Data Protection Policy
Dublin Moves Made Easy (DMME – “the organisation”)
Statement of Policy
The processing of assignee and customer data by Dublin Moves Made Easy is required for the provision of services and/or the completion of contractual requirements. The organisation must also process the data of customers, assignees, staff, suppliers, and any individual or organisation that comes in contact with Dublin Moves Made Easy in order to complete work duties, comply with regulatory requirements, and keep adequate records of business activities. The processing of this personal data must meet the requirements of the Data Protection Acts, 1988 and 2003 and the General Data Protection Regulation 2016. Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection Acts confer rights on individuals as well as responsibilities on those persons processing personal data.
Purpose of Policy
This policy is a(n):
- Statement of DMME's commitment to protect the rights and privacy of data subjects in accordance with the Data Protection Acts.
- Information point on the appropriate measures and precautions to be taken by staff to ensure compliance with the Data Protection Acts.
Responsibilities
The management official with the overall responsibility for the application of the Data Protection Policy is Thalia Maree, Proprietor.
All employees hold a responsibility to remain compliant with this policy and the failure of an individual to comply with this policy may lead to disciplinary action, up to and including dismissal in the case of staff. Failure of a third-party contractor/subcontractor to comply with this policy may lead to termination of the contract and/or legal action.
Key Definitions
'Personal Data' means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
'Processor' means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Protection
Dublin Moves Made Easy's data protection ethos is characterised by the following key guidelines:
- Obtain and process personal data fairly.
- Keep personal data only for one or more specified, explicit, and lawful purposes.
- Process personal data only in ways compatible with the purposes for which it was initially given.
- Keep personal data safe and secure.
- Keep personal data accurate and up to date.
- Keep data in a format which is easily transferable.
- Ensure that personal data is adequate, relevant, and not excessive.
- Retain personal data no longer than is necessary for the specified purpose or purposes.
- Give a copy of his/her personal data to any individual, on request.
- Delete personal data upon request from the individual.
- Notify the appropriate parties within the specified timeframe in the event of a personal data breach.
Data Processing
The processing of personal data is only permitted for the following reasons:
- Legal Purposes - The processing of personal data in order to remain compliant with regulatory requirements.
- Contractual Obligations - The processing of personal data is required to complete contractual obligations.
- Explicit Consent - The processing of personal data with the explicit consent of the data subject.
Personal data shall only be processed for the purpose for which the data subject or Proprietor originally disclosed the data. Explicit consent must be obtained for any processing activity outside of what is required for contractual obligations and regulatory requirements. Data subjects hold the right to withdraw consent for processing at any time. Under certain circumstances, other legal requirements shall hold primacy over restrictions set out in the Data Protection Acts (e.g., retention of assignee name on invoices for tax purposes). These legal requirements are subject to strict conditions and should only be availed of where authorised by the Data Protection Officer.
During the data collection process Dublin Moves Made Easy shall explicitly outline the processing activities involved in the service delivery process in order to remain transparent as to the purpose of the data gathering. Dublin Moves Made Easy shall ensure that the consent of the data subject is obtained wherever required for the collection process. The data being obtained shall never exceed what is required for contractual obligations and regulatory requirements, hence a strict policy is in place dictating that the minimum amount of required data possible is what shall be gathered by Dublin Moves Made Easy.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited. The processing of such data may only occur with the explicit consent of the data subject and only for the purpose of meeting contractual obligations, and Dublin Moves Made Easy policy dictates that such processing should always be avoided whenever possible. The Data Protection Officer shall be notified immediately of any instance where the processing of such data is suggested, requested, or required.
Data Retention
Data shall only be retained for the period of time required by contractual obligations or regulatory requirements, whichever of the two is longer. The standard data retention period for DMME for tax purposes is seven years from the date of invoicing. The category of data retained shall only be relevant to the intended and agreed specific purpose(s); all data outside of the above scope or that is no longer required shall be routinely deleted. Certain circumstances specific to the relocation industry may require extended retention periods, such as the retention of Employment Permit data in order to facilitate future permit renewals, and household information on properties being managed on behalf of assignees who have repeated lease renewals. In any case, explicit consent shall be obtained for any of these scenarios which lie outside of contractual obligations or regulatory requirements.
Data Security
DMME must take appropriate security measures against unauthorised access to, or alteration, disclosure, or destruction of, personal data and their accidental loss or destruction in particular where the processing involves transmission of data over a network, and against all other unlawful forms of processing. Hence,
- All mobile phones, computers and laptops have full disk encryption with up-to-date security software.
- All email accounts are individually password protected and hosted on a large-scale international platform that has up-to-date data security protocols in place.
- All external emails are monitored and protected by SafeSend to ensure accidental data leakage is stopped.
- All assignee personal data is stored exclusively on a single secure platform on which staff only hold access permissions to data they have been assigned to work on.
- All intranet data is hosted on a single secure platform on which staff only hold access permissions to data drives linked to their work duties.
- Data backups are completed in real-time as a risk reduction strategy to avoid data loss.
- The transfer to a third party of personal data shall only occur over secure networks/platforms.
Data Accuracy
DMME shall always ensure that personal data is kept as up to date and accurate as possible based on the information submitted by the data subject. As data subjects hold the right to request a copy of their personal data at any time, they too hold the right to request that any inaccurate or outdated data be amended or updated. Such a request should be immediately reported to the Data Protection Officer who will then provide instructions as to what activities are to be completed in order to comply and by whom these activities should be completed. Company policy dictates that such a request should be completed within 30 days of its receipt.
Data Transfer
All assignee personal data is kept in individually consolidated folders, in a readily transferable format, using commonly available software that enables even a household computer user to access the data upon secure transfer.
