024 85561 / + 353 24 85561 Propogue House, Chickleys Road, Youghal, Co.Cork.

Privacy Policy

Acorn Advisory Services Limited





  1. Introduction and Scope

Acorn Advisory Services Limited T/A Acorn Agricultural Research (the “Company”) necessarily collects, processes and stores significant volumes of Personal Data from our employees, customers, suppliers, service providers, employees or agents of our customers, suppliers and service providers and other business contacts or members of the public.

In accordance with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, Acorn Advisory Services Limited is a Data Controller and a Data Processor and, as such, acknowledges that it has responsibilities for ensuring the privacy of Data Subjects and the protection of Personal Data processed.  The Company takes those responsibilities very seriously and, for that reason, has introduced and will abide by this policy.  This policy also applies to any and all subsidiaries of the Company that may exist from time to time.

This policy applies to all Personal Data collected, processed and stored by the Company (and to any and all subsidiaries of the Company that may exist from time to time) in respect of all Data Subjects.

  • Definitions

The following definitions shall have effect for the purposes of this policy:

Personal Data means any information relating to an identified or identifiable natural person (a Data Subject).  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subject is an individual whose Personal Data is processed.

Processing means any operation or set of operations which is performed on personal data, by manual or automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Data means any data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.  For the purposes of this policy, the Company will normally be the Data Controller.

Data Processor means a person, public authority, agency or other body who processes personal data on behalf of the controller.

  • Data Protection Principles

The six principles of the GDPR require that personal data is:

  • processed in a way that is lawful, fair and transparent;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and is limited to what is necessary;
  • accurate and kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security of the data.

Article 5(2) of the GDPR also obliges the Company to “be responsible for, and be able to demonstrate, compliance with the principles”.  The Company endeavours at all times to comply with these principles.

3.1     Personal Data must be Processed in a way that is Lawful, Fair and Transparent

Article 6 of the GDPR sets grounds on which personal data processing is lawful.

Much of the personal data processing by the Company is carried out because it is necessary to effect to contracts with Data Subjects, because it is necessary for the compliance with the Company’s legal obligations or because it is necessary for the performance of the legitimate interests being pursued by the Company.

In very limited circumstances, the Company may request the consent of the data subject to process their data. In such cases, consent will be sought at the time that the data is collected, and the data subject will be advised that they can withdraw their consent at any stage during processing.

The Company will be fully transparent in relation to how personal data collected is used. The Company will provide the required information to data subjects when the personal data is collected. The Company will ensure that the information is provided in an intelligible form using clear and plain language.

  •      Personal Data can only be Collected for Specific, Explicit and Legitimate Purposes

The Company processes personal data only for the purposes for which it is collected.  Any further proposed processing of data will be the subject of an impact assessment to ascertain if it poses a risk to the rights and freedoms of the data subject. This assessment may take the form of a data protection impact assessment.

  • Personal Data must be Adequate, Relevant and Limited to what is Necessary for Processing (Data Minimisation)

The Company will make every reasonable effort to ensure that any data collected and held is the minimum amount required for the specified purpose. The Company will make every reasonable effort to not collect personal data that is unnecessary. All personal data requests issued by the Company will clearly state the business purpose for the collection of such data.

  • Personal Data must be Accurate and Kept Up to Date

The Company will ensure that, where possible, all personal data held is kept accurate and up to date. Data subjects have the right to have inaccurate data held by the Company updated or erased, as appropriate.

  • Personal Data is Only Held for as Long as is Necessary

The Company will make every reasonable effort to ensure that data is not retained for longer than it is required and that it will be properly destroyed/deleted when it is no longer needed.

  • Personal Data is Processed in a Manner that Ensures Appropriate Security of the Data

The Company maintains high standards of technical, organisational, and physical security measures to ensure that personal data held and otherwise processed is as secure as is reasonably practicable at all times. Security systems and measures will be reviewed as and when appropriate and, when necessary, updated.  Company employees will, where appropriate, be provided with training in relation to their responsibilities in respect of the protection of personal data. 

4.       GDPR – Rights of Data Subjects

Subject to the provisions of the Data Protection Act, 2018, and any associated regulations, the GDPR enumerates the following rights of Data Subjects:

  • a right to be informed/right of access;
  • a right to rectification;
  • a right to erasure;
  • a right to restrict processing;
  • a right to data portability;
  • a right to object to processing; and
  • rights in relation to automated decision making and profiling.

4.1     Right to be Informed and Right of Access

Data Subjects have the right to be informed by the Company about the collection and use of their Personal Data. In addition, they have the right to access their Personal Data and other supplementary information, as appropriate (subject to restrictions prescribed by law).

The Company will respond to all such Data Subject access requests as required Article 12 of the GDPR.  Further information on making a Data Subject access requests can be found on the website of the Data Protection Commission at https://www.dataprotection.ie/en/dpc-guidance/data-subject-access-requests-faq

4.2      Right to Rectification

Data Subjects have the right to have inaccurate Personal Data held by the Company rectified and to have incomplete Personal Data updated so that it is complete.

On receipt of a request from a Data Subject for rectification of their Personal Data, the Company will take reasonable steps to ensure that the data held is accurate and will ensure that data is rectified, where necessary.

