Notice of Data Subject Rights

Right of Access

The data subject has the rights to obtain from Scoil Mhuire agus Íde (Controller) confirmation as to whether or not personal data concerning him or her is being processed and where such personal data is being processed, he / she will have the right to access their personal data and ascertain the purpose of any processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular any recipients in third countries or international organisations, the period for which the personal data will be retained or stored or if not possible the criterial used to determine that period, the right to request from the controller rectification or erasure of their personal data or restriction of processing of personal data concerning the data subject or their right to object to such processing, the right to lodge a complaint to the supervisory authority (Data Protection Commissioner), in the event that the personal data was not collected from the data subject any available information as to their source and the existence of any automated decision-making profiling and at least in such events meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject. In the event of personal data being transferred to a third country or to an international organisation the data subject has the right to be informed of the appropriate safeguards relating to the transfer. The data subject also has the right to obtain a copy of the personal data undergoing processing from the controller.

Right to Rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase their personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent to the processing of his or her personal data for one or more specific purposes, or where the European Union or Member State law prohibit the consenting by data subjects to the processing of special categories of personal data and where there is no other legal ground for the processing;

(c) the data subject objects to the processing on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on the grounds that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (except where processing is carried out by public authorities in the performance of their tasks) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of their personal data for direct marketing purposes including profiling for direct marketing purposes .

(d) the personal data has been unlawfully processed;

(e) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data has been collected in relation to the offer of information society services from a child under the age of 16 years of age and the consent for the processing of that child’s personal information has not been given or authorised by the holder of parental responsibility over the child .

The above requirements in relation to the right to erasure shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) when processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is for reasons of public interest in the area of public health or where such data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subjected to the appropriate safeguards being put in place in accordance with this regulation, protecting the rights and freedoms of the data subject by the putting in place technical and organisational measures to ensure respect for the principle of data minimisation, which may include pseudonymisation; provided such purposes can be fulfilled in that manner or where further purposes for processing of such data does not permit or no longer permits the identification of data subjects, then those purposes shall be fulfilled in that manner so as to render impossible or seriously impair the achievements of the objectives of that processing or (e) for the establishment, exercise or defence of legal claims.

Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is based on the fact that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, with the exception of processing carried out by public authorities in the performance of their tasks; pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under the above conditions, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to the above-mentioned conditions shall be informed by the controller before the restriction of processing is lifted. Right to notification obligation regarding rectification or erasure of personal data or restriction of processing. The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with their right to rectification, erasure, and restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes or the data subject has given explicit consent to the processing of personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation may not be lifted by the data subject; if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to above may not be lifted by the data subject or on a contract where the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract ; and

(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right to data portability shall be without prejudice to the data subject’s right to erasure Article 17. which shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. provided that the right of data portability of a data subject shall not adversely affect the rights and freedoms of others.

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child or (processing carried out by public authorities in the performance of their tasks) including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. This right to object should be brought to the notice of the data subject at the very first communication and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to withdraw consent

Where the processing is based on the data subject having given consent to the processing of his or her personal data for one or more specific purposes except where Union or Member State law provide that the prohibition the right to withdraw his or her consent may not be lifted by the data subject; or where consent to processing of his or her personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation the data subject has the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

Time frame to respond to requests

If you exercise any of your rights under the General Data Protection Regulations such as access to and rectification or erasure of personal data or the exercise of the right to object, Scoil Mhuire agus Íde (the Controller) is obliged to respond to requests without undue delay and at the latest within one month and if Scoil Mhuire agus Íde failed to comply with your requests, Scoil Mhuire agus Íde must give you reasons why.

Mechanisms for the right to request from the controller, access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability are available through Scoil Mhuire agus Íde.

How a Data Subjects may verify the accuracy or request to amend their personal data?

A data subject may verify that their personal data submitted to Scoil Mhuire agus Íde is accurate by double checking their data that they entered before submitting the details to Scoil Mhuire agus Íde In the event of any inaccuracy being discovered in any e-mails or other communications the data subject may send an e-mail to Scoil Mhuire agus Íde at smi@smincw.ie informing us of the inaccuracy and the relevant corrections required. Scoil Mhuire agus Íde will rectify any inaccurate data highlighted.

How to exercise your data subject rights?

Similarly, if a data subject wishes to request their personal data to be deleted, or wishes to request the portability of their personal data or to access their personal data, withdraw their consent to the processing of same, the data subject may e-mail Scoil Mhuire agus Íde at smi@smincw.ie and request it. However, the data subject should note that the personal data that is processed under ‘legal obligation’ cannot be deleted until the required period of retention has expired, which is seven (7) years after the student reaches the age of 18 years of age. Regarding the consent withdraw, if the data subject consented to more than one form of processing, the data subject should clarify if the withdrawal is in respect of all processing of their personal data or in respect of one or more purposes of processing their personal data.

The controller is obliged to respond to a data subject request without undue delay and in any event within one month and where the controller does not comply with the request the controller is required to give reasons for such non-compliance.

Right of Data Subject to lodge a complaint with the Supervisory Authority

The data subject has the right to lodge a complaint with the supervisory if he or she feel that any of their rights under the General Data Protection Regulations have been infringed and the data subject also has a right to seek judicial remedy to any such infringement.

