Data Purpose Limitation and Retention Policy
At EUROSTALLIONS we collect and process your personal data in order to offer you our services. As part of our duty to you under GDPR and Irish Data Protection law we are required to have a Data Purpose Limitation and Retention Policy.
1. Data Purpose Limitation
We collect your data for the purposes of offering you the services to which you are entitled under our Terms of Service (under GDPR this is the lawful basis of processing necessary for the performance of a contract, Article 6(1)(b)). These purposes are set out in our Data Protection Policy.
We process that data solely for the purposes of offering you our services. We do not process your data for any other purposes unless we are required to do so by law or we have your consent.
Should we seek to process your data for any other purpose, we will seek your consent to process it for this new purpose.
2. Data Minimisation
EUROSTALLIONS observes the principle of data minimisation. We do not collect data unless it is relevant for the delivery of our services to you.
3. Data Retention
We retain your data during the active life of your business with us. We understand that this active business relationship may be episodic and last over many years. While you do business with us we will keep your data. Thereafter we will erase and delete your files unless we are required to retain your files by law or regulations.
In general EUROSTALLIONS deletes files on an annual basis unless required to keep files by law or to permit the maintenance of a continuing business relationship.
EUROSTALLIONS reserves the right to preserve relevant data (including your personal data as the case may be) for such periods as may be required by law to permit EUROSTALLIONS to exercise its rights under GDPR or Irish law.
4. Limitations on Processing
You have the right under GDPR (Article 18) and Irish law to restrict processing of your personal data, for example where you need the data to establish, exercise or defend a legal claim, or where you have objected to the processing under Article 21(1) of GDPR and we have not yet verified whether our grounds override yours.
EUROSTALLIONS may, as resources permit, archive your file for the periods required by law. Thereafter it will delete your file.
Data Loss Notification Procedure
This document sets out the procedure to be followed when a data breach occurs. It is for internal use only and for disclosure to the Data Protection Commissioner or similar interested party as proof of compliance with GDPR and Irish Law.
The effect of a data breach on EUROSTALLIONS’s reputation and the reputation of its clients has the potential to cause significant damage.
Duty to Notify
A data breach must be notified without undue delay to the Data Protection Commissioner and, where feasible, within 72 hours of EUROSTALLIONS becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This is a low threshold and, given that 72 hours may be too short a time to establish whether there is a risk to the rights and freedoms of natural persons, it is advised that in the event of a data breach the presumption should be to report unless it is apparent that there is no risk.
Definition of a Data Breach
Per Article 4(12) of GDPR a Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
In practical terms this may occur through:
- The loss of a laptop, memory stick or mobile device that contains personal data,
- Lack of a secure password on personal computers and applications,
- Emailing a list of customers to someone in error,
- Giving a system login to an unauthorised person,
- Failure of a door lock or some other weakness in physical security which compromises personal data,
- Failure to secure paper files in secure cabinets,
- Failing to restrict access to files.
When a Breach Occurs
When any staff member finds or suspects that a breach has occurred, or that a potential breach may occur, he or she should implement this policy.
- Notify your line manager (if you have one) or senior management that you know or suspect a breach has occurred.
- Open a file to record the data breach. The file should contain the following items:
- Number of data subjects affected,
- Types of data,
- Number of records,
- Likely consequences of the breach,
- Remedial measures to cure the breach,
- Contact details of the relevant staff member dealing with the Data Protection Commissioner.
- Try to assess the scope of the breach. Is it:
- Destruction of personal data,
- Loss of personal data,
- Alteration of personal data,
- unauthorised disclosure of personal data,
- or unauthorised access to personal data?
- If destroyed, assess the cost of the loss and assess if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- If lost, assess whether third parties have or are likely to have access to the data, i.e. is it encrypted or secured by some other means? Assess if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- If altered, assess the effect of the alteration and assess if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- If disclosed without authorisation, assess the cost or effect, if any, of the disclosure and assess if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- If unauthorised access has been gained, assess the cost or effect of that unauthorised access and assess if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- Having assessed the impact of the breach of personal data, decide if the assessment can be made that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If it is unlikely to cause a risk, you should still record the data breach.
- If it is likely to cause a risk to the rights and freedoms of natural persons, record the data breach and make a report to the Data Protection Commissioner. The standard for notification is quite low and the reporting time is very tight, 72 hours, which may not be enough time to make an assessment of risk. It is therefore good practice to make a report to the Data Protection Commissioner by default rather than to add a second breach of the GDPR to the breach of personal data.
- If it is likely to cause a high risk to the rights and freedoms of natural persons then the data subject should be informed, unless the data were encrypted (or otherwise rendered unintelligible to anyone not authorised to access them, which requires that the keys were not also compromised), or you have taken steps to ensure that the high risk is no longer likely to occur, or notifying each data subject would involve disproportionate effort, in which case a public communication or similar measure must be made instead.
- A notification to the data subject should include:
- the contact details of the staff member handling the matter,
- The likely consequences of the breach
- Measures taken to remedy the breach.
Data Subject Access Request Policy and Procedure
1. Your Rights
You have the right to access your data held by EUROSTALLIONS in order to be aware of the personal data held by us, to verify this data, and to verify the lawfulness of our processing of this data.
Once you request access to your data, we have one month to provide access to your data or to tell you if there will be a delay or difficulty in providing access within that month. If there is difficulty, such as collating data from many sources, we may extend the period by a further two months; we will tell you within the first month that we are extending it and why.
We are obliged to provide you with a copy of your personal data and with the following information regarding the processing of your information should you request it:
- The purposes for data processing;
- The categories of personal data stored;
- The recipients to whom the data has been or will be disclosed, including any recipients in third countries or international organisations;
- How long the data will be stored or the criteria which will be used to decide how long it will be stored;
- Any available information on the source of the data;
- Whether or not any automated decision making, such as profiling, has been applied to your personal data.
- If automated decision making / profiling has been used, you are entitled to meaningful information on the logic used in the automated decision making process as well as the impact or consequences of such decision making.
Once you have received an answer to your data subject access request, you may:
- Request the rectification of any errors in your data;
- Object to the processing of your data;
- Request that the processing of your data be restricted;
- Request the erasure of your personal data if:
- The data is no longer necessary for the purpose for which it was collected,
- You withdraw consent to processing and there is no other legal reason to process the data,
- If you object and we can demonstrate no overriding legitimate interest for processing the data,
- If obliged by law to erase the data,
- If the data was collected from a child in relation to the offer of online (information society) services,
- If the data has been unlawfully processed in breach of GDPR.
- You have the right at all times to lodge a complaint with the Data Protection Commissioner.
- You have the right to a portable copy of your data in a machine readable format, if we can so supply it.
2. Data Access Procedure
We are required to accede to your data access request but we are also required to maintain the security of your data. GDPR requires that we verify your identity so we have implemented the following data access procedure:
- We can only act on a data access request once we have verified the identity of the person making it.
- We cannot give you anyone else’s data unless you are the verified agent(s) of the data subject and provide proof of your permission to receive such data.
- We will comply with your request and send you a copy of your data within the time limits specified by GDPR and Irish law.
- We are required to record the fact that you have made a data access request, a data rectification request, or a data erasure request.
- Please contact EUROSTALLIONS at: AGHANCARNAN, DURROW, TULLAMORE, CO. OFFALY