Irish Penal Reform Trust

Data Protection & Privacy

IPRT PRIVACY STATEMENT

When you share your personal data[1] with the Irish Penal Reform Trust (IPRT) we are committed to protecting and respecting your privacy.  This Privacy Statement tells you about your privacy rights and sets out how we, as a Data Controller, collect, use, process and disclose your personal data, particularly in respect of your interactions with our website www.iprt.ie (the Site).

This statement contains the following sections. Please read each carefully to understand our use of your personal data. We hope it will answer any questions you might have. If you have any other questions, please contact us at gdpr@iprt.ie.

  1. How we collect information about you
  2. Special categories of personal data
  3. Consent
  4. How we use the personal data we collect
  5. How we keep your information safe
  6. Who do we share your information with?
  7. Links to other sites
  8. Your rights
  9. Exercising your rights
  10. What happens if there is a data breach?
  11. How to contact us
  12. Changes to this Privacy Statement

 

1. How we collect information about you

We collect personal data about you when you decide to provide us with such information – for example when you email us, use our online forms, request advice or information, sign up to our events or request our newsletters. In addition to the personal information you provide to us, we also collect certain information when you visit our website, engage with our social media and discussion fora and when we take photos at our events.

We may collect and process the following types of personal data about you:

  • Identity Data: including name or similar identifier
  • Contact Data: including address, email address and telephone numbers
  • Financial Data: including bank account and payment card details. (This is only where you are making a donation or paying for membership.)
  • Transaction Data: including details about donations or membership payments.
  • Usage Data: including information about how you use our site.
  • Communications Data: including your preferences as to when and how you are happy to receive communications from us

 

Technical data and cookies

Technical details in connection with visits to the Site are logged by our site hosting company (Linode), an international organisation, with the IPRT server based in the EU. IPRT will make no attempt to identify individual visitors, nor to associate the technical details with any individual. IPRT will never disclose such technical information in respect of individual website visitors to any third party (apart from our site hosting company, which records such data on our behalf and which is bound by confidentiality provisions in this regard), unless obliged to disclose such information by a rule of law.

The Site uses cookies. A cookie is a small text file that may be stored on your computer or mobile device that contains data related to a website you visit. It may allow a website to “remember” your actions or preferences over a period of time, or it may contain data related to the function or delivery of the website. Further information on cookies can be found here.

Visitors can continue to use the Site if certain cookies are disabled, but there may be some loss of functionality. However, some “Necessary” cookies are loaded when the content of the website is loaded. We cannot deliver the Site to you without setting these cookies.

You may refuse the use of certain cookies at any time by selecting “Change cookie preferences” in the footer of any page on the Site. However, please note that if you make a change to your cookie permissions, you may not be able to use the full functionality of the Site.

The following table includes a list of cookies that can be used on the IPRT website.

Cookie Type: Necessary

Necessary cookies help make a website usable by enabling basic functions. The website cannot function properly without these cookies.

  • Name: Stripe
    Description: This cookie is necessary for making card transactions on the website. The service is provided by Stripe.com, which allows online transactions without storing any credit card information.
    https://stripe.com/ie/privacy-center/legal#cookies-other-technology

Cookie Type: Performance

Performance cookies record your visit to our website, the pages you have visited and other details about your use of the IPRT website. Any information collected by these cookies is anonymous. We only use such information to improve our website functionality.

  • Name: Google Analytics
    Description: Google Analytics cookies collect data on the number of times a user has visited the website. A unique ID is used to generate statistical data on how the visitor uses the website. This includes information on the visitor’s device.
    https://policies.google.com/privacy?hl=en-US

Cookie Type: External Media

  • Name: Twitter
    Description: This cookie is set by Twitter. The cookie allows the visitor to share content from the IPRT website on their Twitter profile and to view content from the IPRT Twitter feed while on the IPRT website.
    https://help.twitter.com/en/rules-and-policies/twitter-cookies
  • Name: Tableau
    Description: This cookie is set by Tableau to deliver their service. It serves to remember your preferences and improves user experience.
    https://www.tableau.com/legal/cookies

 

2. Special Categories of Personal Data

As a general rule we do not collect details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. Nor do we generally collect any information about criminal convictions and offences.

