Introduction
At Tipperary Tourism we are committed to protecting and respecting your privacy.
This Privacy Statement will let you know how we look after your personal data. It also informs you as to our obligations and your rights under data protection law.
Please note that this Privacy Statement is a general Tipperary Tourism statement about how we approach data protection as an Organisation.
Important Information about Tipperary Tourism and this Privacy Statement
Tipperary County Council’s contact details are as follows:
Data Protection Contact
Data Protection Officer
Telephone
0761 06 5000
Email: dataprotection@tipperarycoco.ie
Post: Data Protection Officer, Tipperary County Council, Civic Offices, Emmet St., Clonmel, County Tipperary.
You have the right to make a complaint at any time to the Irish supervisory authority of data protection issues whose contact details are as follows:
Contact
Data Protection Commission
Telephone
+353 57 8684800/+353 761 104 800
Post
Data Protection Commission
Canal House
Station Road
Portarlington
R32 AP23 Co. Laois
Changes to the Privacy Statement and your duty to inform us of changes
This version of the Privacy Statement was updated on 20.7.2019.
Our Privacy Statement may change from time to time, and any changes to this Privacy Statement will be posted on our website and will be available from our offices.
It is important that the personal data which we hold about you is accurate and up to date. Please keep us informed of any changes to your personal data during the term of your relationship with us.
Third Party Links
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. If you do use one of these third-party links we would recommend that you carefully read the privacy statement on the third-party website.
Data Controller
For the purposes of the EU General Data Protection Regulation (EU Regulation 679/2016) (the “GDPR”), Tipperary Tourism may act as a data processor and/or a data controller with regard to the personal data described in this Privacy Statement and in the sections specific privacy statements listed below.
“Data controllers” are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed, who/which make independent decisions in relation to the personal data and/or who/which otherwise control that personal data.
“Data processors” are the people who or organisations which process personal data on behalf of the data controller.
We have appointed a Data Protection Officer to oversee data protection compliance within Tipperary County Council and to ensure that questions and requests which we might receive from you in relation to data protection matters are dealt with by the appropriate person. If you have any questions about this Privacy Statement or if you wish to make a request to us to exercise your legal rights as set out below, please contact our Data Protection Officer using the contact details set out above.
What personal data do we collect from you?
“Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and/or behavior. Personal data does not include anonymous data.
The details on what specific data is collected from you and processed by us is contained in the section specific privacy statements listed at the end of this document. However, we have set out in this section examples of the personal data we may collect, use, store and transfer which we have grouped together as follows:
- Identity Dataincludes, for example, first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Dataincludes, for example, billing address, delivery address, email address and telephone numbers.
- Financial Dataincludes, for example, bank account and payment card details.
- Transaction Dataincludes, for example, details about payments to and from you and other details of products and services you have purchased from us.
- Technical Dataincludes, for example, internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Dataincludes, for example, your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Dataincludes, for example, information about how you use our website, products and services.
- Marketing and Communications Dataincludes, for example, your preferences in receiving marketing from us and our third parties and your communication preferences.
We also may collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We may collect some special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) and where this happens you will always be informed and a higher standard of protective measures will apply.
How do we collect your personal data?
Again, the ways in which your personal data are collected will be more specifically described in the section specific privacy statements. However, we have listed below examples of how we might collect personal data relating to you:
- Direct interactions.You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email, internet or otherwise.
- Automated technologies or interactions.As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We may collect this personal data using cookies or analytical technologies. Where we do apply such technologies, we will place a cookie or equivalent policy on the relevant web site. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.
- Third parties or publicly available sources.We may receive personal data about you from various third parties and public sources.
- Contact, Financial and Transaction Datafrom providers of technical, payment and delivery services based [inside OR outside] the EU.
- Identity and Contact Datafrom data brokers or aggregators based [inside OR outside] the EU.
- Identity and Contact Data from publicly availably sources such as Companies Registration Office and the Electoral Register based inside the EU.
How will we use the personal data collected?
We will only process your personal data where we have a valid legal basis for doing so. Most commonly, we will use your personal data on the following legal bases:
- Where we need to comply with a legal or regulatory obligation; and
- Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Change of Purpose
We will only use your personal data for the purposes for which we collected it which are contained in this document and were notified to you at the time that we collected the data. We are permitted to use for another purpose where we reasonably consider that the other purpose is compatible with the original purpose.
If we intend to use your personal data for an unrelated purpose, we will first notify you and either seek your consent to such further processing or inform you of the valid legal basis upon which we process your data for this new purpose.
There may be circumstances where we are required to further process your personal data, without informing you of this fact, in compliance with EU or Irish law.
Will we share your personal data with anyone else?
We may share your personal data with third parties in connection with our processing of your personal data. More information on this can be found in the section specific privacy statements listed below at section 13.1.7
We require all third parties to enter into a data processing agreement with us which complies with our obligations under the GDPR. This agreement requires third parties to have appropriate security systems in place and only to use your personal data on our instructions and in accordance with data protection law.
Security of your personal data
We take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. We limit access to your personal data to those employees, agents and other third parties who are required to have access to your personal data and where they have agreed that they are subject to a duty of confidentiality.
We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We have procedures in place to deal with actual and suspected data breaches which include an obligation on us to notify the supervisory authority and/or you, the data subject, where legally required to do so.
Transferring personal data abroad
There may be circumstances in which we will have to transfer your personal data out of the European Economic Area for the purposes of carrying out the services we provide to you. Where the need for such a transfer arises we will always ensure that there are appropriate safeguards in place to protect your personal data such as:
- the European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
- appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Data Protection Officer; or
- the personal data is being transferred to a company in the US which has self-certified its compliance with the EU-US Privacy Shield which has been found by the European Commission to provide an adequate level of protection to the personal data of EU citizens.
How long will we retain your personal data?
We will only retain your personal data for as long as is necessary to fulfill the purposes for which we collected it and for as long as we are legally required to under EU or Irish law.
We subscribe to the National Retention Policy for Local Authority Records.
We also maintain a Data Retention Policy which supplements the National Retention Policy.
Where you ask to be unsubscribed from marketing communications we may keep a record of your email address and the fact that you have unsubscribed to ensure that you are not sent any further emails in the future.
Your data protection rights
Under certain circumstances, by law you have the right to:
- Request information about whether we hold personal information about you, and, if so, what that information is and why we are holding/using it.
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Object to automated decision-making including profiling, that is not to be the subject of any automated decision-making by us using your personal information or profiling of you.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically usable format.
- Withdrawal of consent: Where we rely on consent as our legal basis for processing you have the right to withdraw consent to marketing at any time by contacting us.
Requests to exercise your rights
If you have any questions about this policy or about our data protection compliance please contact us.
Data subjects must make a formal request for personal data we hold about them or otherwise to exercise their data protection rights by contacting us. [We have provided sample letters which can be used to send us any such requests and these are available here. Please note these are sample letters only, you may make requests to exercise your rights in whatever way you please.
No fee required as standard
You will not usually have to pay a fee to access your personal data (or to exercise any of your other rights). However, we are entitled to charge a reasonable fee in circumstances where your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Response time
We will endeavor to respond to your requests within one month. If your request is particularly complex or if you have made numerous requests it may take us longer to respond. If we anticipate that it will take us longer than one month to respond to your request we will notify you of the delay and reasons for such delay.