SOLAS is committed to ensuring the Lawful, Fair and Transparent processing of Data Subjects' Personal Data through the use of appropriate technical and organisational measures. SOLAS will take all reasonable steps to secure and protect Data Subjects' Personal Data while complying with Data Protection Law.
The purpose of the EU General Data Protection Regulation 2016/679 (the "GDPR") and other related regulations and delegated national legislation (such as the Data Protection Act 2018) (together "Data Protection Law") is to protect the privacy of individuals whose personal data is processed. Personal data means any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data or online identifier.
1. WHAT IS DATA PROTECTION
The purpose of “Data Protection Law” is to protect the privacy of individuals whose personal data is being processed. Processing data includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination and restriction, erasure or destruction. It relates to both automated data (i.e. computer held records) and manual data.
Personal data is information relating to a living individual who can be identified from the data itself or in conjunction with other information held.
Sensitive Personal Data is information relating to a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life, biometric data, and genetic data. Sensitive Personal Data can only be processed under strict conditions.
Criminal Data is information relating to criminal convictions and offences. Criminal Data can only be processed in accordance with EU or Irish law and subject to appropriate safeguards put in place for the purposes of processing this type of data.
Data Subjects have a number of rights under the GDPR to address any concerns or queries they may have regarding the processing of their Personal Data (see section 3 below). SOLAS will deal with any legitimate request from Data Subjects exercising their rights without undue delay, within 30 days of receiving the request, unless there are exceptional circumstances attaching to the request. SOLAS may extend this period for up to 2 months if absolutely necessary and will inform the Data Subject if an extension is required.
Data Subjects can exercise their rights under the GDPR by completing the relevant form and submitting it, with proof of their identity that they are the Data Subject,* to the Data Protection Officer, SOLAS, Castleforbes House, Castleforbes Road, Dublin 1 or by emailing the request to: firstname.lastname@example.org
If the request is being made on behalf of a Data Subject by a third party, an authorising letter signed by the Data Subject with proof of their identity should be submitted. In order to process a request, SOLAS may need to contact the Data Subject to request additional information or to seek clarification.
*Data Subject is the individual who has a right to request access to their Personal Data and is the person who is the subject of the Personal Data in question.
A Data Subject has the right to lodge a complaint with the Data Protection Commissioner (email@example.com) with regard to SOLAS' processing of their Personal Data.
2. DATA PROTECTION PRINCIPLES
There are a number of principles under the GDPR which must be satisfied when handling, disclosing and storing Personal Data.
As a Data Controller, SOLAS shall be responsible for, and must be able to demonstrate compliance with Data Protection Law. This means SOLAS must comply with and demonstrate that the key principles of Data Protection are met when it comes to all Personal Data for which SOLAS is responsible.
2.2 LAWFULNESS, FAIRNESS AND TRANSPARENCY
Personal Data can only be processed lawfully, fairly and in a transparent manner. This means SOLAS must inform Data Subjects about the kind of processing their personal data will be subjected to (transparency), that the processing must match the description given to the Data Subjects (fairness) and that the processing must be for one of the purposes specified to the Data Subjects at time of collection (lawfulness).
2.3 PURPOSE LIMITATION
Personal Data shall be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes. This means SOLAS should specify exactly what the Personal Data collected will be used for and limit the processing of that Personal Data to only what is necessary to meet the specified purpose. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the specified purpose.
2.4 DATA MINIMISATION
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. This means SOLAS should not retain any Personal Data beyond what is strictly required to achieve the purposes for which the Personal Data was collected.
Personal Data shall be accurate and kept up to date. This means SOLAS shall have in place a procedure for identifying and addressing out-of-date, incorrect and redundant Personal Data when it becomes aware of it.
2.6 STORAGE LIMITATION
Personal Data shall be kept for no longer than is necessary for the purposes for which the Personal Data is collected and shall be kept in line with the SOLAS retention policy. Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
2.7 SECURITY/INTEGRITY AND CONFIDENTIALITY
Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. SOLAS will use appropriate technical and organisational measures to protect the integrity and confidentiality of Personal Data.
3. DATA SUBJECTS' RIGHTS
Data Subjects have a number of rights under the GDPR. These rights can be applied by making the appropriate request to SOLAS using the forms included in section 6 below. In processing a Data Subject request, SOLAS will:
- Check whether the organisation holds Personal Data on the Data Subject
- Check the validity of the request by confirming the identity of the person making the access request
- Decide if the request is excessive or manifestly unfounded or if the request will be refused
- Determine if a charge may be applied if the request is deemed to be unjustified or excessive
- Determine if additional information or clarification is required from the Data Subject in order to process the request
- Determine if the request can be answered within 30 days or if an extension is required
- Determine if the request complies with the specific requirements of the GDPR
- Determine if any exemptions are to be applied to the request
Where SOLAS is legally permitted to do so, SOLAS may decline a Data Subject's request. Such a refusal will be explained to the Data Subject in writing. Please note that Data Subject rights are not absolute. Exceptions or limitations relating to certain of the rights conferred by the GDPR are noted below in the relevant section.
