Privacy Statement
Last updated 21st September 2020
CONTENTS
PART A: SPECIFIC PROCESSING INFORMATION.. 5
- JOB APPLICANTS. 5
- WEBSITE VISITORS. 7
- INDIVIDUALS CONNECTED TO OUR DPO SERVICES. 9
- SUPPLIERS (SOLE TRADERS) 11
- REPRESENTATIVES OF THIRD PARTY LEGAL ENTITIES. 13
PART B: GENERAL PROCESSING INFORMATION.. 15
INTRODUCTION
About this statement and how to read it
The purpose of this document is to provide information to you about the use of your personal data by Symmetry Solutions Ltd (“Symmetry” or “we”). At Symmetry we respect your right to privacy and we handle your personal data in accordance with our obligations under the General Data Protection Regulation EU 2016/679 (“GDPR”) and the Data Protection Act 2018 (“the Act”) (together “Data Protection Legislation”).
This document outlines what personal data we, as data controller, collect and process in our dealings with you, how and why we process those personal data and what your rights are in respect of your personal data.
The statement has been written to provide you with clear and transparent information in an easy to understand format. To help with this, the statement is split into three sections:
- PART A “SPECIFIC INFORMATION”: This contains different sections for each type of individual whose personal data we process, with each section providing information on how we process personal data specifically belonging to that type of individual. So to understand how we process your personal data, go to the section(s) that relates to you.
- PART B “GENERAL INFORMATION”: This contains information about processing that is relevant to ALL individuals.
- PART C “YOUR RIGHTS”: This contains information about your rights under Data Protection Legislation.
Contact
If you have any questions about our privacy statement, your rights, or how we use your information, please do not hesitate to contact us at:
Post: Data Protection, Symmetry Solutions Ltd, The Tara Building, 11-15 Tara Street, Dublin 2, Ireland
Tel: 01 5547350
Email: hello@symmetrygroup.ie
Changes to this statement
We will update this Privacy Statement from time to time. Any changes will be made available on our website and, where appropriate, notified to you by written notice or e-mail.
PART A: SPECIFIC PROCESSING INFORMATION
1. JOB APPLICANTS
Where you have applied for a job with Symmetry, this section relates to you.
1.1. How we collect your personal data
Information about you, including your personal data, is gathered when you apply for a job with us either directly or indirectly via employment agencies we work with, an introducer who has referred you to us or via our third level education partners. We also may obtain personal data indirectly from referees you nominate to us or from your professional social media profile link you provide to us as part of the job application.
1.2. The personal data we use
We will process and use all personal data included in your CV, job application correspondence and collected as part of the application process, including:
- IDENTITY DATA, including your
- first name, surname, salutation;
- date of birth (if included on your CV);
- photographic identification, where your photograph is included on your CV;
- CONTACT DATA, including your email address, home address, telephone number(s);
- PREFERENCES, in respect of the job you are applying for with us;
- OCCUPATIONAL, including
- the name of your employer, your job title and department;
- your employment and education history and any other information contained in a CV provided to us as part of a job application;
- STATEMENTS ABOUT YOU, including
- references we obtain from your nominated referees as part of a job application;
- notes we make in relation to your suitability;
- statements made as part of the interview and evaluation process when you apply for a job with us;
- ONLINE INFORMATION, including your online profile information where you have applied via an online network such as LinkedIn.
1.3. The purpose and legal basis for processing your personal data
We process your personal data for the purpose of recruiting staff. This includes the following, which we deem necessary for the purposes of entering into an employment contract with you (i.e. assess your suitability to enter into the contract):
- Identifying you and processing your job application;
- Verifying the information you provided and assessing your suitability for the role;
- Making a decision on whether to offer you a job and the provision of feedback to you in relation to your application;
We may also need to use your personal data for the purpose of satisfying our employment law obligations, in particular in relation to equality.