Data Request
Data subjects may at any time request a copy of their personal data. Such a request should be immediately communicated via email to the Data Protection Officer, who will then provide guidance on what data is to be shared, the method of delivery, and the individual responsible for the delivery. Company policy dictates that such a request should be completed within 30 days of its receipt.
Data Deletion
Data deletion takes place under the following circumstances:
- The data subject avails of the "Right to be Forgotten", whereby they request to have all personal data removed from the organisation's database and servers (to be completed within 30 days of receipt of the request).
- Where the data is no longer relevant to the intended and agreed purpose(s).
- The expiry of the set/agreed data retention period.
To support this, individual assignee files are kept consolidated in a single folder to facilitate data transferability, data deletion and data accuracy. Deletion of expired files is done by, or under the direct supervision of, the Data Protection Officer on a bi-annual basis. Emails are deleted automatically in conjunction with the retention period.
Data Breach
In the event of a personal data breach, employees (staff, contractors, and/or any party acting as processors on behalf of Dublin Moves Made Easy) shall immediately notify the Data Protection Officer once aware of the breach. The Data Protection Officer shall notify the relevant supervisory authority of the breach within 72 hours of having become aware of it unless the breach poses no risk to the rights and freedoms of natural persons. The notification shall outline the:
- Nature of the breach.
- Category of the breach.
- Number of data subjects involved.
- Category and approximate number of personal data records involved.
- Name and contact details of DPO.
- Description of the likely consequences of the breach.
- Description of measures taken/proposed by the controller to address the breach and mitigate the effects.
The Data Protection Officer shall accompany notifications not made within the 72-hour timeframe with the reason(s) for the delay.
In the event of a personal data breach where Dublin Moves Made Easy is acting as data processor, the Data Protection Officer shall notify the Proprietor immediately once aware of the breach. In the event of a personal data breach where DMME is acting as Proprietor, and where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Protection Officer shall notify the data subject without undue delay. The notification shall outline the:
- Nature of the breach.
- Name and contact details of DPO.
- Description of the likely consequences of the breach.
- Description of measures taken/proposed by the controller to address the breach and mitigate the effects.
Such a notification will not be required if the personal data in question has been rendered unintelligible by security measures (e.g., encryption), measures have been taken that guarantee the risk to rights and freedoms is no longer present, or it would involve disproportionate effort.
DATA RETENTION POLICY
Scope
This policy outlines how Dublin Moves Made Easy retains the personal data of any data subject, outlining:
- The method of retention.
- The retention periods.
- The safeguards in place during this period.
- Actions to be taken upon the expiry of the retention period.
Responsibilities
The management official with the overall responsibility for the application of the Data Retention Policy is Thalia Maree, Proprietor.
All employees hold a responsibility to remain compliant with this policy and the failure of an individual to comply with this policy may lead to disciplinary action, up to and including dismissal in the case of staff. Failure of a third-party contractor/subcontractor to comply with this policy may lead to termination of the contract and/or legal action.
Data Protection
Dublin Moves Made Easy's data protection ethos is characterised by the following key guidelines:
- Obtain and process personal data fairly.
- Keep personal data only for one or more specified, explicit, and lawful purposes.
- Process personal data only in ways compatible with the purposes for which it was initially given.
- Keep personal data safe and secure.
- Keep personal data accurate and up to date.
- Keep data in a format which is easily transferable.
- Ensure that personal data is adequate, relevant, and not excessive.
- Retain personal data no longer than is necessary for the specified purpose or purposes.
- Give a copy of his/her personal data to any individual, on request.
- Delete personal data upon request from the individual.
- Notify the appropriate parties within the specified timeframe in the event of a personal data breach.
Data Retention
Data shall only be retained for the period of time required by contractual obligations or regulatory requirements, whichever of the two is longer. The standard data retention period for DMME for tax purposes is seven years from the date of invoicing. The category of data retained shall only be relevant to the intended and agreed specific purpose(s); all data outside of the above scope or that is no longer required shall be routinely deleted. Certain circumstances specific to the relocation industry may require extended retention periods, such as the retention of Employment Permit data in order to facilitate future permit renewals, and household information on properties being managed on behalf of assignees who have repeated lease renewals. In any case, explicit consent shall be obtained for any of these scenarios which lie outside of contractual obligations or regulatory requirements.
Data Security
Dublin Moves Made Easy must take appropriate security measures against unauthorised access to, or alteration, disclosure, or destruction of, personal data and their accidental loss or destruction in particular where the processing involves transmission of data over a network, and against all other unlawful forms of processing. Hence,
- All mobile phones, computers and laptops have full disk encryption with up-to-date security software.
- All email accounts are individually password protected and hosted on a large-scale international platform that has up-to-date data security protocols in place.
- All assignee personal data is stored exclusively on a single secure platform on which staff only hold access permissions to data they have been assigned to work on.
- All intranet data is hosted on a single secure platform on which staff only hold access permissions to data drives linked to their work duties.
- Data backups are completed in real-time as a risk reduction strategy to avoid data loss.
- The transfer to a third party of personal data shall only occur over secure networks/platforms.
Data Deletion
Data deletion takes place under the following circumstances:
- The data subject avails of the "Right to be Forgotten", whereby they request to have all personal data removed from the organisation's database and servers (to be completed within 30 days of receipt of the request).
- Where the data is no longer relevant to the intended and agreed purpose(s).
- The expiry of the set/agreed data retention period.
To support this, individual assignee files are kept consolidated in a single folder to facilitate data transferability, data deletion and data accuracy. Deletion of expired files is done by, or under the direct supervision of, the Data Protection Officer on a bi-annual basis. Emails are deleted automatically in conjunction with the retention period.