3.1 Data Subjects have the following rights under the GDPR:
RIGHT OF ACCESS
Under the General Data Protection Regulation 2016/679, Data Subjects have a right to request access to a copy of their Personal Data. In addition, other information relating to the processing, sharing and retention of their Personal Data must also be provided to the Data Subject when processing a Subject Access Request.
RIGHT TO RECTIFICATION
Under the General Data Protection Regulation 2016/679, article 16, Data Subjects have a right to have their Personal Data rectified if it is inaccurate or incomplete. If this Personal Data has been shared with third parties, SOLAS must notify such third parties about the rectification request from the Data Subject unless this is impossible or involves disproportionate effort. Where it is deemed reasonable for SOLAS not to comply with a Data Subject request for rectification, this decision will be explained to the Data Subject in writing.
RIGHT TO ERASURE
Under the General Data Protection Regulation 2016/679, article 17, Data Subjects have a right to erasure of their Personal Data where one of the following grounds applies:
- The Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- The Data Subject withdraws consent and there is no other legal basis for the processing
- The Data Subject objects to the processing pursuant to article 21(1)
- The Personal Data have been unlawfully processed
- The Personal Data have to be erased for compliance with a legal obligation
- The Personal Data have been collected in relation to the offer of information society services to a child; article 8(1)
A request for Erasure of Personal Data can be refused where processing is necessary:
- For exercising the right to freedom of expression and information
- For compliance with legal obligation or for the performance of a public interest task or exercise of official authority
- For Public Health reasons
- For archiving interests in the public interest, scientific, historical research or statistical purposes
- For the exercise or defence of legal claims
RIGHT TO RESTRICTION OF PROCESSING
Under the General Data Protection Regulation 2016/679, article 18, Data Subjects have a right to Restrict the Processing of their Personal Data where one of the following grounds applies:
- Where the Data Subject contests the accuracy of their Personal Data (processing should be restricted for a period enabling SOLAS to verify the Data’s accuracy)
- Where the processing is unlawful and the Data Subject opposes erasure and requests restriction instead
- Where the controller no longer needs the Personal Data but the Data Subject requires the Personal Data to exercise or defend a legal claim
- Where the Data Subject has objected to the processing; processing should be restricted pending verification of whether the legitimate interests of the controller override those of the Data Subject. Article 18(1).
When a Data Subject exercises their right to restrict processing, SOLAS will only continue to process the Personal Data if:
- The Data Subject consents
- The processing is necessary for the exercise or defence of legal claims
- The processing is necessary for the protection of the rights of other individuals or legal persons
- The processing is necessary for Public Interest reasons under EU/Member State law
SOLAS will inform the Data Subject before the processing restriction is lifted/enforced.
RIGHT TO DATA PORTABILITY
Under the General Data Protection Regulation 2016/679, article 20, Data Subjects have a right to receive the Personal Data they have provided to SOLAS in a structured, commonly used and machine-readable format. Data Subjects have the right to have their Personal Data transmitted to another controller. The right applies to Personal Data a Data Subject has provided to SOLAS and to Personal Data generated by an individual’s activity but does not extend to data generated by SOLAS. The right to Data Portability only applies if:
- The processing is based on the Data Subject’s consent or for the performance of a contract and
- The processing is carried out by automated means
The right to Data Portability will not apply to processing necessary for the performance of a task carried out in the Public Interest, or in the exercise of official authority vested in SOLAS. In addition, the right to Data Portability must not adversely affect the rights and freedoms of others. Data Portability does not automatically trigger the erasure of the Data Subject's Personal Data from SOLAS systems/processes and does not affect the original retention period applying to the Personal Data.
Please note that SOLAS may keep a record of a Data Subject’s communications to resolve any issues which a Data Subject raises.
RIGHT TO OBJECT
Under the General Data Protection Regulation 2016/679, article 21, Data Subjects have a right to object to the processing of their Personal Data on the following grounds:
- Direct marketing; where Personal Data are processed for direct marketing purposes, the Data Subject has the right to object at any time to such processing; there are no grounds to refuse to comply with such a request. When a Data Subject objects to processing for direct marketing purposes, the Personal Data can no longer be processed for that purpose.
