ACORN ADVISORY SERVICES LIMITED
T/A ACORN AGRICULTURAL RESEARCH
DATA PROTECTION POLICY
Acorn Advisory Services Limited T/A Acorn Agricultural Research (the “Company”) necessarily collects, processes and stores significant volumes of Personal Data from our employees, customers, suppliers, service providers, employees or agents of our customers, suppliers and service providers and other business contacts or members of the public.
In accordance with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, Acorn Advisory Services Limited is a Data Controller and a Data Processor and, as such, acknowledges that it has responsibilities for ensuring the privacy of Data Subjects and the protection of Personal Data processed. The Company takes those responsibilities very seriously and, for that reason, has introduced and will abide by this policy. This policy also applies to any and all subsidiaries of the Company that may exist from time to time.
This policy applies to all Personal Data collected, processed and stored by the Company (and to any and all subsidiaries of the Company that may exist from time to time) in respect of all Data Subjects.
The following definitions shall have effect for the purposes of this policy:
Personal Data means any information relating to an identified or identifiable natural person (a Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject is an individual whose Personal Data is processed.
Processing means any operation or set of operations which is performed on personal data, by manual or automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special Categories of Data means any data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this policy, the Company will normally be the Data Controller.
Data Processor means a person, public authority, agency or other body who processes personal data on behalf of the controller.
The six principles of the GDPR require that personal data is:
Article 5(2) of the GDPR also obliges the Company to “be responsible for, and be able to demonstrate, compliance with the principles”. The Company endeavours at all times to comply with these principles.
3.1 Personal Data must be Processed in a way that is Lawful, Fair and Transparent
Article 6 of the GDPR sets grounds on which personal data processing is lawful.
Much of the personal data processing carried out by the Company is necessary to give effect to contracts with Data Subjects, necessary for compliance with the Company’s legal obligations, or necessary for the legitimate interests pursued by the Company.
In very limited circumstances, the Company may request the consent of the data subject to process their data. In such cases, consent will be sought at the time that the data is collected, and the data subject will be advised that they can withdraw their consent at any stage during processing.
The Company will be fully transparent in relation to how personal data collected is used. The Company will provide the required information to data subjects when the personal data is collected. The Company will ensure that the information is provided in an intelligible form using clear and plain language.
The Company processes personal data only for the purposes for which it is collected. Any further proposed processing of data will be the subject of an impact assessment to ascertain if it poses a risk to the rights and freedoms of the data subject. This assessment may take the form of a data protection impact assessment.
The Company will make every reasonable effort to ensure that any data collected and held is the minimum amount required for the specified purpose. The Company will make every reasonable effort not to collect personal data that is unnecessary. All personal data requests issued by the Company will clearly state the business purpose for the collection of such data.
The Company will ensure that, where possible, all personal data held is kept accurate and up to date. Data subjects have the right to have inaccurate data held by the Company updated or erased, as appropriate.
The Company will make every reasonable effort to ensure that data is not retained for longer than it is required and that it will be properly destroyed/deleted when it is no longer needed.
The Company maintains high standards of technical, organisational, and physical security measures to ensure that personal data held and otherwise processed is as secure as is reasonably practicable at all times. Security systems and measures will be reviewed as and when appropriate and, when necessary, updated. Company employees will, where appropriate, be provided with training in relation to their responsibilities in respect of the protection of personal data.
4. GDPR – Rights of Data Subjects
Subject to the provisions of the Data Protection Act 2018 and any associated regulations, the GDPR enumerates the following rights of Data Subjects:
4.1 Right to be Informed and Right of Access
Data Subjects have the right to be informed by the Company about the collection and use of their Personal Data. In addition, they have the right to access their Personal Data and other supplementary information, as appropriate (subject to restrictions prescribed by law).
The Company will respond to all such Data Subject access requests as required by Article 12 of the GDPR. Further information on making a Data Subject access request can be found on the website of the Data Protection Commission at https://www.dataprotection.ie/en/dpc-guidance/data-subject-access-requests-faq
4.2 Right to Rectification
Data Subjects have the right to have inaccurate Personal Data held by the Company rectified and to have incomplete Personal Data updated so that it is complete.
On receipt of a request from a Data Subject for rectification of their Personal Data, the Company will take reasonable steps to ensure that the data held is accurate and will ensure that data is rectified, where necessary.
4.3 Right to Erasure
Article 17 of the GDPR provides for the right of data subjects in certain circumstances to have their Personal Data erased (‘right to be forgotten’). The right to erasure is not an absolute right and does not apply in circumstances where the Company’s processing of personal data is necessary, for example, for the establishment, exercise or defence of legal claims.
