Menu
22 Sep 16 16 Mar 23

MSF Ireland Privacy Notice

About this Policy 

At Médecins Sans Frontières we make sure we protect the information you give us.  
References to “we” or “us” are to Médecins Sans Frontières (Charity Registration Number:  20069360).
We collect information that helps us make informed decisions, fundraise more efficiently and give you the best possible experience on our websites and from our communications.
This privacy policy is written in accordance with relevant data protection legislation including the Data Protection Acts 1998 and 2003, ePrivacy Regulations 2011 (S.I. 336 of 2011) and the General Data Protection Regulation (2016). 
This privacy policy sets out how Médecins Sans Frontières collects, uses and stores personal data, including via its website, www.msf.ie and its associated sites, including secure.msf.ie.

When MSF was established in Ireland we made a commitment to match the dedication and versatility of our skilled teams in the field. As part of delivering on that promise we’re continually working to ensure our supporters in Ireland can continue to engage with MSF’s work across the world.
isabel simpson dIRECTOR

If you’ve any questions please contact us using the details below. 


When do we collect information about you?

We collect information:

when you give it to us directly
when you give it to us indirectly
when you give it to us via social media
when you use our websites or apps
 
Directly
 
You may give us personal information when you: donate, sign up for one of our events, communicate with us, request a speaker, sign up for email newsletters and leave a comment on our social media accounts.  
 
Indirectly 
 
We may get your personal information via a fundraising organisation or platform (e.g. Just Giving) if you’ve told them that you’re supporting Médecins Sans Frontières and with your consent. Please check their privacy policies when you give them your information.
 
Social media
 
We may get information about you from your social media accounts or services. Facebook and Twitter are examples. We can do this if you’ve set your account settings to give us permission. Please check your settings and their privacy policies for more details.
 
In some cases we hold publicly available information from social media channels (such as social media handles or number of followers) on our social customer relationship management system ‘Prezly’. This provides us with an overview of who drives the conversation on topics that relate to our work. Should we want to reach out to a particular social media handle we would do so using the contact information they have provided publicly. 
 
Our websites and apps 
 
We use “cookies” to help us improve the performance of our websites and campaigns.
Cookies are small text files that websites send to your computer (or phone or tablet). They save and store information about how you use the website. 
 
We use them to give you a tailored experience on our website. They make using our sites faster and easier. For example, when you donate on Médecins Sans Frontières, a cookie helps the site ‘remember’ which kind of donation you’ve chosen as you move through the site.
 
Our website also uses web third-party cookies that allow us to track conversions and activity on our website as well as generate advertisements that appear on Facebook, for example, and other search engines like Google for you and other potential users. Such third party cookies may collect or receive information through your use of our websites to provide advertisements and allow it to create lookalike audiences. We do not collect personal information via these cookies.
 
Find out more on our cookies page
 
If you enter your details onto one of our online donation forms, and you don’t complete the donation, we may contact you via email to see if we can help with any problems you may be experiencing.
 
Similarly if you receive an email, open it, don’t open it, select a link, browse our website, we collect this information so we can see which stories are popular and which aren’t. This data is not used to identify you personally.
What information do we collect?

If you contact us for any reason we'll usually collect your:

name
email
phone number
address
 
When you donate we may also ask for:
 
your bank or credit card details where necessary in accordance with PCI Compliance regulations.
date of birth through our face-to-face fundraising to check you’re over 18.
 
We may also record:
 
Your PPS number if you have sent us a completed and signed CHY Tax Relief Certificate.  
 
When you sign up for a survey or fundraise for us we may also ask:
 
what your interests are e.g. medical interests or countries we work in
which age bracket you’re in
what social media channels you use
 
If you sign up for our Access campaign website your data will be collected by our Geneva office. Please read their policy to find out more about how they look after your data.
How do we use your information?

We use your data to:

Respond to your enquiries and requests
process and acknowledge your donations
keep a record of your engagement with us
send you updates, marketing and fundraising communications 
understand how we can improve our services and information
analyse our fundraising activity
 
We won’t sell your details to any third parties or other charities. Read our donor promise for more information.
 
How we use your data depends on why you’re providing it:
 
Online forms and feedback
 
We’ll use your personal information to respond to your questions, requests or register you for events.
 
Surveys 
 
We use surveys to understand our supporters, helping us to communicate more effectively.
If you are happy to be involved in future surveys we may ask for your contact information. 
 