1.4. Who we share your personal data with
Your personal data will be shared to relevant staff within our organisation but also to a limited number of third parties where it is necessary to do so, including:
- To your nominated referees;
- To third party companies or individuals who are providing recruitment services to us;
- To third parties who are providing services to us to enable us to manage the relationship with you, including our software and IT support providers;
- To statutory, regulatory, government or law enforcement bodies as required by law;
Where we enter into agreements with third parties to process your personal data on our behalf, we will ensure that appropriate contractual protections are in place to protect the security of the data.
1.5. Consequences of not giving your data to us
You are not under any obligation to provide your personal data to us. However, we do need some personal data in order to consider a job application from you and failure to provide this information may result in us not being able to consider you for the position or role.
1.6. How long we keep your personal data for
Personal data is kept in a form, which permits data subject identification only for as long as is permitted while following fair and lawful processing. No personal data will be kept for a period longer than necessary. For example, we immediately delete any applications we receive from individuals once they are deemed to be an unsuitable fit for us. For individuals who are employed by us, information about our handling and retention of their personal data is contained within our internal privacy statement for staff.
2. WEBSITE VISITORS
Where you visit our website, this section relates to you.
If you visit our website and do not engage with us in any other way, please see our cookies banner on our website for more information on the cookies we use on our website.
If you choose to submit an online enquiry via our website, please proceed to the next section below which relates to online enquirers.
2.1. How we collect your personal data
Information about you, including your personal data, is gathered directly from you when you submit an enquiry to us via our website’s contact form.
2.2. The personal data we use
We process and use all personal data included in the webform and related correspondence. This includes your IDENTITY DATA (your name), CONTACT DATA (your email address) and any other personal data you submit in the subject line and your message to us.
2.3. The purpose and legal basis for processing your personal data
We only process your personal data where it is lawful and necessary to do so. Your personal data are processed in line with our legitimate interests to enable website visitors to make contact with our company, to respond to those individuals and, where you have expressed an interest in one of our products or services, to contact you about related products or services that may be of interest to you.
2.4. Who we share your personal data with
We do not share your personal data with third parties unless it is necessary. Sharing occurs with a limited set of individuals and organisations and in limited circumstances. For example, we may share your personal data to third parties who are providing services to us to enable us to manage the relationship with you, such as our software providers. Where we use suppliers to process your personal data on our behalf, we have entered agreements which contain appropriate contractual protections to protect the security of the data.
2.5. Consequences of not giving your data to us
You are not under any obligation to provide your personal data to us. However, please note that without your personal data we will be unable to approach you if you have any enquiry of our services.
2.6. How long we keep your personal data for
Personal data is kept in a form, which permits data subject identification only for as long as is permitted while following fair and lawful processing. No personal data will be kept for a period longer than necessary.
3. INDIVIDUALS CONNECTED TO OUR DPO SERVICES
In providing our outsourced data protection officer (“DPO”) services (“DPO Services”) to clients (“DPO Clients”), we perform our duties accordance with the tasks detailed in GDPR Article 39. In accordance with GDPR Article 38(3), we do cannot receive any instruction from DPO Clients regarding the exercise of those tasks and therefore we perform the DPO role in an independent manner as a data controller.
In performing the DPO role, we obtain a range of personal data from the DPO Client relating to individuals connected to that DPO Client, such as shareholders, directors, employees, customers, patients, suppliers, or otherwise.
Please note that for our other services, such as our consultancy, representation, software or outsourced appointments, we act as a data processor on behalf of our client. Information about any such processing of personal data shall be contained in the data controller’s privacy statement or policy.
3.1. How we collect your personal data
Information about you, including your personal data, is gathered directly from the DPO Client pursuant to our performance of the DPO role and duties for that DPO Client.
3.2. The personal data we use
A lot of our DPO work is conducted using limited amounts of personal data. For example, we may process a DPO Client’s employee’s name and contact data for the purposes of interacting with that employee on a particular piece of work.
However, certain parts of the DPO work can involve viewing, reviewing and analysing all types of personal data held by a DPO Client in order to provide relevant guidance and direction to the DPO Client on how best to protect that personal data and protect the individuals’ rights. Examples of where we may handle large amounts of personal data are in the event of assisting with reviews of specific processing activities or systems, or assisting with the management of data subject requests, cyber incidents, personal data breaches or complaints.
