Photo by Jill Dimond

Data Protection Policy

Organic Trust CLG - Data Protection Policy

Introduction:

The purpose of this document is to provide a concise policy statement regarding the data protection obligations of the Organic Trust CLG regarding their obligations in dealing with personal data and to ensure that the business complies with the requirements of the EU General Data Protection Regulation.

Rationale:

The Organic Trust CLG must comply with the Data Protection principles set out in the relevant legislation. This Policy applies to all personal data collected, processed and stored by the Organic Trust CLG in relation to its staff, service providers and clients in the course of its activities. Organic Trust makes no distinction between the rights of Data Subjects who are employees, and those who are not.

Scope:

The policy covers both personal and special categories of data held in relation to data subjects by the Organic Trust CLG. The policy applies equally to personal data held in manual and automated form.

All Personal and Special Categories of Data will be afforded the highest level of security by the Organic Trust CLG. All categories will be equally referred to as Personal Data in this policy, unless stated otherwise.

The Organic Trust CLG are identified as Data Controllers in the course of its daily organisational activities, the business, acquires, processes and stores personal data in relation to employees, board members, contractors, clients and visitors.

In accordance with the EU General Data Protection Regulation this data must be acquired and managed fairly, lawfully and transparently. The Organic Trust CLG is committed to ensuring that its staff have sufficient awareness of the legislation to be able to anticipate and identify a data protection issue, should one arise. In such circumstances, staff must ensure that the CEO is informed, in order that appropriate corrective action is taken.

Due to the nature of the services provided by the Organic Trust CLG there is regular and active exchange of personal data between the Organic Trust CLG and its Data Subjects. In addition, Organic Trust DAC exchanges personal data with Data Processors on the Data Subject’s behalf. This is consistent with the Organic Trust CLG obligations under the terms of its contract with its Data Processors and legal obligations in accordance with the EU General Data Protection Regulation. This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a staff member is unsure whether such data can be disclosed. In general terms the staff member should consult with the CEO to seek clarification.

Definitions

For the avoidance of doubt and for consistency in terminology, the following definitions will apply within this policy.

“Personal Data” means any information relating to an identified or identifiable natural person (Data Subject): an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Categories of Data” means the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Processing of the above category of personal data shall be prohibited unless the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

Processing is carried out in the course of the company’s legitimate activities with appropriate safeguards in place to protect the Data Subjects rights and freedoms.

Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Data Controller or of the Data Subject in the field of employment and social security.

Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

“Data Subject,” means the living individual about whom the personal data relates to.

Data Protection Principles

The following key principles are enshrined in the EU General Data Protection Regulation and are fundamental to the Organic Trust CLG, Data Protection Policy. In its capacity as Data Controller Organic Trust ensures that all data shall:

  1. Be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (lawfulness, fairness and transparency). For data to be obtained fairly, the Data Subject will, at the time the data are being collected, be made aware of:
  2. The identity of the Data Controller: Organic Trust CLG, Office A1 Town Centre House, Naas Town Centre, Naas, County Kildare.
  3. The purpose (s) for which the data is being collected.
  4. The person (s) to whom the data may be disclosed by the Data Controller.
  5. Any other information that is necessary so that processing may be fair.

The Organic Trust CLG will meet this obligation in the following way:

Where possible, the informed consent of the Data Subject will be sought before their data is processed.

Where it is not possible to seek consent the Organic Trust CLG will ensure that collection and further processing of the data is justified under one of the other lawful processing conditions - legal obligation, contractual necessity, vital interest, legitimate interest, public interest.

Processing of the personal data will be carried out only as part of Organic Trust CLG lawful activities including legal obligation and Organic Trust DAC will safeguard the rights and freedoms of the Data Subject.

The Data Subjects personal data will not be disclosed to a third party other than to a party contracted to the Organic Trust CLG and operating on its behalf, or when the Organic Trust CLG are legally obliged to disclose personal information.

  1. Be obtained only for one or more specified, explicit and legitimate purposes (Purpose Limitation) the Organic Trust will obtain data for purposes which are specific, lawful and clearly stated. Person data will not be further processed in a manner which is incompatible with those purposes.
  2. The personal information that is collected by the Organic Trust will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data Minimisation).
  3. Personal information will be accurate and where necessary kept up to date, every reasonable step will be taken to ensure that personal data that is inaccurate having regard to the purposes for which they are processed, are erased or rectified without delay (Accuracy).
  4. Personal Information will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed: (Storage Limitation).
  5. Personal Information will be processed in a manner that ensures appropriate security of the personal data, including protection against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed (Integrity & Confidentiality).
  6. The Organic Trust as Data Controller shall be responsible for and be able to demonstrate compliance with the legal principle of Accountability by ensuring that all appropriate technical and operational measures have been implemented and affords the highest level of security to protect all categories of personal data.

Implementation: As a Data Controller the Organic Trust ensures that any entity which processes personal data on its behalf as a Data Processor does so in a manner compliant with the EU General Data Protection Regulation and processes personal data under the explicit instructions of the Data Controller: Organic Trust CLG, Office A1 Town Centre House, Naas Town Centre, Naas, County Kildare.

Failure of a Data Processor to process Organic Trust CLG personal data in a compliant manner will be viewed as a breach of contract and will be pursued through the courts.

Policy Review: This data protection policy will be subject to review in accordance with the Legal Principle of Accountability enshrined in the EU General Data Protection Regulation.