DATA PROTECTION POLICY
Activity Days Ireland Limited
Activity Days Ireland Limited a company incorporated under Irish law with company number 559999 and having its registered office at 10 Bracken Wood, Blarney, Co. Cork, t/a as Activity Days (“Activity Days”, “the Company”) are committed to ensuring the privacy of its customers and guides. We are fully compliant with the General Data Protection Regulation (“GDPR”). The purpose of this data protection policy document the steps taken to ensure compliance with the GDPR.
1. Purpose and Basis for Processing of Data
a) Activity Days process data on behalf of natural persons comprising their customers and tour guides. We will reply on the following legal basis for the processing the data;
- Entry into and performance of the contract entered into between Guides, Customers and Activity Days
- Legitimate interests of the business of the Company in promoting its services and activities;
- Compliance with statutory obligations (where applicable);
- Consent (in limited circumstances)
b) Activity Days will rely on consent only as a basis for processing in exceptional cases. When relying on legitimate interest as a basis for processing, we will ensure that the rights of the data subject are balanced against the rights of the business in compliance with the GDPR.
c) Activity Days will use the data provided to it as follows;
- to process bookings
- to correspond with customers and the tour guides regarding arrangements for bookings
- to send publications and information, including special offers to our customers and guides
- to respond to “contact us” queries
- to issue gift vouchers
- for marketing purposes
- In relation to tour guides only, to process payments in connection with customer bookings
- To meet our legal and statutory responsibilities (including legal claims if applicable)
2. Data Collected
a) Customer Data:
We will collect the following data from our customers when they complete a booking form;
- Contact number
- Email address
- Health and Fitness Information including information regarding medical conditions.
- Payment information (in limited cases)
It may be necessary for us to obtain sensitive personal data about our data subjects and in particular, information relating to their health. This data may need to be shared with our Guides, which will be done only where necessary for performance of our contractual obligations (taking into account the nature of the activity and the nature of the medical condition) or with the data subject consent. Sensitive Data will not be retained for longer than necessary to enable performance of the Contract with Activity Days.
Children under the age of 13 are unable to consent to the processing of personal data for information society services (any service normally provided for payment, by electronic means and at the individual request of a recipient of services). Consent will be sought from the person who holds parental responsibility over the child. However, it should be noted that where processing is lawful under other grounds, consent need not be obtained from the child or the holder of parental responsibility.
b) Guide Data:
We will collect the following data from our Guides;
- Contact number
- Email address
- Payment information
- Garda Vetting information (on occasion)
c) Employee Data
We will collect the following data from our Employees;
- Contact number
- Email address
- Payment information
- PPS number
3. Sharing of Data
a) We may only transfer personal data where one of the transfer scenarios list below applies:
- The data subject has given Consent to the proposed transfer.
- The transfer is necessary for the performance of a contract with the data subject
- The transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject’s request.
- The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the data subject.
- The transfer is legally required on important public interest grounds.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject
b) To enable us to complete customer bookings, we will need to share data provided by Customers with our Guides, which said data sharing is necessary for the performance of the Contract with the data subject.
c) We will not provide personal data data to third parties for marketing purposes. We may also share data with our professional advisers where necessary including lawyers, bankers, auditors and insurers who provide professional services necessary for the operation of the business.
4. Data Retention
a) Activity Days will keep the data for no longer than necessary in accordance with the retention periods set out below. The legal basis for the retention of the data referred to below is the legitimate interests of the company in providing its services, and promoting its services, and to enable it to comply with its contractual, statutory and legal obligations. We will delete all data at the expiration of the retention periods below, unless there is a legitimate legal basis to hold same under law.
