The purpose of this policy is to provide any person (or ‘data subject’) in relation to whom IPHA holds personal data, with details of the information that we collect, how we process it and who we share it with. It also explains your rights under data protection law in relation to our processing of your data.
Certain key terms are used in this policy such as ‘personal data’, ‘processing’, ‘data protection law’ and these are defined in the Key Definitions section included at Annex 1.
This policy applies to IPHA’s employees, contractors and officers.
Who controls the use of your personal data?
The Irish Pharmaceutical Healthcare Association, a company limited by guarantee exempt from the requirement to use ‘CLG’ in its name (with the registered business name ‘IPHA’), whose registered address is Wilton Park House, Wilton Place, Dublin 2, is the company that controls and is responsible for personal data that is covered by this policy. IPHA is therefore a ‘data controller’.
Compliance with principles of data protection law
IPHA adheres to the principles of the data protection law and as a result, your personal data will be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and up-to-date;
- Kept for no longer than is necessary for the specified purpose or purposes; and
- Processed in a manner that maintains the integrity and confidentiality of your data.
What personal data is collected?
The type of information that IPHA holds (in both paper or electronic format), where appropriate and permitted by law, includes personal details relating to you, such as your name, professional contacts, bank account details (if required for payments in the performance of a contract) and related information. Additional personal information is held about employees and parties such as directors so that IPHA can comply with relevant contractual and/or statutory obligations.
Special categories of data collected by IPHA included:
- Gender of employees;
- Data regarding the health of employee that arises in the context of sick leave or attendance at medical appointments;
- Data regarding the health of individuals visiting the IPHA office or participation in IPHA events, where such information is required to facilitate their visit/participation (e.g. information on disability or special dietary requirements).
Where do we collect your personal data?
Most of your personal data that we collect will be provided by you through your interactions with us. Certain personal information (name, job title, business email address, business address and/or mobile phone number) may be provided to IPHA by third parties, such as your employer, on your behalf for the purpose of contacting you about legitimate IPHA business. IPHA may also source personal data from publicly-available sources such as your employers’ website, your own website, and commercially published directories.
Legal basis for processing your information
We process your personal data in order to provide you with our services and to assist us in the operation of our business. Under data protection law we are required to ensure that there is an appropriate basis for the processing of your personal data, and we are required to let you know what that basis is.
There are various options under data protection law, but the primary bases on which we process your personal data are:
- Performance of a contract or agreement with you – we collect and use your information primarily for the purpose of managing our working relationship with you, for example, in order to provide services, to arrange payment for the provision of your services or to collect payment for our services, to communicate with you, and otherwise to fulfil any contractual obligations owed to you.
- Where required by applicable law – IPHA may be required under local laws to maintain records that can include personal information, such as mandatory reporting, tax and accounting requirements.
- To fulfil our legitimate business interests – IPHA also may process your personal data to pursue our legitimate business interests, which shall include planning for, conducting and monitoring the activities of our Association, providing service information, etc.
- Where you have consented – for certain types of information, IPHA may rely on your consent to the use of such information. Our policy is to keep to the minimum necessary any data where the basis for processing is your consent. In that event, you will have been asked for your explicit and specific consent; and you will be entitled to withdraw your consent at any time by contacting us using the contact details at the bottom of this policy. Please note that if you withdraw your consent we may not be able to continue providing you with the service to which the consent related.
IPHA will only use your information for the purposes for which it was collected, unless we reasonably consider that we need it for another purpose that is compatible with the original purpose. If we need to use your information for an unrelated but compatible purpose, we will notify you in advance of our use of your information and explain the legal basis for this. Note that we may process your information without your knowledge or consent where this is required or permitted by applicable law.
Who do we share your personal data with?
You should be aware that in certain circumstances, IPHA may need to transfer or disclose your personal information to third parties, including service providers who render administration and other support services to IPHA, but will only do so where it is consistent with the purposes outlined above.
IPHA will share members’ business contact details with other members to facilitate the legitimate business objectives of IPHA, for example, elections to offices of the Association.
