Data Protection Policy

• Other relevant links
• A guide to your rights
• Legislative Framework
• How to request your personal information
• Privacy Statement
• Data Protection Policy
• CCTV Policy
• Photography & Video Policy
• Contact Information
• Privacy Notices

‌This Data Protection Policy sets out the Galway County Council’s commitment to protecting the rights and privacy of individuals and details how we will ensure compliance with the General Data Protection Regulation (GDPR) the Data Protection Acts 1988 to 2003 and the Data Protection Act 2018.

This policy applies to all personal data processing activities undertaken by the Galway County Council.

This policy should be read in conjunction with other relevant County Council policies and documents such as our Privacy Statement and Subject Access Requests Policy. Galway County Council may supplement or amend this policy by additional policies and guidelines from time to time.

Definitions:

Personal data - Article 4(1) is defined as: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing data - Article 4(2) is defined as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

What and who is a Data Controller?

A data controller under Article 4 (7) of the General Data Protection Regulation (EU) No. 2016/679 means

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Sharing of personal data

When you provide personal data to one department within Galway County Council, it may be shared with other departments within the Council as long as such internal sharing is relevant, proportionate and reasonably necessary for the performance of our statutory functions. Examples of when departments within Galway County Council may share information with each other include:

• To facilitate the investigation and prosecution of regulatory breaches and offences e.g. the environment department may have information that would assist the planning department in prosecutions and applications for injunctive relief; and
• To enable the set-off of moneys due to the Council, against sums owed by the Council to that person, pursuant to section 7 of the Local Government (Financial Provisions) (No.2) Act 1983.

Galway County Council may also share your information with other organisations and Government Bodies where necessary and permitted or required by applicable law. Personal data may also be shared with third party data processors responsible for supporting the Council’s operations.

The main legal basis for Galway County Council processing your personal data is that such processing is (i) necessary for us to comply with our legal obligations and/or (ii) necessary for us to carry out our tasks in the public interest and/or in the exercise of official authority vested in us.

We will retain your personal data only for as long as we require it for the performance of our functions, after which time it will be deleted by appropriate and secure methods.

Data protection principles

All processing of personal data must be conducted in accordance with the data protection principles set out in Article 5 (1) of the General Data Protection Regulations.

Personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the Regulation, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘accountability ,integrity and confidentiality’).

Rights of Individuals whose data is collected

Data subjects can exercise their rights as follows:

1. Right of access by the data subject - Article 15
   Galway County Council implements procedures to ensure that requests from data subjects for access to their own personal data will be identified and fulfilled in accordance with relevant legislation. A subject Access request form can be accessed at- (weblink).
2. Right to rectification – Article 16
   Galway County Council is committed to holding accurate data about data subjects and will continue to implement processes and procedures to ensure that data subjects can rectify their data where inaccuracies have been identified.
3. Right to erasure (right to be forgotten) - Article 17
   Data subjects have a right to request the erasure of their personal data in specific circumstances. This right is not absolute and applies only in certain circumstances. Where such an objection is received, Galway County Council will assess each case on its merits.
4. Right to restriction of processing -Article 18
   Galway County Council implements and maintains appropriate procedures to assess whether a data subject’s request to restrict the processing of their data can be implemented. Where the request for restriction of processing is carried out, the Council will write to the data subject to confirm the restriction has been implemented and when the restriction is lifted.
5. Right to data portability -Article 20
   Where the Council has collected personal data on data subjects by consent or by contract then the data subjects have a right to receive the data in electronic format to give to another data controller. It is expected that this right will apply only to a small number of data subjects.
6. Right to object to automated decision making- Article 21
   Data subjects have a right to object to the processing of their personal data in specific circumstances. Where such an objection is received, the Council will assess each case on its merits.
7. Right not to be subject to automated decision making including profiling – Article 22.
   Data subjects have the right not to be subject to a decision based solely on automated processing, where such decisions would have a legal or significant effect concerning him or her. Data subjects will be informed when elements of processing include automated decision making or profiling.

Responsibilities of Galway County Council

1. Security of processing- ensuring appropriate technical and organisational measures – Article 32
   The Council implements appropriate technical and organisational measures to ensure the security of personal data.
2. Maintaining a record of data processing – Article 30.
   The Council maintains a record of its data processing activities in the manner prescribed by the Regulation.
3. Implementing appropriate agreements with third parties – The Processor -Article 28.
   The Council will continue to put in place processing agreements with all third parties with whom it shares personal data.
4. Transfers of personal data outside of the European Economic Area- Article 45
   Galway County Council does not transfer the personal data of its data subjects outside of the European Economic Area unless an adequate level of protection is ensured. Data subjects will be informed where transfers to a third country are in place.
5. Data protection by Design and by default – Article 25.
   The Council will continue to implement technical and organisational measures, at the earliest stages of the design of processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, the Council will also continue to ensure that personal data is processed with the highest privacy protection so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).
6. Data Protection Impact Assessments – Section 3- Article 35
   The Council will implement procedures and documentation whereby all new types of processing, in particular using new technologies, that result in a high risk to the rights and freedoms of its data subjects shall carry out a data protection impact assessment. As part of this process, a copy of the impact assessment shall be shared with the Council’s Data Protection Officer. Where the Council is unable to identify measures that mitigate the high risks identified, the Council will consult with the Data Protection Commissioner prior to the commencement of processing.
7. Personal data breaches – Article 33 and Article 34
   The Data protection regulations (GDPR) defines a ‘personal data breach’ as meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (e.g. the most common breach incidents that can occur are correspondence issuing to an unauthorised third party). The Council deems any loss of personal data in paper or digital format to be a personal data breach. 
   The Council maintains a protocol for dealing with personal data breaches. This protocol establishes the methodology for handling a personal data breach and for notification of the breach to the Data Protection Commissioner and to data subjects where this is deemed necessary.

Policy in respect of Restriction on the Rights of Access- Article 23.

Article 23 enables Member States to introduce derogations to the GDPR in certain situations. Galway County Council will not provide information if a Subject Access Request is made and it is considered a necessary and proportionate measure to withhold information to safeguard:

• national security;
• defence;
• public security;
• the prevention, investigation, detection or prosecution of criminal offences;
• other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;
• the protection of judicial independence and proceedings;
• breaches of ethics in regulated professions;
• monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
• the protection of the individual, or the rights and freedoms of others; or
• the enforcement of civil law matters.

The Data Protection Officer’s Role – Article 39(1) (a)

The DPO’s tasks are defined in Article 39 as:

• to inform and advise Galway County Council and its employees about our obligations to comply with the GDPR and other data protection laws;
• to monitor compliance with the GDPR and other data protection laws, and with our data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
• to advise on, and to monitor, data protection impact assessments;
• to cooperate with the supervisory authority; and
• to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
• Contact details: dpo@galwaycoco.ie

Raising a concern with Galway County Council

You have the right to be confident that Galway County Council handles your personal information responsibly and in line with good practice. We will take your concern seriously and work with you to try to resolve it.
Galway County Council implements and maintains a complaints process whereby data subjects can contact the Data Protection Officer. The Data Protection Officer’s role includes working with the data subject to bring complaints to a satisfactory conclusion for both parties.

Data Protection Officer, Áras an Chontae, Prospect Hill, Galway, H91H6KX / dpo@galwaycoco.ie

Data subjects are also informed of their right to bring their complaint to the Data Protection Commissioner.

Postal Address: Data Protection Commissioner, Canal House, Station Rd, Portarlington, Co Laois, R32 AP23
Telephone: 1800 437 737 / 01 765 0100
Email: info@dataprotection.ie