Close close

Privacy Policy

Data Protection Policy – FDC Group

Background

All policies, guideline and procedures of FDC Group reflects the firm’s commitment to the protection of the rights and privacy of individuals (including customers, staff and others) whose personal information is held by the firm. The firm has in place a range of systems and procedures, which it reviews on a regular basis, in order to protect these rights and to be compliant with the provisions of the General Data Protection Regulation and the Data Protection Act 2018.

In order to carry out its core functions, FDC Group needs to collect and use personal data about its customers, staff and other individuals who come into contact with the firm. The firm needs to process such data for purposes that include the advice and administration of financial transactions, recruitment and payment of staff and compliance with statutory and regulatory obligations.

The firm is legally obliged to safeguard the privacy rights of individuals in relation to the processing of their personal information for such purposes. The General Data Protection Regulation and the Data Protection Act 2018 provides for this by conferring rights on individuals as well as responsibilities on those persons processing personal data. Personal data, both automated and manual is data relating to a living individual who is or can be identified, either from the data itself or from the data in conjunction with other information held by the firm.

Principles of Data Protection

FDC Group undertakes to perform its responsibilities under the regulation in accordance with the following Data Protection Principles;

  • Obtain and process information fairly:

The firm obtains and processes personal data fairly and in accordance with its statutory and other legal obligations.

  •  Keep it only for one or more specified, explicit and lawful purposes / Use and disclosure only in ways compatible with these purposes;

The firm keeps personal data for purposes that are specific, lawful and clearly stated.

Personal data will only be processed in a manner compatible with these purposes. The firm only uses and discloses personal data in circumstances that are necessary for the purpose, for which it collects and keeps the data.

  •  Keep it safe and secure:

To ensure confidentiality the firm takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of data and against accidental loss or destruction.

  •  Keep it accurate, complete and up-to-date:

The firm operates procedures that ensure high levels of data accuracy, completeness and consistency.

  •  Ensure it is adequate, relevant and not excessive:

Personal data held by the firm is adequate, relevant and not excessive in both the gathering of the information and in data retention terms.

  •  Retain for no longer than is necessary:

The firm has a policy on retention periods for personal data and a specific rationale for each chosen retention period.

Roles & Responsibilities

The firm has overall responsibility for ensuring compliance with Data Protection legislation as the Data Controller of personal data. However, all employees of the firm who separately collect and / or control the content and use of personal data are individually responsible for compliance with the regulation and legislation.

FDC Group provides support, assistance, advice and training to all staff to ensure that they are in a position to comply with the regulation and legislation. FDC Group has responsibility for coordination and compliance relating to all Data Protection matters, including responding to general queries and SAR requests (subject access request) received from Data Subjects relating to personal data as well as requests for assistance from firm employees involved in collecting, storing and processing personal information.

Procedures & Best Practice Guidelines

There are clear procedures in place at the firm for the collection, processing and maintenance of personal information, required by the firm to carry out its core functions. This Data Protection Procedures manual and Best Practice Guidelines set out these procedures in order to raise general awareness of the systems and procedures that are in place and to assist the firm’s employees to comply with the firm’s regulatory and legislative requirements under GDPR. The firms Data Protection Procedures and Best Practice Guidelines identify the areas of work in which Data Protection issues arise and outline best practice in dealing with these issues.

Obtaining and processing personal data

Personal data is obtained fairly if the data subject is aware of the purpose for which the firm is collecting the data, of the categories of person/organisations, to which the data may be disclosed/shared, of non-obligatory or optional answers in forms, of the right of access to the data and of the right of rectification of the data.

  •  Obtain personal data only when there is a clear purpose for so doing, obtain only whatever personal data is necessary for fulfilling that purpose and ensure data is used only for that purpose.
  • The use of firm data processing facilities in capturing and storing personal data for non- business purposes must not take place.
  •  Inform data subjects of what personal information is held by the firm, what it will be used for and to whom it may be disclosed/shared.
  •  Obtain explicit consent in writing for processing sensitive data and retain a copy of that consent. Consent cannot be inferred from non response in the case of sensitive data.