- Processing based on public interest or legitimate interest grounds, including profiling.
- Processing for scientific, historical research or statistical purposes (unless the processing is necessary for the performance of a public interest).
When a Data Subject objects to the processing of their Personal Data, SOLAS will stop processing the Personal Data unless SOLAS can demonstrate that there are compelling legitimate grounds for the processing which override the rights of the Data Subject; the processing is necessary for the exercise or defence of legal claims or the Personal Data is processed for scientific, historical research or statistical purposes, the processing of which is necessary for the performance of a public interest/task.
RIGHT TO OBJECT TO AUTOMATED DECISION-MAKING, INCLUDING PROFILING
Under the General Data Protection Regulation 2016/679, article 22, Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effect concerning the Data Subject.
Where a decision based solely on automated processing, including profiling, occurs on the basis that it is necessary for the performance of a contract or with the explicit consent of the Data Subject, the Data Subject will be given “at least the right” to express their point of view and to contest the decision. Article 22(3).
Automated Decision Making involving sensitive data is only allowed where the Data Subject has given their explicit consent or it is necessary for the public interest. Article 22(4).
SOLAS will inform Data Subjects at the time the Personal Data is collected of the existence of Automated Decision Making, including profiling.
SOLAS may not comply with the objection if the processing is necessary for the performance of a contract; the processing is authorised by EU or Member State law or the processing is based on a Data Subject's explicit consent.
Profiling per se which does not result in solely automated decisions is not prohibited.
RIGHT TO WITHDRAW CONSENT
Articles 4, 7 and 9 of the General Data Protection Regulation 2016/679 outline Data Subjects' rights regarding consent and explicit consent. While SOLAS may have obtained consent from Data Subjects to process their Personal Data for certain activities, Data Subjects may withdraw their consent at any time. Article 7(3).
A withdrawal of consent may still allow the processing of their Personal Data if:
- Processing is necessary for the performance of a contract to which the Data Subject is party
- Processing is necessary for compliance with a legal obligation
- Processing is necessary in order to protect the vital interest of the Data Subject or another natural person
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party; except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
4. TRANSFERRING PERSONAL DATA TO OTHER AGENCIES
Organisations that transfer Personal Data from Ireland to third countries and other organisations for processing, i.e., places outside of the European Economic Area (EEA), need to ensure that adequate levels of data protection are provided.
If a Data Controller retains the services of an agent to process Personal Data on its behalf (a Data Processor), then it must put in place a contract in writing (or equivalent form) which deals adequately with issues of security, confidentiality and other data protection matters.
With regard to the level of security measures that organisations must have in place to protect Personal Data, generally organisations must take all necessary and reasonable steps having regard to the state of current technology, and to the sensitivity of the Personal Data in question.
The GDPR applies to all Data Controllers established in Ireland; this may include a foreign Data Controller which operates through an Irish intermediary. The GDPR will also apply to Data Controllers established outside the EEA which use equipment in Ireland to process Personal Data. These non-EEA Data Controllers must designate a representative in Ireland.
When Personal Data is processed by a controller, the Data Subject must consent to the processing. However, there are a number of other methods for legitimising the processing of Personal Data such as processing necessary for the performance of a contract to which the Data Subject is party.
5. WHO TO CONTACT IN SOLAS WITH REGARD TO DATA PROTECTION MATTERS
Data Protection Officer
Phone: (01) 533 firstname.lastname@example.org
6. HOW TO EXERCISE YOUR DATA PROTECTION RIGHTS
As previously noted, Data Subjects have a number of rights under the GDPR. These rights can be applied by making a request to SOLAS using the appropriate form below.
- Subject Access Request
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object to Processing
- Right to Object to Automated Decision Making, including profiling
- Right to Withdraw Consent
7. HOW SOON WILL I GET A RESPONSE TO MY REQUEST
Data Subject requests will be responded to within 30 days as required by the GDPR. SOLAS may extend this period for up to 2 months if absolutely necessary and will inform the Data Subject if an extension is required.
SOLAS will provide you with the personal information in a form which will be clear to the ordinary person (e.g., codes explained).
SOLAS will provide personal information only to the individual concerned or someone acting on their behalf or with their authority. Personal information will not be given over the phone.
If no personal information is held about you, you will be informed of this within the 30 days.
8. COST OF A REQUEST
As per the GDPR, no fee applies to a request made by a Data Subject. However, SOLAS may charge a reasonable fee for any further copies requested by the Data Subject or where requests are manifestly unfounded or excessive.
This information is intended only as a general guide and not as a detailed legal analysis. The information should not be used as a substitute for professional advice based on the facts of a particular case.