Uplift’s Privacy and Data Protection Policy
Introduction
This document provides a concise policy regarding the data protection obligations of Uplift and is part of our commitment to data protection by design and default. Uplift is a data controller with reference to the personal data which it manages, processes and stores.
Uplift’s commitment to data protection
Transparency and accountability are core principles at Uplift, which is why we respect your rights to privacy and data control. Participants and members can expect full compliance with both General Data Protection Regulations (GDPR) and Ireland’s own data protection laws.
Purpose of this Policy
As a data controller, Uplift and its staff (hereafter referred to collectively as Uplift) must comply with the data protection Principles set out in the relevant Irish and EU legislation. This Policy applies to all personal data collected, processed and stored by Uplift in the course of its activities. This Policy is designed to ensure Uplift’s compliance with the following legislation:
- The European General Data Protection Regulation (GDPR)
- The EU Electronic Communications Regulations (2011)
Uplift’s use of personal data
Uplift, as a data controller, collects, processes and stores significant volumes of personal and sensitive personal data on an ongoing basis - only when a member permits us to do so. Uplift collects data about its staff, donors, partners and programme participants who come into contact with the organisation through our community organising work. We process personal data for the following reasons:
- The collection and management of petition signatures;
- The collection and management of survey results;
- The facilitation of communication between Uplift members and individuals related to campaigns;
- The facilitation of community events;
- The facilitation of sharable community content for social media;
- The notification of members, regarding relevant activities, via SMS;
- The communication between members of the public, staff, and volunteers;
- The collection and management of donations;
- The operations, monitoring and evaluation of our work;
- The recruitment, management and payment of staff;
- Ensuring the security of staff and premises;
- Compliance with statutory obligations.
- as instructed by Uplift, and
- in compliance with the European General Data Protection Regulation and the EU Electronic Communications Regulations.
The Data Protection Principles
The following key Principles are enshrined in EU legislation and are fundamental to Uplift’s Data Protection Policy. In its capacity as data controller, Uplift ensures that all data shall:
- Be obtained and processed fairly and lawfully
- Where possible, the informed consent of the data subject will be sought before their data is processed. Uplift will ensure that the request for consent is presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Uplift will also ensure that the data subject is made aware of his or her right to withdraw his or her consent at any time;
- Where it is not possible to seek consent, Uplift will ensure that collection of the data is justified under one of the other lawful processing conditions listed in Article 7 of the GDPR (compliance with legal obligation, contractual necessity, vital interests of data subject, public interest, or the legitimate interests of the data controller);
- Where the data processed by Uplift can be considered sensitive personal data, as defined in Article 9 of the GDPR, Uplift will not collect, process and store such data, unless permissible under the exemptions listed in Article 2 (a-j) of the GDPR;
- Where Uplift intends to record activity on CCTV or video, a Fair Processing Notice will be posted in full view prior to the recording, and the purpose, storage and conditions for viewing the data will be laid out clearly and communicated to staff;
- Processing of the personal data will be carried out only as part of Uplift’s lawful activities, and it will safeguard the rights and freedoms of the data subject;
- The data subject’s personal data will not be disclosed to a third party other than to a party contracted by Uplift and operating on its behalf, or where Uplift is required to do so by law.
- Be obtained only for one or more specified, legitimate purposes
- Not be further processed in a manner incompatible with the specified purpose(s)
- Be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed
- Be kept accurate, complete and up-to-date where necessary
- Ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
- Conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. Uplift conducts a review of sample data every twelve months to ensure accuracy;
- Ensure that staff contact details and details on next-of-kin are reviewed and updated every two years, or on an ‘ad hoc’ basis where staff members inform the office of such changes;
- Conduct regular assessments in order to validate the need to keep certain personal data;
- Ensure that every reasonable step is taken to ensure that inaccurate personal data is erased or rectified without delay.
- Not be kept for longer than is necessary to satisfy the specified purpose(s)
- Be kept safe and secure
- The identity of the data controller (Uplift);
- The purpose(s) for which the data is being processed;
- The legitimate interests pursued by the controller (if processing is based on Article 6 (1)(f) of the GDPR)
- The person(s) to whom the data may be disclosed by the data controller;
- Any other information that is necessary so that the processing may be considered fair.
- The purposes for processing the data.
- The categories of personal data concerned.
- To whom the data has been or will be disclosed.
- Whether the data has been or will be transferred outside of the EU.
- The period for which the data will be stored, or the criteria to be used to determine retention periods.
- Information about the right to make a complaint to the Irish Data Protection Commissioner.
- Information about the right to request rectification or deletion of the data.
- Whether the individual has been subject to automated decision making.
Review
This Policy will be reviewed at least annually by the Board of Directors to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.
Supervisory authority
Uplift’s headquarters is in Ireland. Should you wish to contact the relevant supervisory authority in relation to a data protection issue involving Uplift, you should contact:
The Irish Data Protection Commissioner
| Telephone | +353 57 8684800, +353 (0)761 104 800 |
| Fax | +353 57 868 4757 |
| Postal Address | Data Protection Commissioner, Canal House, Station Road, Portarlington |
| Dublin Office | 21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland |
| Portarlington Office | Canal House, Station Road, Portarlington, R32 AP23, Co. Laois |