3.3. The purpose and legal basis for processing your personal data
We only process your personal data where it is lawful and necessary to do so, and only for the purpose of performing the DPO role for which we are appointed by the DPO Client and, once appointed, legally bound by GDPR Article 39. As such, your personal data are processed as follows:
- To enter into and perform a DPO Services agreement, including establishing the DPO Client’s eligibility to enter in to the agreement and then performing the DPO Services (this may include the provision of services to assist the Forensics Client in complying with legal obligations such as family law obligation to have affidavits vouched or a court order for discovery);
- To enable us to comply with our legal, statutory and regulatory obligations including the performance of the DPO Services in accordance with GDPR Article 39; and
- To manage our everyday business needs in line with our legitimate interests, such as risk management, accounting, business continuity, complaint management, troubleshooting, technical support, protection of our assets and information, and to establish, exercise and safeguard our rights.
3.4. Who we share your personal data with
We only share your personal data with a third party where we have a necessity and have a valid legal basis to do so. Furthermore, we are legally bound by data protection law to perform the DPO tasks secrecy and confidentiality, and also are contractually bound to maintain confidentiality as per each DPO Services agreement with each DPO Client.
Accordingly, we only share your personal data with third parties in a limited set of circumstances, which may include:
- To the DPO Client as part of the performance of the DPO role for that DPO Client;
- To data protection regulators or supervisory authorities on behalf of the DPO Client;
- To third parties who are providing services to us to enable us to provide the DPO Services as per the agreement with our DPO Client and enable us to meet our legal obligations, including our software providers, IT support providers and consultancy support providers (note that where we enter into agreements with third parties to process your personal data on our behalf, we will ensure that appropriate contractual protections are in place to protect the security of the data);
- To statutory, regulatory, government or law enforcement bodies as required by law;
3.5. Consequences of not giving your data to us
There is no obligation on you or on the DPO Client to provide personal data to us. However, we do need some personal data in order to perform the DPO Services for the DPO Client and failure to provide this information may result in us not being able to provide a certain element of the DPO Services where such personal data may be required.
3.6. How long we keep your personal data for
Personal data is kept in a form, which permits data subject identification only for as long as is permitted while following fair and lawful processing. Personal data relating to the performance of the DPO Services contractual terms and conditions shall be kept for a period of 7 years from the end of the relationship with the DPO Client. This is in line with our legitimate interests to protect ourselves against a claim pursuant to statute of limitation law.
4. SUPPLIERS (SOLE TRADERS)
4.1. How we collect your personal data
As a supplier or service provider to Symmetry, we collect your personal data directly when you interact with us via telephone, email, post, fax and/or person (e.g. meetings, events, conferences, etc.). We may also collect personal data from third party sources, examples of which include;
- From publicly available information. For example, from company registers, press publications, trade directories and online search engines and related results;
- Introducers or common business associates who may pass on your details to us;
- Referees you nominate to us as part of tendering for work with us;
- Third parties who provide services to you (e.g. your representatives, advisors, etc.);
- Our banking providers, in relation to transactions with you;
4.2. The personal data we use
Our relationship with you as a supplier is a business to business relationship and the personal data processed is limited to those necessary to establish a relationship with you and obtain your services, including:
- IDENTITY DATA, including your first name, surname, salutation, business name;
- CONTACT DATA, including your email address, business address, billing address, telephone number(s);
- OCCUPATIONAL, including;
- information about your past or current clients, past or current projects and any other information that may be considered by us when assessing your suitability to provide a service; and
- relevant insurance and/or health and safety details where required.
- FINANCIAL, including bank account details and VAT or other relevant tax details to facilitate transactions with you, as well as your transactional and account history with us;
4.3. The purpose and legal basis for processing your personal data
We will only process your personal data where it is lawful and necessary to do so.
Typically, your personal data are processed for the purpose of entering into and performing a contract with you as a supplier to Symmetry, including when we:
- Make an inquiry to purchase a product or service from you;
- Avail of the products and/or services from you as a supplier;
- Transact with you and make payments to you pursuant to the contract;
- Establish, exercise or defend legal claims in relation to the contract;
- Correspond with you throughout the relationship.