Donations
 
We use your information to process and keep a record of your donations. We also use it to claim Tax Relief if you have sent us a CHY Tax Relief Certificate.
 
Direct marketing
 
We use direct marketing to let you know what MSF is doing and how your support makes a difference. We may use it for emergency fundraising or to ask for other support. We will always respect your preferences and endeavour to send you information that you’ll find interesting, in the format you prefer.
 
We may send you direct marketing unless you indicate that you do not want to hear from us this way. We send these communications on the basis of it being within our legitimate interests to do so or if you have consented to receive this. Please see the “Legal Basis for Processing Data” section below for more information on this.
 
The types of marketing that you can expect to receive from Médecins Sans Frontières include:
 
Our ‘Dispatches’ magazine
Email updates 
Emergency appeals
Event or meeting invites
Reports on our operational activities
 
Our email direct marketing has ways to opt out in the footer of each email. You can opt out at any time. It may however take up to twenty working days for us to process a unsubscribe request so please excuse any errors over this period.
 
If you don’t want to hear from us just let us know on 01 6603337 or at fundraising@dublin.msf.org. Please note it may take up to 30 working days to process such requests.
 
Social media
 
We may use publicly available information from your profile to target you with specific posts that may interest you.
 
We’ll never ask for personal or sensitive information on social media. We may repost or share your posts on social media if it relates to MSF and our work.
 
We may respond to questions, queries or comments left on our social media channels. We may use information found on your profile to help us answer these.
 
Check your social media accounts if you want to change the information you make public. 
 
Our websites use sharing buttons which share our web pages to social media platforms. Use these buttons at your own discretion.
 
Social media platforms may track these shares through your accounts.
Who has access to my data?

Trained staff

Your information is only accessible by trained staff, volunteers and contractors. We regularly review who has access to your information.

We carry out comprehensive checks on any contractors before we work with them. 

We always put a contract in place that sets out how staff, volunteers and contractors manage the personal data they collect or have access to. 

Data Processors 

We use other companies to help us manage and store personal data and to carry out certain activities on our behalf.  Our main data processors are listed below, but we may enlist the services of others from time to time: ​

  • Fretwell – a direct mail partner
  • Sooner Than Later – a direct mail partner
  • Survey Monkey – surveys and competitions
  • Taleo – Office staff recruitment portal
  • Hero – Field staff recruitment and HR database
  • CPM – our door to door recruitment agency
  • Like Charity – our donor recruitment partner
  • Dynamics - our in-house fundraising database
  • Mango - our inbound call centre
  • Contact Centre - our outbound call centre

We may disclose your personal data to third parties, without your consent, when we have to by law, for example to authorised statutory agencies or authorities. 

How do we keep your information safe?

We use appropriate technical and organisational measures and precautions in order to protect your personal data and to prevent the loss, misuse or alteration of your personal data.

We have lots of technical measures e.g. we encrypt our online forms and routinely monitor our network and we use industry standard SSL certificates and PCI compliance.

While we make sure to keep your data safe, no data transmission over the Internet is 100% secure. We cannot guarantee the security of any information you send us and you do so at your own risk.

How long do we keep your information?

We keep your information for as long as it is necessary. E.G. we keep your financial data for at least seven years. 

If you request to receive no further contact from us, we will keep some basic information about you on our suppression list in order to avoid sending you unwanted materials in the future.

Our legal basis for processing personal data

Organisations need a lawful basis to collect and use personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Four of these are relevant to the types of processing that MSF carries out.

This includes information that is processed on the basis of:

(a) A person’s consent (for example to send you direct marketing by e-mail or SMS);
 
(b) Processing that is necessary for compliance with a legal obligation. (For example, the retention of financial records for tax declaration and audit); and 
 
(c) Our legitimate interests (please see below for more information). 
 
Personal data may be legally collected and used if it is necessary for a legitimate interest of the organisation using the data, as long as its use is fair and does not adversely impact the rights of the individual concerned. Our legitimate interests include:
 
Charity Governance, including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes;
 
Administration and operational management, including responding to solicited enquires, providing information and services, research, events management, the administration of volunteers and employment and recruitment requirements. 
 
Fundraising and Campaigning, including administering campaigns and donations, and sending direct marketing and thank you letters by post or email. 
 
If you would like to change our use of your personal data in this manner, please get in touch with us using the details below. 
How do I change my information and can I access it?

Contact us at fundraising@dublin.msf.org or 01 6603337 if you would like to update your personal information and/or change your contact preferences.