b) The retention periods are as follows;
|Data Type||Retention Period|
|Customer contact information (client name, address, email address and phone number)||Two years after completion of the booking of the order (or the most recent order as appropriate)|
|Financial information (including credit card information)||One month after completion of the activity which the customer ordered (if any data is in fact held)|
|Tour Guide contact information (client name, address, email address and phone number)||One year after termination of the customer contract with Activity Days|
|Customer Health Information||Two months after completion of the activity which the customer ordered (if any data is in fact held) (save in the event of occurrence of any breach of contract, accident, injury, loss, or other matter which may give rise to a legal claim or dispute)|
|Personal Injury, Accidents, Damaged Property or other loss sustained by the Customer in the course of the activity||Three years following the date of the activity, or in the event that the customer is a minor, three years after the minor reaches the age of 18 years. In the event that proceedings are issued or any notification of a claim is made, then Activity Days may retain the data for as long as may be necessary until the proceedings have been concluded.|
|Data Law Compliance||Records in relation to our compliance with Data Law and GDPR will be kept for a five year period.|
|Breach of Contract related records||Records are retained 6 years from the date of the breach. In the event that proceedings are issued, then Activity Days may retain the data for as long as may be necessary until the proceedings have been concluded.
|Employee Data||3 years after termination of the employment relationship with Activity Days, or in the event that any claim is made in connection with the employment, until conclusion of that claim, or such longer period as may be required in accordance with statute.
We will retain interview records and candidate documentation for a period of one year post completion of the interview process where the candidate is unsuccessful.
5. Data Storage & Accuracy
a) Activity Days will take all reasonable steps to ensure that personal data is retained in a safe and secure manner and in compliance with GDPR. We will adopt physical, technical, and organisational measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.
b) We will take all reasonable steps to ensure that the data we hold is kept up to date, and will afford the data subjects the opportunity to update and rectify their data at all times.
6. Data Subject rights relating to personal data
a) We acknowledge that Data Subjects have the following rights under the GDPR, in certain circumstances and subject to certain exemptions;
- Right to access the data
- Right to rectification
- Right to erasure
- Right to restriction of processing or to object to processing
- Right to data portability
- Right to object to processing
We will consider each such request in accordance with all applicable data protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. data subjects are entitled to obtain, based upon a request made in writing/email to: team:@activitydays.ie
It should be noted that situations may arise where providing the information requested by a data subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights.
7. Automated decision-making and profiling
a) We do not use any personal data for the purpose of automated decision-making or profiling.
8. Digital Marketing
a) Any digital marketing campaigns will be carried out only pursuant to the legitimate interests of Activity Days, or with the consent of individual non-corporate data subject. If the data subject puts forward an objection, digital marketing related processing of their personal data must cease immediately. It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to carry out digital marketing to individuals provided that they are given the opportunity to opt-out.
9. Law Enforcement Requests & Disclosures
a) In certain circumstances, it is permitted that personal data be shared without the knowledge or consent of a data subject. This is the case where the disclosure of the personal data is necessary for any of the following purposes:
- The prevention or detection of crime.
- The apprehension or prosecution of offenders.
- The assessment or collection of a tax or duty.
- By the order of a court or by any rule of law.
If we process personal data for one of these purposes, then it may apply an exception to the processing rules outlined in this policy but only to the extent that not doing so would be likely to prejudice the case in question. If any employee receives a request from a court or any regulatory or law enforcement authority for information relating to a data subject, they must immediately notify the Data Protection Officer who will provide comprehensive guidance and assistance.
10. Complaints handling
a) Data subjects with a complaint about the processing of their personal data, should put forward the matter in writing to the Maire Ni Mhurchu. An investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case. Activity Days will inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the issue cannot be resolved through consultation between the data subject and the Comapny, then the data subject may, at their option, seek redress through mediation, binding arbitration, litigation, or via complaint to the Data Protection Authority within the applicable jurisdiction.
11. Breach Reporting
a) Any individual who suspects that a personal data breach has occurred due to the theft or exposure of personal data must immediately notify the Maire Ni Mhurchu providing a description of what occurred. The Company will investigate all reported incidents to confirm whether or not a personal data breach has occurred. If a personal data breach is confirmed, the Company will follow the relevant authorised procedure based on the criticality and quantity of the personal data involved.
Dated 30th day of April 2019
Activity Days Ireland Limited