Purpose and Scope:
The purpose of this procedure is to provide information and processes to help the Society to ensure and demonstrate compliance with the EU General Data Protection Regulation (GDPR) introduced on 25 May 2018
RAINBOW RUSSIAN SCHOOL – RADUGA holds personal contact details and preferences only for the time of services provided. Upon completion of the service, any personal data deleted.
RAINBOW RUSSIAN SCHOOL – RADUGA holds data of corporate clients contact details and preferences including names, postal addresses and email addresses so that we can:
● maintain an accurate list of clients
● have accurate financial accounting of services fees and
● send business related emails.
RAINBOW RUSSIAN SCHOOL – RADUGA commit to the following eight principles of data protection:
1. Obtain and process information fairly.
2. Keep it only for one or more specified, explicit and lawful purposes.
3. Use and disclose it only in ways compatible with these purposes.
4. Keep it safe and secure.
5. Keep it accurate, complete and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it for no longer than is necessary for the purpose or purposes.
8. Give a copy of his/her personal data to that individual, on request.
Arrangements and Procedures:
Our arrangements and procedures follow the 12 step guidance issued by the Data Protection Commission at the introduction of the GDPR.
● All staff members will be made aware of the importance of data protection via this procedure.
● All staff members are required to ‘factor in’ data protection to any tasks or projects they undertake and they should identify areas that could cause compliance problems under the GDPR.
● An inventory of all personal data we hold will be maintained in a ‘Master Database’
● Furthermore within the database, for each ‘data’ grouping (e.g. name, address etc.) the following information will be linked with each grouping: Why we hold this data, How we obtained it, when we obtained it, how long we will retain it, whether it is shared with third parties and if so on what basis it is shared.
● The ‘Master Database’ will be password protected and the Director and Accountant who will have access to the database.
● If other persons need limited access (e.g. modifying the website) either of the above two officers of the company can allow limited access for specific purposes.
● The Master Database’s inventory will enable the company to maintain an accurate list of clients and to maintain accurate financial accounting of services fees.
● The Master Database’s inventory will also enable the company to amend incorrect data, manage access requests and preferences and track third-party disclosures (if in place in the future).
3: Communicating with Service User
The following Privacy Statement is available on our Website. The Privacy Statement is also referenced on our Contracts and Invoices
RAINBOW RUSSIAN SCHOOL – RADUGA – Privacy Statement
RAINBOW RUSSIAN SCHOOL – RADUGA will only collect personal data directly (i.e. where you provide the information to us). We do not collect personal data indirectly (i.e. via an external source).
● Our contact information is:
RAINBOW RUSSIAN SCHOOL – RADUGA,
9 SAINT BRIGIDS CLOSE, KILLESTER, DUBLIN 5, IRELAND
Our email is: firstname.lastname@example.org
● The purpose of our data processing is:
holding personal data on Clients contact details and preferences, including names, postal addresses, and email addresses so that we can maintain an accurate list of clients have accurate financial accounting of services fees to enable us to distribute Invoices and Offers contact potential clients with the offers were they have requested the information
● We do not share your personal data with any other entity and do not forward your personal data to a third country (outside the EU).
● We retain the data for all clients for the period of their business with us
● We retain the data for all lapsed clients for two years after their business has lapsed
● You have entitlements regarding your personal data held by us which include:
subject access, (your personal data held by us) to have inaccuracies corrected, to have information erased, to object to direct marketing, to restrict the processing of your information, including automated decision-making, data portability
4: Personal Privacy Rights
● RAINBOW RUSSIAN SCHOOL – RADUGA understands the importance of personal Privacy Rights and the requirements of the General Data Protection Regulation and will respond to requests and enquiries in a timely manner (i.e. within 30 days as per the GDPR)
● To facilitate this we only hold one ‘Master Database’ which contains clients personal data in which any requests will be completed and actions noted.
● The decision to make changes to the Master Database in response to requests will be made and carried out by the Director
● Changes in personal data on the Master Database will also be used to maintain accurate accounting of services fees. This will be carried out by the Accountant.
● Changes in personal data on the Master Database will in turn result in changes to the personal data held on our Website. This will be carried out by the Director.
5: Access Requests
● On receipt of an Access Request the Director will consider the following:
The rights of the individual under GDPR subject access, (individual personal data held by us) to have inaccuracies corrected, to have information erased, to object to direct marketing, to restrict the processing of your information, including automated decision-making, data portability
● Will consult the Master Database and the accuracy of individual personal data held.
● Will provide additional information to people making requests, such as our data retention periods and the right to have inaccurate data corrected.
● Will amend the Master Database according to the request so that the rights of the individual under GDPR are respected and/or amended as per the request and that this is communicated to the individual
6: ‘Legal Basis’
● Our legal basis for processing personal data is ‘Consent’: the individual has given consent for the RAINBOW RUSSIAN SCHOOL – RADUGA to process their personal data for the purpose of ‘Service management’ and ‘Contact’.
7: Using customer consent as a grounds to process data
● Consent must be ‘freely given, specific, informed and unambiguous’. Essentially, our clients cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.
● Note that consent has to be verifiable, that individuals must be informed in advance of their right to withdraw consent and that individuals generally have stronger rights where you rely on consent to process their data.
● RAINBOW RUSSIAN SCHOOL – RADUGA will keep records of consent so that we are able to demonstrate that consent was given.
8: Processing Children’s Data
● RAINBOW RUSSIAN SCHOOL – RADUGA does not process children’s data.
● I RAINBOW RUSSIAN SCHOOL – RADUGA was to process data from underage subjects, we must ensure that we have adequate systems in place to verify individual ages and gather consent from guardians and will refer to the Data Protection Commission guidance.
9: Data Protection Impact Assessments (DPIA) and Data Protection by design and default
● RAINBOW RUSSIAN SCHOOL – RADUGA will refer to Data Protection Commission guidance if a DPIA situation arises in the future.
● A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders.
10: Reporting data breaches
● The GDPR introduces a duty on all organisations to report certain types of personal data breach to the Data Protection Commission
● If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, individuals must also be informed without undue delay.
● RAINBOW RUSSIAN SCHOOL – RADUGA will keep a record of any personal data breaches, regardless of whether they are required to be notified to the Data Protection Commission
● RAINBOW RUSSIAN SCHOOL – RADUGA will apply the guidance on Data Breaches available from the Data Protection Commission in the event of a data breach
11: Data Protection Officers
● RAINBOW RUSSIAN SCHOOL – RADUGA has not designated a Data Protection Officer (DPO).
● The person in RAINBOW RUSSIAN SCHOOL – RADUGA who is responsible for data protection compliance is SVETLANA USOVICH
12: Cross-border processing and the one stop shop
● RAINBOW RUSSIAN SCHOOL – RADUGA in not engaged in cross-border processing of personal data.
The responsibilities of RAINBOW RUSSIAN SCHOOL – RADUGA staff members are as is indicated in the Arrangements and Procedures Section of this procedure