You have a number of rights under data protection legislation: 
 
You can request the personal data we hold on you. Email us at fundraising@dublin.msf.org.  and ask for it in writing. We will supply any information you ask for as soon as possible, but this may take up to 30 days.  You may be asked for proof of identity.
 
You have the right to ask us to stop using or to restrict the processing of your personal data in certain cases, for example where it is not needed to do what you provided it to us for, or if there is some disagreement about its accuracy or legitimate use.
 
You can withdraw your consent to us processing your data at any time (where such processing is based on consent e.g. to send you electronic direct marketing).
 
If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. To update your records please get in touch with us using the details above.
 
In some cases, you have the right to be forgotten (i.e. to have your personal data deleted from our database), or transferred to another organisation (“data portability”). Where you have requested that we do not send you marketing materials we will need to keep some limited information in order to ensure that you are not contacted in the future.
 
Isabel Simpson is our data protection lead. You can contact her if you’ve any queries about data protection.
 
If you have any concerns about the way your data is being used or if you’d like to make a complaint please contact us using the details above. You are also entitled to make a complaint to the Data Protection Commissioner. 
When do you update this notice?

We change this Privacy Notice when we need to.  If we make any significant changes in the way we treat your personal information we’ll make this clear on our websites or by contacting you directly.

This privacy notice was prepared to be as comprehensive as possible, but it does not include an exhaustive list of every aspect of our collection and use of personal information. However, we would be happy to provide any further information or explanation about our practices. 

If you’ve any questions, comments or suggestions, please let us know by contacting us.

Privacy Policy for MSF staff

Médecins Sans Frontières (the Companywe, usour) is committed to protecting the privacy and security of your personal information.  

The Company is a "data controller" within the meaning of the GDPR. This means that we are responsible for deciding how we hold and use personal information about you. This Employee Privacy Notice (the Notice) details how we collect and use personal information about you during and after your working relationship with us in accordance with the GDPR. 

For the purposes of this Notice: 

GDPR means the General Data Protection Regulation (EU 2016/679) and any national implementing laws, as amended or updated from time to time; 

Group Company means a company which is a Subsidiary or Holding Company of the Company or any Subsidiary of such Holding Company from time to time (and for this purpose Subsidiary and Holding Company have the meanings given to them respectively in sections 7 and 8 of the Companies Act 2014). 

Please read the following carefully to understand how and why we are using such information and what your rights are under the applicable data protection legislation. 

Scope  

This Notice applies to you, whether you are a current (or former) employee, intern, agency worker, consultant, individual contractor or director of the Company. It also applies to third parties whose information you provide to us e.g. emergency contacts, beneficiaries of pension etc. Please ensure that you provide a copy of this Notice to any third parties whose personal data you provide to us. 

Where we refer to 'employee personal data' or 'employment' in this Notice we do so for convenience only and this should in no way be interpreted as purporting to confer employment status on non-employees to whom this Notice also applies. This Notice does not form part of any contract of employment and does not confer any contractual rights on you or place any contractual obligation on us.   

This Notice applies to all personal data collected, maintained, transmitted, stored, retained, or otherwise used (i.e. processed) by us regardless of the media on which that personal data is stored. We may update this Notice at any time and will notify you in writing of any changes as soon as reasonably practical. 

Data Protection Principles 

The Company is committed to complying with the GDPR. Any personal information that we hold about you must be: 

  1. Used lawfully, fairly and in a transparent way; 
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes; 
  3. Relevant to the purposes that we have told you about and limited only to those purposes; 
  4. Accurate and kept up to date; 
  5. Kept only as long as necessary for the purposes we have told you about; and 
  6. Kept securely. 
     

What is Personal Data? 

'Personal Data' is defined as any information relating to a living individual from whom that individual can be identified directly from that data or indirectly in conjunction with other information. It does not include data where the identity has been removed (anonymous data). We will collect, hold and use the following categories of Personal Data about you as set out in Appendix 1 of this Notice.  

Purpose and Basis for Processing 

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information for the following purposes: 

  1. To perform the contract we have entered into with you. 
  2. To comply with a legal obligation
  3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. In this instance a legitimate interest assessment (LIA) will have been conducted to (i) identify a legitimate interest; (ii) show that the processing is necessary to achieve it; and (iii) balance it against your interests, rights and freedoms. You may request a copy of this LIA from the Senior Information Risk Owner (email office@dublin.msf.org). 
     

