
GDPR & Data Protection Policy

V2.0
Effective 1st January 2020
Last updated July 2023

TABLE OF CONTENTS


1 GDPR & DATA PROTECTION POLICY 

  • 1.1 INTRODUCTION 
  • 1.2 ENVIRONMENTAL CHANGES THAT MAY AFFECT THE QUALITY OF DATA 
  • 1.3 DANGAN GROUP AS A DATA CONTROLLER 
  • 1.4 THE DATA PROTECTION PRINCIPLES 
  • 1.5 DATA SUBJECT ACCESS REQUESTS 
  • 1.6 IMPLEMENTATION 
  • 1.7 DATA STORAGE & ARCHIVING 
  • 1.8 CONTINGENCY PLAN FOR DATA SECURITY BREACH 
  • 1.9 HOW BLUE SAFFRON LTD. T/A DANGAN GROUP COLLECTS PERSONAL DATA 
  • 1.10 DATA RIGHTS 

 

1.1 Introduction
The GDPR is an EU privacy law that requires businesses to disclose their policies regarding the collection, use, storage and deletion of user data while also providing privacy rights to EU consumers. The following policy outlines Blue Saffron Ltd. t/a Dangan Group’s principles in data collection and usage in accordance with the GDPR requirements.

As a Data Controller, Blue Saffron Ltd. t/a Dangan Group and its staff (hereafter referred to collectively as Blue Saffron Ltd. t/a Dangan Group) comply with the Data Protection principles set out in the relevant Irish legislation. A substantial proportion of the communications sent by Blue Saffron Ltd. t/a Dangan Group to its member organisations is considered ‘business to business’, and thereby exempt from obligations under the Data Protection legislation.

Electronic and non-electronic communications of this nature by Blue Saffron Ltd. t/a Dangan Group are sent only to non-individual business contacts and institutional subscribers. These come in the form of hard-copy mailings and e-mails. Hard-copy mailings go to business/company addresses, while business subscribers receive electronic mailings through their company email addresses.

In its role as an employer, Blue Saffron Ltd. t/a Dangan Group may keep information relating to a staff member’s physical, physiological or mental well-being, as well as their economic, cultural or social identity.

To the extent that Blue Saffron Ltd. t/a Dangan Group’s use of personal data qualifies as ‘business to customer’ processing, including the organisation’s communications to its staff and volunteers, the organisation is mindful of its obligations under the relevant Irish legislation, namely:

  • The Irish Data Protection Act (1988);
  • The Irish Data Protection (Amendment) Act (2003); and
  • The EU Electronic Communications Regulations (2011).

 

1.2 Environmental changes that may affect the quality of data
Blue Saffron Ltd. t/a Dangan Group’s policy is to be aware of environmental changes that affect the quality of data and to pre-empt the impact on our business and that of our clients. GDPR was the most recent change, one that we had spent two years preparing for.

 

1.3 Blue Saffron Ltd. t/a Dangan Group as a Data Controller
In the course of its daily organisational activities, Blue Saffron Ltd. t/a Dangan Group acquires, processes and stores personal data in relation to living individuals. To that extent, Blue Saffron Ltd. t/a Dangan Group is a Data Controller, and has obligations under the Data Protection legislation, which are reflected in this document.

In accordance with Irish Data Protection legislation, this data must be acquired and managed fairly. Dangan Group is committed to ensuring that all staff have sufficient awareness of the legislation in order to be able to anticipate and identify a Data Protection issue, should one arise. In such circumstances, staff must ensure that the Data Protection Officer (DPO) is informed, in order that appropriate corrective action is taken.

Due to the nature of the services provided by Blue Saffron Ltd. t/a Dangan Group, there is a regular and active exchange of personal data between Blue Saffron Ltd. t/a Dangan Group and its Data Subjects. In addition, Blue Saffron Ltd. t/a Dangan Group exchanges personal data with Data Processors on the Data Subjects’ behalf.  This is consistent with Blue Saffron Ltd. t/a Dangan Group’s obligations under the terms of its contracts with its Data Processors.

This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a staff member is unsure whether such data can be disclosed. In general terms, the staff member should consult with the Data Protection Officer to seek clarification.

 

1.4 The Data Protection Principles
The following key principles are enshrined in Irish legislation, namely GDPR Art. 5, and are fundamental to Blue Saffron Ltd. t/a Dangan Group’s Data Protection policy. In its capacity as Data Controller, Blue Saffron Ltd. t/a Dangan Group ensures that all data shall:

  • Be obtained and processed fairly and lawfully.
  • Be obtained only for one or more specified, legitimate purposes.
  • Not be further processed in a manner incompatible with the specified purpose(s).
  • Be kept safe and secure.
  • Be kept accurate, complete and up-to-date where necessary.
  • Be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed.
  • Not be kept for longer than is necessary to satisfy the specified purpose(s).
  • Be managed and stored in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them.

 

1.5 Data Subject Access Requests
As part of the day-to-day operation of the organisation, Blue Saffron Ltd. t/a Dangan Group’s staff engages in active and regular exchanges of information with Data Subjects.  Where a valid, formal request is submitted by a Data Subject in relation to the personal data held by Blue Saffron Ltd. t/a Dangan Group which relates to them, such a request gives rise to access rights in favour of the Data Subject.

