Epilepsy Ireland endeavours to comply with the General Data Protection Regulation, Data Protection Acts, ePrivacy Regulation and data protection best practices. This Policy informs individuals how Epilepsy Ireland processes personal data in accordance with the principles of data protection identified in the data protection legislation.
We will process any personal information provided to us by individuals, whether it be provided through our website (www.epilepsy.ie), in person, on a form, correspondence, telephone, email or by any other means, or otherwise held by us in relation to you in the manner set out in this policy.
Epilepsy Ireland is a registered charity that provides a wide range of services to its members (who can renew or cancel their membership at will) and the general public at large. We employ a number of staff and also at times rely on volunteers; both employees and volunteers have an internal Data Protection Policy that governs how they process data.
Information collected by us
The information about you that we may collect, use, and store (process) includes:
- Information necessary in order to facilitate, process, deliver or that relates to the billing of an agreed business transaction, fundraising or collection of monies or any transaction associated with membership of Epilepsy Ireland (name, address, contact details, billing details, etc.)
- Information you provide to us by filling out any forms on the website or by way of emailing us.
- Records of correspondences whether by email, telephone, through any form on our website or by any other means,
- Information you provide to us in person.
- Details of any business, commercial or membership transactions you carry out with us, whether through email, the website, telephone, or by any other means.
How we use your personal information
We may use your personal information for the purposes of:
- Processing any enquiry requested by you;
- Entering into and or completing any sales or membership related request requested by you, including renewal of membership;
- Setting up, operating and managing any account or line of credit, if applicable;
- Setting up, operating and managing any marketing and or fundraising services subject to your explicit consent (please see Marketing & Fundraising below);
- Complying with our legal duties and responsibilities;
- Debt collection and the collection of outstanding monies;
- Monitoring any billing or credit transactions for the purpose of preventing fraud;
- Provision of security to, and ensuring the health and safety of, employees, volunteers and visitors to company premises.
As Epilepsy Ireland provides support services for persons affected by epilepsy we are sometimes contacted by members of Epilepsy Ireland and members of the general public to either provide emotional or community support, or to provide a referral to a third party support provider or medical advice provider. By necessity, in order to provide such services, any support or referral may necessitate the processing of special categories of personal data (medical history, current medication, etc.).
We will only process such data with the explicit consent of any individual that we request in writing (via a consent form) and the data will be held as confidential, secure, will be used only for the purposes for which it was collected and will be destroyed or deleted once it is no longer necessary (in accordance with our data retention policy).
Epilepsy Ireland does not engage in any automated decision making processes nor do we use any personal data as a basis for any such automated decisions.
Epilepsy Ireland does not transfer personal data outside the EU or outside the jurisdiction of the General Data Protection Regulation. However, Epilepsy Ireland may use some external service providers to provide business functions [For example, the use of Salesforce to provide customer care facilities (if you so choose to become a client of Epilepsy Ireland)] some of whom may be located outside the EU or EEA. In such cases, personal data is protected by use of binding corporate rules or EU-US privacy shield to ensure continued compliant with the General Data Protection Regulation and uphold the privacy rights of all data subject.
Some of these service providers may be located within another EU member state, and any that are, are subject to the One Stop Shop Mechanism as identified by the Irish Data Protection Commission.
For more information about binding corporate rules, EU-US Privacy Shield and the One Stop Shop Mechanism please visit the Data Protection Commission website at www.dataprotection.ie
Marketing & Fundraising
Epilepsy Ireland is a registered charity that relies on the public for support and fundraising; without which we are unable to provide a wide range of support services. Our fundraising is governed by our fundraising and governance policies that are available on our governance page.
In terms of data processing, subject to your explicit consent, we may also use your personal information for the purpose of:
- Marketing and Sales promotions;
- Providing you with information about promotional offers on our products and services, including membership;
- Carrying out any membership or customer research, survey and analysis;
- Fundraising activities, including brand or event awareness, participation and collections of monies;
At some interactions with Epilepsy Ireland you may be asked to consent to your data being used for marketing and or fundraising purposes. In such cases, consent will require a positive action on your part. For example, on a new membership form you would have to tick a box stating that you consent to your data being processed for marketing and or fundraising purposes.
