This document sets out dlr Leisure’s Policy for responding to an individual’s rights as defined within the Act and for ensuring compliance with requests made under the provisions of the Act.
This Policy applies to the Board of Management Team, Employees and all persons or providers contracted or appointed to conduct business on behalf of dlr Leisure. In the event of any further changes to the Act or GDPR, this policy will be updated accordingly. The rights include:
- Right to Erasure
- Right to Data Portability
- Right for Automated Individual Decision Making including Profiling
- Right to Object
- Right to Restriction of Processing
- Right of Rectification Policy
- Right to withdraw Consent
- Right to lodge a complaint
- Right of Access Policy
The objective of the Policy is to ensure that all employees understand their obligations under the Act to respond to the rights of individuals.
Right to Erasure
dlr Leisure must delete an individual’s personal data without undue delay if:
- The personal data is no longer necessary in relation to the purpose(s) for which it was collected/processed
- The individual is withdrawing consent and where there is no other legal ground for the processing
- The individual objects to the processing and there are no overriding legitimate grounds for the processing
- The personal data has been unlawfully processed
- The personal data has to be erased in compliance with a legal obligation
- The personal data has been collected in relation to the offer of information society services to a child.
If dlr Leisure has made the individual’s personal data public, we, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform those who are processing the individual’s personal data that the individual has requested the erasure.
Where dlr Leisure has disclosed the individual’s personal data in question to third parties, we will inform them of the individual’s request for erasure where possible. We will also confirm to the individual details of relevant third parties to whom the data has been disclosed where appropriate.
Right to Data Portability
An individual will receive the personal data concerning them in a structured, commonly used and machine-readable format if:
- processing is based on consent
- processing is carried out by automated means.
dlr Leisure can transfer this data to another company selected by the individual on their written instruction where it is technically feasible taking account of the available technology and the feasible cost of transfer proportionate to the service we provide to the individual.
An individual will not be able to obtain, or have transferred in machine-readable format, their personal data if dlr Leisure are processing this data in the public interest or in the exercise of official authority vested in us.
dlr Leisure will only provide the individual with their personal data, ensuring we protect the rights and freedoms of others. Where personal data of another person may be on the same files as the individual requesting their information, we will redact the full details of the other person.
Right for Automated Individual Decision Making including Profiling
dlr Leisure must state if they have or do not have any automated decision-making processes. If not applicable now, where any such processes are introduced, we will provide individuals with the relevant information required under the “General Data Protection Regulation”.
Right to Object
dlr Leisure informs all individuals of their rights in the privacy statement, including the right to object, prior to us collecting any of the individual’s personal data.
dlr Leisure will stop processing an individual’s personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
- the processing is for the establishment, exercise or defence of legal claims.
Where an individual’s personal data is processed for direct marketing purposes, the individual has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where an individual objects to processing for direct marketing purposes, we will no longer process this data for such purposes.
In the context of the use of information society services, an individual may exercise their right to object by automated means using technical specifications.
Right to Restriction of Processing
An individual may have processing of their personal data restricted:
- While we are verifying the accuracy of your personal data which you have contested
- If the individual chooses restricted processing over erasure where processing is unlawful
- If we no longer need the personal data for its original purpose but are required to hold the personal data for defence of legal claims
- Where the individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override.
Where we have disclosed the individual’s personal data in question to third parties, we will inform them about the restriction on the processing, unless it is impossible or involves disproportionate effort to do so.
We will inform on an individual basis when a restriction on processing has been lifted.
Right of Rectification Policy
Where an individual suspects that data we hold about them is inaccurate, we will on demand rectify any inaccuracies without undue delay and provide confirmation of same.
Where we have disclosed inaccurate personal data to third parties, we will inform them and request confirmation that rectification has occurred. We will also provide the individual with details of the third parties to whom the individual’s personal data has been disclosed.
Right to withdraw Consent
An individual can withdraw consent if we are processing their personal data based on their consent. An individual can withdraw consent at any time.
Any processing based on an individual’s consent will cease upon the withdrawal of that consent. The individual’s withdrawal will not affect any processing of personal data prior to their withdrawal of consent, or any processing which is not based on their consent.
Right to lodge a complaint
An individual can lodge a complaint with the Data Protection Commission in respect of any processing by or on behalf of [Organisation Name] of personal data relating to them. Individuals are informed of this right prior to processing their data; we also provide information on how to lodge a complaint and the steps to follow.
Right of Access Policy
Where dlr Leisure process any personal data relating to an individual, such individual has the right to obtain confirmation of same from us, and to have access to their data.
If we are processing an individual’s personal data such individual is entitled to access a copy of all such personal data processed by us. We will also provide the following information including the full rights under Data Protection:
- why we are processing your personal data
- the types of personal data concerned
- the third parties or categories of third parties to whom the personal data have been or will be disclosed. We will inform you if any of the third parties are outside the European Economic Area (EEA) or international organisations
- how your personal data is safeguarded where we provide your personal data outside the European Economic Area or to an international organisation
- the length of time we will hold your data or if not possible, the criteria used to determine that period
- your rights to:
  - request any changes to inaccurate personal data held by us
  - have your personal data deleted on all our systems
  - restriction of processing of personal data concerning you
  - object to such processing
  - data portability
- your right to lodge a complaint with the Data Protection Commission
- where we have collected your personal data from a third party, we will provide you with the information as to our source of your personal data
- any automated decision-making, including profiling which includes your personal data. We will provide you with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
We will provide an individual with a copy of the personal data we are currently processing within one month of request. In rare situations, if we are unable to provide the individual with the data within one month, we will notify you within 10 days of the request explaining the reason for the delay and will commit to delivery within a further two months.
We will not charge for providing the personal data unless we believe the request is excessive and the cost of providing this data is disproportionate to the services provided.
If additional copies are required, we will charge €20 to cover our administrative costs.
An individual can request their personal data by electronic means and we will provide this personal data in a commonly used electronic form if technically feasible.
We will only provide an individual with their personal data, ensuring we protect the rights and freedoms of others. Where personal data of another person may be on the same files as the individual requesting the information, we will redact the full details of the other person.
This policy will be reviewed and updated annually or earlier as required and approved by the Board of Management to ensure it accurately reflects legal and regulatory requirements.