Bord na Móna Plc and its subsidiaries (“we” or “Bord na Móna”) collect, use, share and hold certain Personal Data about current, past and prospective consumers, customers, suppliers, business contacts, employees and other people in the course of its business activities. Personal Data must be processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and other applicable national and European privacy legislation and regulations (together the “Data Protection Law”).
A person whose personal data we hold hereafter referred to as “you” and “your” shall have a corresponding meaning.
We use the words Personal Data to describe information that is about you or others from which you or they are identifiable. Other key data protection terms are defined in Schedule 1 (Definitions of key data protection terms).
- ensure Bord na Móna protects the rights of customers, staff and partners;
- describe what personal data Bord na Móna holds and how it processes it;
- ensure Bord na Móna complies with the Data Protection Law; and
- allow Bord na Móna to demonstrate compliance with the Data Protection Law particularly in accordance with Article 24(1) of the GDPR.
This policy is part of the appropriate arrangements and structures put in place that are, in the Directors’ opinion, designed to secure material compliance with the company’s “relevant obligations” under the Companies Act 2014.
Personal Data we process
Bord na Móna holds personal data in relation to current, past and prospective:
- business contacts.
We endeavour to keep the Personal Data we process accurate and up to date and held securely.
Furthermore, Personal Data is stored in as few places, with as few copies, as is reasonably possible.
Our staff are trained not to create any unnecessary additional copies of Personal Data.
How we use Personal Data
We use Personal Data to carry out our business activities. The purposes for which we use your Personal Data may differ based on our relationship, including the type of communications between us and the services we provide.
The main purposes include using Personal Data to:
- provide our products and services;
- manage the employment relationship including to process payroll for our employees, make corporate discounts available to our employees, distribute the company magazine to our employees;
- process customer and supplier invoices;
- communicate with you and other individuals;
- improve the quality of our products and services, provide training and maintain information security (for example, for this purpose we may record or monitor phone calls to improve our quality of service to our customers.);
- carry out research and analysis, including analysis of our customer base and other individuals whose Personal Data we collect;
- provide marketing information in accordance with preferences you have told us about (marketing information may be about offers or discounts or our other products and services);
- manage our business operations and IT infrastructure, in line with our internal policies and procedures;
- manage complaints, feedback and queries, and handle requests for data access or correction, or the exercise of other rights relating to Personal Data;
- comply with applicable laws and regulatory obligations, for example, laws and regulations and statutory responsibilities relating to employee working time regulations, tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring, anti-money laundering, sanctions and anti-terrorism; comply with legal process and court orders; and respond to requests from public and government authorities (including those outside your country of residence); and
- establish and defend legal rights to protect our business operations and those of our business partners.
Automated decisions using Personal Data
We may use automated decision-making tools (i.e. where a person is not involved in the decision). We typically use these tools when making straightforward decisions about you. Where this is the case we may provide you with more information at the time to aid your understanding of what is involved.
Responsibility for Personal Data
When employees or others that work on Bord na Móna’s behalf handle Personal Data we will always ask that they treat Personal Data in a confidential, secure manner and will require them to comply with the Confidentiality Code of Conduct set out in Schedule 2.
Sharing of Personal Data
In connection with the purposes described above, we may need to share your Personal Data with third parties. The types of third parties with which we may share your Personal Data are further described in the Third-Party Disclosures set out in Schedule 3.
When we provide Personal Data to third parties, the third parties will be selected carefully and required to use appropriate measures to protect the confidentiality and security of the Personal Data. Those third parties will assume certain responsibilities under the Data Protection Law for looking after the Personal Data that they receive from us.
In certain circumstances, Data Protection Law allows Personal Data to be disclosed to law enforcement agencies without the consent of the Data Subject. In such circumstances, we will disclose requested Personal Data to the extent permitted by, and in accordance with, applicable Data Protection Law.
Where necessary, line managers can be given proxy access to a direct reports email account where this has been authorised. For example, when a user is off sick, on leave or has left the company, access may be necessary for the proper and uninterrupted functioning of the business. Proxy access will be enabled for a 2-week period to administer the account.
International Transfers of Personal Data
When making these transfers, we will take steps to ensure that your Personal Data is adequately protected and transferred in accordance with the requirements of the Data Protection Law.
This may involve the use of data transfer agreements in the form approved by the European Commission or another mechanism recognised by data protection law as ensuring an adequate level of protection for Personal Data transferred outside the EEA (for example, standard contractual clauses).
For further information about these transfers and to request details of the safeguards in place, please contact by email at: firstname.lastname@example.org.
Security of Personal Data
Bord na Móna uses appropriate technical, physical, legal and organisational measures, which comply with data protection laws to keep Personal Data secure.
As most of the Personal Data we hold is stored electronically we have implemented appropriate IT security measures to ensure this Personal Data is kept secure. For example, we may use anti-virus protection systems, firewalls, and data encryption technologies. We have procedures in place at our premises to keep any hard copy records physically secure. We also train our staff regularly on data protection and information security. It is the responsibility of all employees to handle Personal Data securely and in line with such data security and storage guidelines set out by Bord na Móna from time to time.