Epilepsy Ireland is committed to privacy by design and privacy by default. As such, you will never have to ‘opt-out’ of our marketing or fundraising processes; you will only ever have the option of ‘opting in’ if you’d like to be included. We do not engage in ‘pre-ticked’ boxes on consent forms nor do we ever assume you would consent to your data being processed. You are free to withdraw consent for any marketing and or fundraising related matters at any time you want.
Epilepsy Ireland engages in a number of social media services and we strive to uphold privacy rights online. However, sometimes members of the public may post something objectionable and beyond our control to Epilepsy Ireland’s social media pages/forums. In such cases, we will act to rectify any difficulties as soon as we are notified or become aware of the problem. We do not provide a continuous monitoring of social media sites/forums so there may be a slight delay from the initial post to when we become aware of a problem.
Epilepsy Ireland sometimes hold marketing or fundraising events in which members of Epilepsy Ireland and the general public may be present. Such events are often held at public locations. Sometimes we may wish to take a photograph at such events to promote our brand or event on social media. In such cases, it is our policy for our photographer/social media handler to announce their presence and provide additional instructions and assistance. However, we do not have any control over private individuals or their social media accounts and we cannot stop members of the public from posting pictures of events online without the consent of all participants.
We will take reasonable steps to ensure that your information is kept secure and protected, including but not limited to electronic data being protected using appropriate software, relevant networks safety and security checks, and, where applicable, any physical data records will be kept in an appropriately secure environment.
We have a general data retention policy that relates to the retention of relevant data for seven years. Personal data that is no longer required will be destroyed and or deleted in a secure manner.
We do not record or process personal data that is not required or not necessary for any of our stated purposes.
Disclosure of data
We may outsource to an external third party the process of contacting members whose membership has expired or due to expire. In such cases, the member's name and contact details may be shared with the third party for the exclusive purpose of contacting the member regarding membership renewal. An appropriate data processing agreement, with relevant safeguards, is in place to ensure our ongoing obligations under the Data Protection Acts are upheld.
We may also outsource certain other commercial functions to external third parties, e.g. debt collection, accounting auditors, etc. In such cases where your personal data is required for the purposes of completing those functions then an appropriate data processing agreement, with relevant safeguards, will be put in place to ensure our ongoing obligations under the Data Protection Acts are upheld.
We may also have to disclose certain personal data in accordance with any legal obligation imposed on us. Any such disclosure would be in accordance with the law, e.g. disclosed on foot of a court order etc.
Requesting your data
Any person has the right to find out whether an organisation has any personal data about them, what they use the personal data for and ask for copies of personal information held by that organisation.
If you wish to make a data access request in order to get a copy of any personal data we may process, please write a letter stating that you wish to make a data access request and address it to:
249 Crumlin Road
Or email Catherine at email@example.com
In order to process your request we may request that you send us a copy of your identification (passport, driver’s license, etc.).
The reason we ask for personal identification is to ensure that you are the correct person making the request for your personal data.
Unfortunately verbal access requests cannot be entertained.
In response to any data access request, you have the right to refer the matter to the Data Protection Commission if you are unhappy with the outcome, however, we ask that you would notify us first of any issue so that we may help resolve it as quickly as possible.
You have the right to rectify any incorrect or inaccurate personal data at no cost to you.
If you believe that we are incorrectly processing any of your personal data, please inform us by writing to Catherine Powell, Executive Assistant at the above address or email firstname.lastname@example.org.
Queries or complaints
Individuals have the right to refer any matter to the Data Protection Commission by contacting them at www.dataprotection.ie or by writing to:
Data Protection Commission
Office of the Data Protection Commission
If you are, for whatever reason, considering contacting the Data Protection Commission about us we would ask that you inform us of your difficulty first so that we can try to resolve it to your satisfaction.