Opoplan Data Protection Policy
4. Categories of Personal Data
5. Data Protection Principles
6. Roles and Responsibilities
7. Data Access Requests
8. Data Rectification
9. Retention of Personal Data
10. Personal Data Storage/Security
11. Data Processors
12. Transfer of Personal Data outside EU
13. Policy Review
Open Plan Limited (trading as Opoplan) needs to collect and use personal data for a variety of
purposes relating to its customers, contributing architects, business subscribers, employees and
other individuals who come into contact with Opoplan in the course of its work.
Where this Policy applies to employees of Opoplan, it should be read in conjunction with the
associated Employee Handbook.
This policy is a statement of Opoplan’s commitment to protect the rights and privacy of
customers, Contributing Architects, business subscribers, employees and other individuals in
accordance with the Data Protection Acts and to ensure compliance with the Data Protection
Personal data means any information relating to an identified or identifiable natural person
(Data Subject); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as name, an identification number,
location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject is an individual who is the subject of Personal Data.
Processing means any operation or set of operations which is performed on Personal Data or
on sets of Personal Data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaption or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
Consent of the Data Subject means any freely given, specific, informed and unambiguous
indication of the Data Subject’s wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of Personal Data relating to him or
Sensitive personal data is Personal Data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership, data concerning health or sex life
or sexual orientation, genetic data or biometric data, data relating to criminal offences and
Data Controller means the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the Processing of
Data Processor means a natural or legal person, public authority, agency or another body
which processes Personal Data on behalf of the Data Controller.
3. Categories of Personal Data
The personal data records held by Opoplan may include:
Customer Data and Information relating to use of the Opoplan Website and Services
(including end customers and subscribers):
Registration and Contact Information to include: username, first and last name, title,
address, email, phone number, tax number
Payment information to include: credit/debit card information, billing and shipping
Design information to include: site location, customer uploaded photographs and plans,
addresses, site descriptions, design requirements and budgetary information
Technical Usage and Location Information to include: IP address, date and time of
website access, browser information, operating system and device, pages viewed, items
clicked and location information including such information automatically provided by
Third Party and advertising information created through interaction with advertisements
and third party hosted content to include: ‘likes’, profile information from social media
and other data confirming interaction with our website, content and services.
Title, name, address, contact details, email address, PPS number, date of birth, etc. of
Original records of application, references, resumé, qualifications, transcripts,
psychometric testing results, etc.
Record of appointments to promotion posts
Details of approved absences (annual leave, career breaks, parental leave, study leave etc.)
Details of work record
Details of complaints and/or grievances including consultations or competency
discussions, action/improvement/evaluation plans and record of progress
Architects (suppliers of seed designs / design authors) records:
Personal details of contributing architects to include: title, name, business address,
contact details, email address, professional accreditation details
Financial details required for the payment of fees to include: bank account details, tax
4. Data Protection Principles
Opoplan will administer its responsibilities under the legislation in accordance with the data
protection principles outlined as follows:
1. Opoplan will obtain and Process the Personal Data lawfully, fairly and in a transparent
manner in relation to the Data Subject.
2. Opoplan will collect and Process the Personal Data for specified, explicit and legitimate
purposes and not further Process the Personal Data in a manner that is incompatible
with those purposes and Opoplan will use and disclose such data only in ways
compatible with these purposes.
3. Opoplan will Process the Personal Data in a manner that ensures appropriate security of
the Personal Data, including protection against unauthorised or unlawful Processing and
against accidental loss, destruction or damage, using appropriate technical or
4. Opoplan will keep the Personal Data accurate and when necessary up to date; take
reasonable steps to ensure that Personal Data that is inaccurate is erased and/or rectified
5. Opoplan will ensure that the Personal Data collected and Processed is adequate, relevant
and limited to what is necessary in relation to the purpose for which it is Processed.
6. Opoplan will not retain the data for longer than is necessary for the purpose for which
the personal data is Processed.
7. Opoplan will have procedures in place to ensure that Data Subjects can exercise their
rights to access their personal data upon request. See Clause 7 below.
5. Roles and Responsibility
Opoplan has overall responsibility for ensuring compliance with the Data Protection Acts.
However, all employees who Process Personal Data in the course of their employment are also
responsible for ensuring compliance with the Data Protection Acts.
Opoplan will provide support, assistance, advice and training to appropriate individuals who are
handling such data in order to ensure that they are in a position to comply with the legislation.