The Data Commissioner in Ireland may be contacted by

Telephone
+353 57 8684800 +353 (0)761 104 800
Fax
+353 57 868 4757
E-mail
info@dataprotection.ie
Postal Address  
Data Protection Commission Canal House Station Road Portarlington R32 AP23 Co. Laois. Dublin Office 21 Fitzwilliam Square Dublin 2 D02 RD28 Ireland.

Security of Personal Data

Scoil Mhuire agus Íde endeavour to hold all personal data securely in accordance with our
internal security procedures and applicable laws. Scoil Mhuire agus Íde will encrypt all
personal data received through VSware, and PPOD Applications as well as through
ProtectorApp Encryption Program as applicable to ensure the protection of your personal
data and to prevent any unauthorised access to your personal data or the unauthorised use
of your personal data.

Unfortunately, no data transmission over the Internet or any other network can be guaranteed as 100% secure. As a result, while we strive to protect your personal data, we cannot ensure and do not warrant the security of any information you transmit to us, and this information is transmitted at your own risk.

Risks & Safeguard
The greatest risk to personal data is that of unlawful access. Scoil Mhuire agus Íde has addressed and mitigated such potential risk by regulation of access, provision of access controls, encryption of personal data through VSware, PPOD, E-mail attachment encryption application and ProtectorApp Encryption Program as applicable.

The greatest risk to personal data is that of unlawful access. Scoil Mhuire agus Íde has addressed and mitigated such potential risk by regulation of access, provision of access controls to safeguard and encryption personal data it processes through VSware, PPOD, E-mail attachment encryption application and ProtectorApp Encryption Program as applicable

Rules in relation to the processing of personal data
The rules of processing of personal data that is processed by Scoil Mhuire agus Íde is that all personal data will be stored in encrypted format through VSware, PPOD, E-mail attachment encryption application and ProtectorApp Encryption Program as applicable.

Contact Details of Scoil Mhuire agus Íde

Scoil Mhuire agus Íde
Bóthar Buí,
Rathnaneane,
Newcastlewest,
Co. Limerick.
(069) 62443
Email address: smi@smincw.ie

If you wish to request any information about your personal data or believe that we are holding incorrect personal data on you, please contact smi@smincw.ie .

Provision of the contents of Privacy Notice Orally

If a data subject wishes to receive the information contained in this privacy notice orally, this will be provided by sending an e-mail to smi@smincw.ie requesting same and providing a contact phone number and a suitable time for the delivery of the information contained within this document to the intended recipient. Arrangements will be made for a member of Scoil Mhuire agus Íde to phone the intended recipient and provide all the contents of Scoil Mhuire agus Íde Privacy Notice to him or her and we will also ascertain if the recipient understands the information that has been provided orally to him or her.

Browsing Scoil Mhuire agus Íde Website

Every time you connect to our website, Google Analytics stores a log of your visit which informs us what has been looked at, whether the page request was successful or not. The purpose of collecting and recording this data is to use it for statistical purposes as well as to help customise the user experience as you browse the website and interact with Scoil Mhuire agus Íde. This helps us to understand which areas of the website are of particular interest, which pages are not being requested, and how many people are visiting the website in total. It also helps us to determine which areas may be of specific interest to visitors. No personal data is recorded for Scoil Mhuire agus Íde during this processing of information.

Automated Decision Making (Profiling)

Scoil Mhuire agus Íde does not use any automated decision-making tools or processes in its processing of any personal data.

Under the GDPR you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affecting you, however, this shall not apply if a decision is necessary for entering into or performance of a contract between you and the data controller, or is authorised by European Union or Member State law or where you have given explicit consent for such processing.

If your personal data was subjected to automated decision-making, including profiling you are entitled to be notified of the existence of such processing and information about the logic involved as well as any significance and the envisaged consequences of such processing for you.

Account management

Scoil Mhuire agus Íde may use your contact details
i. providing account management,
ii. maintaining our school’s accounts and records.

Market research and surveys

Scoil Mhuire agus Íde does not engage in market research or surveys

Email communications

Scoil Mhuire agus Íde adhere to the following guidelines in relation to our email communications:

  • emails will clearly identify us as the sender,
  • any third parties who send emails on our behalf will be required to comply with legislative requirements on unsolicited emails and the use of personal data.
  • We send emails from email addresses: smi@smincw.ie

If you receive an email which claims to come from us but does not, use this domain, or if you are suspicious that an email may not be approved by us, then please send a copy of the email to smi@smincw.ie so we can investigate.

Links

This Privacy Notice applies to personal data collected by Scoil Mhuire agus Íde. If an email or website contains links to a third-party site, please be aware that we are not responsible for the content or privacy practices of such site. We encourage our users to be aware when they leave our Site, and to read the Privacy Notice of other sites that collect personal data.

Notification of changes

We reserve the right to amend or vary this Privacy Notice at any time and the revised notice will apply from the date posted on the site. Scoil Mhuire agus Íde will provide a link to our Privacy Notice on all electronic correspondences in order to keep you abreast of the contents of this Notice.

Reviews of Scoil Mhuire agus Íde compliance with the General Data Protection Regulations and Data Protection Acts will be conducted yearly.