IPHA will also disclose your personal information in response to a valid, legally compliant request by a competent authority or in response to a court order or otherwise in compliance with any applicable law, regulation, legal process or enforceable governmental request or other statutory requirement; to detect, prevent or otherwise address fraud, security or technical issues; or to protect against imminent harm to the rights, property or safety of PHA, its members or the public as required or permitted by law.
IPHA will ensure through contracts and data processing agreements that third parties with whom your personal data is shared apply appropriate security measures to protect your data from loss, misuse and unauthorised access or disclosure.
Transfers outside of the European Economic Area (EEA)
IPHA does not transfer personal data outside the European Economic Area.
IPHA does not carry out automated decision-making processes with personal data.
Retention of personal data
IPHA will retain your personal data in accordance with our record retention policy. This policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it. It is also kept in accordance with any legal requirements that are imposed on us. This means that the retention period for your personal data will vary depending on the type of personal data. For further information about the criteria that we apply to determine retention periods, please see below:
- Statutory and regulatory obligations – we have certain statutory obligations to retain personal data for set periods of time.
- Business requirements – As we only collect personal data for defined purposes, we assess how long we need to keep personal data for in order to meet our reasonable business purposes.
IPHA will permanently delete your personal data when the relevant retention period has expired.
All breaches of personal data held by IPHA will be reported to the Data Protection Authority within 72 hours, unless the data was anonymised or encrypted.
Breaches of this policy by employees will be dealt with under the IPHA Grievance and Disciplinary Policy and may lead to a disciplinary sanction.
IPHA takes the security of your data very seriously and has implemented reasonable security measures, including secure password protected networks and physical security measures to protect your data from loss, misuse and unauthorised access or disclosure. IPHA also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current.
Employees who handle personal data covered by this policy are aware of this policy and have been given training in how to correctly collect, process, store and delete data.
You have various rights under data protection law, subject to certain exemptions, in connection with our processing of your personal data including the right to:
- Right to access the data – You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
- Right to rectification – You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
- Right to erasure – You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the ‘right to be forgotten’.
- Right to restriction of processing or to object to processing – You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
- Right to data portability – You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
- Right to complain – You have the right to lodge a complaint with the Data Protection Authority if you are unhappy with our processing of your personal data.
- Right to withdraw your consent – When we process your personal data on the basis of your consent, you are free to withdraw that consent at any time by contacting us using the contact details below. Please note that if you withdraw your consent we may not be able to continue providing you with the service to which the consent related.
In order to exercise any of these rights, please contact us using the contact details set out below.
Changes to this policy
The provisions of this policy may be altered by IPHA from time to time. Any alteration or addition will be posted on our website at www.ipha.ie.
Queries and complaints
IPHA has not appointed a data protection officer, however, if you have any queries or complaints in connection with our processing of your personal data, you can get in touch with us using the following contact details:
- Post: Oliver O’Connor, Chief Executive, IPHA, Wilton Park House, Wilton Place, Dublin 2
- E-Mail: firstname.lastname@example.org
Annex 1 – Key Definitions:
“Data Protection Authority” means the Irish Data Protection Commissioner which is IPHA’s supervisory authority in the European Union.
“data protection law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Ireland and any successor legislation to the GDPR or the Data Protection Acts 1988-2003.
“consent” of the data subject means any freely given, specific, informed an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her – such as a written/electronic statement or an oral statement.
“data controller” means the legal person or company who determines the purposes and means of the processing of personal data, e.g. IPHA.
“data processor” means a person or company who processes personal data on behalf of the data controller, e.g. IPHA’s payroll provider.
“data subject” means an identifiable natural person who is the subject of the personal data, e.g. an employee, an employee of an IPHA member organisation;
“personal data” means any information relating to an identified or identifiable natural person (data subject).
“processing” means any operation which is performed on personal data, where automated or not, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.
“special categories of data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and data concerning health or a person’s sex life or sexual orientation.