Data and Privacy Information

Tree Council of Ireland Data Protection Policy

Introduction

This document provides a concise policy regarding the data protection obligations of Tree Council of Ireland and is part of Tree Council’s commitment to data protection .

Tree Council of Ireland is a data controller with reference to the personal data which it manages, processes and stores for a short period of time.

Employees/supporters/beneficiaries/consultants and donors of Tree Council of Ireland should refer to the guidance provided by the Office of the Irish Data Protection Commissioner (www.dataprotection.ie) as well as seeking professional advice regarding best practice in this area.

Tree Council of Ireland’s commitment to data protection

We believe in establishing a clear, transparent and accountable approach to our data protection to ensure that all those who support and engage with Tree Council of Ireland can do so safe in the knowledge that we will apply the same values to our data protection as we do to all our work and will handle their personal data in a secure, transparent and responsible manner with full respect for their privacy.

Purpose of this Policy

As a data controller, Tree Council of Ireland and its staff (hereafter referred-to collectively as Tree Council of Ireland) must comply with the data protection Principles set out in the relevant Irish, EU legislation.

This Policy applies to all personal data collected, processed and stored by Tree Council of Ireland in the course of its activities. This Policy is designed to ensure Tree Council of Ireland’s compliance with the following legislation:

The EU Electronic Communications Regulations (2011)

The GDPR confers rights on individuals as well as additional responsibilities on those persons and organisations processing personal data and Tree Council of Ireland will ensure that all policies and activities are done in compliance with this legislation.

The European General Data Protection Regulation (GDPR)

Definitions

For the purpose of this Policy:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;

‘Processor’ means a natural or legal person, which processes personal data on behalf of the controller;

‘Recipient’ means a natural or legal person, to which the personal data are disclosed, whether a third party or not.

‘Third party’ means a natural or legal person, other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘Supervisory authority’ means the Irish Data Protection Commissioner, as an independent public authority established by Ireland pursuant to Article 51 of the GDPR.

Scope

The Tree Council of Ireland, as a data controller, collects, processes and stores personal data on an ongoing basis. Tree Council of Ireland collects data about its staff, members, partners and programme participants who come into contact with the organisation

through our on-going or work with regard to trees. We process personal data for the following reasons:

  • The collection and management of sponsorship and membership fees.
  • The operations of National Tree Week and Tetra Pak Tree Day each year.
  • The operations, monitoring and evaluation of work, including tree Planting with Schools and Communities, Educational programmes carried out by also. Conferences and seminars, for an educational purpose of making people aware of trees.
  • The recruitment, management and payment of staff,

Ensuring the security of staff and premises,

Compliance with statutory obligations.

The Tree Council also contracts other companies to act as data processors for the personal data collected by our websites for events run by us with regard to trees.

This Policy applies to all data collected, both manually and automated, held by the Tree Council of Ireland. This includes electronic and paper records.

Ownership

The Data Protection Policy is maintained by The Tree Council of Ireland on an on going basis and is approved by the Executive Leadership Team. Any material changes to this Policy will require approval by the Executive Leadership Team.

Staff

In its role as an employer, The Tree Council of Ireland may keep information relating to a staff member’s physical, as well as their economic, cultural or social identity.

Tree Council of Ireland will ensure that all staff members receive awareness raising and training on data protection.

The use of third-party data processors

In the course of its role as data controller, The Tree Council of Ireland uses a third party company to manage its web sites.

In each case, the third party has its own GDPR Policy in place, outlining their obligations in relation to the personal data, the security measures that they must have in place to protect the data, the specific purpose or purposes for which they are engaged, and the understanding that they will only process the data.

a) as instructed by Tree Council of Ireland, and

  1. b) in compliance with the European General Data Protection Regulation and the EU

Electronic Communications Regulations.

The contract will also include reference to the fact that the data controller is entitled, from time to time, to audit or inspect the data management activities of the data processor, and to ensure that they remain compliant with the relevant legislation, and with the terms of the contract.

The Data Protection Principles

The following key Principles are enshrined in EU legislation and are fundamental to Tree Council of Ireland’s Data Protection Policy.

In its capacity as data controller, Tree Council of Ireland ensures that all data shall:

Be obtained and processed fairly and lawfully

Tree Council of Ireland will only process personal data in line with one of the lawful basis enshrined in Article 7 of the GDPR. Tree Council of Ireland will fulfil its obligation in this regard by ensuring that:

  • Where possible, the informed consent of the data subject will be sought before their data is processed. Tree Council of Ireland will ensure that the request for consent is presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Tree Council of Ireland will also ensure that the data subject is made aware of his or her right to withdraw his or her consent at any time
  • Where it is not possible to seek consent, Tree Council of Ireland will ensure that collection of the data is justified under one of the other lawful processing conditions listed in Article 7 of the GDPR (compliance with legal obligation, contractual necessity, vital interests of data subject, public interest, or the legitimate interests of the data controller);
  • Processing of the personal data will be carried out only as part of Tree Council of Ireland lawful activities, and it will safeguard the rights and freedoms of the data subject;
  • The data subject’s personal data will not be disclosed to a third party other than to a party contracted by Tree Council of Ireland and operating on its behalf, or where Tree Council of Ireland is required to do so by law.

Be adequate, relevant and not excessive in relation to the purpose(s) for which the

data were collected and processed

The Tree Council of Ireland, will ensure that the data it processes in relation to data subjects is adequate, relevant and limited to what is necessary in relation to the purposes for which the data is collected, in line with the principles laid down in Article 5 of the GDPR. Data which is not relevant to such processing will not be acquired or maintained, in line with the principle of data minimisation.

Not be kept for longer than is necessary to satisfy the specified purpose(s)

The Tree Council of Ireland will ensure that personal data is not kept for longer than what is strictly necessary for the purpose for which the data is processed, in line with the principles laid down in Article 5 of the GDPR.

Be kept safe and secure

The Tree Council of Ireland will ensure that the personal data it collects will be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Tree Council of Ireland