Brian O’Brien has been appointed Data Compliance Administrator and her principal duties are
o Process and respond to formal Data Access Requests
o Initiate regular reviews of data protection policies and procedures and ensure
documentation is updated as appropriate
o Liaise with the Office of the Data Protection Commissioner where necessary
o Organise training and briefing sessions for staff as required
o Provide advice and guidance to staff and students on data protection matters
All members of staff are expected to acquaint themselves with and abide by the rules of Data
Protection as set out in this policy, read and understand this policy document, understand what
is meant by Personal Data and Sensitive Personal Data and know how to handle such data, not
to jeopardise individuals' rights or risk a contravention of the Data Protection Acts and contact
the Data Compliance Administrator if in any doubt.
All staff have an obligation to report data protection breaches or contact the Data Compliance
Administrator if they have concerns of such a breach. This will allow the appropriate personnel
to investigate further and take the appropriate steps to fix the issue in a timely manner.
Failure of an individual staff member to comply with this policy may lead to disciplinary action
in accordance with Opoplan’s Disciplinary Procedures.
6. Your Rights in Relation to your Personal Data
You have the right to obtain a copy of any Personal Data we hold on you or have it removed,
save in circumstances where we must retain it to comply with Opoplan policies or any law or
regulation to which we are subject. You can also inform us of any changes you wish to have
applied to the Personal Data we hold on your behalf. Certain privileged information may be
exempted from disclosure under Data Protection legislation. For requests in relation to
access to, deletion of or changes to your Personal Data, please email the Data Compliance
Administrator at email@example.com and you will be provided with the detail.
6. Retention of personal data
Personal Data Processed or kept for any purpose will not be kept for longer than is necessary for
that purpose. Opoplan occasionally needs to make a judgement about how long is “necessary” and
this may vary on a case by case basis. Personal Data retained by us is regularly reviewed and
updated if it is found to be out of date. If no longer required, it will be deleted and/or disposed
Please contact the Data Compliance Administrator if in any doubt.
7. Data Storage/Security
These rules describe how Opoplan ensures the safe storage of Personal Data. All employees are
expected to follow these storage rules.
When not required, paper or manual files should be kept in a locked drawer or filing
cabinet, and employees should make sure paper and printouts containing Personal Data
are not left where unauthorised people could see them, like on a printer.
Printouts containing Personal Data should be shredded and disposed of securely when
no longer required.
Personal data should never be saved directly to laptops or other mobile devices like
tablets or smart phones. If Personal Data is saved to a laptop or device it must be
All servers and computers containing Personal Data are protected by approved security
software and a firewall and kept in a secure location.
When working with Personal Data, employees should ensure the screens of their
computers are always locked when left unattended.
Personal Data should not be shared informally. In particular, it should never be sent by
email unless appropriate encryption is applied, as this form of communication is not
When an email is being sent to a number of individuals this should be done using BCC
(blind carbon copy) rather than CC. This prevents the unnecessary disclosure of all the
intended recipients' email addresses to others.
Personal Data should be held in as few places as necessary. Staff should not create any
unnecessary additional data sets.
When data is stored electronically, it must be protected from unauthorised access,
accidental deletion and hacking.
8. Disclosure to Third Parties / Data Processors
There are times when, rather than discharge a service itself, Opoplan may wish to outsource the
supply of a service to an external supplier. Opoplan will not disclose your Personal Data to third
parties unless you have specifically consented or it is necessary to carry out certain functions on
your behalf. In addition, Opoplan needs to comply with the law and various regulations from
time to time and in this regard may need to send Personal Data to third parties for certain
services. If the service involves the Processing of Personal Data on behalf of Opoplan there will
be a written contract in place between Opoplan and the Data Processor outlining the Data
Processor’s obligations in relation to personal data, the specific purpose or purposes for which
they are engaged, and the understanding that they will process the data in compliance with the
Data Protection Acts. These third party suppliers include:
Accounting and Auditor services
9. Transfer of Data outside the EEA
The Data Protection Acts restrict the transfer of Personal Data outside of the European
Economic Area. Opoplan will not transfer any Personal Data outside the EEA without the Data
Subject's express consent. The Data Compliance Administrator should be contacted in the event
that a transfer of personal data outside of the EU is necessary or anticipated.
10. Privacy Shield
Opoplan will be self-certified as compliant with Privacy Shield in respect of any of its operations
which are carried out in the jurisdiction of the United States and relating to the collection, use
and retention of personal information from EU member countries and Switzerland.
11. Policy Review
This policy has been approved by the Management Team and will be reviewed annually by the
Data Compliance Administrator in light of any legislative or other relevant developments.