Privacy Notice

Summary:

DataRep may receive and hold your data, and may share it with those organisations about which you have submitted a data request. DataRep will hold that data securely and will not share your data with any other organisation or person. By contacting DataRep, you accept that we will need to use your personal information to respond to you.

Detail:

• The personal data held by DataRep:

  • DataRep holds:

    1. the personal contact details of the commercial contact person(s) (‘Client Contact’) at our current and prospective clients (‘Clients’) (including, but where appropriate not limited to, name, company email address, company phone number) (‘Client Contact Data’), and

    2. on their application (a ‘Data Request’, including, but not limited to, a subject access request, a request to be forgotten etc), the individuals (‘Individuals’) about whom a Client of DataRep holds personal data (including name, address, contact information – email address, phone number(s), personal concerns around data use, which may potentially refer to sensitive personal data) (‘Individual Data’), (together, the Client Contact Data and the Individual Data are the ‘Processed Data’).

• DataRep do not hold any Individual Data which may be under the control of our Clients, other than to the extent that an Individuals contacts DataRep with a Data Request in respect of a Client.

• DataRep is the data controller of the personal data of its employees.

• The processes carried out on this data:

  1. Client Contact Data:

     • Contacting the Client Contact at an existing Client for performing the role of Data Protection Representative for the Client.

     • Transmission between DataRep companies to enable the above.

     • Contacting the Client Contact at a prospective Client, for the purposes of marketing the activity of DataRep as a Data Protection Representative.

     • Storage of the Client Contact Data.

  2. Individual Data:

     • Storage and transmission of the Individual Data between Individual and Client in relation to a Data Request pursuant to the role of Data Protection Representative.

     • Transmission between DataRep companies to enable the above.

     • Storage of the Individual Data.

• The identity and contact details of the controller, the controller’s Data Protection Representative and their data protection officer:

  • For all the Processed Data the Client is the controller in each case; DataRep is appointed by the Client, who acts as data controller in respect of that data and has appointed DataRep as processor of that Processed Data with a limited remit as to processing permissions (as set out in this Privacy Notice).

  • Assuming they are a current Client (i.e. that the contract appointing DataRep as that Client’s Data Protection Representative has not expired or been terminated), the controller’s representative is DataRep.

  • Because DataRep has many Clients, please contact us for details of a particular Client’s contact details (noting that these are likely to be different from the Client Contact Data) and that Client’s Data Protection Officer (if any).

  • DataRep does not have a Data Protection Officer, as it is not required under GDPR to have one. Adherence to GDPR and other data protection obligations is the responsibility of DataRep’s senior executive directors.

• The purpose and legal basis for the processing:

  1. Client Contact Data:

     • Purpose – performing the role of Data Protection Representative in respect of the Client’s obligations under Article 27 of GDPR.

     • Legal basis – contractual fulfilment, instruction to process by Client.

  2. Individual Data:

     • Purpose – performing the role of Data Protection Representative in respect of a Data Request, enabling the Individual to gain access to the Client to enquire about the use of their personal data (including, but not limited to, the Individual Data).

     • Legal basis –

       • From the Individual: DataRep process Individual Data under the instructions of DataRep (as controller of that data) under a written processing agreement appointing DataRep as their Data Protection Representative. The Individual accepts this processing by submitting their Data Request.

       • From the Client: contractual fulfilment, instruction to process by Client, obligation under Article 27 of GDPR.

• The legitimate interests of the controller or third party:

  • The Clients’ interest in the processing of the Processed Data by DataRep is the fulfilment of their regulatory obligation under Article 27 GDPR to appoint a Data Protection Representative, and to enable DataRep to undertake that appointment.

• Categories of personal data:

  1. Client Contact Data:

     • Standard category of personal data only.

  2. Individual Data:

     • Standard category of personal data mainly.

     • Potential that occasionally an Individual may disclose sensitive personal data to DataRep further to a Data Request in respect of the Client’s controlling or processing of that sensitive data.

