This privacy statement covers the following topics:
- Rights for individuals
- Data controller
- Legal basis for processing personal data
- Types of personal data we collect
- Why we need your information
- How we collect your personal data
- How we use your personal data
- What we ask from you
- Disclosure of personal data
- How long we retain personal data
- Data matching
- Data Protection Notification
- Monitoring of email
- Information Commissioner’s Office
- Notification of changes to our privacy statement
- Further information
Tinnnelly Group (we) delivers a wide range of services. To do this in an effective way, we are required to collect and use personal data.
The General Data Protection Regulation (GDPR) regulates the processing of personal data and replaces the Data Protection Act 1998. It became law on 25 May 2018 and places legal obligations on us to comply with a number of data protection principles.
These principles are there to protect your personal data and they make sure that we:
- processes all personal information lawfully, fairly and in a transparent manner.
- collects personal information for a specified, explicit and legitimate purpose.
- ensures that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
- ensures the personal information is accurate and up to date.
- retains personal data for no longer than necessary for the purpose for which it is processed.
- keeps your personal information safe and secure and protect its integrity and confidentiality.
The following information will explain how we collect and manage personal data about you.
Rights for individuals
The GDPR gives you rights relating to the processing of your personal information, which are:
- right to be informed – obligation to provide ‘fair processing information’ through privacy notices. There must be transparency at the point of collection on how the information will be used and there is an emphasis on providing you with a clear and concise notice.
- right of access – individuals must be able to access their data to ensure that it is being processed lawfully. This is commonly referred to as a subject access request. If you wish access to your personal data you must submit a request in writing and we will respond within 28 days. We may seek clarification as to your identity and there is no fee for this service.
- right to be forgotten (is not absolute and only applies in certain circumstances) erasure or rectification of personal data – this right arises in the event of inaccurate or incomplete data and has been expanded to cover more circumstances than those set out in the current Data Protection Act 1998.
- right to data portability – this is a new right enabling individuals to reuse and transfer their personal data (held in electronic form) for their personal use to another data controller without affecting its usability.
- right to object – where the processing of personal data is subject to consent, individuals can object to certain types of processing such as direct marketing or processing for research or statistical purposes.
- right not to be subject to a decision based solely on automated processing, including profiling that significantly affect the individual.
We are the ‘data controller’ for the personal data that it gathers from members of the public, internal staff, external contractors and other individuals who interact with us.
Tinnelly Group, Cloughoge House, 46 Forkhill Road, Newry, County Down, BT35 8LZ.
Legal basis for processing personal data
We process personal data for specific purposes and these purposes will determine the legal basis for the processing. This is addressed under Article 6 of GDPR. The legal bases for processing by the council as a public authority will be one or more of the following:
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which we are subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
- Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.
There may be occasions when consent is the only legal basis we have to process your personal data. When this occurs, we will endeavour to seek your consent at the time it gathers your personal data. You will normally be asked to provide a signature or indicate consent by ticking a box but this will only be carried out after a full explanation has been provided and you are clear as to what you are consenting to.
Consent is a core principle of data protection law and GDPR sets a high standard for this. It must be freely given, specific, informed and unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the individual.
Type of personal data we collect
We collect the following type of personal data and this list is not exhaustive but provides a general guide:
- First name
- Name of organisation
- Organisation address
- Email address
- Organisations’s website
- Organisation’s twitter handle
- Telephone numbers
Why we need your information
- to provide you with a public service in compliance with its legal responsibilities
- contact you by post, email or telephone
- update your records
- establish your needs and subsequently provide you with the assistance that you require
- obtain your opinion about our services
- inform you of other relevant council services and benefits
How we collect your personal data
The following are examples of how we collect your personal data:
- through submission of contact forms online or via email
The personal data may be held in paper and electronic format, but will always be managed in a safe and secure manner.
Some areas of our website require you to actively submit personal data in order for you to benefit from specific features, such as our range of online services, for example, email, online forms or online payments. You will be informed at each of these personal data collection points what data is required and what data is optional.
Some of this personal data may uniquely identify you, such as your name, address, email address, phone number, but we will only collect the personal data it needs.
Personal data may be gathered without you actively providing it, through the use of various technologies and methods such as Internet Protocol (IP) addresses and cookies. An IP address is a number assigned to your computer by your Internet Service Provider (ISP), so you can access the internet. We collect IP addresses for the purposes of system administration and to audit the use of our site. Each time you log onto our site and each time you request one of our pages, our server logs your IP address.
Although we log your session, it will not normally link your IP address to anything that can enable us to identify you. However, we can and will use IP addresses to identify a user when we feel it is necessary to enforce compliance with our rules or terms of service or to protect our service, site, users or others.
How will we use your personal data
All the personal data processed by us is held within the UK or on computer servers within the European Economic Area. No outside organisation is allowed access to your personal data unless the law permits this to happen.
We will use the personal data we collect to ensure you receive a proper service and to improve your interaction with us on a wide range of matters.
The data is used to manage your specific needs and inform you about changes to services, initiatives and events, dealing with complaints, employing contractors and dealing with enforcement action. We will endeavour to inform you at the time your data is gathered why it is required, what it will be used for, which will be explained to you.
We will ensure that there is effective safeguards and systems in place to make sure personal information is kept safely and securely and provides awareness training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly.
What we ask from you
- That you provide us with accurate and up to date personal data.
- That you do not abuse staff when providing or seeking personal data.
- That you inform us of any changes to your personal data.
- That you inform us if you find any error or inaccuracies.
Disclosure of personal data
We will not disclose your personal data to any external organisation or person unless it is satisfied that it has a legal basis to do so and proper measures are in place to protect the data from unlawful and unauthorised access.
We may also use external organisations to carry out services on its behalf and this requires providing them with access to personal data. These organisations will act as Data Processors for us and they are legally obliged to keep your personal data secure and only process it under the specific direct instructions of us and in line with the GDPR.
We will not supply your information to any other organisation for marketing purposes without your prior consent.
How long we retain personal data
We are required to keep personal data for specified time periods to meet its statutory obligations and business needs and to comply with GDPR. Personal data is held for different time periods due the specific purpose it was gathered for or because the law compels we to do so in this manner.
We may also retain personal data solely on the basis that you have provided your consent for this to happen. If you wish to withdraw your consent, you can to do so and request we delete and destroy your data, by writing to the relevant department (if known) or directly to our Data Protection Officer asking for this to happen. Your personal data will be reviewed to establish if the law permits its destruction and deletion.
Your personal data will only be held as long as necessary and permitted by law and will be disposed of in a secure manner when no longer needed.
Monitoring of email
We may monitor your email and other online communications it receives (including members of staff). Any such monitoring will take place in accordance with the law.
Information Commissioner's Office
The Information Commissioner’s Office (ICO) regulates compliance with GDPR within the UK. If you consider us to have breached any of the requirements of the GDPR, you may contact the ICO who may carry out an assessment, audit or investigation to establish whether we are compliant with the GDPR.
The ICO can be contacted at:
Information Commissioner’s Office
14 Cromac Place
Notification of changes to our privacy statement
We will post details of any changes to our privacy statement on this website to help make sure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.
This privacy statement was updated in November 2018.
If you require further information about the use of your data or wish to make a subject access request for copies of your personal data held by us, please contact firstname.lastname@example.org.