Context
Data protection is a fundamental right. As set out in Article 8 of the EU Charter of Fundamental Rights:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
The General Data Protection Regulation (GDPR) is designed to give individuals more control over their personal data. Enterprise Ireland became subject to the GDPR on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
The purpose of this notice is to inform grant applicants of what personal data Enterprise Ireland holds in relation to them, and, as may be appropriate, their employees, and related persons, and how Enterprise Ireland uses that personal data as controller.
PERSONAL DATA PROTECTION NOTICE relating to Enterprise Ireland’s Grant Administration Process
Enterprise Ireland (‘we’, ‘our’, ‘us’) takes data privacy seriously. In order to perform our public functions and to provide our services, we collect and process a certain amount of personal data. This Data Protection Notice relates to personal data collected by us in respect to the grant administration process and is intended to ensure that data subjects (who may be connected to client companies and third level institutions, or be entrepreneurs applying for grant funding) are aware of what personal data we hold in relation to them, and how we use that personal data as controller.
Please read the following carefully to understand our use of personal data.
1. What is Personal Data?
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Enterprise Ireland holds personal data received from a number of sources in connection with the performance of our public functions and the delivery of our various services to our clients. In some instances, personal data is provided directly to us by the data subject concerned (e.g. a business owner or sole trader). We may also receive personal data about a data subject indirectly. For example, an employer may provide employee personal data in connection with the grant or a representative of a number of data subjects may provide personal data in relation to one or more data subjects. By describing our activities below, we are able to identify where we may hold some or all of the following types of personal data:
Category | Types of personal data collected | EI Activity |
Individual details | Name
Address Fax number Phone number Nationality Date of birth Civil status Photos / video Directorships and shareholdings Biographical Social media accounts |
Grants and investment services administration required to support companies start, scale, internationalise and innovative, such as project review, due diligence activities and grant inspection.
|
Employment details | Employer,
Employee number Salary Job Position / Job title Hours worked
|
Grants and investment services administration required to support companies start, scale, internationalise and innovative. This includes Enterprise Ireland’s grant inspection activity which is required for grant drawdown. |
Identification details | PPS number, passport details | Grants administration for an entrepreneur where there is no CRO number available. |
2. Purpose and Legal Basis for Processing
We will hold, process and may disclose personal data for the following purposes:
|
|
|
|
|
|
3. Special Categories of Personal Data
Certain categories of personal data are regarded as ‘special’. We have provided the following list of what personal data are identified in the General Data Protection Regulation (GDPR) as special data for information purposes only. Special data includes information relating to an individual’s:
- Physical or mental health;
- Religious, philosophical or political beliefs;
- Trade union membership
- Ethnic or racial origin;
- Biometric or genetic data; and
- Sexual orientation.
This list should not be read or understood as an indication of any policy of Enterprise Ireland to actively collect/process such data.
As part of Enterprise Ireland due diligence on a grant inspection in relation to employment grants, on occasion, though we have not requested them, we may receive salary certificates with Trade Union membership details. This processing is necessary for reasons of substantial public interest on the basis of law.
4. Where the data subject does not provide their Personal Data
If we cannot collect or process certain personal data, we may not be able to provide employers with a grant or an equity investment or other support or service. If you have any queries in respect of the consequences of not providing information or withdrawing your consent, please contact us (see Contact Us below).
5. Recipients of Personal Data
In order to provide our services and to comply with legal obligations imposed on us, it may be necessary from time to time for us to disclose personal data to third parties, including without limitation to the following:
- with our agents and third parties who provide services to us to help us administer and audit our services;
- with regulatory bodies and law enforcement bodies, including an Garda Síochána (where we are required to do so to comply with a relevant legal and regulatory obligation);
- relevant Government departments and agencies and relevant European Union agencies.
6. Transfer of Personal Data outside the EEA
The personal data that we collect may be transferred to, and stored at, a destination outside the European Economic Area (“EEA“), for the purposes described above. Those countries may not provide an adequate level of protection in relation to processing personal data. Due to the global nature of our business, certain personal data may be disclosed to staff members of Enterprise Ireland working outside the EEA: To view a list of Enterprise Ireland overseas office, click here. To the limited extent that it is necessary to transfer personal data outside of the EEA, we will ensure appropriate safeguards are in place to protect the privacy and integrity of such personal data, including standard contractual clauses under GDPR Article 46.2 or adequacy decision under GDPR Article 45. Please contact us if you wish to obtain information concerning such safeguards (see Contact Us below).
7. Data Retention
We will store personal data only for as long as necessary for the purpose(s) for which it was obtained. The criteria used to determine our retention periods include (i) the length of time we have an ongoing relationship and/or provide our services; (ii) whether there is a legal requirement to which we are subject; and (iii) whether the retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations). Please contact us if you wish to obtain further information concerning our retention periods (see Contact Us below).
8. Data Rights
You have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions. We will respond to any valid requests within one month, unless it is particularly complicated or you have made repeated requests in which case we will respond, at the latest, within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request.
If you wish to exercise any of these rights, please contact us (see Contact Us below). We may request proof of identification to verify your request.
Your Right | What this means |
Right to withdraw consent | If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time (see Contact Us below). However, the withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent. |
Right of Access | You can request a copy of the personal data we hold about you. |
Right to Rectification | You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete. |
Right to Erasure (‘Right to be Forgotten’) | You have the right to request that your personal data be deleted in certain circumstances including:
However, this right does not apply where, for example, the processing is necessary:
|
Right to Restriction of Processing | You can ask that we restrict your personal data (i.e., keep but not use) where:
We can continue to use your personal data:
|
Right to Data Portability | Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where:
|
Right to Object | You have a right to object to the processing of your personal data in those cases where we are processing your personal data in reliance on our legitimate interests, for the performance of a task carried out in the public interest or in the exercise of our official authority. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate grounds which override your interests and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes. |
Automated Decision-Making | You have a right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affects you other than where the decision is:
Where we base a decision solely on automated decision-making, you will always be entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward. |
Right to Complain | You have the right to lodge a complaint with the Data Protection Authority, in particular in the Member State of your residence, place of work or place of an alleged infringement, if you consider that the processing of your personal data infringes the GDPR
Please see the below contact details for the Irish Data Protection Authority:
Data Protection Commissioner +353 (0)761 104 800 Website: www.dataprotection.ie |
9. Change of Purpose
We will only use personal data for the purposes for which we collected it outlined in Section 2 above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to obtain information as to how the processing for the new purpose is compatible with our original purpose, please contact us (see Contact Us below).
If we need to use your personal data for an unrelated purpose, we will notify you and provide an explanation of the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is permitted by applicable data protection laws.
10. Contact Us
If you require any further clarification regarding this Data Protection Notice, please contact:
Paula Maguire
Data Protection Officer
Data Protection and Freedom of Information Office
Enterprise Ireland
The Plaza
Eastpoint Business Park
Dublin 3
D03 E5R6
GDPRonline@enterprise-ireland.com
Last Updated: 17th of May, 2018