Your personal may also be used:
- To enable us to comply with our legal, statutory and regulatory obligations. For example, your personal data may be included in our returns to the Revenue Commissioners in complying with taxation law, as part of the preparation and audit of financial statements in compliance with company law and for compliance with legally binding requests from regulatory bodies, law enforcement agencies, the courts or otherwise;
- To manage our everyday business needs in line with our legitimate interests, such as accounting, complaint management, troubleshooting, technical support, protection of our assets and information, and fraud prevention.
4.4. Who we share your personal data with
We do not share your personal data with third parties unless it is necessary. Sharing occurs with a limited set of individuals and organisations and in limited circumstances. Examples of when sharing may occur and the third parties to whom we share your personal data are as follows:
- To third parties who are providing services to us to enable us to manage the relationship with you. For example, our software providers, our IT support providers and our professional advisors. Where we enter into agreements with third parties to process your personal data on our behalf, we will ensure that appropriate contractual protections are in place to protect the security of the data
- To our bank when we are transacting with you; and
- To statutory, regulatory, government or law enforcement bodies as required by law.
4.5. Consequences of not giving your data to us
You are not under any obligation to provide your personal data to us. However, we do need some personal data in order to be able to enter into an agreement with you in order to avail of your services and failure to provide this information may result in us not being able to enter into such an agreement.
4.6. How long we keep your personal data for
Personal data is kept in a form, which permits data subject identification only for as long as is permitted while following fair and lawful processing. Personal data relating to the performance of a service contract with you shall be kept for a period of 7 years from the end of the relationship with you. This is in line with our legitimate interests to protect ourselves against a claim pursuant to statute of limitation law.
5. REPRESENTATIVES OF THIRD PARTY LEGAL ENTITIES
5.1. How we collect your personal data
In our business to business relationships with third party companies and organisations (e.g. suppliers, state bodies, or otherwise), we will process some personal data belonging to individuals who represent those companies and organisations in the capacity of an employee, director or otherwise. If you fall into this category of individual where you are representing a company or organisation (“Your Organisation”), we gather your personal data from both direct and indirect sources:
- Directly from you. Examples include when you, on behalf of Your Organisation:
- Interact directly with us via telephone, email, post, fax and/or in person;
- Provide information as part of an inquiry about a service to or from us;
- Purchase our services or provide us with services and conduct transactions with us;
- From third parties. Examples include collection from:
- Publicly available information. For example, from press publications, online search engines and related results.
- Referees you nominate to us as part of Your Organisation tendering for work with us;
- Introducers or common business associates who may pass on your details to us;
- Third parties who provide services to Your Organisation (e.g. your representatives, advisors, etc.).
5.2. The personal data we use
As you are acting on behalf of Your Organisation and not a personal capacity, the personal data we use for the business to business relationship is limited and includes:
- IDENTITY DATA, including your first name, surname, salutation, signature on signed documents;
- CONTACT DATA, including your business email address, business telephone number(s);
- OCCUPATIONAL, including the name of Your Organisation and your job title,
- OPINIONS, where you consent to provide testimonials or references.
5.3. The purpose and legal basis for processing your personal data
We will only process your personal data where it is lawful and necessary to do so, including
- For the purpose of taking steps to enter into and perform a contract to obtain services from Your Organisation;
- To enable us to comply with our legal, statutory and regulatory obligations. For example, Your Organisation may be a government body with whom we need to interact as part of our legal obligations and your personal data will be used to manage this relationship;
- Where you have provided us with consent to use your personal data for marketing or referral purposes;
- To manage our everyday business needs in line with our legitimate interests, such as customer service, accounting, complaint management, troubleshooting, technical support, fraud prevention, protection of our assets and information, and fraud prevention.
