This policy is The National Leprechaun Museum’s public affirmation of how we intend to fulfil that goal.
The National Leprechaun Museum is located at 139a Abbey Street Upper, Dublin 1, Ireland. The assigned Data Protection Officer can be contacted at firstname.lastname@example.org
This policy only concerns itself with the processing of personal data. The types of personal data that The National Leprechaun Museum may process will vary and depend on the interactions that a person has with The National Leprechaun Museum. Specific policies may apply to your relationship with The National Leprechaun Museum in addition to this general statement of policy, for example if you are an employee with specific policies to your role.
Personal data is information that relates to an identified or identifiable person. If data does not permit us or another party to identify a person, directly or indirectly, then it is not personal data. The law does not require, and it is not The National Leprechaun Museum’s practice, to acquire extra, unnecessary information solely for the purpose of identifying persons.
Processing, refers to actions that can be done with personal data: collecting, storing, analysing, communicating, et cetera. This includes processing completed with or without computers.
For purposes of this policy, the controller is The National Leprechaun Museum.
A processor is any vendor or service provider who processes personal data on behalf of The National Leprechaun Museum.
Consent is a clear, unambiguous action by a person that they agree to a specific processing. In order for this consent to be valid, the person consenting has to understand the purpose, nature, and conditions of the processing, including, for example, if The National Leprechaun Museum will be getting outside help to process personal data.
GDPR is the EU General Data Protection Regulation 2016/679 (as amended and replaced from time to time)
Sensitive Data means any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
GDPR Data Protection Principles
The National Leprechaun Museum commits itself to operating on the basis of the following privacy principles:
Lawfulness, Fairness, and Transparency
Beyond upholding your legal rights, our aim is to provide our services fairly to you, and to be transparent in the way we process your data.
We will always provide you with a clear statement of the purpose behind a data processing.
We will always provide you with a clear statement on how that processing is compatible with your legal rights, also known as the legal or lawful basis for processing.
One common example of a lawful basis is where processing is necessary for a service or contract that you have requested. Another common basis is where we have a legal obligation to process your data, such as to protect against fraud. Your consent can sometimes also be a legal basis for processing.
We aim to collect your data only for specific, limited purposes that we will specify to you in advance as clearly as we can.
Moreover, in the event we ever rearrange how we do things, we aim never to process your data in a way that is incompatible with the original purposes.
We try only to process the personal data that we really need –no more and no less.
We will try to correct or erase, depending on what is appropriate in the context, personal data that are inaccurate.
We aim to delete data when we no longer need it. Time frames for this vary depending on the format of the information i.e. email, booking forms etc.
Integrity and Confidentiality
We protect your data with the appropriate technologies and business practices. We guard against unauthorised or unlawful processing, and against accidental loss, destruction, or damage to your data.
We aim to document, as necessary and appropriate, the things we do for your protection.
You also have a number of rights that you can use to check up on us and hold us accountable.
Finally, in addition to holding ourselves accountable, we also demand that our processors commit themselves to the protections you deserve. We aim to be transparent in our choice of processors so that you can hold them accountable too.
Rights to Object or Restrict Processing
You enjoy certain rights and privileges too that are important enough that they get their own section. We’d especially like to draw your attention to your rights to object and to restrict processing.
Right to Object
European law provides you with a right to object. This means you have an absolute right to tell us to stop processing your personal data for direct marketing.
Where the processing is for purposes other than direct marketing, you should explain to us what it is you’re objecting to and why it is that you’re objecting. The National Leprechaun Museum is then entitled at law to consider whether any legitimate grounds override those objections. If not, then The National Leprechaun Museum will cease that processing right away.
Right to Restrict Processing:
European law also provides you with a right called restriction of processing. If objection is like a stop button, then restriction of processing is the pause button: It lets you put a pause on all or certain types of processing.
Right to Withdraw Consent:
For any processing that is based on your consent, you can withdraw that consent at any time. This means that we will stop that processing, unless there is another basis to continue processing, such as a legal obligation. Withdrawing consent does not affect any processing that has already taken place.
Further Rights to Hold Us Accountable:
You have a number of legal rights that will help you hold us accountable and abide by the above privacy principles. Here’s a listing of rights that you should keep in mind:
- Rights to Information and Access
- Right to correct inaccurate data, or supplement incomplete data
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to avoid automated individual decision-making
Rights to Information and Access:
You have a legal right to know who we are, who our representative(s) is/are, who our data protection officer is, and contact information for each.
