At TFC Research and Innovation Limited, ‘TFC’, we understand the importance of trust in our business. We take great care with personal information that is provided to us online or otherwise, taking steps to keep it secure and ensure it is used only for legitimate purposes. This information will never be disclosed to any 3rd party, other than the Companies Registration Office, without your full consent. We are fully compliant with the EU General Data Protection Regulation (GDPR). In the unlikely event of a police or revenue investigation for money laundering, terrorist financing, etc., we are legally obliged to disclose our files. We may on occasion send you or forward an e-mail to inform you of services we offer, or research and projects that we are conducting, which we believe may be of interest to you, but you may opt out of these e-mails at any time. We wouldn’t want to see you go. Should you wish to leave, please send an email directly to email@example.com to let us know.
Any information provided by you will be treated in accordance with the terms of the Data Protection Act, 1988, the EU General Data Protection Regulation (GDPR), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, and any implementing and/or amending legislation as may be adopted in Ireland from time to time.
Data Protection Notice
TFC Research and Innovation Limited as the Data Controller in compliance with Data Protection regulation is required to gather and use a variety of information about individuals and businesses through the course of normal business practices.
Information gathered includes associates, project partners, customers, suppliers, employees, and any other person deemed necessary throughout the course of conducting business.
This policy exists to further strengthen the compliance displayed by TFC, showing good practice and process with regards to data protection legislation. It protects the rights of staff, project partners, customers and all other connected parties while being transparent about how individuals’ data is processed and maintained. This policy should also protect TFC from risk of data breach.
The organisation should comply with the requirements of the relevant Irish legislation, namely the Irish Data Protection Act (1988), and the Irish Data Protection (Amendment) Act (2003). Along with GDPR regulations being implemented by the EU Data Protection Commission on the 25th May 2018, TFC will adhere to the below broad points throughout with regards to data processing:
- Fair and lawful processing;
- As much as possible kept up to date and accurate
- Retained no longer than is necessary
- To be protected appropriately
- Obtained only for specific lawful purposes
- To be relevant, adequate and not excessive
- Maintained and managed in accordance with data protection rights and regulations.
2. Policy Scope
When referring to ‘TFC Research and Innovation Limited’, ‘TFC’, ‘us’, ‘we’ or ‘the company’ within the body of this policy document, this encompasses all trading names, subsidiaries and direct affiliates including but not limited to – TFC Research and Innovation Limited (TFC).
All personnel associated with any of the above entities or trading names, volunteers, contractors, suppliers or anyone else acting on behalf of TFC Research and Innovation Limited will be covered by this policy.
This policy encompasses the Subject Access Request procedure, the Data Retention and Destruction Policy, the Data Retention Periods List and the Data Loss Notification procedure all detailed within.
It will cover any and all information or other data held on any identifiable individuals. This includes:
Names, Dates of Birth, Addresses, Email Addresses, Telephone Numbers, Passport Copies, Proof of Address Copies and any other information relating to any individual.
3. Data Protection Risks
This policy exists to cover a wider protection against direct risks, which can be generally classified as follows:
- Breaches in confidentiality.
- Failing to offer choice.
- Reputational damage.
4. Data Collection
TFC collects an amount of personal data either through direct means, requested as part of providing any kind of service within the company, or through standard business procedures. We will also collect data through our websites, social media platforms, market research, desk-checks, discussion forums, videos and CCTV footage, as applicable. Our websites use cookie technology, which is a section of text placed on your device to help make our sites perform better for our customers, partners and visitors. Any changes to the above methods of data collection will be fully explained in advance of their use.
To comply with up to date data protection regulation (GDPR), with time we aim to collect some personal information and verify it. This information will also be kept up to date and maintained but will be deleted/appropriately disposed of once the information is no longer required. In some cases, 3rd parties may be used to obtain further information about individuals if required. If the appropriate level of information is not received, we may not be able to provide services to an individual.
No collected data is to be written down unnecessarily or passed informally between employees.
