Data Protection is the means by which the privacy rights of individuals are safeguarded when their personal data is being processed. The General Data Protection Regulation (“GDPR”) imposes obligations on collectors and holders of personal data in relation to the collection, maintenance, security and processing of personal data.
Under GDPR, DEW must “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. These measures include the implementation of appropriate data protection policies.
This document sets out DEW’s data protection policy. Its purpose is to establish a framework under which DEW will seek to ensure that it protects the privacy of information acquired from and about individuals through complying with the requirements of GDPR and other relevant legislation.
This policy relates to all personal data acquired, processed and stored by DEW in relation to all data subjects. It applies to all personal data whether held in a manual or electronic form.
The Data Protection Principles
DEW aims to ensure that its data processing activities are open, transparent and up-front so that data subjects are aware of our activities and the use we will make of their information. We seek to achieve this by complying with the principles relating to the processing of personal data set out in GDPR. These are:
Personal data shall be:
Processed lawfully, fairly and in a transparent manner;
Collected for specified, explicit and legitimate purposes;
Adequate, relevant and limited to what is necessary;
Accurate and kept up to date;
Kept in a form which permits identification of data subjects for no longer than is necessary;
Processed in a manner that ensures appropriate security of personal data.
DEW as a Data Controller and Processor
In the course of its activities, DEW acquires data on conference attendees (data subjects).
DEW has a responsibility to ensure that the personal data of data subjects is processed fairly. Data subjects must be fully advised of their rights and how we will use their data when they provide it. The organisers must be sufficiently aware of data protection requirements to be able to anticipate, seek to prevent and identify any potential or actual data protection breach should one arise. In such circumstances DEW must ensure that relevant procedures are adhered to and, where a breach occurs, that appropriate corrective action is taken.
We will ensure that all data processing is justified through the informed consent of the data subject or through any other lawful processing condition such as legal obligation or contractual necessity.
Processing of personal data will only be carried out to facilitate our lawful activities, which are the organisation of conferences in relation to economic policy. This entails the collection of data of conference attendees.
DEW will only use or disclose data when necessary to satisfy legitimate interests or legal obligations.
DEW employs appropriate security measures to protect the personal data of data subjects against unauthorised access, alteration, disclosure or destruction. This applies to all data, whether stored electronically or physically.
DEW will monitor our data protection policies and procedures to ensure that they remain appropriate and up to date.
The information obtained from individuals is collected solely for the purposes of the organisation of the conference. We do not collect personal data which is not relevant to the services we provide.
DEW only retains personal data for the period specified in the legislation under which we operate or as defined by a regulatory authority. Once the mandatory retention period for personal data has elapsed, DEW undertakes to destroy, erase or otherwise put this data beyond use unless a legal basis exists for retaining it. All other personal data, not subject to mandatory retention periods, will be continuously monitored and disposed of when no longer needed.
Data Protection Impact Assessments
Where DEW proposes to conduct a change to its personal data processing activities, such as deploying new technology or introducing a new product or service, we will conduct a data protection impact assessment to identify risks to personal data arising from any such change and to ensure that processes are in place to mitigate any risks that may be identified by the privacy impact assessment.
Data Subject Access Requests
All formal valid requests by data subjects for a copy of their personal data will be processed as soon as possible within the timeframe set out in GDPR and in accordance with our established procedures. All valid requests from data subjects to amend or erase personal data will be complied with as soon as practicable and within any specified timeframes.
Personal Data Breaches
In the case of a personal data breach, DEW will, without undue delay and not later than 72 hours after having become aware of it, notify the Data Protection Commissioner of the breach. GDPR specifies that a notification is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. For the avoidance of uncertainty, DEW will make a notification in all cases where we consider the requirements to have been breached. Where the notification to the Data Protection Commissioner is not made within 72 hours, we will provide reasons for the delay in making such a notification.
In cases where a breach is required to be notified to the data subject, such as breach of confidentiality or identity theft, this will be made without undue delay.
Failure to comply with GDPR
The Data Protection Commissioner has significantly enhanced regulatory, investigative and sanctioning powers under GDPR. These powers enable the regulator to impose appropriate and proportionate administrative sanctions for infringements, ranging from the issuing of a warning to the imposition of a significant fine of up to €20 million or 4% of worldwide turnover. In addition, the firm may be exposed to civil action by the data subject concerned. A breach of the GDPR would cause significant reputational damage to DEW.
All individuals involved in DEW have an obligation to ensure that they are aware of their obligations and responsibilities to data subjects under GDPR.
Ownership and Review
This Data Protection Policy is maintained by Sarah Condon and approved by the organising committee, which keeps it under review and monitors adherence to it. It will be kept under ongoing review and a formal review will be undertaken and submitted to the committee at least annually.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;