Uplift.
This Policy applies to all data held by Uplift, whether collected manually or by automated means. This includes electronic and paper records; it also includes all CCTV images.
Ownership
The Data Protection Policy is maintained by Uplift’s Admin and Organising Worker, supported by the Uplift Director, and is approved by the Board. Any material changes to this Policy will require approval by Uplift’s board of directors.
Employers
In its role as an employer, Uplift may keep information relating to a staff member’s physical, physiological or mental well-being, as well as their economic, cultural or social identity.
Uplift will ensure that all staff members receive awareness raising and training on data protection.
Failure of Uplift staff to process personal data in compliance with this Policy may result in disciplinary proceedings.
The use of third-party data processors
In the course of its role as data controller, Uplift engages third-party service providers, or data processors, to process personal data on its behalf.
In each case, a formal, written contract is in place with the processor, outlining their obligations in relation to the personal data, the security measures that they must have in place to protect the data, the specific purpose or purposes for which they are engaged, and the understanding that they will only process the data
The contract will also include reference to the fact that the data controller is entitled, from time to time, to audit or inspect the data management activities of the data processor, and to ensure that they remain compliant with the relevant legislation, and with the terms of the contract.
Regular audit trail monitoring will be carried out to ensure compliance with this Agreement by any third-party entity which processes personal data on behalf of Uplift.
Failure of a data processor to manage Uplift’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts if necessary.
The following key Principles are enshrined in EU legislation and are fundamental to Uplift’s Data Protection Policy.
In its capacity as data controller, Uplift ensures that all data shall:
Be obtained and processed fairly and lawfully
Uplift will only process personal data in line with one of the lawful bases enshrined in Article 7 of the GDPR. Uplift will fulfil its obligation in this regard by ensuring that:
Be obtained only for one or more specified, legitimate purposes
Uplift will obtain data for purposes which are specific, lawful and clearly stated. A data subject will have the right to question the purpose(s) for which Uplift holds their data, and Uplift will be able to clearly state that purpose or purposes.
Not be further processed in a manner incompatible with the specified purpose(s)
Any use of the data by Uplift will be compatible with the purposes for which the data was acquired and Uplift will take steps to ensure that no personal data will be further processed in a manner that is incompatible with those purposes in line with the principles laid down in Article 5 of the GDPR.
Be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed
Uplift will ensure that the data it processes in relation to data subjects is adequate, relevant and limited to what is necessary in relation to the purposes for which the data is collected, in line with the principles laid down in Article 5 of the GDPR. Data which is not relevant to such processing will not be acquired or maintained, in line with the principle of data minimisation.
Be kept accurate, complete and up-to-date where necessary
Uplift has adopted a Data Quality Policy, in line with the principles laid down in Article 5 of the GDPR, to:
Not be kept for longer than is necessary to satisfy the specified purpose(s)
Uplift will ensure that personal data is not kept for longer than what is strictly necessary for the purpose for which the data is processed, in line with the principles laid down in Article 5 of the GDPR.
To fulfil this commitment, Uplift has developed a Data Retention and Destruction Policy and associated schedule to ensure Uplift fulfils its obligation with regard to retention periods for all categories of personal data processed by the organisation.
Once the respective retention period has elapsed, Uplift undertakes to destroy, erase or otherwise put this data beyond use, in line with its Data Retention and Destruction Policy.
Be kept safe and secure
Uplift will ensure that the personal data it collects will be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. To this end, Uplift will employ high standards of security in order to protect the personal data under its care. Uplift’s Password Policy and Data Retention & Destruction Policies guarantee protection against unauthorised access to, or alteration, destruction or disclosure of any personal data held by Uplift in its capacity as data controller.
In the event of a data breach likely to result in a risk to the rights and freedoms of the data subject or other persons, Uplift will notify the Irish Data Protection Commissioner without undue delay and, where feasible, within 72 hours after having become aware of the breach, in line with Article 33 of the GDPR.
In the event of a data security breach affecting the personal data being processed on behalf of the data controller, the relevant third party processor will notify the data controller without undue delay.
Data subject rights:
Clear and easily accessible communication
Uplift will take appropriate measures to ensure any and all communication with a data subject is conducted in a concise, transparent, intelligible and easily accessible form, using clear and plain language that is easy for the data subject to understand.
Information provided to data subjects
Uplift will ensure that all data subjects will be made aware, at the time their data is being collected, of:
Right of access by data subjects
Upon receipt of a valid, formal request by a data subject in relation to the personal data held by Uplift which relates to them, Uplift will provide the data subject with the following information, free of charge, in line with Article 15 of the GDPR:
Uplift will ensure that all subject access requests receive a response within 30 days. Further details can be found in Uplift’s Subject Access Request Policy.
Right to rectification and the right to be forgotten
As covered above in point 5 of this Policy, Uplift has put in place processes to ensure the complete and accurate nature of the personal data it collects. However, in the event that a data subject submits a valid request for correction or completion of incorrect or incomplete data, Uplift will ensure that any such data will be rectified or completed without undue delay, in line with Article 16 of the GDPR, and that the data subject is informed of the correction or completion of the data.
Uplift will ensure that, upon request of the data subject, and where one of the specific grounds listed in Article 17 of the GDPR applies, all personal data related to the data subject in question is erased without undue delay, and that the data subject is informed of the erasure.
The right to restriction of processing and the right to object
Uplift will put in place processes that ensure respect for a data subject’s right to object to the processing of their data or to have that processing restricted. Uplift will ensure these processes comply fully with Articles 19 and 21 of the GDPR.
This Policy will be reviewed at least annually by the Board of Directors to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.
Supervisory authority
Uplift’s headquarters is in Ireland. Should you wish to contact the relevant supervisory authority in relation to a data protection issue involving Uplift, you should contact:
The Irish Data Protection Commissioner
Telephone: +353 57 8684800 / +353 (0)761 104 800
Fax: +353 57 868 4757
Postal Address: Data Protection Commissioner, Canal House, Station Road, Portarlington
Dublin Office: 21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland
Portarlington Office: Canal House, Station Road, Portarlington, R32 AP23, Co. Laois
If you have any enquiries, please get in touch with Uplift’s Data Protection Officer Clodagh Schofield at clodagh@uplift.ie.