Through the course of business, TFC collects data from a variety of sources and types, which may change based on the specific requirements of the service being ordered or inquired about.
When data is collected or obtained, the individual should be made aware of the below:
- TFC in any of the above listed forms is the overall Data Controller in all cases.
- Why data is being obtained/collected.
- What parties, internal or external the data will be processed by.
- All or any other relevant information that can be provided to add to the information surrounding the same should be provided.
In all cases, the individual has the right to a full and transparent explanation as to the reason data is being collected and the intended use of the data in question.
Data should only be used within the purposes it was acquired for.
The company will have high standards in all cases when it comes to the protection of data.
Access to data should only be granted to the employees for the completion of their role or task. TFC will also ensure:
- Each unit of the business conducts regular reviews of admin and IT processes to ensure data security.
- Reviews of this nature should apply to the personal data of customers, individuals and employees alike; sample data should be taken by the Data Protection Officer and updated where appropriate every year.
- Review the amount of data being obtained relevant to each service or task under the same time period.
All personnel and the company as a whole will ensure that data collected is fit for purpose and relevant to the service being provided to individuals. Where data is not applicable, it should not be collected or if inadvertently provided by an individual be destroyed. As soon as the appropriate retention period has expired, all data should be destroyed and/or put beyond use.
In line with legislation, TFC have established a Subject Data Request process, with further information detailed below. Requests can be directed to our Data Protection Officer.
5. Employee and Potential Employee Data
As part of the standard recruitment process, TFC may collect CVs, personal information from online and social media sources, proof of identity and address, and proof of qualifications where appropriate. When a role has been filled, personal information gathered on an unsuccessful candidate will be destroyed/shredded, unless it is agreed that it can be held for future recruitment or other legitimate business purposes. As a direct employee, all of the above is gathered where required and stored safely within the company. As with all information, the company is required to retain data for six years after it becomes inactive, e.g. ceases employment. Once this information is no longer required it will be destroyed as above.
6. Internal Processes
While a general overview of staff responsibilities will be discussed below, there are two key relevant positions.
The Board of Directors
Ultimately responsible for ensuring that TFC complies with its legal obligations. All of the sitting directors are to be considered Representatives for the purposes of Data Protection Legislation.
Data Protection Officer
Tasked with keeping the board up to date with data protection regulation and renewing data protection procedures and related policies. Arranging training and handling queries in this regard from staff. To deal with requests from individuals to see data held by TFC on them – called ‘subject access requests’. Review of contracts, agreements in place with any third party that maintains or handles any sensitive data associated with TFC.
Once personal information has been provided to TFC through a means of communication or website with the appropriate consent, marketing materials of a legitimate interest including related products or services in line with those originally requested may be sent.
If a customer, partner or potential partner does not wish to receive these materials, then they can simply inform us at firstname.lastname@example.org. Note, we do not consider ‘unsubscribing’ as being the same as the cancellation of services – this must be communicated separately.
Customers may be asked over the phone if they wish to receive marketing materials, offers and other content from TFC prior to the same being sent.
In all cases, a customer or potential customer will not be contacted with marketing materials, etc. where consent through them being classified as an on-going or professional customer, legitimate interest in services or direct permission cannot be established.
In some situations, the company may have obtained sensitive personal information from a customer directly as part of providing a service. This information will not be shared with any party unless the express agreement of the customer has been obtained.
8. Data Storage
Questions about storing data safely can be directed to our Data Protection Officer where applicable.
Where appropriate, paper documents containing any kind of personal information or customer communications shall be shredded and externally disposed.
Internal policies are in place to ensure security is maintained once handled by all employees.
9. Data Use
On computers with access to any personal data, each employee should ensure that screens are locked appropriately before leaving machines unattended. Personal data should not be shared informally. Where appropriate, data should be encrypted before being transferred electronically.
10. Data Accuracy
In all cases, data will be held in as few places as possible. Based on risk, files should be reviewed on a staggered basis to ensure data is updated and inaccuracies are discovered and corrected.
