Website Privacy and Data Protection Policy

Introduction

DEBRA Ireland is committed to respecting your privacy and protecting any personal information we hold on individuals. The purpose of this privacy policy is to outline how, when and why we collect and use the personal information you give us while you use this site regardless of how you access or use our site (the “Site”), whether via personal computers, mobile devices or otherwise. Our aim is to be transparent about what we do and to make it easy for individuals to control the use of their data based on their preferences.

This website is not intended for children and accordingly we do not collect data relating to children.

DEBRA Ireland is the national charity established to provide patient support services to those families living with EB in Ireland and will be principally responsible for your personal data as data controller.

Our full details are:

DEBRA Ireland

8 Clanwilliam Terrace

Grand Canal Quay

Dublin 2

D02 R240

CHY: 8703

Email: info@debraireland.org

Phone: 01 412 6924

In the case of our events (e.g. the Kerry Challenge and the Wicklow Mountains Challenge), participant information (e.g. names and essential health information) is passed on to the ground handlers managing the event (Adventure Ireland and Red Tag Timers).

In order to ensure the success of activities within DEBRA Ireland we need to collect and retain up-to-date (relevant, but not excessive) information, which therefore allows us to commit to future fundraising. Such information is only collected from you if you voluntarily submit it to us via our Site, via post or over the phone.

Please also see our Cookie Policy here (https://debraireland.org/cookie-policy/) for further details about the ways in which we collect and use your personal data.

If you make a donation or pay a registration fee on the Site, you will be asked to provide your credit/debit card number. We do not receive these details; they are encrypted using Secure Sockets Layer (“SSL Software”) and are transmitted directly to our payment provider, Realex.

If setting up a direct debit we will require your BIC and IBAN numbers.

Please note that this Privacy Policy is a dynamic document and we will share any updates to this document.

The privacy policy explains:

  • Where your information is stored
  • Whose data do we collect over our website
  • What information we collect and store about you
  • What we do with the information collected
  • How we cleanse your data and source additional information
  • Who we share your information with
  • How we keep your information secure
  • Your legal rights including how to access and amend your data
  • How your data is used online

You have the right at any time to make a complaint to the Data Protection Commissioner (DPC), the Irish supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the DPC, so please contact our data protection officer in the first instance:

Data Protection Officer

Kim Sargent
DEBRA Ireland
8 Clanwilliam Terrace
Grand Canal Quay
Dublin 2
Phone: 014126924

Where your information is stored

  • The information you provide, including your marketing preferences, will be processed on our Raiser's Edge (CRM) system.
  • Data held on the system is cleansed regularly and will be archived and/or removed after a period of time if not accessed regularly.
  • Paper Files are stored in the DEBRA Office in locked filing cabinets.
  • Mailchimp is used to store data for short periods to assist with delivering certain types of email marketing communications (https://mailchimp.com/legal/forms/data-processing-agreement/eu-eea/).

Whose data we collect

The list below outlines the types of ‘association’ an individual may have with DEBRA. This list is not exhaustive.

  • Current donors
  • Eventers
  • Corporates
  • Fundraising supporters
  • Service Users

The Personal Information we collect and store about you may include:

In order to enable our fundraising team to fulfil its purpose we need to collect and process personal data about you. The types of personal data that are processed may include:

Category: Types of Data Collected

Demographic data
  • Title, Name

Contact Details
  • Postal address, email address, contact phone numbers (home / work landline phone number, personal / work mobile number)

Financial Data (to help the fundraising team to fulfil its function)
  • Donations made to DEBRA Ireland
  • Bank details for regular donors to DEBRA Ireland including account numbers

Employment Information
  • Employer
  • Position

Special Data
For event registration, we may require:
  • Next of kin
  • Medical condition information if any (where relevant to participation in an event such as a race)
  • Dietary requirements

Other Information
  • Attendance at DEBRA Ireland events
  • Communications sent to you and / or received by you

What we do with the information collected

We may use your personal data for the following purposes:

Purpose of the processing: We use your banking details to process SO/DD donations you made to us. We send you receipts for such donations. We also use your personal data to claim tax back, if applicable.
Legal basis for the processing: The processing of your personal data is necessary to support our legitimate interests in managing the business of DEBRA Ireland provided such interests are not overridden by your interests and rights.

Purpose of the processing: We may send you communications via post, telephone or electronically, which can include, but are not limited to, the following:
  • Information on fundraising events and activities
  • Information on our campaigns and advocacy work
  • Other relevant communications depending on your relationship with the Fundraising Team
Legal basis for the processing: The processing of your personal data is necessary to support our legitimate interests in managing the business of DEBRA Ireland provided such interests are not overridden by your interests and rights.

Purpose of the processing: Special categories of data
Legal basis for the processing: Any health details will be collected with your express consent, are not recorded on our CRM system, and are deleted after the event from the Excel sheet they were recorded on.

We are committed to only contacting you based on the contact preferences we hold for you, which you can amend at any time.

If you would like to opt out from communications from us at any time, you can do so by contacting info@debraireland.org or call 01 412 6924.

Legitimate Interest

We are required to send some communications, where there is a legitimate interest, regardless of your contact preferences, so that we can fulfil our obligation to you. These may include communications regarding your direct debit, credit card / online donation, thank you letters and enquiries about returned mail.

How we cleanse your data

Data Cleansing

We will endeavour to keep your information up to date. There are a number of means by which we may cleanse your data, including but not limited to:

  • Address, contacts or information about someone’s death received by email, phone or post
  • Returned mailings and bounced email addresses
  • Information provided via online registrations and donations

We are required to ensure your personal data is accurate and maintained in a secure environment for a period of time no longer than necessary for the purposes for which we are processing your personal data. We generally retain your personal data for a period of up to six years or such other periods in line with our retention policy.

