- Your rights under GDPR
- How do I make a data access request?
- How soon will I receive a reply?
- Can someone else make a request on my behalf?
- How do I make a request to have my personal data corrected or erased?
- How can I make a complaint or appeal a decision in relation to my data access request?
- Our Data Protection Officer (DPO)
General Data Protection Regulation (GDPR)
DCCI fully respects your right to privacy and will not collect any personal data about you without your clear permission. Any personal data which you volunteer to us will be treated with the highest standards of security and strictly in accordance with the General Data Protection Regulation (GDPR). GDPR is designed to give individuals more control over their personal data and came into force across the European Union on 25th May 2018.
Your personal data will be:
- Obtained fairly and with your knowledge.
- Used only for the purpose for which it was collected.
- Handled and stored securely.
- Kept only as long as is absolutely necessary.
- Never shared with third parties without your consent.
Your rights under GDPR
Under the GDPR individuals have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What is personal data
“Personal Data” is information relating to any living person that can identify that person (the “Data Subject”). Personal data can include personal contact details, biographical information, payment information and photos of you.
Our personal data protection notice is available to view here.
How do I make a data access request?
You can make a data access request either in writing or by email to obtain a copy of the personal data that the DCCI holds about you.
To enable us to process your request as quickly as possible, it would be helpful if you could:
- Provide as much information as possible to allow us to identify your data.
- State the format in which you wish to receive your data (for example, paper copy or electronic copy).
- Include a daytime telephone number so we can contact you if we have any queries in relation to your request.
- Provide your permission if someone else is making a request on your behalf, for example, a friend, relative or solicitor. Permission is usually given in the form of a letter signed by you authorising the person to write to us for your data and to receive a reply, together with proof of identity for both you and your nominated representative.
Please note: We will require proof of identity when making a request, for example, a copy of your passport. This is to make sure that personal information is not given to the wrong person. Certain requests may incur a fee.
- Requests by email should be sent to: [email protected].
- Requests by post should be sent to: The Data Protection Officer, Design & Crafts Council Ireland, Castle Yard, Kilkenny, R95 CAA6, Ireland.
How soon will I receive a reply?
The GDPR requires that we issue a response within 1 month of receipt of your request.
We may extend this timeframe by a further 2 months in certain circumstances and you will be informed of any such extension, where applicable, within 1 month of receipt of your request. However, we will always do our best to respond to your request as quickly as possible.
Can someone else make a request on my behalf?
Yes. You can ask someone else to request data on your behalf, for example, a relative, friend or solicitor.
We must have your permission to do this. This is usually a signed letter authorising the person to write to us for your data and to receive a reply, together with proof of identity for both you and your nominated representative.
How do I make a request to have my personal data corrected or erased?
You have the right to have the personal data we hold about you corrected where it is incorrect or completed where it is incomplete. You also have the right to have it erased in certain circumstances.
Requests by email should be sent to: [email protected].
Requests by post should be sent to: The Data Protection Officer, Design & Crafts Council of Ireland, Castle Yard, Kilkenny, R95 CAA6, Ireland.
How can I make a complaint or appeal a decision in relation to my data access request?
If you are unhappy with how we handle your data access request or the outcome of a decision by us, complaints and appeals can be submitted directly to the Data Protection Commission via the web form on their website www.dataprotection.ie.
Our data protection officer (DPO)
Our DPO reports directly to the CEO and DCCI Board and is responsible for GDPR and data protection compliance. The DPO does not receive any instructions regarding the exercise of duties from the Board of the DCCI or its senior management team.
DCCI Personal Data Protection Notice
The Design & Crafts Council Ireland (DCCI, we, us, our) is committed to protecting and respecting your privacy. This Data Protection Notice tells you about your privacy rights and sets out how we, as a Controller, collect, use, process and disclose your personal data relating to your interactions with us.
Information we may collect and process
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect and process any type of personal data you provide to us in the course of your interactions with us.
If you do not provide us with your personal data, we may not be able to provide you with our services or respond to any questions or requests you submit to us. When we ask for personal data, we will tell you whether it is needed to perform our functions or information that is required to comply with our legal obligations.
How we use personal data we collect
We will only use your personal data for the purposes and legal basis set out at the time of collection and only for the purpose(s) for which it was obtained.
Recipients of your personal data
Your personal data will only be shared with relevant staff in line with your permissions as set out at the time of collection and only in relation to the purpose(s) for which it was obtained.