4.3      Right to Erasure

Article 17 of the GDPR provides for the right of data subjects in certain circumstances to have their Personal Data erased (‘right to be forgotten’).  The right to erasure is not an absolute right and does not apply in circumstances where the Company’s processing of personal data is necessary, for example, for the establishment, exercise or defence of legal claims.

Where a Data Subject is of the opinion that elements of Personal Data held by the Company are incorrect, they may make a request in writing to have such data permanently erased.  The Company will review all such requests and, where appropriate, will erase the data in question.

4.4      Right to Restriction of Processing

A Data Subject has the right to obtain a restriction in relation to the processing of their Personal Data where any one of the following applies:

  • the Data Subject contests the accuracy of their data. The restriction will apply for a period enabling the Company to verify the accuracy of the personal data;
  • the processing is unlawful and the Data Subject does not wish to have the data erased, but rather wishes to restrict its’ use;
  • the Company no longer requires the data in question, but the Data Subject seeks its’ retention in order to establish, exercise or defend a legal claim; or
  • the Data Subject has objected to the processing of their Personal Data by the Company. The restriction will apply pending verification of whether the Company’s legitimate grounds for processing overrides the Data Subject’s concerns.

4.5    Right to Data Portability

In cases where the Company has collected Personal Data from a Data Subject by consent or by reason of a contract, that Data Subject can request the Company to provide the Personal Data in electronic format in order to provide it to another Data Controller.  The Company will comply with all such legitimate requests.

4.6      Right to Object to Processing

Under Article 21 of the GDPR, Data Subjects have a right to object to the processing of their personal data in specific circumstances. Where such an objection is received, the Company will assess each case on its’ individual merits.

4.7      Right not to be Subjected to Automated Decision-Making

Data Subjects have the right not to be subjected to a decision based solely on automatic processing, including profiling, that have a legal or similarly significant effect on them.  The Company will make every reasonable effort to ensure that no decision made in respect of a Data Subject is based on automatic processing alone.

4.8      Complaints

Data Subjects who may be concerned that their rights under the GDPR or the 2018 Act are not being respected by the Company can contact the Company’s Data Privacy Manager (DPM). The DPM will engage with the Data Subject in order to bring their complaint to a satisfactory conclusion.  The DPM can be contacted at info@aar.ie

Where a complaint to the DPM cannot be resolved, the Data Subject will be informed in writing and will be further informed of their right to bring their complaint to the Data Protection Commission.

5.0      Responsibilities of the Company

The Company is responsible for the following:

5.1    Implementing and maintaining appropriate technical and organisational measures for the protection of Personal Data

The Company has implemented appropriate technical and organisational measures to ensure that all Personal Data held under its control is secure and is not at risk from unauthorised access, either internal or external. Measures for the protection of Personal Data are reviewed and improved, where appropriate, from time to time.

5.2      Maintaining a record of Data Processing activities

The Company maintains a written record of all categories of processing activities for which it is responsible in accordance with GDPR Article 30.

5.3      Data Processing Agreements with Personal Data recipients

On an ongoing basis, the Company puts in place appropriate contracts with third party data processors where Personal Data is shared.  This includes security and other sub-contractors. The agreements specify the purpose of sharing the data, the requirements for security of the data and the requirements for termination of the agreement and the return/deletion of the data shared.

5.4      Data Protection by Design and Default

In accordance with Article 25 of the GDPR, the Company implements technical and organisational measures to give effect to the principles of the protection of Personal Data and to ensure that, by default, only Personal Data necessary for each specific purpose of the processing are processed.

Such measures include the implementation of security measures to secure the data.

5.5      Data Protection Impact Assessment (DPIA)

Where the Company considers that proposed processing (in particular, processing that involves new technology), poses a high risk to the rights and freedoms of Data Subjects, the Company will carry out a DPIA.

The Company’s DPM will be consulted in relation to each DPIA completed.  Where technical and/or organisational measures proposed will not mitigate any high risks previously identified, the Data Protection Commission will be consulted as appropriate.

5.6      Transfer of Personal Data Outside of the European Union

The Company will ensure that appropriate safeguards are in place prior to transferring any Personal Data outside of the European Union.

5.7      Personal Data Breaches

The GDPR defines a Personal Data breach as meaning “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Company employees are required to notify the Company’s DPM where they identify or suspect that a data breach has occurred. In accordance with GDPR, the DPM will notify the Data Protection Commission without undue delay where a breach is likely to result in a risk to the rights and freedoms of the Data Subject(s) involved.

The DPM will also assess if the breach is likely to result in a high risk to the data subject(s) involved. Where a high risk is identified, the DPM will arrange for the data subjects to be notified.

In the case of where the Company are acting as a Data Processor, it will give the Data Controller prompt notice of a Personal Data breach or a potential data breach, once becoming aware of same, and will cooperate with the Data Controller, in implementing any appropriate action concerning the breach or the potential breach as the case may be, including corrective actions.

5.8      Data Protection Governance

Compliance with the GDPR is a key requirement for the Company. The Company will at all times endeavour to oversee, monitor and ensure compliance with data protection legislation.

6.0      Data Protection Contacts

Data Privacy Manager

Joseph Kirk

Acorn Advisory Services Limited

Propogue House 

Chickleys Road 


Co Cork

Phone:   +353 24 85561

Email:     info@aar.ie

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2

D02 RD28


Email:                 https://forms.dataprotection.ie/contact