Where a Data Subject is of the opinion that elements of Personal Data held by the Company are incorrect, they may make a request in writing to have such data permanently erased. The Company will review all such requests and, where appropriate, will erase the data in question.
4.4 Right to Restriction of Processing
A Data Subject has the right to obtain a restriction in relation to the processing of their Personal Data where any one of the following applies:
4.5 Right to Data Portability
In cases where the Company has collected Personal Data from a Data Subject by consent or by reason of a contract, that Data Subject can request the Company to provide the Personal Data in electronic format in order to provide it to another Data Controller. The Company will comply with all such legitimate requests.
4.6 Right to Object to Processing
Under Article 21 of the GDPR, Data Subjects have a right to object to the processing of their personal data in specific circumstances. Where such an objection is received, the Company will assess each case on its individual merits.
4.7 Right not to be Subjected to Automated Decision-Making
Data Subjects have the right not to be subjected to a decision based solely on automated processing, including profiling, that has a legal or similarly significant effect on them. The Company will make every reasonable effort to ensure that no decision made in respect of a Data Subject is based on automated processing alone.
4.8 Complaints
Data Subjects who are concerned that their rights under the GDPR or the 2018 Act are not being respected by the Company can contact the Company’s Data Privacy Manager (DPM). The DPM will engage with the Data Subject in order to bring their complaint to a satisfactory conclusion. The DPM can be contacted at info@aar.ie.
Where a complaint to the DPM cannot be resolved, the Data Subject will be informed in writing and will be further informed of their right to bring their complaint to the Data Protection Commission.
5. Responsibilities of the Company
The Company is responsible for the following:
5.1 Implementing and maintaining appropriate technical and organisational measures for the protection of Personal Data
The Company has implemented appropriate technical and organisational measures to ensure that all Personal Data held under its control is secure and is not at risk from unauthorised access, either internal or external. Measures for the protection of Personal Data are reviewed and improved, where appropriate, from time to time.
5.2 Maintaining a record of Data Processing activities
The Company maintains a written record of all categories of processing activities for which it is responsible in accordance with GDPR Article 30.
5.3 Data Processing Agreements with Personal Data recipients
On an ongoing basis, the Company puts in place appropriate contracts with third-party data processors where Personal Data is shared. This includes security and other sub-contractors. The agreements specify the purpose of sharing the data, the requirements for security of the data, and the requirements for termination of the agreement and the return/deletion of the data shared.
5.4 Data Protection by Design and Default
In accordance with Article 25 of the GDPR, the Company implements technical and organisational measures to give effect to the principles of the protection of Personal Data and to ensure that, by default, only the Personal Data necessary for each specific purpose of the processing is processed.
Such measures include the implementation of security measures to secure the data.
5.5 Data Protection Impact Assessment (DPIA)
Where the Company considers that proposed processing (in particular, processing that involves new technology), poses a high risk to the rights and freedoms of Data Subjects, the Company will carry out a DPIA.
The Company’s DPM will be consulted in relation to each DPIA completed. Where technical and/or organisational measures proposed will not mitigate any high risks previously identified, the Data Protection Commission will be consulted as appropriate.
5.6 Transfer of Personal Data Outside of the European Union
The Company will ensure that appropriate safeguards are in place prior to transferring any Personal Data outside of the European Union.
5.7 Personal Data Breaches
The GDPR defines a Personal Data breach as meaning “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Company employees are required to notify the Company’s DPM where they identify or suspect that a data breach has occurred. In accordance with the GDPR, the DPM will notify the Data Protection Commission without undue delay where a breach is likely to result in a risk to the rights and freedoms of the Data Subject(s) involved.
The DPM will also assess if the breach is likely to result in a high risk to the data subject(s) involved. Where a high risk is identified, the DPM will arrange for the data subjects to be notified.
Where the Company is acting as a Data Processor, it will give the Data Controller prompt notice of a Personal Data breach or a potential data breach once it becomes aware of it, and will cooperate with the Data Controller in implementing any appropriate action concerning the breach or potential breach, as the case may be, including corrective actions.
5.8 Data Protection Governance
Compliance with the GDPR is a key requirement for the Company. The Company will at all times endeavour to oversee, monitor and ensure compliance with data protection legislation.
6. Data Protection Contacts
Data Privacy Manager
Joseph Kirk
Acorn Advisory Services Limited
Propogue House
Chickleys Road
Youghal
Co Cork
Phone: +353 24 85561
Email: info@aar.ie
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland