1. PURPOSE OF CONTRA 4 BUSINESS DATA PROTECTION POLICY

  1. 1.1  The purpose of this Data Protection Policy is to provide for the protection of the rights and privacy of individuals about whom the Company processes personal data in accordance with the Data Protection Acts (Data Protection Act 1988 and Data Protection (Amendment) Act 2003).
  2. 1.2  Contra 4 Business is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Acts and acknowledges the rights that these Acts confer on individuals as well as the responsibilities the Acts place on Company employees who process personal data in the course of their duties.

2. DATA PROTECTION DEFINITIONS

  1. 2.1  The Data Protection Acts provide for the collection, processing, retention and eventual destruction of personal data in a responsible and secure way thereby avoiding its misuse.
  2. 2.2  Personal Data and Sensitive Personal Data
  1. 2.2.1  ‘Personal data’ is data that relates to a living individual who is identifiable either from the data itself or from the data in conjunction with other information held by the Company.
  2. 2.2.2  ‘Personal data’ has a very broad-ranging definition and includes, but is not limited to, a person’s name, physiological, economic, cultural, social identity, pseudonyms, occupation, address etc.
  3. 2.2.3  The Acts differentiate between ‘personal data’ and ‘sensitive personal data’. ‘Sensitive personal data’ relates to a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; physical and mental health; sexual life; criminal convictions, the alleged commission of an offence and trade union membership.
  4. 2.2.4  For the purposes of this Policy, references to ‘personal data’ are deemed to refer to both ‘personal data’ and ‘sensitive personal data’.
  5. 2.2.5  Personal data may be held in either electronic form (e.g. on a computer system, CCTV system) or in hard-copy.

2.3 Consent

2.3.1 At the time of providing any personal data to the Company, individuals must be made aware of the use(s) for which the data is being collected and give their consent to such use(s).

2

2.4 Personal Data related to Deceased Persons

2.4.1 Best practice requires that where personal data relating to deceased persons is held, this data is retained and processed in the same manner as personal data relating to living individuals.

2.5 Anonymised Personal Data

2.5.1 Personal data collected anonymously or irrevocably anonymised to the extent that the individual cannot be identified from the data is not subject to the requirements of the Data Protection Acts or this Policy.

3. USE OF PERSONAL DATA AT CONTRA 4 BUSINESS

  1. 3.1  In order to fulfill its functions, the Company (as ‘data controller’) must collect and process certain personal data about its employees, customers and other individuals who come in contact with the Company.
  2. 3.2  All personal data collected and processed by the Company must be treated with the highest standards of security and confidentiality in order to comply with the Data Protection Acts.
  3. 3.3  Any provision for the Company, as a ‘data controller’, to use a third party (known as a ‘data processor’) must be the subject of a written agreement. All proposed agreements between the Company and a third party must be developed in conjunction with the relevant legal advisors of Contra 4 Business.

4. PROCESSING OF PERSONAL DATA

  1. 4.1  The Data Protection legislation imposes a number of restrictions on how the Company may process personal data.
  2. 4.2  The Company must handle personal data in accordance with the eight stated data protection principles outlined in the Acts as follows:
    1. (a)  Obtain and process the personal data fairly;
    2. (b)  Keep only for one or more specified and lawful purpose(s);
    3. (c)  Use and disclose only in ways compatible with the purpose(s) for

      which it was initially provided;

    4. (d)  Keep safe and secure;
    5. (e)  Keep accurate, complete and up-to-date;
    6. (f)  Ensure that it is adequate, relevant and not excessive;
    7. (g)  Retain for no longer than is necessary for the specified

      purpose(s);

    8. (h)  Provide a copy of his/her personal data to an individual, on

      request.

5. RESPONSIBILITIES OF COMPANY EMPLOYEES & AGENTS

5.1 This Policy applies to all departments, offices, units and areas of work that form part of the Company structure and applies to all personal data processed by the Company.

3

  1. 5.2  While the Company as a whole has the overall responsibility for ensuring compliance with the Data Protection Acts, responsibility for the implementation of this Policy rests with the Head of each area of activity in the Company to ensure good data handling practices are in place in order to uphold the privacy of personal data within their respective areas of responsibility.
  2. 5.3  Notwithstanding the foregoing, all employees of the Company who collect or use personal data as part of their duties have a responsibility to ensure that they process personal data in accordance with the conditions set down in this Policy, the Company’s Data Protection Compliance Regulations, the Data Protection Acts and any other relevant Company policies/regulations/procedures.
  3. 5.4  Contra 4 Business Data Protection Regulations

5.4.1 In order to assist employees in implementing this Policy, Data Protection Compliance Regulations are available at contra4business.com. These regulations set out key areas of work at the Company where data protection issues may arise and outline best practice in dealing with them.

6. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH

  1. 6.1  A personal data breach may be defined as an incident where unauthorised disclosure, loss, destruction or alteration of personal data occurs through, for example, loss or theft of a portable device, accidental disclosure via email/other electronic system, loss of hard copy records etc.
  2. 6.2  In the event of a personal data breach, Contra 4 Business must be notified immediately email: info@contra4business.com). Contra 4 Business will ensure, where appropriate and required, that the data subjects and the Data Protection Commissioner’s Office are notified within a maximum of two days of a breach occurring as required by the Data Protection Commissioner’s ‘Personal Data Security Breach Code of Practice’ (available at www.dataprotection.ie).
  3. 6.3  Breaches of the terms and conditions of this Policy and the Company’s Data Protection Compliance Regulations could result in major reputational and financial damage to the Company

7. DATA SUBJECT ACCESS REQUESTS

7.1 Under the Data Protection Acts, data subjects are entitled to make a request for their personal data held by the Company for a fee not in excess of €6.35. Any such requests should be made in writing to: The Managing Director, Contra 4 Business, 6 – 9 Trinity Street, Dublin 2 D02 EY47.

8. REVIEW

8.1 This Policy will be reviewed regularly in light of any legislative changes.