Data Protection Policy
This document provides a concise policy regarding the data protection obligations of the Jesuit Centre for Faith and Justice and is part of the organisation’s commitment to data protection by design and default.
Jesuit Centre for Faith and Justice is a data controller regarding the personal data which it manages, processes and stores. All stakeholders of the Jesuit Centre for Faith and Justice may refer to guidance provided by the Office of the Irish Data Protection Commissioner for advice regarding best practice in this area.
Our commitment to Data Protection
We believe in establishing a clear, transparent and accountable approach to our data protection to ensure that all those who support and engage with the Jesuit Centre for Faith and Justice can do so reassured that we will handle their personal data in a secure, transparent and responsible manner with full respect for their privacy, in line with all relevant legal obligations.
Purpose of this Policy
As a data controller the Jesuit Centre for Faith and Justice must comply with the data protection principles set out in the relevant Irish and EU legislation. This Policy applies to all personal data collected, processed and stored by the Jesuit Centre for Faith and Justice in the course of its activities. This Policy is designed to ensure the Jesuit Centre for Faith and Justice’s compliance with the European General Data Protection Regulation (GDPR) which comes into effect on 25 May 2018.
Definitions of terms used in this Policy:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘Processor’ means a natural or legal person, which processes personal data on behalf of the controller;
‘Recipient’ means a natural or legal person, to which the personal data are disclosed, whether a third party or not.
‘Third party’ means a natural or legal person, other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Supervisory authority’ means the Irish Data Protection Commissioner, as an independent public authority established by Ireland pursuant to Article 51 of the GDPR.
Jesuit Centre for Faith and Justice, as a data controller, collects, processes and stores personal and data on an ongoing basis about its staff, and stakeholders who come into contact with the organisation through our work.
We process personal data for the following reasons:
- The creation and management of mailing lists
- The collection and management of donations
- The recruitment, management and payment of staff
- Compliance with statutory obligations
Jesuit Centre for Faith and Justice also contracts other companies to act as data processors for the personal data collected by us. This Policy applies to all data collected, both manually and automated, held by the Jesuit Centre for Faith and Justice. This includes electronic and paper records.
The Data Protection Policy is maintained by The Jesuit Centre for Faith and Justice’s DPO and is approved by the Executive Leadership Team. Further comments or questions on the content of this 4 Policy should be directed to the DPO. Any material changes to this Policy will require approval by the Executive Leadership Team.
The use of third-party data processors
In the course of its role as data controller, the Jesuit Centre for Faith and Justice engages third-party service providers, or data processors, to process personal data on its behalf. In each case, a formal, written contract is in place with the processor, outlining their obligations in relation to the personal data, the security measures that they must have in place to protect the data, the specific purpose or purposes for which they are engaged, and the understanding that they will only process the data a) as instructed by the Jesuit Centre for Faith and Justice, and b) in compliance with the European General Data Protection Regulation and the EU Electronic Communications Regulations. The contract will also include reference to the fact that the data controller is entitled, from time to time, to audit or inspect the data management activities of the data processor, and to ensure that they remain compliant with the relevant legislation, and with the terms of the contract. Failure of a data processor to manage the Jesuit Centre for Faith and Justice’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts if necessary.
Data Protection Principles
The following key Principles are enshrined in EU legislation and are fundamental to the Jesuit Centre for Faith and Justice’s Data Protection Policy.
In its capacity as data controller, the Jesuit Centre for Faith and Justice ensures that all data shall:
Be obtained and processed fairly and lawfully.
The Jesuit Centre for Faith and Justice will only process personal data in line with one of the lawful basis enshrined in Article 7 of the GDPR. The Jesuit Centre for Faith and Justice will fulfil its obligation in this regard by ensuring that:
Where possible, the informed consent of the data subject will be sought before their data is processed. The Jesuit Centre for Faith and Justice will ensure that the request for consent is presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The Jesuit Centre for Faith and Justice will also ensure that the data subject is made aware of his or her right to withdraw his or her consent at any time.
Where it is not possible to seek consent, the Jesuit Centre for Faith and Justice will ensure that collection of the data is justified under one of the other lawful processing conditions listed in Article 7 of the GDPR (compliance with legal obligation, contractual necessity, vital interests of data subject, public interest, or the legitimate interests of the data controller).
Where the data processed by the Jesuit Centre for Faith and Justice can be considered sensitive personal data, as defined in Article 9 of the GDPR, the organisation will not collect, process and store such data, unless permissible under the exemptions listed in Article 2 (a-j) of the GDPR.
Processing of the personal data will be carried out only as part of the Jesuit Centre for Faith and Justice’s lawful activities, and it will safeguard the rights and freedoms of the data subject.
The data subject’s personal data will not be disclosed to a third party other than to a party contracted by the Jesuit Centre for Faith and Justice and operating on its behalf, or where the Jesuit Centre for Faith and Justice is required to do so by law.
Be obtained only for one or more specified, legitimate purposes
The Jesuit Centre for Faith and Justice will obtain data for purposes which are specific, lawful and clearly stated. A data subject will have the right to question the purpose(s) for which the Jesuit Centre for Faith and Justice holds their data, and the Jesuit Centre for Faith and Justice will be able to clearly state that purpose or purposes.
Not be further processed in a manner incompatible with the specified purpose(s).
Any use of the data by the Jesuit Centre for Faith and Justice will be compatible with the purposes for which the data was acquired and the Jesuit Centre for Faith and Justice will take steps to ensure that no personal data will be further processed in a manner that is incompatible with those purposes in line with the principles laid down in Article 5 of the GDPR.
Be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed.
The Jesuit Centre for Faith and Justice will ensure that the data it processes in relation to data subjects is adequate, relevant and limited to what is necessary in relation to the purposes for which the data is collected, in line with the principles laid down in Article 5 of the GDPR. Data which is not relevant to such processing will not be acquired or maintained, in line with the principle of data minimisation.
Be kept accurate, complete and up-to-date where necessary.
The Jesuit Centre for Faith and Justice has adopted a Data Quality Policy, in line with the principles laid down in Article 5 of the GDPR, to:
Ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
Conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. The Jesuit Centre for Faith and Justice conducts a review of sample data every six months to ensure accuracy;
Ensure that staff contact details and details on next-of-kin are reviewed and updated every two years, or on an ‘ad hoc’ basis where staff members inform the office of such changes;
Conduct regular assessments in order to validate the need to keep certain personal data;
Ensure that every reasonable step is taken to ensure that inaccurate personal data is erased or rectified without delay.
Not be kept for longer than is necessary to satisfy the specified purpose(s).
The Jesuit Centre for Faith and Justice will ensure that personal data is not kept for longer than is strictly necessary for the purpose for which the data is processed, in line with the principles laid down in Article 5 of the GDPR. To fulfil this commitment, the Jesuit Centre for Faith and Justice has developed a Data Retention Policy and associated schedule to ensure the Jesuit Centre for Faith and Justice fulfils its obligation in regards to retention periods for all categories of personal data processed by the organisation. Once the respective retention period has elapsed, the Jesuit Centre for Faith and Justice undertakes to destroy, erase or otherwise put this data beyond use.
Be kept safe and secure
The Jesuit Centre for Faith and Justice will ensure that the personal data it collects will be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. To this end, the Jesuit Centre for Faith and Justice will employ high standards of security in order to protect the personal data under its care.
In the event of a data breach likely to result in a risk to the rights and freedoms of the data subject or other persons, the Jesuit Centre for Faith and Justice will notify the Irish Data Protection Commissioner without undue delay and, where feasible, within 72 hours after having become aware of the breach, in line with Article 33 of the GDPR.
In the event of a data security breach affecting the personal data being processed on behalf of the data controller, the relevant third-party processor will notify the data controller without undue delay.
Data subject rights: Clear and easily accessible communication
The Jesuit Centre for Faith and Justice will take appropriate measures to ensure any and all communication with a data subject is conducted in a concise, transparent, intelligible and easily accessible from, using clear and plain language that is easy for the data subject to understand. Information provided to data subjects the Jesuit Centre for Faith and Justice will ensure that all data subjects will be made aware, at the time their data is being collected, of:
- The identity of the data controller (the Jesuit Centre for Faith and Justice);
- The contact details of the DPO;
- The purpose(s) for which the data is being processed;
- The legitimate interests pursued by the controller (if processing is based on Article 6 (1)(f) of the GDPR)
- The person(s) to whom the data may be disclosed by the data controller;
- Any other information that is necessary so that the processing may be considered fair. Right of access by data subjects
Upon receipt of a valid, formal request by a data subject in relation to the personal data held by the Jesuit Centre for Faith and Justice which relates to them, the organisation will provide the data subject with the following information, free of charge, in line with Article 15 of the GDPR:
- The purposes for processing the data.
- The categories of personal data concerned.
- To whom the data has been or will be disclosed.
- Whether the data has been or will be transferred outside of the EU.
- The period for which the data will be stored, or the criteria to be used to determine retention periods.
- Information about the right to make a complaint to the Irish Data Protection Commissioner.
- Information about the right to request rectification or deletion of the data.
- Whether the individual has been subject to automated decision making.
The Jesuit Centre for Faith and Justice will ensure that all subject access requests receive a response within 30 days.
Right to rectification and the right to be forgotten
As covered above in point 5 of this Policy, The Jesuit Centre for Faith and Justice has put in place processes to ensure the complete and accurate nature of the personal data it collects. However, in the event that a data subject submits a valid request for correction or completion of incorrect or incomplete data, the Jesuit Centre for Faith and Justice will ensure that any such data will be rectified or completed without undue delay, in line with Article 16 of the GDPR, and that the data subject is informed of the correction or completion of data.
The Jesuit Centre for Faith and Justice will ensure that, upon request of the data subject, and where one of the specific grounds listed in Article 17 of the GDPR applies, all personal data related to the data subject in question is erased without undue delay, and that the data subject is informed of the erasure.
The right to restriction of processing and the right to object
The Jesuit Centre for Faith and Justice will put in place processes that ensure respect for a data subject’s right to object or have restriction put in place against processing of their data.
The Jesuit Centre for Faith and Justice will ensure these processes comply fully with Articles 19 and 21 of the GDPR.
This Policy will be reviewed at least annually to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.
Should you wish to contact the relevant supervisory authority in relation to a data protection issue involving the Jesuit Centre for Faith and Justice, you should contact:
The Irish Data Protection Commissioner Telephone +353 57 8684800 +353 (0)761 104 800
Fax +353 57 868 4757
Dublin Office: 21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland
Portarlington Office: Canal House Station Road, Portarlington, R32 AP23 Co. Laois