However, there are some exceptions to this general rule:

  • The first exception to this is where you are registering for free membership as a person with experience of imprisonment or as the family member of such a person. If you provide this information about a conviction to us, in order to (1) avoid charging you for membership at the time of registering and annually after that and (2) quantify in the aggregate the number of our members with lived experience of imprisonment, we will ask for your consent to record this piece of information. If you provide consent we will record the fact of consent on our CRM system and the relevant information. If you do not consent we will not record this. We will ensure there are appropriate safeguards in place to protect this information.
  • The second exception to this is where you contact us and in doing so disclose that you are a person with current or former experience of imprisonment and/or you disclose information about your health. This may be in the context of seeking advice or information or in response to a consultation process. In these circumstances, it will sometimes be necessary to initially record this information in order to (1) manage our relationship with you, including sending the requested advice or information to your current place of residence, which may be a prison, (2) provide appropriate advice or information or (3) engage in consultation.
    In these circumstances we will ask for your consent to record this piece of information in the letter in which we provide the initial advice or information. If you provide consent we will record the fact of consent and the relevant information. The purpose of recording will only be for the purpose of providing advice and only where this is relevant to your query. If you do not consent we will not record this. We will ensure there are appropriate safeguards in place to protect this information.
  • The third exception is when we take photographs at our events. These photographs are used in our publications, on social media, on our website, in our reports to our funders and for archive purposes. We will request your consent to be photographed during event registration. If you do not consent to having your photograph taken and processed in this way, we will have a ‘sticker system’ in place to ensure that your photograph is not taken at the event. We will also have written notices in place at the venue advising attendees that photos are being taken, the purpose of taking the photo and the use to which the image will be put, and how to decline.

 

3. Consent

Usually we will ask for your express consent to use your personal information. For example, when you sign up to become a member, we will ask for your consent to make you aware of other related things which may be of interest to you, for example making a donation to IPRT or attending one of our events. Before you give your consent, we tell you what information we collect and what we use it for. You can withdraw your consent at any time by contacting us.

 

4. How we use the personal data we collect

We will never release your personal details to any organisation outside IPRT for mailing or marketing purposes. We only use your personal data for the following purposes:

  • Providing and personalising our services
  • Dealing with your enquiries or requests
  • Administering orders, donations and membership
  • Providing you with information about our activities

 

Purpose(s) for Processing: To register for membership and provide you with related services and communications

Legal Basis/Bases for Processing:

  • You have provided your consent to receipt of these communications – which you can withdraw at any time
  • The processing is necessary to enter and perform our contract with you
  • To manage our relationship with you, including processing your membership and providing the membership benefits to you including receiving our newsletter and invitations to events

Retention Period: We will contact you about your membership for the duration of membership; 1 year from renewal date (as still ‘current’ member); 1 further year, as a ‘former’ member. Membership data is required for audit/accounts purposes so will be kept indefinitely.

Purpose(s) for Processing: To register for an event or to be part of a campaign and provide you with related services and communications

Legal Basis/Bases for Processing:

  • You have provided your consent to receipt of these communications – which you can withdraw at any time
  • You may also be invited to consent to be contacted about future events, membership and donation opportunities

Retention Period: 2 years or longer depending on event funders’ requirements. In the case of AGM attendance, indefinitely.