Blue Saffron Ltd. t/a Dangan Group’s staff will ensure that such requests are forwarded to the Data Protection Officer in a timely manner, and that they are processed as quickly and efficiently as possible, but within not more than 40 calendar days from receipt of the request.

 

1.6 Implementation
As a Data Controller, Blue Saffron Ltd. t/a Dangan Group ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation through the Data Processor Agreement. Regular audit trail monitoring is done by the Data Protection Officer to ensure compliance with this Agreement by any third-party entity which processes Personal Data on behalf of Blue Saffron Ltd. t/a Dangan Group.

Failure of a Data Processor to manage Blue Saffron Ltd. t/a Dangan Group’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts. Failure of Blue Saffron Ltd. t/a Dangan Group’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.

 

1.7 Data Storage & Archiving

Security & Storage

The following policies apply to company computers, servers and databases:

  • Blue Saffron Ltd. t/a Dangan Group only provides limited access to personal data, on a need-to-know basis.
  • Servers, including the database server for hosting web content, web services and personal or non-personal data, are located within the Blue Saffron Ltd. t/a Dangan Group Computer Centre (CCC), with a specific IP address in Ireland.
  • The CCC is managed by a trusted IT operator under an SLA.
  • Any access to the computer systems is monitored and logged on a 24/7 basis.
    The log includes the username, access time and duration.
  • Computing devices, including PCs, laptops and mobile phones, are located within the Company office (with a specific IP address). Each device is protected by a unique password and has one designated owner. On a shared device, each user has their own unique password for access.
  • All computing/storage devices in the company and office are equipped with anti-virus software and protected by a firewall. Unattended devices are locked automatically with a screen saver.
  • Blue Saffron Ltd. t/a Dangan Group maintains a list of restricted databases and applications, along with a defined business owner for each listing. Only the account (contract) manager can authorize an individual to have any access to the restricted databases or applications.
  • Unescorted access is restricted to authorised persons for valid and documented business purposes.
  • Visitors to the company or to the areas housing the above infrastructure must be escorted by authorised staff, and their access must be logged with the visitor's identity, time in, time out and reason for entry. This information is maintained in a central record system for one year.
  • Computing and storage devices should be viewable by members of the public.
  • Disposal papers are kept in the green box for collected paper.
  • Email attachments from unexpected sources are not to be opened unless first screened by anti-virus software.


Network Access

  • Staff can access the Company network inside the office. Remote access is only allowed via VPN.
  • Modems must be locked in a case and the key removed and secured. They can only be accessed by the Security Officer.
  • The Company WIFI network is protected by password.
  • LANs shall be designed so as to limit the aggregation of data subject to unauthorised interception.
  • Active ports are not allowed on network backbones unless the port is located in the Company Computer Centre.
  • If a data port is located in the Company Public Space (e.g. reception), it must be supervised at all times while it is active.


Storage & Archive

  • Contents, web services and database are hosted and stored on designated Company storage servers, not on any local devices.
  • If downloading of personal data from above servers is necessary for data processing, such downloading can easily be blocked by technical means (disabling drives etc). Also, the downloaded data must be deleted immediately after the data processing.
  • Content, web services and database are backed up automatically on a daily basis.
  • Content, web services and database are archived from backups and retained for 1 year.
  • Storage backup media are stored in the Company Computer Centre at all times.
  • All databases including backups are in encrypted format and protected by password.
  • Records of data wiping are stored electronically in the central record system.
  • Cloud-based or file-sharing systems are only used when agreed with all parties; data files should be password protected and removed once the transfer is completed.

 

1.8 Contingency Plan for Data Security Breach
Blue Saffron Ltd. t/a Dangan Group’s communications strategies are predicated on establishing a comprehensive understanding of the relevant audience so as to produce an appropriate response to, and management of, a data security breach. To this end, Blue Saffron Ltd. t/a Dangan Group and our PR partners have extensive experience in the organisation and management of community consultation processes, including extensive engagement with local and regional media.

We would envisage, as part of a communications strategy that would fall within client engagements, the design of a communications toolkit to underpin the process, in order to ensure best practice in engagement with key media, stakeholders and affected citizens.

 

1.9 How Blue Saffron Ltd. t/a Dangan Group collects personal data
Different personal data is collected in different ways:
a) Personal data you provide to Blue Saffron Ltd. t/a Dangan Group (personal identification information, namely name, email address, phone number, address, nationality, date of birth, bank details.)

b) Personal data we collect automatically (as you use the Website, Blue Saffron Ltd. t/a Dangan Group will collect technical data including your browser type, the Internet Protocol (IP) address used to connect your computer to the internet, and your usage habits.)

 

1.10 Data Rights
The GDPR grants individuals the following rights over their personal data:

  • The right of access. This enables them to receive a copy of their data and to check that we are lawfully processing it.
  • The right to rectification. This enables them to ask us to correct any incomplete or inaccurate information we hold about them.
  • The right to erasure. This enables them to ask us to delete or remove their data where there is no good reason for us continuing to process it.
  • The right to restrict processing. This enables them to request that Our Company restrict the processing of their personal data, under certain conditions.
  • The right to data portability. This enables them to request that Our Company transfer the data that we have collected to another organisation or to them, under certain conditions.
  • The right to object to processing. This enables them to object to Our Company’s processing of their personal data, under certain conditions.

 

Brian Whelan
Managing Director
July 2023