Disclosing personal data

Personal data should only be disclosed in ways that are necessary or compatible with the purpose for which the data is kept. Special attention should be paid to the protection of sensitive personal data.

  •  Except where there is a statutory obligation to comply with a request for personal data, or where a data subject has already been made aware of disclosures, do not disclose to any third party any personal data without the consent of the data subject.
  •  Disclosure of personal data to a third party is not permitted unless there is a statutory obligation to disclose, or the information is released, to the Gardaí for example, for the prevention of crime and if informing the subject of the disclosure would prejudice the enquiries, or unless it is in the vital interest of the data subject.
  •  Personal data should only be disclosed to work colleagues where they have a legitimate interest in the data in order to fulfil administrative functions. Be satisfied of the need to disclose.
  •  Personal data should not be disclosed outside of the EU unless written consent has been obtained, unless disclosure is required for the performance of a contract to which the data subject is a party, or unless disclosure is necessary for the purpose of legal proceedings.

Securing personal data

The firm protects personal data from unauthorised access when in use and in storage or being destroyed and such data is protected from inadvertent destruction, amendment or corruption. Personal electronic data is be subject to appropriate stringent controls, such as passwords, encryption, restricted access / access logs, backup, etc. Screens, printouts, documents, and files showing personal data are not visible to unauthorised persons. Personal manual data is held securely in locked cabinets, locked rooms or rooms with limited / controlled access. Special care is taken where laptops and PCs containing personal data are used outside the firm.  Special care is also taken to ensure the safety and security of any personal data held on mobile storage media.

Accuracy and completeness of personal data

Administrative procedures include review and audit facilities so that personal data is accurate, complete and kept up-to-date.

Retention of personal data

Data is not be kept for longer than is necessary for the purpose for which it was collected. Data already collected for a specific purpose, is not be subject to further processing that is not compatible with the original purpose. All data held by the firm is  stored and catalogued in accordance with a Data Retention Schedule and destroyed in accordance with that schedule and in compliance with regulatory and statutory obligations.

Disposal of personal data

Personal data is disposed of when it is no longer needed for the effective functioning of the firm and its employees. The method of disposal is appropriate to the sensitivity of the data. Shredding is appropriate in the case of manual data and reformatting or overwriting in the case of electronic data. Please contact FDC Group for any shredding requirements. FDC Group is informed immediately when PCs are transferred from one person to another or outside the firm or are being disposed of.

Rights of the Individual

The Data Protection Acts provide for the right of access by a Data Subject to his or her personal information. Data subjects must be made aware of how to gain access to their personal data. A Data Subject is entitled to be made aware of his or her right of access and to the means by which to access the data. A Data Subject is entitled to the following on written application within 30 days;

  •  a copy of his or her personal data;
  •  the purpose of processing the data;
  •  the persons to whom the firm discloses the data;
  • an explanation of the logic used in any automated decision-making (where applicable);
  • a copy of recorded opinions about him or her, (all staff should be conscious of this when making notes on a customer’s file or sending internal communications which relate to the data subject)

The right of access is restricted where the data are:

  • required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing moneys due to the State;
  •  subject to legal professional privilege;
  •  kept only for statistical or research purposes and the results are not made available in a way that identifies data subjects;
  • back-up data.

Provision of access to third parties

A Data Subject is entitled to access his or her own personal data only. The personal information of a Data Subject, including confirmation of attendance at the firm or contact details, is not be disclosed to a third party, be they civil partner or spouse, potential employer, another employer, professional body, sponsor, etc., without the consent of the individual concerned. An agreement may be made to forward a communication to a Data Subject on behalf of a third party, but no information is disclosed about the Data Subject. In the case of research surveys where there is an agreement to forward documentation to Data Subjects, a notice would be included to the effect that no personal information has been released.

Limitations on the use of personal data for research / analysis

If research data is retained in personally identifiable format it may be subject to an access request from a data subject but would only be used where consent was freely given by the data subject.