11. Data Retention & Destruction Procedure
In all cases, personal data will not be held longer than is necessary and, when appropriate, will be destroyed in a secure manner. Documents held securely by TFC following the cancellation of services are destroyed using shredding facilities, as below, once the tracked time period has expired.
Data is, in all cases, to be destroyed in an appropriate manner. All elements of TFC use approved shredding facilities to ensure data integrity. Unless otherwise specified in this policy, data will be retained by TFC for a period of six years following the data being classed as inactive. This is represented by a customer or enquiry no longer being considered live or on-going. This will be indicated by the cancellation of services either by the customer or by any element of TFC, or if an enquiry received is deemed to be inactive – more than one year old.
12. Data Loss Notification Procedure
In the event of a breach or any data suspected of being compromised, any member of staff is to inform our Data Protection Officer at the earliest possible opportunity.
Where appropriate, the relevant authorities should be informed of the breach at the earliest possible instance. The earliest possible timeframe for this report should be as soon as the extent and nature of the data loss has been confirmed or no more than seven days after the breach. This should include the nature of the breach, the amount of personal information compromised, and the action being taken to rectify the issue.
Any individual that has been subject to the breach should be informed as soon as the extent and nature of the data loss has been confirmed or no more than seven days after the breach, detailing the steps being taken to rectify the issue and the steps, if any that the individual should take directly to further secure their information.
In all cases, the relevant authorities and any affected individuals should be kept informed of the progress of dealing with any breach until a time when the issue is considered closed. A report should be maintained and made available when required by any affected party.
13. Subject Access Requests Procedure
All individuals who have personal data stored by TFC are entitled to know what information the company holds about them, why it is retained and how to obtain access to the data.
Each individual should be informed how their personal data is kept up to date and how TFC meets its data obligations.
Requests for any such information can be submitted to our Data Protection Officer. The aim is to provide information on all requests within 30 days. Note that appropriate measures will be taken to confirm the identity of the requester prior to providing any information.
Once a request has been made it is the responsibility of the Data Protection Officer to prepare the Subject Access report.
The report should review all email communication and information held in relation to an individual. In addition, any hard copy documentation or files should be listed, and the subject made aware of the data contained within.
A report should be presented within the above timeframes, which should include a listing of all information held by the company on an individual and any relevant 3rd party that information has been shared with.
The report should be reviewed, verified and signed off on by our Data Protection Officer. In all cases, an individual will have the right for their personal information to be removed (forgotten) from our system. The sole caveat to this being when it impacts TFC in providing or completing any service which the entity has been contracted to provide.
14. Personal Information and Third Parties
TFC does not share personal information with 3rd parties in any ancillary way. Information may, however, be shared with a 3rd party in direct connection with a service being provided by a Unit of the company. In a number of cases, pre-approved agents in various jurisdictions may be used to complete secretarial services and other business-related activities.
In providing personal information in relation to a service, customers should be aware this information may be shared with a 3rd party in direct support of a service being provided by the relevant 3rd party.
We are also required to share information with 3rd parties to meet any applicable law, regulation or lawful request. When we believe we have been given false or misleading information, or we suspect criminal activity we must record this and inform appropriate law enforcement agencies which may be either within or outside of Ireland.
TFC can use and can obtain the support of a number of 3rd parties for services that are not internally managed. Services can include payment processing and IT support services depending on the scientific research project at hand. This process is managed by our Data Protection Officer.
15. Internal Communication
Where avoidable, personal information on customers should not be shared through email, and under no circumstances should information of a sensitive nature be sent in this way.
16. Making a Complaint
Should any person have a concern with regards to the use of their personal information, a member of staff can be informed in person and via phone or email. All complaints or concerns will be fully investigated and reviewed. We would simply ask that as much information is provided as possible to enable us to resolve the complaint as quickly as possible.
17. Update to Data Policy
From time to time, particularly when how we are required to use information changes or when our systems are upgraded and in line with future legislation on data protection, changes will be made to this policy. An up to date version of this policy can be found on our website at all times.