Legals-Privacy Notice
Opoplan Data Protection Policy – v3 30 June 2019
Contents
1. Introduction
2. Purpose
3. Definitions
4. Categories of Personal Data
5. Data Protection Principles
6. Roles and Responsibilities
7. Data Access Requests
8. Data Rectification
9. Retention of Personal Data
10. Personal Data Storage/Security
11. Data Processors
12. Transfer of Personal Data outside EU
13. Policy Review
1. Introduction
BFLM Limited (trading as Opoplan) needs to collect and use personal data for a variety of purposes relating to its customers, contributing architects, business subscribers, employees and other individuals who come into contact with Opoplan in the course of its work.
Where this Policy applies to employees of Opoplan, it should be read in conjunction with the associated Employee Handbook.
2. Purpose
This policy is a statement of Opoplan’s commitment to protect the rights and privacy of customers, Contributing Architects, business subscribers, employees and other individuals in accordance with the Data Protection Acts and to ensure compliance with the Data Protection Acts.
3. Definitions
Personal data means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject is an individual who is the subject of Personal Data.
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
Sensitive personal data is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life or sexual orientation, genetic data or biometric data, and data relating to criminal offences and convictions.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Processor means a natural or legal person, public authority, agency or another body which processes Personal Data on behalf of the Data Controller.
4. Categories of Personal Data
The personal data records held by Opoplan may include:
Customer Data and Information relating to use of the Opoplan Website and Services (including end customers and subscribers):
- Registration and Contact Information to include: username, first and last name, title, address, email, phone number, tax number.
- Payment information to include: credit/debit card information, billing and shipping address.
- Design information to include: site location, customer uploaded photographs and plans, addresses, site descriptions, design requirements and budgetary information.
- Technical Usage and Location Information to include: IP address, date and time of website access, browser information, operating system and device, pages viewed, items clicked and location information including such information automatically provided by your device.
- Third Party and advertising information created through interaction with advertisements and third party hosted content to include: ‘likes’, profile information from social media and other data confirming interaction with our website, content and services.
Employee Records
- Title, name, address, contact details, email address, PPS number, date of birth, etc. of employees.
- Original records of application, references, resumé, qualifications, transcripts, psychometric testing results, etc.
- Record of appointments to promotion posts.
- Details of approved absences (annual leave, career breaks, parental leave, study leave etc.).
- Details of work record.
- Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
Architects (suppliers of seed designs/design authors) records:
- Personal details of contributing architects to include: title, name, business address, contact details, email address, professional accreditation details
- Financial details required for the payment of fees to include: bank account details, tax number
5. Data Protection Principles
Opoplan will administer its responsibilities under the legislation in accordance with the data protection principles outlined as follows:
- Opoplan will obtain and Process the Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject.
- Opoplan will collect and Process the Personal Data for specified, explicit and legitimate purposes and not further Process the Personal Data in a manner that is incompatible with those purposes and Opoplan will use and disclose such data only in ways compatible with these purposes.
- Opoplan will Process the Personal Data in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Opoplan will keep the Personal Data accurate and, when necessary, up to date, and take reasonable steps to ensure that Personal Data that is inaccurate is erased and/or rectified without delay.
- Opoplan will ensure that the Personal Data collected and Processed is adequate, relevant and limited to what is necessary in relation to the purpose for which it is Processed.
- Opoplan will not retain the data for longer than is necessary for the purpose for which the personal data is Processed.
- Opoplan will have procedures in place to ensure that Data Subjects can exercise their rights to access their personal data upon request. See Clause 7 below.
6. Roles and Responsibilities
Opoplan has overall responsibility for ensuring compliance with the Data Protection Acts. However, all employees who Process Personal Data in the course of their employment are also responsible for ensuring compliance with the Data Protection Acts. Opoplan will provide support, assistance, advice and training to appropriate individuals who are handling such data in order to ensure that they are in a position to comply with the legislation.