Right of rectification or erasure

Data subjects have a right to have personal data rectified or blocked from being processed or erased where the Data Controller has contravened the Act. In order to comply with the above rights of access, rectification or erasure, FDC Group ensures that personal data can be located and collated quickly and efficiently;

  • Personal data is in a format that is easy to locate and collate;
  • The access request is verified and the personal data released to the same individual;
  • Know exactly what data is held on individuals, where and in some circumstances by whom;
  • Personal data is held in a secure central location.

Responsibilities of Data Subjects

The firm is dependent on Data Subjects themselves for maintaining the accuracy and currency of records held about them. The firm cannot be responsible for any inaccuracies resulting directly from the submission of such information by Data Subjects nor can it be accountable for any subsequent changes to such information unless notified. All Data Subjects have the right to review personal information, about themselves, recorded and stored by the firm and to have it amended if necessary. All Data Subjects (including staff and others) are entitled to be informed as to how their personal data can be kept up to date and accurate by the firm.

All staff and other data subjects are responsible for;

  • checking that any information that they provide to the firm is accurate and up to date;
  • informing the firm of any changes of information, that they have provided, e.g. a change of address;
  • checking / reviewing the information the firm sends out from time to time, giving details of information kept and processed, to ensure it remains accurate;
  • informing the firm of any errors or changes (the firm cannot be held responsible for any errors unless previously informed).

Where any such changes have been advised to the firm, these must be updated and corrected immediately or as soon as is reasonably possible.

Risk and Control Review / Assessment

FDC Group will effectively and periodically assess any gaps in our DP Policies; ensuring any and all revisions applicable to GDPR are updated. We will review our firm’s framework and best practices at least annually and make any necessary changes and/ or provisions in order to fill any identified gaps. We will sustain Data management through the monitoring, reviews and communication specific to our firm’s data protection framework e.g. recording, monitoring, retention of personal information, monitoring of clear desks, regular data protection training and awareness. We will align our processes with the Data Protection Principles for any information requests, incident handling and legal compliance e.g. complaints, subject access request, breach reporting processes. We will routinely review and assess both Internal and external threats to the firm’s data security. We will annually review, however the Policy may be reviewed between such intervals in the event of any legislative or other relevant developments.

The timeline for each review cycle should be determined by the firm but should take account of the level of risk associated with each process, ad hoc reviews resulting from a process failure, but also any regulatory or legislative updates as and when they occur. The outcome of the review will be a decision to revise, amend, consider recommendations or reconfirm and approve the existing process document.

Training

We will train our staff annually, and further training and communications will be provided if the policy changes/or if there are any legislative or other relevant developments.

Queries

FDC Group has responsibility for coordination and compliance relating to the administration of all data protection matters, including responding to general queries and requests by Data Subjects relating to personal data as well as requests for assistance from firm employees involved in collecting, storing and processing personal information.

Any queries relating to data protection issues, including requests by individuals for access to and/or correction of any personal data held by the firm and relating to such individuals should be directed to the Jessica Perrott, FDC House, Wellington Road, Cork. Tel 021-4509022 gdprqueries@fdc.ie

The most effective and efficient way to contact the Data Protection Commission regarding queries or complaints is by means of the webforms.

If you have a query, concern or complaint regarding a data protection matter, you can engage with the Data Protection Commission in the following ways:

  • By webform on our website
  • By telephone to our Helpdesk
  • By post.

It is important to note that the Data Protection Commission is not a public office and therefore we are not in a position to provide face-to-face meeting. If however, you are not in a position to engage with this office by the above mentioned means, please contact our Access Officer

Information on contacting the DPC concerning the EU-US Privacy Shield

Postal Address Data Protection Commission

21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland

Offices Dublin Office

21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland.

Portarlington Office

Canal House
Station Road
Portarlington
R32 AP23 Co. Laois

Last Updated: March 2019

FDC is committed to protecting and respecting your privacy. This Privacy Statement sets out how we, as a Data Controller, collect, use, process and disclose the personal data  (“Data”) that we collect from you, or that you provide to us, on our website www.fdc.ie (“Site”). This Privacy Statement should be read in conjunction with our Cookie Policy.