In particular, we will hold, process and may disclose personal data provided by you for the following purposes: 

Category of Personal Data 

Purpose/Basis for Processing 

  • Recruitment/appointment including assessing your job application; 
  • Maintain work email address and phone number in the MSF Active Directory; 
  • Providing you with building and IT access; 
  • Payroll and finance including paying salary, reimbursing expenses and other payments;  
  • Keeping attendance and working time records; 
  • Performance appraisals and management of performance; 
  • Benefit payments and administration; and 
  • Administering employment termination. 
  • This processing of your data is necessary to process job applications submitted by, or on your behalf, and for performance of your contract of employment (or engagement). 
  • Monitoring and promotion of equal opportunities, including the review of gender breakdown and progression; 
  • Monitoring use of IT and communications in accordance with our IT, email and internet policy; 
  • Provision of references; 
  • Investigating and responding to complaints from personnel, patients, business partners, regulators;  
  • Maintaining emergency contact details; and 
  • Exercising our right to conduct legal proceedings. 
  • Having conducted an LIA, the processing of your data is necessary for our legitimate business interest in managing our business including legal, personnel, administrative and management purposes and for the prevention and detection of crime, provided our interest is not overridden by your interest.  
  • Please note that you have a right to object to processing of your personal data where that processing is carried on for our legitimate interest.  
  • Where we rely on our "legitimate interest" as a reason for processing personal data, we have considered whether those interests are overridden by employees' rights and freedoms and have concluded that they are not.  You have a right to request information on the balancing test we use. 
  • Managing health and safety at work and incident reporting; 
  • Criminal offence data and specified information required to comply with our Garda Vetting obligations.   
  • Compliance with our regulatory (for example disclosing tax data to the office of the revenue commissioners) and professional requirements; and 
  • Exercising our right to defend, respond or conduct legal proceedings. 
  • This processing of your data is necessary in order for us to comply with any legal or regulatory obligations


If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety or our workers). 

 

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may process your personal information without your knowledge or consent, in compliance with this Notice, where this is required or permitted by law. 

Special Categories of Personal Data  

Certain categories of your personal data are regarded as 'special' including information relating to an individual's: 

  • Physical or mental health, including any medical condition, health and sickness records;Religious, philosophical or political beliefs; 
  • Trade union membership; 
  • Ethnic or racial origin; 
  • Biometric or genetic data; and 
  • Sexual orientation. 

We only process such data where necessary for the purpose of carrying out the obligations, and exercising specific rights, of the Company or of an employee under employment law or for the assessment of your working capacity. See Appendix 1. 

Information about Criminal Convictions 

Information about criminal convictions warrants a higher level of protection under data protection legislation. We will only process data relating to your criminal convictions or involvement in criminal proceedings when permitted by law, or where provided voluntarily by you.  We may engage a third party to conduct background checks on candidates, to the extent permitted by law and as required by the Company.  

Garda vetting procedure 

The Company is a "relevant organisation" within the meaning of the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 – 2016 (the Vetting Act) and is therefore required to complete vetting checks on individuals engaged by the Company who will be working or carrying out activities with children or vulnerable adults (the Relevant Activity).  We therefore envisage that we will hold and process information about criminal convictions in relation to persons working and volunteering for us who are engaged in a Relevant Activity. As such, where your role involves a Relevant Activity, we may be required by law to process criminal offence data relating to you. We will only collect criminal offence data where permitted by law or where provided voluntarily by you. We process your personal information in this way to comply with our legal obligations under the Vetting Act. If you do not provide us with the requested information, we may not be able to continue to work with you.   

The vetting procedure is conducted by the National Vetting Bureau to establish whether there is any criminal record or specified relevant information relating to the individuals engaged in the Relevant Activity.  Following completion of the vetting process by the Bureau, a disclosure will be made to the authorised liaison person (email HRAdministrator@dublin.msf.org) in the Company of details of all convictions and pending prosecutions and a statement of specified information or a statement that there is no criminal record or specified information relating to the person being vetted. Specified information can include any information which leads to a bona-fide belief that the person poses a threat to children or vulnerable people.   

For more information on the vetting process, see a copy of the Company's Vetting policy which is available from  hradministrator@dublin.msf.org

Consent 

In principle, we do not rely on your consent for data use. We may, however, from time to time, (i) ask for your consent to use your personal data for a specific purpose; and/or (ii) process your personal data (including "special data") in order to protect your vital interests or the interests of another. If we do so, we will provide you with full details of the data that we would like and the reason we need it so you can carefully consider whether you wish to consent. We will also inform you about the fact that you can revoke your consent at any time and how you should do that.  