Brian O’Brien has been appointed Data Compliance Administrator, whose principal duties are as follows:
- Process and respond to formal Data Access Requests
- Initiate regular reviews of data protection policies and procedures and ensure documentation is updated as appropriate
- Liaise with the Office of the Data Protection Commissioner where necessary
- Organise training and briefing sessions for staff as required
- Provide advice and guidance to staff and students on data protection matters
All members of staff are expected to acquaint themselves with and abide by the rules of Data Protection as set out in this policy, read and understand this policy document, understand what is meant by Personal Data and Sensitive Personal Data and know how to handle such data, not jeopardise individuals’ rights or risk a contravention of the Data Protection Acts, and contact the Data Compliance Administrator if in any doubt.
All staff have an obligation to report data protection breaches or contact the Data Compliance Administrator if they have concerns of such a breach. This will allow the appropriate personnel to investigate further and take the appropriate steps to fix the issue in a timely manner. Failure of an individual staff member to comply with this policy may lead to disciplinary action in accordance with Opoplan’s Disciplinary Procedures.
7. Data Access Requests
Your Rights in Relation to your Personal Data.
You have the right to obtain a copy of any Personal Data we hold on you or have it removed, save in circumstances where we must retain it to comply with Opoplan policies or any law or regulation to which we are subject. You can also inform us of any changes you wish to have applied to the Personal Data we hold on your behalf. Certain privileged information may be exempted from disclosure under Data Protection legislation.
8. Data Rectification
For requests in relation to access to, deletion of or changes to your Personal Data, please email the Data Compliance Administrator at admin@opoplan.com and you will be provided with the details.
9. Retention of Personal Data
Personal Data Processed or kept for any purpose will not be kept for longer than is necessary for that purpose. Opoplan occasionally needs to make a judgement about how long is “necessary” and this may vary on a case by case basis. Personal Data retained by us is regularly reviewed and updated if it is found to be out of date. If no longer required, it will be deleted and/or disposed of.
Please contact the Data Compliance Administrator if in any doubt.
10. Personal Data Storage/Security
These rules describe how Opoplan ensures the safe storage of Personal Data. All employees are expected to follow these storage rules.
- When not required, paper or manual files should be kept in a locked drawer or filing cabinet and Employees should make sure paper and printouts containing personal data are not left where unauthorised people could see them, like on a printer.
- Printouts containing Personal Data should be shredded and disposed of securely when no longer required.
- Personal data should never be saved directly to laptops or other mobile devices like tablets or smart phones. If Personal Data is saved to a laptop or device it must be encrypted.
- All servers and computers containing Personal Data are protected by approved security software and a firewall and kept in a secure location.
- When working with Personal Data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal Data should not be shared informally. In particular, it should never be sent by email unless appropriate encryption is applied, as this form of communication is not secure.
- When an email is being sent to a number of individuals this should be done using BCC (blind carbon copy) rather than CC. This prevents the unnecessary disclosure of all the intended recipients’ email addresses to others.
- Personal Data should be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and hacking.
11. Data Processors/Disclosure to Third Parties
There are times when, rather than discharge a service itself, Opoplan may wish to outsource the supply of a service to an external supplier. Opoplan will not disclose your Personal Data to third parties unless you have specifically consented or it is necessary to carry out certain functions on your behalf. In addition, Opoplan needs to comply with the law and various regulations from time to time and in this regard may need to send Personal Data to third parties for certain services. If the service involves the Processing of Personal Data on behalf of Opoplan there will be a written contract in place between Opoplan and the Data Processor outlining the Data Processor’s obligations in relation to Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the data in compliance with the Data Protection Acts.
These third party suppliers include:
- Accounting and Auditor service(s)
- Solicitor(s)
- Insurance broker(s)
- Revenue
12. Transfer of Data outside the EEA
The Data Protection Acts restrict the transfer of Personal Data outside of the European Economic Area. Opoplan will not transfer any Personal Data outside the EEA without the Data Subject’s express consent. The Data Compliance Administrator should be contacted in the event that a transfer of Personal Data outside of the EU is necessary or anticipated.
Privacy Shield
Opoplan will be self-certified as compliant with Privacy Shield in respect of any of its operations which are carried out in the jurisdiction of the United States and relating to the collection, use and retention of personal information from EU member countries and Switzerland.
13. Policy Review
This policy has been approved by the Management Team and will be reviewed annually by the Data Compliance Administrator in light of any legislative or other relevant developments.