This Privacy Policy explains how Dairygold Co-Operative Society Limited and all of its subsidiaries (together “we”, “us” or “Dairygold” and in each case “we” refers to the entity within the Dairygold group who is your relevant employer) use Personal Data which we collect about employees and other staff. “Personal Data” is information about living individuals, being information that relates to them or which identifies them directly or indirectly. This Privacy Policy is in accordance with Dairygold’s legal obligations in particular the General Data Protection Regulation (“GDPR”) that will come into force on the 25th May 2018.
The purpose of this Privacy Policy is to explain to you what information we hold about you and others, how we use this information, on what legal basis we are permitted to use this information, how long we will hold it and how we keep it secure. This Privacy Policy also describes your rights under data protection legislation and how you can exercise these rights.
Responsibilities
Dairygold has a responsibility to ensure that Personal Data is:
Employees have a responsibility to inform Dairygold if there is any change to their Personal Data.
Associated or Relevant Documentation
Number | Title | Location |
Dairygold Closed Circuit Television (CCTV) Policy | Sharepoint | |
Dairygold I.T. Users Policy | Sharepoint | |
Dairygold Data Breach Standard Operating Procedure (“SOP”) | Sharepoint |
“Personal Data” is information about you or another living individual from which you or they are identifiable. Our aim is responsible handling of Personal Data and this Privacy Policy describes how we use Personal Data that we collect in the course of hiring staff and employees. Personal Data may be provided to us by you directly or by a third party. This Privacy Policy covers Personal Data obtained from a variety of online and paper sources, including:
We hold Personal Data relating to:
The Personal Data we hold about you and other individuals may differ depending on our relationship, including the type of communications between us and the services we provide.
Examples of the Personal Data we may hold and process is described in detail in Appendix I and includes:
We use Personal Data to administer the operations of Dairygold on a day to day basis. The purposes for which we use your Personal Data may differ based on our relationship.
We will use the Personal Data to:
These more sensitive or “special” categories of Personal Data include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning an individual’s sexual orientation.
We only process data concerning health to ensure your safety while at work and where required to assess your fitness for work and/or to process benefits (e.g. sick pay). Such data may also be processed in the context of legal proceedings or claims or for the purpose of carrying out our (and your) obligations and rights under employment law (for example, through the use of biometric data for time and attendance, health and safety, and compliance with the Organisation of Working Time Act 1997 (as amended)). We may process Sensitive Personal Data where required for reporting on our obligations, on an anonymous, aggregate basis, pursuant to employment equality legislation and it is your choice whether you share any additional special categories of Personal Data with us for this purpose in which case we shall not process this data for any other purpose.
Dairygold does not process data concerning criminal convictions or offences unless required to do so in the context of a legal obligation.
Dairygold are responsible for looking after your Personal Data in accordance with this Privacy Policy, our internal standards and procedures, and the requirements of data protection law. Dairygold shall apply suitable and specific safeguards which are designed to ensure that the requirements of data protection legislation are applied to our processing operations.
As much of the Personal Data we hold is stored electronically we have implemented appropriate IT security measures to ensure this Personal Data is kept secure. For example, we use anti-virus protection systems, firewalls, and data encryption technologies. We have procedures in place at our premises to keep any hard copy records physically secure. We also train our staff regularly on data protection and information security.
When Dairygold provides Personal Data to a third party (including our service providers) or engages a third party to collect Personal Data on our behalf, the third party will be required to use appropriate security measures to protect the confidentiality and security of Personal Data and will assume certain responsibilities under data protection law for looking after the Personal Data that they receive from us.
Unfortunately, no data transmission over the Internet or electronic data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any Personal Data you might have sent to us has been compromised), please immediately notify us.
Dairygold utilises the security measures mentioned above to ensure a data breach does not occur which may include a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. Where a data breach does occur, we will follow our internal Data Breach SOP procedure to manage the breach and notify the relevant supervisory authority and any employees if necessary.