• Recipients or categories of recipients of the personal data:

  • The only recipient of the Processed Data will be the Client in respect of the Individual Data provided by Individuals to DataRep in respect of Data Requests for that Client.

  • The only personal information provided to the Individual will be their own Individual Data, and any Client Contact Data which the Client instructs DataRep to provide to the Individual.

• Transfers to third country and safeguards:

  • When storing of the Processed Data, DataRep uses password-protected locations with reputable public cloud storage providers. Those public cloud storage providers may transfer that data to third countries, but only where adequate protections are in place.

• Retention period and criteria used to determine the retention period:

  • DataRep retain data in our email archive for 10 years to evidence Data Requests of Individuals and responses of Clients in the event of claims made during that later period.

  • Criterion for data retention is the period over which potential for claims exists, to ensure the rights of Individuals are enforceable by way of ensuring their ability to evidence the actions taken in respect of their personal data, to ensure our Clients’ (and DataRep) have adequate evidence of the proper undertaking by DataRep of the role of Data Protection Representative.

• The data subject’s rights:

  • Individuals are notified at each stage of their rights in respect of their data, by way of communications with links to this Privacy Notice.

  • The rights of an Individual as a data subject under existing data protection law and GDPR are:

    • The right to be informed

    • The right of access

    • The right to rectification

    • The right to erasure

    • The right to restrict processing

    • The right to data portability

    • The right to object

    • Rights in relation to automated decision making and profiling

  • For more information on your rights as an Individual and/or data subject, please contact the authority responsible for data protection in your jurisdiction. For persons in the European Union, please follow this link to locate the relevant data protection authority: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

• The right to withdraw consent at any time:

  • Client Contacts and Individuals may withdraw their consent to the use by DataRep of their personal data. However, it should be noted that this may impact the ability of DataRep to perform their role as Data Protection Representative.

  • DataRep will retain, and may process, the Processed Data to the extent it is required to by law or otherwise as set out in this Privacy Notice,

• The right to lodge a complaint with a supervisory authority:

  • As data subjects, both Client Contacts and Individuals may lodge a complaint with their local data protection authority if they have concerns about how DataRep uses their personal data.

  • Where you (the data subject) are based in the EU, use this link to locate the relevant data protection authority: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

  • Where you (the data subject) are based outside the EU, because DataRep is registered as a company in the Republic of Ireland, please contact the Data Protection Commissioner in Ireland at info@dataprotection.ie, more information available at https://www.dataprotection.ie/docs/complaints/1592.htm.

• The source of the personal data (including publicly accessible sources):

1. Client Contact Data:

   • Direct from potential and existing Clients in respect of the commercial activities of DataRep.

   • Indirectly from persons and organisations who refer potential Clients to DataRep as part of their commercial activities.

   • From publicly accessible sources where directly marketing to that potential Client.

2. Individual Data:

   • Directly from the Individual in respect of their Data Request.

   • From the Client to enable DataRep’s undertaking of the role of Data Protection Representative.

• Is the provision of personal data part of a statutory or contractual requirement or obligation? What are the possible consequences of failing to provide the personal data?

  • DataRep provide the Processed Data as set out in this Privacy Notice pursuant to contractual obligations with the Client, the Client having regulatory obligations under GDPR to appoint a Data Protection Representative and to respond adequately to Data Requests.

  • If DataRep fails to provide personal data to relevant parties as required by the undertaking of the role of Data Protection Representative, the consequences may be a failure of DataRep in that regulatory role, a corresponding failure of the Client to meet their obligations under GDPR, and a failure to meet the Individual’s rights under GDPR.

• Is the personal data used for any automated decision making, including profiling and information about how decisions are made?

  • The Individual Data may be considered by DataRep when making decisions on the appropriate response to a Data Request.

  • Other than above, the Processed Data will not be used in any processing or information gathering processes and, except where otherwise required or permitted, will not be passed to any third party without the consent of the relevant data subject.