Please be assured that withholding your consent will never have an impact on your employment with us or otherwise negatively affect you. 

Where you do not provide us with your Personal Data 

If you do not provide us with your personal data we may not be able to process your job application, suitability for a particular role, your pay or other benefits, comply with our legal obligations or manage our business. We will tell you when we ask for information which is a statutory or contractual requirement or needed to comply with our legal obligations.   

Security and Storage of Personal Data 

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, sued or accessed in an unauthorised way, altered or disclosed.  

We securely store your personal data in a centralised database and the MSF HR System (HERO), with controlled access to such database. Access to personal data (including special data) in both electronic and paper form is restricted to members of the Human Resources Team and employees who have a legitimate and justifiable reason to view such data. 

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure. 

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

Recipients of Your Personal Data 

We may disclose your personal data to a Group Company including, without limitation, for the following reasons: in order to run global processes, carry out group wide reporting, or take decisions about hiring or promotion. 

It may be necessary from time to time for us to disclose personal data to third parties or agents, including without limitation to the following: 

  • Third parties to assist in the administration, processing and management of certain activities, for example payroll processing, pertaining to past, current and prospective employee;  
  • Individuals or companies employed by the Company to carry out specific services, functions or consultancy work including external reference agencies and other financial institutions;  
  • An Garda Síochána where necessary for Garda vetting purposes;  
  • The MSF Association UK/IE; 
  • The Company's fundraising team; 
  • Partners within the MSF Movement; 
  • Relatives or legal representatives of past, current and prospective employees; 
  • Regulatory bodies to whom we are obliged or required to disclose information including Workplace Relations Commission, Courts and Court-appointed persons;  
  • Insurance or assurance companies and health insurance providers or trade unions; 
  • Legal and medical practitioners; 
  • Pension providers; 
  • Potential purchasers or bidders; 
  • Relevant Government departments and agencies; and 
  • Other support service providers necessary to assist the Company with the above. 

We will inform you in advance if we intend to further process or disclose your personal data for a purpose other than the purposes set out above. We take all reasonable steps, as required by law, to ensure the safety, privacy and integrity of such data and information and, where appropriate, enter into contracts with such third parties to protect the privacy and integrity of such data and any information supplied.  

Transfer of Personal Data outside the EEA 

The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA), for the purposes described above. Due to the global nature of our work, your personal data may be disclosed to Group Companies outside the EEA, including the USA. It may also be processed by personnel operating outside the EEA who work for us or for one of our suppliers who act on our behalf. We will ensure suitable safeguards are in place to protect the privacy and integrity of your personal data in such circumstances including standard contractual clauses under Article 46.2 or adequacy decision under Article 45 of the GDPR. You can obtain information and a copy of documentation pertaining to these safeguards from the Human Resources Team (email HRAdministrator@dublin.msf.org) where applicable. 

Data Retention 

Data will be stored for as long as required to satisfy the purpose for which the data was collected and used, unless a longer period is necessary for our legal, accounting or reporting obligations or for the exercise or defence of legal claims. Usually, we retain your data for the duration of your employment with us. 

Statutory retention periods apply to certain records (for example, per legislation, employers are obliged to keep records of their employees' working time for a period of three years). As statutory retention periods can vary depending on the type of data, please refer to our Information and Records Management Policy available from hradminstrator@dublin.msf.org.to find out more. Our retention practices are reviewed and updated from time to time in line with legal requirements and best practice.  

Your Data Rights  

You have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions such as when the processing of your data is necessary to comply with a legal obligation or for the exercise or defence of legal claims. 

Under certain circumstances, by law you have the right to: 

Your Right 

What this Means 

Right to Withdraw Consent 

If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time (see Contact Us below). However, the withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent. 

Right of Access 

You can request a copy of the personal data we hold about you (a data subject access request). 

Right to Rectification 

You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.  

Right to Erasure (‘Right to be Forgotten’) 

You have the right to request that your personal data be deleted in certain circumstances including: 

  • The personal data is no longer needed for the purpose for which it was collected; 
  • You withdraw your consent (where the processing was based on consent); 
  • You object to the processing and there are no overriding legitimate grounds justifying us in processing the personal data (see Right to Object below); 
  • The personal data has been unlawfully processed; or 
  • To comply with a legal obligation.  

However, this right does not apply where, for example, the processing is necessary: 

  • To comply with a legal obligation; or 
  • For the establishment, exercise or defence of legal claims. 