In connection with the purposes described above, we may need to share your Personal Data with third parties (this may involve third parties disclosing Personal Data to us and us disclosing Personal Data to them). These third parties may include:
Type of third party
|
Examples |
Our service providers | External third party service providers, such as security professionals, accountants, auditors, experts, lawyers and other professional advisors; travel assistance providers; IT systems, support and hosting service providers; banks and financial institutions that service our accounts; payroll providers; document and records management providers; profiling service providers; recruitment providers; employment advisory providers, pension trustees and pension providers; training providers and other third party vendors and outsourced service providers that assist us in carrying out our activities. |
Occupational health providers | Internal and external medical professionals and health insurance providers. |
Government authorities and third parties involved in court action | We may share Personal Data with: (a) government or other public authorities (including, but not limited to, courts, regulatory bodies, law enforcement agencies, tax authorities and criminal investigations agencies); and (b) third party participants in legal proceedings and their accountants, auditors, lawyers, and other advisors and representatives, as we believe to be necessary or appropriate. |
Other third parties | Trade unions, insurers, retirement planners or a purchaser or prospective purchaser of a business of Dairygold.
|
We reserve the right to monitor electronic communications (for example, emails) pursuant to the Dairygold IT Users Policy which is in our legitimate interests to protect you, our organisation and IT infrastructure.
We will keep Personal Data for as long as is necessary for the purposes for which we collect it. The retention period for each type of data is documented in our Dairygold Data Classification Retention and Destruction Policy.
Where we hold Personal Data to comply with a legal or regulatory obligation, we will keep the information for at least as long as is required to comply with that obligation.
For further information about the period of time for which we retain your Personal Data, please contact us using the details below.
The following is a summary of the data protection rights available to individuals in the EEA in connection with their Personal Data. These rights may only apply in certain circumstances and are subject to certain legal exemptions.
Description | When is this right applicable?
|
Right of access to Personal Data
You have the right to receive a copy of the Personal Data we hold about you and information about how we use it.
|
This right is applicable at all times when we hold your Personal Data (subject to certain exemptions). |
Right to rectification of Personal Data
You have the right to ask us to correct Personal Data we hold about you where it is incorrect or incomplete.
|
This right is applicable at all times when we hold your Personal Data (subject to certain exemptions). |
Right to erasure of Personal Data
This right entitles you to request that your Personal Data be deleted or removed from our systems and records. However, this right only applies in certain circumstances. |
Examples of when this right applies to Personal Data we hold include (subject to certain exemptions):
|
Right to restrict processing of Personal Data
You have the right to request that we suspend our use of your Personal Data.
Where we suspend our use of your Personal Data we will still be permitted to store your Personal Data, but any other use of this information will require your consent, subject to certain exemptions.
|
You can exercise this right if:
|
Right to data portability
This right allows you to obtain your Personal Data in a format which enables you to transfer that Personal Data to another organisation.
You may have the right to have your Personal Data transferred by us directly to the other organisation, if this is technically feasible. |
This right will only apply:
o your consent; or o the fulfilment by us of a contract with you; and
|
Right to object to processing of Personal Data
You have the right to object to our use of your Personal Data in certain circumstances. However, we may continue to use your Personal Data, despite your objection, where there are compelling legitimate grounds to do so or we need to use your Personal Data in connection with any legal claims.
|
|
Right to withdraw consent to processing of Personal Data
Where we have relied upon your consent to process your Personal Data, you have the right to withdraw that consent.
|
This right only applies where we process Personal Data based upon your consent. |
Right to complain to the relevant data protection authority
If you think that we have processed your Personal Data in a manner that is not in accordance with data protection law, you can make a complaint to the data protection regulator. If you live or work in an EEA member state, you may complain to the regulator in that state. |
This right applies at any time. |
If you wish to exercise your rights, please contact us using the details below. Please note that it may not be possible for Dairygold to always comply with your request as some of these rights are limited by legislation. Where this is the case we will always respond within the statutory period of one month and inform you of the reasons why we cannot fully comply with your request.