When Bord na Móna provides Personal Data to a third party (including our service providers) or engages a third party to collect Personal Data on our behalf, the third party will be selected carefully and required to use appropriate security measures to protect the confidentiality and security of Personal Data. For example, Personal Data is encrypted / password protected where appropriate.
Unfortunately, no data transmission over the Internet or electronic data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any Personal Data you might have sent to us has been compromised), please immediately notify us.
If there is ever a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Bord na Móna will follow the Bord na Móna’s Data Breach Procedure.
Legal justifications for our processing of Personal Data
To comply with Data Protection Law, we are obliged to advise you of the legal justification we rely on for using your Personal Data for our purposes.
While the law provides for several legal justifications, the main legal justifications that apply to our purposes for using Personal Data are:
- Contractual Necessity,
- Legal Requirements, and
- Legitimate Interest.
In order to enable us to fulfil the terms of our contract with you (or someone else) or in preparation of entering into a contract with you (or someone else), we may be required to obtain certain Personal Data from you. We will inform you of the legal justifications for which we are obtaining your personal data when we obtain your Personal Data. In some circumstances, we may be legally required to obtain certain personal data from you. In these instances, we may not be able to provide our products or services to you if you do not provide the relevant Personal Data to us. If you would like further information, please contact us at email@example.com.
Where we rely on our legitimate business interests or the legitimate interests of a third party to justify the purposes for using your Personal Data, our legitimate interests will usually be:
- the pursuit of our commercial activities and objectives, or those of a third party (for example, by carrying out direct marketing);
- compliance with applicable legal and regulatory obligations, and any guidelines, standards and codes of conduct (for example, by carrying out background checks or otherwise preventing, detecting or investigating fraud or money laundering);
- improvement and development of our business operations and service offering, or those of a third party;
- protection of our business, shareholders, employees and customers, or those of a third party (for example, ensuring IT network and information security, enforcing claims, including debt collection); and
- analysing competition in the market for our services (for example, by carrying out research, including market research).
For Processing of more Sensitive Personal Data we will rely on either:
- your consent;
- that use of your Sensitive Personal Data is necessary for the purpose of the assessment of the working capacity of an employee and to enable Bord na Móna to provide suitable accommodations where necessary; or
- that use of your Sensitive Personal Data is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity (for example, when a court issues a court order requiring the Processing of Personal Data).
Processing of Personal Data relating to criminal convictions and offences is subject to the requirements of applicable law.
We may record telephone calls with you so that we can:
- improve the standard of service that we provide by providing our employees with feedback and training;
- address queries, concerns or complaints;
- prevent, detect and investigate crime, including fraud and money laundering, and analyse and manage other commercial risks; and
- comply with our legal and regulatory obligations.
In addition, we monitor electronic communications between us (for example, emails) to protect you, our business and IT infrastructure, and third parties including by:
- identifying and dealing with inappropriate communications; and
- looking for and removing any viruses, or other malware, and resolving any other information security issues.
Our use of CCTV involves Processing of Personal Data. Further information on how we Process Personal Data using CCTV is set out in Schedule 4.
Retention of Personal Data
We will keep Personal Data for as long as is necessary for the purposes for which we collect it. Where we hold Personal Data to comply with a legal or regulatory obligation, we will keep the information for at least as long as is required to comply with that obligation. In some cases, a retention period will apply once the initial purpose has ceased e.g. financial information is kept for 7 years, payroll files are required to be kept for current year plus 6 years.
Where we hold Personal Data in order to provide a product or service, we will keep the information for at least as long as we provide the product or service, and for a number of years thereafter. The number of years varies depending on the nature of the product or service provided. If you have any queries on data retention please contact firstname.lastname@example.org.
Bord na Móna endeavours to ensure that Personal Data will only be kept for a period which is relevant and not excessive to achieve the purposes for which it is being held. Personal Data will be deleted once that purpose is achieved or it is no longer required.
Your Personal Data rights
Schedule 5 sets out a summary of the data protection rights available to individuals in the EEA in connection with their Personal Data. These rights may only apply in certain circumstances and are subject to certain legal exemptions.
Any request to exercise your rights should be sent to the Information Officer at email@example.com.
To help us to respond to your request, please be as specific as possible. For example, if you wish to exercise your right to access your Personal Data, please specify the Personal Data of which you wish to obtain a copy.
Please include any additional details that would help us to respond to your request – for example, your customer account number, a staff reference number, names of departments/offices that you were associated with, etc.
If you wish a third party to submit a request to exercise your rights on your behalf (e.g. a family member or solicitor), you must provide written authorisation to allow us to disclose your Personal Data to that third party.
You may be asked to provide further information in order for Bord na Móna to confirm your identity.
Who to contact about your Personal Data
If you have any questions or concerns about the way your Personal Data is used by us, you can contact us by email at: firstname.lastname@example.org.
Review and Revision