You have the right to know who, if anyone will receive your information from us. If we didn’t get your personal data from you, we will tell you where we got it.
You have the right to know in advance the purposes behind our data processing. Moreover, you have the legal right to know in advance the legal basis for our processing. We will always tell you where we processing is necessary for our legitimate interests.
We will always tell you whether providing your personal data is voluntary or obligatory, and what would be the result if you choose not to provide your personal data. In particular, we will tell you if you are legally or contractually required to provide us with personal data.
Not all jurisdictions or countries provide the same legal protections for personal data and privacy as the European Union and its Member States. Therefore, you have the right to know if your data is being sent outside the EU and if so, what appropriate safeguards have been put in place especially to protect your data protection and privacy rights. Whenever this arises, we’ll tell you how to get a copy of the protections in place for your personal data.
You have a right to receive other information too. We’ll always provide the following specifics to you at the appropriate, relevant time, but here’s a list of what you have a right to receive:
You have a right to know how long we’ll keep your data. If we can’t state a hard number, then we’ll tell you the criteria that will determine when we will delete your personal data.
You have a right to hear from us what it is that we have about you. If you see anything that needs correction or that you’d like deleted, please contact us through our data protection officer at email@example.com.
If the basis for our processing is your consent, you have a right to withdraw that consent at any time. Withdrawing consent does not affect any processing we’ve already undertaken. It also doesn’t have any effect where processing is not based on your consent.
If you think your rights have been violated, you have a right to file a complaint with Ireland’s Data Protection Commissioner.
Right to correct inaccurate data, or supplement incomplete data:
We will take every reasonable step to ensure the personal data we process are accurate and up to date. You have the right to inform us of an inaccuracy in data that we process and expect that we will correct it without undue delay. Likewise, if you find that the data we’re processing is incomplete considering the purposes of the processing, you have to right to submit supplementary information. Depending on the circumstances, we might have to ask for some verification of your identity. We’ll do our best to keep those questions to a minimum and to avoid asking for new personal data we don’t already have.
Right to Erasure:
In many cases, you have the right to have your personal data deleted. For more information, email our data protection officer at firstname.lastname@example.org.
Right to Data Portability:
We understand that sometimes you’ll need to take your data with you. At your request, we’ll provide you with a transferable copy of your data or send it directly (if possible) to your designated recipient. To make this request, please get in touch with the data protection officer at email@example.com.
[NB: This only applies where the lawful basis was either consent or performance of a contract and processing was automated]
Right to Avoid Automated Individual Decision-Making:
At The National Leprechaun Museum, all decisions that could affect your rights are human-made. While we use computers to help us in our work, all decisions are made by real people.
Exercising Your Rights:
The easiest way for you to exercise the rights above is to contact our data protection officer (DPO) directly via email. Let our DPO know, if possible, what it is that you’re looking for, and what it is that you’d like us to do. If you have multiple requests, please do make sure you state them all clearly so we can act on them all.
We train and instruct all our employees to identify and appropriately escalate what appear to be subject requests based on the above rights. Employees should usually escalate requests to their managers, who will be in touch with the DPO. The DPO may or may not require the assistance of an outside lawyer.
Sources of Information
We process the following information:
- Information you give us
- Information your computer shares with us
- Information from third party sources
Information you give us:
There are a number of ways that you can provide information to us for processing: When you subscribe to our newsletter, send us any sort of message (text, email, post), or ring us on the phone, you might provide us with information like:
- Your identity, including name and other information like mailing address
- Your credit card information, such as the card number, security code, billing address, and bank or issuer details
We will always process your information according to the privacy principles we explained above. In particular, we would like to say again that all our processing is limited to the specific purpose that we tell you at the time we collect your data, and is only stored for as long as is strictly necessary.
Information your computer shares with us:
In order for computers to be able to talk to each other, they absolutely have to disclose some minimum information. This can include technical information or practical information.
Technical information means data like your IP address, browser type and version, any browser plug-ins, your time zone and language settings, any login information, and your operating system
Practical information means information like whether you open or respond to our emails, whether you came to our website by clicking on a link at a different website, products or services you searched, browsed, or purchased.
Some of these data are necessary for us to run our website or to respond to your requests, like ticket bookings. Other data are a huge help to us in providing you with better services and maintaining a well-run company. We will always tell you what is necessary and what is voluntary.