If you have any questions or concerns about the way your Personal Data is used by us, you can contact a member of the HR team or e-mail us at: dataprotection@dairygold.ie
This Privacy Policy was last updated on 21st May 2018.
We review this Privacy Policy regularly and reserve the right to make changes at any time to take account of changes in our organisation, legal requirements, and the manner in which we process Personal Data.
Type of Personal Data | Examples
|
Lawful Basis |
Contact information | Name, address, email and telephone number | Necessary for the performance of a contract (Art 6(1)(b)) |
General information | Gender, civil and family status, date and place of birth, details of next of kin, employment contract, salary and benefit details (for employees)
Vehicle registration number and insurance (for the purpose of processing expense claims) for employees and independent contractors
|
Legitimate interest in administering personnel functions of Dairygold and ensuring up-to-date contact information for the employee in the case of an accident (Art 6(1)(f))
Necessary for the performance of a contract (Art 6(1)(b)) Necessary to comply with employment or social protection law (Art 9(2)(b)) Necessary to protect the vital interests of the data subject (Art 9(2)(c)) |
Education and employment information | Educational background, employer details and employment history, skills and experience and references. Professional memberships and affiliations and any other relevant information e.g. employment status. This applies for both employees and independent contractors to the extent relevant.
|
Necessary for the performance of a contract (Art 6(1)(b))
Legitimate interest in determining the skill and experience of an employee (Art 6(1)(f)) |
Government and other official identification numbers | PPS number, passport number, tax identification number, driver’s licence number, or other government issued identification number. This applies for both employees and independent contractors to the extent relevant. | Necessary for the performance of a contract (Art 6(1)(b))
Necessary for compliance with a legal obligation (Art 6(1)(c)) |
Financial information and account details | Bank account number, or other financial account number and account details, other financial information for processing wages. | Necessary for the performance of a contract (Art 6(1)(b)) |
Pension-related information and information related to other employee benefits | PPS number, salary and bonus, names of family members, dates of employment, civil status and type of pension fund chosen. | Necessary for the performance of a contract (Art 6(1)(b))
Necessary for compliance with a legal obligation (Art 6(1)(c)) Necessary for the establishment, exercise or defence of a legal claim (Art 9(2)(f)) (where sensitive Personal Data is processed in order to assess eligibility for benefits) |
Sensitive information | Occupational health form on commencement of work, doctor’s reports, occupational health nurse reports, physiotherapist reports on fitness to work or workplace accommodation needs to be made during term of employment, sick notes.
|
Necessary for the purpose of assessing the working capacity of the employee (Art 9(2)(h))
Necessary to comply with employment or social protection law obligations (Art 9(2)(b)) Necessary for the establishment, exercise or defence of a legal claim (Art 9(2)(f)) |
Personality assessments | Reports from service providers on employee’s personality, emotional intelligence, reasoning, aptitude and potential. | Legitimate interest in determining the suitability of an employee (Art 6(1)(f)) |
Biometric data | Template of employee’s or agency worker’s fingerprint. | Necessary for compliance with employment law or social protection law obligations specifically the Organisation of Working Time Act 1997 (Art 9(2)(b)) |
Time and attendance data, | Time data is collected through fobs and swipe cards. | Necessary for compliance with a legal obligation specifically the Organisation of Working Time Act 1997 (Art 6(1)(c)
Legitimate interest in monitoring time and attendance and access to restricted areas. |
CCTV | CCTV images | Legitimate interest in ensuring security, safety and work processes standards (Art 6(1)(f)) |
When we process Personal Data for the purpose of our legitimate interests, we must inform of you of those legitimate interests. In addition to those set out above, the following legitimate interests of Dairygold may be relied upon to process your Personal Data (where they are not otherwise covered by one of the other legal bases specified in this Policy):