Purpose(s) for Processing: To process a donation and provide you with related communications

Legal Basis/Bases for Processing:

  • You have provided your consent to receipt of these communications – which you can withdraw at any time
  • The processing is also necessary to comply with our legal and regulatory obligations, including tax and accounting rules.
  • For the prevention and detection of fraud, money laundering or other crimes
  • To manage our relationship with you, including processing your donation and providing connected donor benefits to you which include receiving our newsletter and invitations to events

Retention Period: We will contact you about your donation 1 year from most recent donation (as ‘current’ donor); 1 further year from the date of most recent donation (as a ‘former’ donor). Donor data is required for audit/accounts purposes so will be kept indefinitely.

Purpose(s) for Processing: To receive and respond to requests for information and advice and provide you with related services and communications

Legal Basis/Bases for Processing:

  • You have provided your explicit consent to the processing of your information for the purposes of us providing a response to your query.
  • The processing is necessary to the extent that you requested information and advice

Retention Period: Anonymised data (themes of enquiries) in perpetuity for research/archive purposes; personal data (letters, emails etc.) will be deleted on 1st March annually.

Purpose(s) for Processing: Sending newsletters or other information updates

Legal Basis/Bases for Processing:

  • You have provided your consent to receipt of these communications – which you can withdraw at any time

Retention Period: For duration of consent

 

5. How we keep your information safe


We are committed to protecting the security of your personal data. We use a variety of technical and physical security technologies and procedures to help protect your personal data from unauthorised access.

To ensure the security of your credit card information when you use it to log a donation or membership on our Site, we use Secure Sockets Layer (SSL) technology. You will see the padlock in your browser’s security display indicating that the transfer of all data between your browser and our Site has been encrypted. When you supply us with your card information in the context of an online transaction, this information is not retained on this Site. Rather, it is securely transferred to Stripe, a secure online payments provider.

As effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our database, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. We have implemented strict internal guidelines to ensure that your privacy is safeguarded at every level of our organisation. We will continue to revise policies and implement additional security features as new technologies become available.

Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Site. Any transmission of personal data is at your own risk. Once we receive your personal data, we use appropriate security measures to seek to prevent unauthorised access or disclosure.

 

6. Who do we share your information with?

In some very limited circumstances we will share your information with third parties in order to improve our service to you, for example:

  • with our website hosting company LINODE which processes data entered on our web forms on our behalf;
  • with Stripe which processes data relating to any financial transaction on our website (i.e. a membership or donation) on our behalf;
  • with Salesforce, a consumer relationship management system which processes data relating to your interactions with IPRT;
  • with Mailchimp which processes bulk emails on our behalf;
  • with Zoom for the purposes of virtual meetings;
  • if we are under a duty to disclose in order to comply with any applicable law, legal obligation, regulation or lawful request (e.g. our accounting and auditing services)
  • Non-personal “technical” data may occasionally be used to compile statistics that may be shared with our funders to demonstrate our effectiveness or reach – e.g. the aggregate number of visitors to the site, etc.

We have taken steps to ensure that these third parties have the same levels of data protection that we have. See for example:

 

7. Links to other sites

Our Site may, from time to time, contain links to and from other websites. Also, some parts of the Site are powered by widgets designed by third parties e.g. YouTube. If you follow a link to any of those websites or widgets, please note that they will have their own privacy policies and we do not accept any responsibility or liability for those policies. Please check those policies before you submit any personal data to those websites or widgets.

 

8. Your rights

You have the right to request access to, rectification of, or erasure of your personal data, to request restriction of processing or to object to processing of your personal data, as well as the right to data portability. We will not charge for this service.

The following is a summary of your rights:

 

Your right

What it means

The right of access

You can ask us for a copy of the personal information we hold. You can ask us how we collect, share and use your personal information.

The right to rectification

You can request that we correct any inaccurate or incomplete personal data we hold about you.

The right to erasure

(the right to be forgotten)

You can ask us to delete your personal data in certain circumstances, including where:

  • It is no longer necessary for us to process your personal data;
  • You consider the personal data is being unlawfully processed;
  • You withdraw your consent (where the processing is based on consent);
  • You object to the processing and there are no overriding legitimate grounds justifying the processing; or
  • The personal data have to be erased to comply with a legal obligation.