- Establish, exercise or defend legal claims;
5.4. Who we share your personal data with
We do not share your personal data with third parties unless it is necessary. Sharing occurs with a limited set of individuals and organisations and in limited circumstances. Examples of when sharing may occur and the third parties to whom we share your personal data are as follows:
- To third parties who are providing services to us to enable us to manage the relationship with you. For example, our software providers, our IT support providers, our professional advisors and our financial statement auditors. Where we enter into agreements with third parties to process your personal data on our behalf, we will ensure that appropriate contractual protections are in place to protect the security of the data; and
- To statutory, regulatory, government or law enforcement bodies as required by law.
5.5. Consequences of not giving your data to us
You are not under any obligation to provide your personal data to us. However, we do need some personal data to be able to enter into an agreement with Your Organisation in order to avail of Your Organisation’s goods or services and failure to provide this information may result in us not being able to enter into such an agreement.
5.6. How long we keep your personal data for
Personal data is kept in a form, which permits data subject identification only for as long as is permitted while following fair and lawful processing. No personal data will be kept for a period longer than necessary.
PART B: GENERAL PROCESSING INFORMATION
1. How we keep your personal data safe
Appropriate security measures are implemented in order to protect your personal data.
Security measures refer to physical security in the office as well as implementing appropriate technology and cyber security measures across our systems and networks in order to prevent any accidental or unauthorised access, interference, damage, loss or disclosure of personal data.
In the event of certain types of personal data breaches, we are legally obliged to notify the Data Protection Commission and affected individuals to whom the personal data belong. We have implemented internal procedures to manage personal data security breaches in accordance with our legal obligations.
2. Transfers outside the European Economic Area
In connection with the above purposes we do not currently transfer your personal data to third parties outside the European Economic Area (“EEA”). If and to the extent we ever do so, we will ensure that appropriate measures are in place to comply with our obligations under applicable law governing such transfers, which may include:
- to a jurisdiction which has been subject to an “Adequacy” decision from the European Commission, meaning the jurisdiction is recognised as providing for an equivalent level of protection for personal data as is provided for in the European Union; or
- entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the European Commission.
PART C: YOUR RIGHTS
You have a number of rights in respect to your personal data. These are:
- The right to access your personal data, which includes receiving confirmation on whether the personal data are being processed and if so, receiving the personal data and related information about why they are being processed, the categories of personal data involved, to whom the personal data have been or will be shared and how long the data will be kept for. We will accede to any such valid requests within one month of the receipt of a valid request in writing
- The right to request that we rectify inaccurate data or update incomplete data. You may also request that we restrict the processing of the personal data until the rectification or updating has been completed, although please be aware that we may have to suspend the operation of your account or the products or services that we provide.
- The right to request that we erase your data under certain circumstances, including where you want to withdraw the consent you previously gave to us, where you object to our processing of your personal data for our own legitimate interests or where our processing of the data is unlawful. In the case of unlawful processing, you can also request that this processing is restricted rather than the personal data being erased. Please be aware that we may have to suspend the operation of your account or the products or services that we provide where data processing is restricted.
- The right to object to the processing of your personal data, where such processing is being conducted for the purpose of:
- Direct marketing (note that we do not currently conduct direct marketing, but your right to object exists if we ever do process your personal data in this way);
- Establishing, exercising or defending ourselves or others from legal claims; or
- Our legitimate interests, unless we can demonstrate that our interests override your interests and rights. You may request that we restrict the processing of the personal data until this analysis of legitimate interests has been concluded, although please be aware that we may have to suspend the operation of your account or the products or services that we provide where data processing is restricted.
- The right to receive your data in a portable format or, subject to it being technically feasible, have us transfer it directly to a third party. This applies where you have provided us with consent for the processing or where the processing is necessary for entering a contract with us.
- The right, at any time, to withdraw consent you have provided to us to process your personal data.
- If you wish to raise a complaint in relation to how we processed your personal data, please contact us. We take your privacy and data protection very seriously and we endeavour to address your complaint as expediently and as thoroughly as we can in order to find a satisfactory resolution for you.
- The right to lodge a complaint to the Data Protection Commission or another supervisory authority. The Office of the Data Protection Commission can be contacted at:
- Email: info@dataprotection.ie
- Telephone: +353 (0)761 104800
- Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD2