Data Protection Policy – FDC Group
All policies, guidelines and procedures of FDC Group reflect the firm's commitment to the protection of the rights and privacy of individuals (including customers, staff and others) whose personal information is held by the firm. The firm has in place a range of systems and procedures, which it reviews on a regular basis, in order to protect these rights and to be compliant with the provisions of the General Data Protection Regulation and the Data Protection Act 2018.
In order to carry out its core functions, FDC Group needs to collect and use personal data about its customers, staff and other individuals who come into contact with the firm. The firm needs to process such data for purposes that include the advice and administration of financial transactions, recruitment and payment of staff and compliance with statutory and regulatory obligations.
The firm is legally obliged to safeguard the privacy rights of individuals in relation to the processing of their personal information for such purposes. The General Data Protection Regulation and the Data Protection Act 2018 provide for this by conferring rights on individuals as well as responsibilities on those persons processing personal data. Personal data, both automated and manual, is data relating to a living individual who is or can be identified, either from the data itself or from the data in conjunction with other information held by the firm.
Principles of Data Protection
FDC Group undertakes to perform its responsibilities under the regulation in accordance with the following Data Protection Principles:
- Obtain and process information fairly:
The firm obtains and processes personal data fairly and in accordance with its statutory and other legal obligations.
- Keep it only for one or more specified, explicit and lawful purposes / Use and disclose only in ways compatible with these purposes:
The firm keeps personal data for purposes that are specific, lawful and clearly stated.
Personal data will only be processed in a manner compatible with these purposes. The firm only uses and discloses personal data in circumstances that are necessary for the purpose for which it collects and keeps the data.
- Keep it safe and secure:
To ensure confidentiality the firm takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of data and against accidental loss or destruction.
- Keep it accurate, complete and up-to-date:
The firm operates procedures that ensure high levels of data accuracy, completeness and consistency.
- Ensure it is adequate, relevant and not excessive:
Personal data held by the firm is adequate, relevant and not excessive in both the gathering of the information and in data retention terms.
- Retain for no longer than is necessary:
The firm has a policy on retention periods for personal data and a specific rationale for each chosen retention period.
Roles & Responsibilities
The firm has overall responsibility for ensuring compliance with Data Protection legislation as the Data Controller of personal data. However, all employees of the firm who separately collect and / or control the content and use of personal data are individually responsible for compliance with the regulation and legislation.
FDC Group provides support, assistance, advice and training to all staff to ensure that they are in a position to comply with the regulation and legislation. FDC Group has responsibility for coordination and compliance relating to all Data Protection matters, including responding to general queries and subject access requests (SARs) received from Data Subjects relating to personal data, as well as requests for assistance from firm employees involved in collecting, storing and processing personal information.
Procedures & Best Practice Guidelines
There are clear procedures in place at the firm for the collection, processing and maintenance of personal information required by the firm to carry out its core functions. This Data Protection Procedures manual and Best Practice Guidelines set out these procedures in order to raise general awareness of the systems and procedures that are in place and to assist the firm's employees to comply with the firm's regulatory and legislative requirements under GDPR. The firm's Data Protection Procedures and Best Practice Guidelines identify the areas of work in which Data Protection issues arise and outline best practice in dealing with these issues.
Obtaining and processing personal data
Personal data is obtained fairly if the data subject is aware of the purpose for which the firm is collecting the data, of the categories of persons/organisations to which the data may be disclosed/shared, of non-obligatory or optional answers in forms, of the right of access to the data and of the right of rectification of the data.
- Obtain personal data only when there is a clear purpose for so doing, obtain only whatever personal data is necessary for fulfilling that purpose and ensure data is used only for that purpose.
- The use of firm data processing facilities in capturing and storing personal data for non-business purposes must not take place.
- Inform data subjects of what personal information is held by the firm, what it will be used for and to whom it may be disclosed/shared.
- Obtain explicit consent in writing for processing sensitive data and retain a copy of that consent. Consent cannot be inferred from non-response in the case of sensitive data.
Disclosing personal data
Personal data should only be disclosed in ways that are necessary or compatible with the purpose for which the data is kept. Special attention should be paid to the protection of sensitive personal data.
- Except where there is a statutory obligation to comply with a request for personal data, or where a data subject has already been made aware of disclosures, do not disclose to any third party any personal data without the consent of the data subject.
- Disclosure of personal data to a third party is not permitted unless there is a statutory obligation to disclose, or the information is released, to the Gardaí for example, for the prevention of crime and if informing the subject of the disclosure would prejudice the enquiries, or unless it is in the vital interest of the data subject.
- Personal data should only be disclosed to work colleagues where they have a legitimate interest in the data in order to fulfil administrative functions. Be satisfied of the need to disclose.
- Personal data should not be disclosed outside of the EU unless written consent has been obtained, unless disclosure is required for the performance of a contract to which the data subject is a party, or unless disclosure is necessary for the purpose of legal proceedings.
Securing personal data
The firm protects personal data from unauthorised access when in use, in storage or being destroyed, and such data is protected from inadvertent destruction, amendment or corruption. Personal electronic data is subject to appropriately stringent controls, such as passwords, encryption, restricted access / access logs, backup, etc. Screens, printouts, documents and files showing personal data are not visible to unauthorised persons. Personal manual data is held securely in locked cabinets, locked rooms or rooms with limited / controlled access. Special care is taken where laptops and PCs containing personal data are used outside the firm. Special care is also taken to ensure the safety and security of any personal data held on mobile storage media.
Accuracy and completeness of personal data
Administrative procedures include review and audit facilities so that personal data is accurate, complete and kept up-to-date.
Retention of personal data
Data is not kept for longer than is necessary for the purpose for which it was collected. Data already collected for a specific purpose is not subject to further processing that is not compatible with the original purpose. All data held by the firm is stored and catalogued in accordance with a Data Retention Schedule and destroyed in accordance with that schedule and in compliance with regulatory and statutory obligations.
Disposal of personal data
Personal data is disposed of when it is no longer needed for the effective functioning of the firm and its employees. The method of disposal is appropriate to the sensitivity of the data. Shredding is appropriate in the case of manual data and reformatting or overwriting in the case of electronic data. Please contact FDC Group for any shredding requirements. FDC Group is informed immediately when PCs are transferred from one person to another or outside the firm or are being disposed of.
Rights of the Individual
The Data Protection Acts provide for the right of access by a Data Subject to his or her personal information. Data subjects must be made aware of how to gain access to their personal data. A Data Subject is entitled to be made aware of his or her right of access and of the means by which to access the data. A Data Subject is entitled to the following on written application within 30 days:
- a copy of his or her personal data;
- the purpose of processing the data;
- the persons to whom the firm discloses the data;
- an explanation of the logic used in any automated decision-making (where applicable);
- a copy of recorded opinions about him or her (all staff should be conscious of this when making notes on a customer's file or sending internal communications which relate to the data subject).
The right of access is restricted where the data are:
- required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing moneys due to the State;
- subject to legal professional privilege;
- kept only for statistical or research purposes and the results are not made available in a way that identifies data subjects;
- back-up data.
Provision of access to third parties
A Data Subject is entitled to access his or her own personal data only. The personal information of a Data Subject, including confirmation of attendance at the firm or contact details, is not disclosed to a third party, be they civil partner or spouse, potential employer, another employer, professional body, sponsor, etc., without the consent of the individual concerned. An agreement may be made to forward a communication to a Data Subject on behalf of a third party, but no information is disclosed about the Data Subject. In the case of research surveys where there is an agreement to forward documentation to Data Subjects, a notice is included to the effect that no personal information has been released.
Limitations on the use of personal data for research / analysis
If research data is retained in personally identifiable format it may be subject to an access request from a data subject but would only be used where consent was freely given by the data subject.
Right of rectification or erasure
Data subjects have a right to have personal data rectified, blocked from being processed or erased where the Data Controller has contravened the Act. In order to comply with the above rights of access, rectification or erasure, FDC Group ensures that personal data can be located and collated quickly and efficiently:
- Personal data is in a format that is easy to locate and collate;
- The access request is verified and the personal data released to the same individual;
- The firm knows exactly what data is held on individuals, where and, in some circumstances, by whom;
- Personal data is held in a secure central location.
Responsibilities of Data Subjects
The firm is dependent on Data Subjects themselves for maintaining the accuracy and currency of records held about them. The firm cannot be responsible for any inaccuracies resulting directly from the submission of such information by Data Subjects, nor can it be accountable for any subsequent changes to such information unless notified. All Data Subjects have the right to review personal information about themselves recorded and stored by the firm and to have it amended if necessary. All Data Subjects (including staff and others) are entitled to be informed as to how their personal data can be kept up to date and accurate by the firm.
All staff and other data subjects are responsible for:
- checking that any information that they provide to the firm is accurate and up to date;
- informing the firm of any changes to information that they have provided, e.g. a change of address;
- checking / reviewing the information the firm sends out from time to time, giving details of information kept and processed, to ensure it remains accurate;
- informing the firm of any errors or changes (the firm cannot be held responsible for any errors unless previously informed).
Where any such changes have been advised to the firm, these must be updated and corrected immediately or as soon as is reasonably possible.
Risk and Control Review / Assessment
FDC Group will effectively and periodically assess any gaps in our DP Policies, ensuring that any and all revisions applicable to GDPR are applied. We will review our firm's framework and best practices at least annually and make any necessary changes and/or provisions in order to fill any identified gaps. We will sustain data management through the monitoring, reviews and communication specific to our firm's data protection framework, e.g. recording, monitoring and retention of personal information, monitoring of clear desks, and regular data protection training and awareness. We will align our processes with the Data Protection Principles for any information requests, incident handling and legal compliance, e.g. complaints, subject access requests and breach reporting processes. We will routinely review and assess both internal and external threats to the firm's data security. We will review annually; however, the Policy may be reviewed between such intervals in the event of any legislative or other relevant developments.
The timeline for each review cycle should be determined by the firm but should take account of the level of risk associated with each process, of ad hoc reviews resulting from a process failure, and of any regulatory or legislative updates as and when they occur. The outcome of the review will be a decision to revise, amend, consider recommendations, or reconfirm and approve the existing process document.
We will train our staff annually, and further training and communications will be provided if the policy changes or if there are any legislative or other relevant developments.
FDC Group has responsibility for coordination and compliance relating to the administration of all data protection matters, including responding to general queries and requests by Data Subjects relating to personal data, as well as requests for assistance from firm employees involved in collecting, storing and processing personal information.
Any queries relating to data protection issues, including requests by individuals for access to and/or correction of any personal data held by the firm and relating to such individuals, should be directed to Jessica Perrott, FDC House, Wellington Road, Cork. Tel 021-4509022 firstname.lastname@example.org
The most effective and efficient way to contact the Data Protection Commission regarding queries or complaints is by means of the webforms.
If you have a query, concern or complaint regarding a data protection matter, you can engage with the Data Protection Commission in the following ways:
- By webform on our website
- By telephone to our Helpdesk
- By post.
It is important to note that the Data Protection Commission is not a public office and therefore we are not in a position to provide face-to-face meetings. If, however, you are not in a position to engage with this office by the above-mentioned means, please contact our Access Officer.
Postal Address: Data Protection Commission, 21 Fitzwilliam Square South
Last Updated: March 2019