We may refuse your request if the processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.

The right to restrict processing

You can ask us to halt the processing of your personal data in certain circumstances, including where:

  • You contest the accuracy of your personal data;
  • You consider the processing is unlawful, but you do not want your personal data erased;
  • We no longer need the personal data but you require it for the establishment, exercise or defence of legal claims; or
  • You have objected to the processing, and verification as to our overriding legitimate interests is pending.

 

We may continue to process your personal data:

  • Where we have your consent to do so;
  • For the establishment, exercise or defence of legal claims;
  • The processing is necessary to protect the rights of other individuals or legal persons; or
  • For important public interest reasons.

The right to object

You can object to us processing your personal data on the basis of our legitimate interests (or those of a third party).  We will stop such processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests or the processing is necessary for the establishment, exercise or defence of legal claims.

The right to data portability (moving your information)

You can request us to transmit personal data that you have provided to us, to a third party without hindrance, or to give you a copy of it so that you can transmit it to a third party, where technically feasible. The right only applies where:

  • The processing is carried out by automated means; and
  • The processing is based on your consent or for the performance of a contract with you.

The right to complain

You can lodge a complaint with IPRT and/or with the Data Protection Commissioner if you consider that the processing of your personal data infringes the GDPR or other data protection legislation.

 

9. Exercising Your Rights

Our Executive Director oversees how we collect, use, share and protect personal data to ensure your rights are fulfilled. If you wish to exercise any of the rights listed in the table above, please contact her. You may contact her in person, by telephone, in writing or by email at gdpr@iprt.ie. Any complaint will be fully investigated.

 

  • We will respond to your request within one month.
  • That period may be extended by two further months where necessary, taking into account the complexity and number of requests.
  • We will inform you of any such extension within one month of receipt of your request.
  • We may request proof of identification to verify your request. This is to help protect your information.
  • We have the right to refuse your request for the reasons set out above, or if it is manifestly unfounded or excessive, or to the extent necessary for important objectives of public interest.

 

10. What happens if there is a Data Breach?

All staff of the organisation receive training on data protection. In the unlikely event that any data breach occurs (which we define as any loss of control over the personal data which has been entrusted to us, including any inappropriate access to personal data on our systems or sending personal data to the wrong receiver), IPRT will apply the Personal Data Security Breach Code of Practice issued by the Data Protection Commissioner, which can be viewed in full at www.dataprotection.ie

 

In brief: 

  • Staff must immediately report any data breach to the Executive Director.
  • The Executive Director is responsible for dealing with the incident.
  • She will inform those affected by the breach as soon as reasonably possible.
  • She will inform those that may be in a position to assist in protecting the personal data, including An Garda Síochána, as soon as reasonably possible.
  • She will report the incident to the Data Protection Commissioner as soon as reasonably possible and in any event within 2 working days.
  • She will consider and if possible take any steps necessary to limit damage or distress to those affected.
  • She must keep a summary record of the incident.
  • S/he will ensure that measures are taken to prevent repetition of the incident.

 

11. Changes to this Privacy Statement

We reserve the right to change this Privacy Statement from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Statement.  However, if we make material changes to this Privacy Statement, we will notify you by means of a prominent notice on the Site prior to the change becoming effective.  Please review this Privacy Statement periodically for updates.

 

12. Contact Us

Questions, comments, requests and complaints regarding this Privacy Statement and the personal data we hold are welcome and should be addressed to the Executive Director at gdpr@iprt.ie or sent in writing to:

 

Executive Director
GDPR Query
MACRO
1 Green Street
Dublin 7
Ireland
 


[Last Updated: May 2018, changes to providers May 2019; update of third-party processors September 2020; update to retention periods December 2020; update to retention period wording February 2021; update to technical data and cookies November 2021]

 


[1] "Personal data" means any information about an individual from which that person can be identified. 