Who we share your information with

We will never disclose your data to third parties unless we require a third party data processor to carry out work on our behalf and for the purposes outlined in the table above. These third parties may include (but are not limited to):

  • Innovative Print, our mailing house, who sends our bulk mailings such as our Thank You Mailing and EB Awareness Campaign
  • Email marketing platforms used for sending bulk emails (Mailchimp)
  • DMS, which we use for data cleansing and to help with large imports of files to our CRM system

Should we appoint a third party processor to handle your data, we will ensure that this arrangement is subject to a formal agreement with the selected service provider. We do not allow third parties to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

How we keep your information secure

All our employees who have access to, and are associated with the processing of personal data, are legally obliged to respect the confidentiality of any data they need to access in order to carry out their work.

We take our information security responsibilities very seriously and employ the most appropriate physical and technical measures, including staff training and awareness, to ensure that your information is safe. These measures are regularly reviewed.

Training

  • All members of the DEBRA Ireland team have received training relating to data security and the processing of personal information. Individuals have additionally been provided with training relating to the processing of data specific to their roles within DEBRA.

Physical Security

  • All of the data provided to DEBRA Ireland in either physical (paper) form or by digital means is stored securely on premise in the DEBRA Ireland offices.

Encryption

  • All data provided to DEBRA Ireland by digital means are encrypted in transit and also at rest. Encryption in transit is achieved by the use of SSL certificates, while encryption at rest is achieved on multiple levels, using both network level and application level encryption.

Electronic Data

  • All computers and laptops are protected by a username and password, which will only be issued to authorised personnel.
  • Staff username and password details are de-activated once a staff member has completed their last day of work in DEBRA Ireland.

Hard Copy Data

  • All hard copy files are stored in a locked filing system in the DEBRA Ireland office.
  • Hard copy files that are no longer in use will be shredded after a certain period of time. Some hard copy files may be stored in our secure archives if they contain financial information, which may need to be kept for a period of 6 years in accordance with current laws.

What are your data subject rights if you are in the EEA?

For information on data subjects’ rights under the GDPR, including the right to be forgotten and the right to data portability, see Practice notes, Overview of EU General Data Protection Regulation: Rights of data subject and Data subject rights under the GDPR.

If you wish to exercise any of these rights, please contact the Data Protection Officer at the details set out below.

How to access and amend your data

Subject Access Requests

This ‘Subject Access Request’ statement is applicable to all subsidiaries of DEBRA Ireland.

You have the right to get a copy of the information that is held about you. This is known as a Subject Access Request. Subject Access Requests should be made in writing. To make a Subject Access Request, please follow the guidelines below; otherwise your request may be delayed if we are required to seek additional information.

You can ask us if we are keeping any personal data about you and you may request to receive a copy of that personal data. Please provide as much information as possible about the data you are requesting. We will not accept Subject Access Requests that do not contain the following:

  • Cover letter including name, address, email and contact phone number (we may request further documentation if we are not satisfied that we can verify the identity of the requester)
  • A written explanation of the data you would like to request
  • Proof of identity such as a copy of your passport, birth certificate or driving licence
  • Whether you would like to receive your information electronically, by post or both.

Subject access requests should be sent to:

Data Protection Officer

Kim Sargent
DEBRA Ireland
8 Clanwilliam Terrace
Grand Canal Quay
Dublin 2

Email: kim@debraireland.org

Amending your data

You may wish to amend the data we hold for you at any time. We will endeavour to comply with your preferences. If you would like to amend any of your information, please contact info@debraireland.org

Honouring the right to be forgotten

The right to erasure or ‘the right to be forgotten’ enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances.

We may refuse to comply with a request for erasure if your personal data contains a financial contribution to our charity that we must keep on our system for accounting purposes.

How your data is used online

The Internet is not a secure environment, and we cannot guarantee that any information you transmit to us via the Internet will be 100% secure. While we take reasonable measures to keep your information secure, we cannot guarantee your online data security. However, once we receive your personal data we take all reasonable technical and organisational measures to protect personal data from loss, misuse, alteration or destruction and to prevent any unauthorised or unlawful disclosure or processing.

Details of transfers outside the European Economic Area (EEA) and safeguards

Some of our service providers lie outside the EEA (e.g. Mailchimp – sending bulk emails). Therefore, sometimes we transfer your data outside the EEA. Whenever we transfer your personal data outside the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details please see European Commission: Adequacy of the protection of personal data in non EU countries.
  • When we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details see European Commission: Model contract for the transfer of personal data to third countries.

Social Media Sites

The Fundraising Team manage the following social media pages:

Facebook

Our Facebook page (https://www.facebook.com/DEBRA.Ireland) is used to share news articles and both old and recent photographs. Our Facebook page is open to the public; therefore comments made on our posts will be visible to the public. You are responsible for the privacy settings on your personal Facebook profile at all times. We moderate all comments made on our Facebook posts and may remove/hide a comment if we feel it is inappropriate.

Twitter

Our Twitter page (https://twitter.com/debraireland) is used to share news articles and both old and recent photographs. If tweets directed to @debraireland are deemed inappropriate and do not follow Twitter’s rules (https://support.twitter.com/articles/18311#), we may report such instances.

Instagram

Our Instagram page (https://www.instagram.com/debraireland) is used to share news articles and both old and recent photographs. Our page is open to the public; therefore comments made on our posts will be visible to the public. We moderate all comments made on our Instagram posts and may remove/hide a comment if we feel it is inappropriate.

Third party websites

Our social media sites (as listed above) may contain links to the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these third party websites.