Right to Restriction of Processing 

You can ask that we restrict your personal data (i.e. keep but not use) where: 

  • The accuracy of the personal data is contested; 
  • The processing is unlawful but you do not want it erased; 
  • We no longer need the personal data but you require it for the establishment, exercise or defence of legal claims; or 
  • You have objected to the processing and verification as to our overriding legitimate grounds is pending.  

We can continue to use your personal data: 

  • Where we have your consent to do so; 
  • For the establishment, exercise or defence of legal claims;  
  • To protect the rights of another; or  
  • For reasons of important public interest. 

Right to Data Portability 

Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where: 

  • The processing is carried out by automated means; and 
  • The processing is based on your consent or on the performance of a contract with you.  

Right to Object 

You have a right to object to the processing of your personal data in those cases where we are processing your personal data in reliance on our legitimate interests. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate interests which override your interests and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes. 

Right to Complain 

You have the right to lodge a complaint with your local supervisory authority, the Office of the Data Protection Commission, Canal House, Station Road, Portarlington R32 AP23, Co. Laois. 

The Irish Office of the Data Protection Commission can also be contacted at info@dataprotection.ie 

If you wish to exercise any of your rights in this regard please contact the Human Resources Team. We will respond to your request as soon as practicable. We may request proof of identification to verify your request. 

We will respond to any valid requests within one month, unless it is particularly complicated or you have made repeated requests in which case we will respond, at the latest, within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request. 

Further Information 

If you require any further clarification regarding this Notice, please contact the Human Resources Team. 

Appendix 1 

General Personal Data 

  • Personal- contact/identifying details including name, address, email address, date of birth, photograph, civil status, gender, nationality, domestic partners, dependents; 
  • Emergency Contact - name and contact details of emergency contacts (as set out above, you must provide a copy of this Notice to any third parties whose personal data you provide to us); 
  • Professional - Curriculum Vitae and/or application form, previous employment background, references from previous employers, record of interview/interview notes, selection and verification records, educational details, professional and/or academic transcripts, professional certifications, special skills including (driver) licenses, language skills, memberships of committees or other bodies; 
  • Financial - salary and benefit details including bank details, PPS number, tax information;  
  • Employment - work contact details (corporate email address and telephone number), identification number, photograph, details regarding the job function, primary work location, working hours, employment status, your terms and conditions of employment or engagement, contract of employment, signed confidentiality agreement, immigration status, work permit details, job description, history and details of current position;   
  • Premises and IT access -  information required to access company systems and applications such as email account and system passwords, login and access records ,download and print records, call recordings, records of email and internet usage in accordance with our email and internet policy 
  • Fees, remuneration and benefits – fees/payment and benefits package, base salary, bonus, compensation type, long term incentives, pension scheme, PRSA, health insurance scheme (and any third party beneficiaries), company credit card data, salary reviews; 
  • Leave - including documentation which may be provided in connection with any statutory leave, sick leave, holiday and family related leave records, garden leave, and any other type of leave such as unpaid leave and study leave; 
  • Performance management - performance assessments/meetings (including probationary assessments), colleague and manager feedback, appraisals, outputs from talent programs and formal and informal performance management processes;  
  • Training and development - such as data relating to training and development needs or training received;  
  • Disciplinary and grievance - such as any personal data contained in records of allegations, investigation and proceeding records and outcomes; 
  • General correspondence/meetings - relating to grievance and/or disciplinary processes, misconduct or performance issues, data arising in connection with litigation and complaints, involvement in incident reporting and disclosures; 
  • Termination - for example, dates and reason for leaving, termination agreements and payments, exit interviews and references; and 
  • Incapacity - any accommodations or adjustments in connection with any incapacity.  

Special Categories of Personal Data 

We may also collect, hold and use the following "special categories" of more sensitive personal information: 

  • Physical or mental health data - such as information about your physical or mental health or condition; for example, we record your days of sickness, or workplace adjustments due to health reasons. 
  • Other special categories of personal data - such as racial or ethnic origin; religious or similar beliefs; membership of a trade union; the commission or alleged commission of any offence; and any proceedings for any offence committed or alleged to have been committed, the disposal of those proceedings or the sentence of any court in those proceedings. 

Special categories of personal data will only be collected and used in so far as such is necessary for the purposes of carrying out an obligation in the field of employment/social security/social protection law, or exercising specific rights or when the use is authorized by law or for the assessment of working capacity.