As well as being a primary piece of EU legislation, the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, also provides that individual member states may enact their own legislation to give specific interpretation to the application of some of the provisions covered under the GDPR. In the Republic of Ireland, this is contained within the Data Protection Bill 2017 (enacted as the Data Protection Act 2018).
During the course of day-to-day business, FOAM-PRO gathers and uses certain information about individuals. Such individuals can include customers, suppliers, business contacts, employees, and other persons with which the organisation has a relationship or may need to contact.
This Data Protection Policy (hereinafter referred to as the “Policy”) describes how personal data must be collected, handled, and stored to meet the company's data protection standards and comply with the law.
This Policy has been established to ensure FOAM-PRO:
Complies with data protection law and follows good practice;
Protects the rights of staff, clients, and associates;
Is open about how it stores and processes individuals' data; and
Protects itself from the risks of a data breach.
Ownership
Everyone who works for or with FOAM-PRO is responsible for ensuring data is collected, stored, and handled appropriately. All staff have a personal responsibility to ensure compliance with the principles of the applicable Data Protection legislation and to adhere to our Policy.
Further comments or questions on the content of this Policy should be directed to our team via the Contact page on the website.
Data Protection Principles
This Policy adopts eight principles governing the use of personal information, which must be complied with unless an exemption applies. (The GDPR itself states its principles in Article 5 and the rights of data subjects in Chapter III; the eight principles below cover the same ground in the form used by earlier data protection law.)
These principles are, in essence, a code of good practice for processing personal data. They state that personal data must:
1. Be processed fairly and lawfully. This means we must:
Have legitimate grounds for collecting and using the personal data;
Not use the data in ways that have unjustified adverse effects on the individuals concerned;
Be transparent about how we intend to use the data and give individuals appropriate and fair processing notices when collecting their personal data;
Handle individuals’ personal data only in ways they would reasonably expect;
Make sure we do not do anything unlawful with the data.
2. Be obtained for one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose or those purposes. This means that we must:
Be clear from the outset about why we are collecting personal data and what we intend to do with it;
Comply with the fair processing requirements of the GDPR, including the duty to give clear and fair processing notices to individuals when collecting their personal data;
Comply with what the GDPR says about notifying the supervisory authority (in Ireland, the Data Protection Commission);
Ensure that if we wish to use or disclose the personal data for any purpose that is additional to, or different from, the originally specified purpose, the new use or disclosure is fair and compatible with the original purpose.
3. Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed. As such, we:
May only hold personal data about an individual that is sufficient for the purpose or purposes for which it is being collected;
May not hold more information than is needed for the applicable purpose or purposes.
4. Be accurate and, where necessary, kept up to date. Furthermore, we will:
Take reasonable steps to ensure the accuracy of any personal data we obtain;
Ensure that the source of any personal data is clear;
Carefully consider any challenges to the accuracy of information;
Consider whether it is necessary to update the information.
5. Not be kept for longer than is necessary. In this regard, we shall:
Review the length of time we keep personal data;
Consider the purpose or purposes for which we hold the information in deciding whether (and for how long) to retain it;
Securely delete information that is no longer needed;
Update, archive, or securely delete information if it goes out of date.
6. Be processed in accordance with the rights of data subjects under the Data Protection Bill 2017 and the GDPR, and in doing so, accept that providers of personal data shall have:
A right of access to a copy of the information held in their personal data file;
A right to object to processing that is likely to cause or is causing damage or distress;
A right to prevent processing for direct marketing;
A right to object to decisions being taken by automated means;
A right in certain circumstances to have inaccurate personal data rectified, blocked, erased, or destroyed;
A right to claim compensation for damages caused due to a breach of the GDPR by FOAM-PRO.
7. Be protected in appropriate ways. Accordingly, we shall:
Design and organise security to fit the nature of the personal data we hold and the harm that may result from an information security breach;
Be clear about who in the organisation is responsible for ensuring information security;
Make sure we have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff;
Be ready to respond to any breach of security swiftly and effectively.
8. Not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, or appropriate safeguards (such as standard contractual clauses) are in place as permitted by the GDPR.
Breach Notification
Under the GDPR, notifying a breach of personal data is mandatory in all EU member states where the breach is likely to “result in a risk to the rights and freedoms of individuals”. Any such breach must be reported to the supervisory authority without undue delay and, where feasible, no later than 72 hours after FOAM-PRO first becomes aware that the breach has occurred. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
Right to be Forgotten
Data Subjects may request that FOAM-PRO erase their personal data, cease further dissemination of the data, and request that any third parties in receipt of their personal data halt processing of it. We may, in certain circumstances, retain some data to ensure compliance with other legal obligations; however, where no such justification to retain data exists, the Data Subject’s right to be forgotten applies.
Privacy By Design
FOAM-PRO strives to implement appropriate and effective technical and organisational measures in order to meet the requirements of the GDPR and protect the rights of all FOAM-PRO Data Subjects. Accordingly, we endeavour to obtain, hold, and process only the data strictly necessary for the performance of our duties (“data minimisation”), and to limit access to personal data strictly to those who need it to carry out the processing.
Communication with Staff and Service Users
FOAM-PRO is committed to reviewing all current data privacy notices and alerting individuals to the collection of their data. In doing so, we shall promptly identify and rectify any discrepancy between the extent of data actually collected and the data required for processing.
What Data is Collected
FOAM-PRO may collect and use data about you even if you are not a customer, for example where you work directly or indirectly with one of our customers, or where you are a potential client seeking to avail of our services.
Data collected, used, and held by FOAM-PRO may include information:
To identify you, including your contact information;
You have otherwise consented to FOAM-PRO collecting and using.