Information other parties give us:
Sometimes we receive information about you from other parties. We process personal data received from those parties by the same rules and principles as personal data that you give us directly. Moreover, we will always tell you who gave us your information and their contact information. That way, if you prefer, you can instruct those parties to stop sharing your information (we don’t have the authority to do that).
Use of Personal Data
We and our partners process your data to do the following:
- Provide you with the information, products, or services that you have requested
- Fulfil our obligations to you, including:
- Provide you with The National Leprechaun Museum services, products, and experiences
- Fulfil our legal obligations to you and financial or other institutions
- Improve and develop our business, such as our website, products, services, and experiences
- Provide you with information that we think would be of interest to you, sometimes pertaining to new products, services, and experiences
- To enforce our rights under our terms and conditions or any other contracts with you
- To prevent fraud
- To protect the rights, property, and safety of The National Leprechaun Museum employees and customers or other relevant persons
- To respond, when necessary, to valid law enforcement requests
- To comply with applicable laws
- To gather your opinions and input
- To manage any situation where processing or other transactions are disputed
- To handle and resolve complaints
We care deeply about our relationship with our customers and our community. Therefore, we look to see what people are saying about us in public forums. Some of those include:
Again, we only see what you share with the general public or share directly with us.
We use the following technologies and measures to help protect your data:
- Locked physical storage;
- Restricted access areas;
- Confidentiality agreements;
- Regular reviews for personal data we should delete because it’s outdated or unnecessary for the original purpose;
- Shredding and secure disposal;
While no system is absolutely secure, we take every reasonable precaution to protect your data and to respect your privacy.
Confidentiality of Personal Data
The National Leprechaun Museum requires all its employees to maintain the confidentiality of the personal data you handle. Further, we expect you to voice or escalate any concerns you have about the way The National Leprechaun Museum handles personal data. Data and privacy protections are only as strong as the weakest link, so we rely on a solid team effort!
In order to provide the services and experiences that we offer, we rely on a little help from our partners to process your information, such as sales and bookings, payments and communication. We will always tell you who those partners are for your specific situation, and what it is that they do. We will also always tell you whether or not they have any access to your personal data, or if they only handle your data in its encrypted form.
Our contracts with these third parties require them to maintain the confidentiality of the personal information we provide to them, only act on our behalf and under our instructions, and not use information for purposes other than the product or service they’re providing to us or on our behalf.
We aim to reviewing our data protection and privacy policies and procedures at least once a year, and more often if necessary to account for changes in the law or in the way we do things.
Purpose of CCTV:
The CCTV images are monitored for crime prevention and public safety only. Please contact firstname.lastname@example.org for any CCTV enquiries.
CCTV footage is stored in a secure room with access to only authorised personnel.
CCTV footage access request:
State agencies can request a copy of CCTV footage by contacting the DPO at email@example.com.
Website Data Processing
The National Leprechaun Museum’s website collect and process your personal data to provide you with the services you seek from our website. Information you provide helps us respond to your customer service requests and support needs more efficiently.
We may use the feedback you provide to:
- Improve our products and services ensure the security of our website.
- Improve our marketing.
- Send you periodic emails once you have opted-in.
- We may use the email address to respond to enquiries, questions and other requests.
- Only will email if you opt-in
- Can unsubscribe any time
- Can consent to let The National Leprechaun Museum track success of email campaigns
- Limited access
- Limited purpose
- Technical and Organisational Protection
- Use adequate physical and technological security measures to protect data
- Limit organisational use and access to personal data
- Provide training to employees on data protection and privacy best practices, require them to enter into confidentiality agreement
- Use all reasonable efforts, but cannot guarantee absolute security.
Rights of data subjects:
- Withdraw Consent
- Information & Access
- The subject has the right to access their personal data at any time by sending an email to firstname.lastname@example.org.
The subject has the right to object any of his personal data to be processed by The National Leprechaun Museum.
The subject has the right to request The National Leprechaun Museum to transfer their personal data to another controller in a plain simple electronic form by sending an email to email@example.com.
Rights of state agency:
A state agency can request to access subject data by sending an email to firstname.lastname@example.org
General Contact: The National Leprechaun Museum, 139a Abbey Street Upper, Dublin 1, Ireland. General telephone contact: (01) 8779038. Email address: email@example.com
Data Protection Officer, The National Leprechaun Museum, 139a Abbey Street Upper, Dublin 1, Ireland. Email address: firstname.lastname@example.org