Why do I need to provide personally identifiable data to DCCI when applying for membership or funding?
When applying for funding, membership or to participate in DCCI events or workshops, DCCI may request personally identifiable information including your date of birth, gender, nationality, etc. The purpose of collecting this data is to avoid duplication of records and ensure that we can link any additional forms directly to you. This data will not be shared with third parties without your prior consent.
Retention of your personal data
We will store your personal data only for as long as necessary for the purpose(s) for which it was obtained. The criteria used to determine our retention periods include:
- the length of time we have an ongoing relationship and/or provide our services.
- whether there is a legal requirement to which we are subject.
- whether the retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
Please contact us if you wish to obtain further information concerning our retention periods, details below.
Disclosure of your Personal Data
We may disclose your personal data to third parties who provide a service to us in the normal course of our business and in line with the purpose for which we collected the data. In the event of any future changes to legislation which may change the way in which we operate we may be under a duty to disclose or share your personal data in order to comply with any legal obligation, or where necessary for our legitimate business interests to protect the rights, property, or safety of DCCI, or others or for the purposes. Such disclosure may, as appropriate, include exchanging information with other organisations, companies, auditors, Government Departments, Institutes of Technologies, recruiters, Semi State Agencies, universities and public bodies, where any such body provides a service to DCCI and we are satisfied that it complies with the GDPR requirements.
The personal data that we collect may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”), for the purposes described above. To the limited extent that it is necessary to transfer your personal data outside of the EEA, we will ensure appropriate safeguards are in place to protect the privacy and integrity of such personal data, including standard contractual clauses under Article 46.2 or adequacy decision under Article 45. Please contact us if you wish to obtain information concerning such safeguards (see Contact details for our DPO below).
You have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions.
We will respond to any valid requests within one month, unless it is particularly complicated or you have made repeated requests in which case we will respond, at the latest, within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay.
You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request.
If you wish to exercise any of these rights, please contact us. We will request proof of identification to verify your request.
Your Rights & What it Means
Right to withdraw consent
If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time. However, the withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent.
Right of access
You can request a copy of the personal data we hold about you.
Right to rectification
You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.
Right to erasure (‘right to be forgotten’)
You have the right to request that your personal data be deleted in certain circumstances including:
- The personal data is no longer needed for the purpose for which it was collected.
- You withdraw your consent (where the processing was based on consent).
- You object to the processing and there are no overriding legitimate grounds justifying us processing the personal data (see Right to Object below).
- The personal data have been unlawfully processed.
- To comply with a legal obligation.
However, this right does not apply where, for example, the processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
Right to restriction of processing
You can ask that we restrict your personal data (i.e. keep but not use) where:
- The accuracy of the personal data is contested.
- The processing is unlawful but you do not want it erased.
- We no longer need the personal data but you require it for the establishment, exercise or defence of legal claims.
- You have objected to the processing and verification as to our overriding legitimate grounds is pending.
We can continue to use your personal data:
- Where we have your consent to do so.
- For the establishment, exercise or defence of legal claims.
- To protect the rights of another.
- For reasons of important public interest.
Right to Data Portability
Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance, but in each case only where:
- The processing is carried out by automated means.
- The processing is based on your consent or on the performance of a contract with you.
Right to object
You have a right to object to the processing of your personal data in those cases where we are processing your personal data in reliance on our legitimate interests, for the performance of a task carried out in the public interest or in the exercise of our official authority.
In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate grounds which override your interests and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes.
Right to complain
You have the right to lodge a complaint with the Data Protection Commission if you consider that the processing of your personal data infringes on the GDPR.
Security and where we store your personal data
DCCI is committed to protecting the security of your personal data. A variety of security technologies and procedures are used to help protect your personal data from unauthorised access and use.
Strict internal guidelines have been implemented to ensure that your privacy is safeguarded at every level of our organisation. DCCI will continue to revise policies and implement additional security features as new technologies become available.
Changes to this Data Protection Notice
We reserve the right to change this Data Protection Notice from time to time at our sole discretion.
Questions, comments, requests and complaints regarding this Data Protection Notice and the personal data we hold are welcome and should be addressed to:
The Data Protection Officer, Design & Crafts Council Ireland, Castle Yard, Kilkenny R95 CAA6, or submitted by email to [email protected].