Please read the following carefully to understand our use of your Data.

1. Information we may collect from you

We only collect Data about you on the Site which you volunteer when you email us or by using our online Contact Us or other forms; or if you report a problem with our Site. When you contact us, we may keep a record of that correspondence. We also collect Data automatically when you navigate through our Site, as explained in our Cookie Policy.

We may collect and process the following data about you:

  • your name;
  • your phone number;
  • your email address;
  • your address;
  • information that you provide by filling in forms on our Site;
  • the time and date of your visit;
  • your IP address;
  • your browser type; and
  • your referring URL

Unless subscribing to a service, the provision of your Data is not a statutory or contractual requirement and you may refuse to disclose same.

2. Uses made of your data

We may use your Data where necessary for our legitimate business interests, including to:  

  • improve the content of our Site and the services we offer;
  • ensure the Site is presented in the most effective manner for you and for your computer;
  • compile statistical data on the use of our Site;
  • allow you to participate in interactive features of our service, when you choose to do so; and
  • notify you about changes to our service.

We make no attempt to identify individual visitors, or to associate the technical details we collect with any individual, unless required to disclose such information by law. We may use your Data to comply with any legal obligations.

We will store your personal Data only for as long as necessary for the purposes of providing access to our Site and related services to you; as required by law, and for the exercise or defence of any legal claims.

3. Disclosure of your information

We will not disclose your Data to third parties unless you have consented to this disclosure or unless the third party is required to fulfil a request you have made or contract that you have entered into.  Where appropriate, Data may also be processed by our service providers in which case we will take steps to ensure that the processing complies with applicable data protection and confidentiality laws. We will also disclose your Data if we believe in good faith that we are required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order or other statutory or legal requirement.

We may provide Non-Personal Data to third parties, where such information is combined with similar information of other users of our Site.  For example, we might inform third parties regarding the number of unique users who visit our Site, the demographic breakdown of our community users of our Site or the activities that visitors to our Site engage in while on our Site.  The third parties to whom we may provide this information may include web developers, server providers, providers of advertising services (including website tracking services), commercial partners, sponsors, licensees, researchers and other similar parties.

4. Links to other sites

Our Site may, from time to time, contain links to and from other websites. If you follow a link to any of those websites, please note that those websites have their own privacy policies and we do not accept any responsibility or liability for those policies. Please check those policies before you submit any Data to those websites.

5. Your rights

You may request access to, rectification, erasure or restriction of your Data, or object to the processing of your Data or Data portability at any time. We will respond to your request in writing, or orally if requested, as soon as practicable and in any event within one month of receipt of your request. We may request proof of identification to verify your request. All requests should be addressed to info@fdc.ie​​​​.

You have the right to lodge a complaint with the Data Protection Commissioner if you are unhappy with how we are processing your Data.

6. Security and where we store your personal data

We are committed to protecting the security of your Data. We use a variety of security technologies and procedures to help protect your Data from unauthorised access and use. As effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our database, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. We have implemented strict internal guidelines to ensure that your privacy is safeguarded at every level of our organisation.  We will continue to update policies and implement additional security features as new technologies become available. Where we have given you a password which enables you to access certain parts of our Site, you are responsible for keeping that password confidential.  We ask you not to share your password with anyone.

Although we will do our best to protect your Data, we cannot guarantee the security of your Data transmitted to our Site. Any transmission of Data is at your own risk. Once we receive your Data, we will use appropriate security measures to seek to prevent unauthorised access or disclosure.

7. Changes to this Privacy Statement

We reserve the right to change this Privacy Statement from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Statement. Your continued use of this Site after we make changes is deemed to be acceptance of those changes, so please check this Statement periodically for updates.

8. Contact Us

Any queries relating to data protection issues, including requests by individuals for access to and/or correction of any personal data held by the firm and relating to such individuals should be directed to the Jessica Perrott, FDC House, Wellington Road, Cork. Tel 021-4509022 gdprqueries@fdc.ie

 

Last Updated: February 2018