Privacy Statement
Services Industrial Professional and Technical Union (SIPTU) is committed to protecting and securing all your personal information.
This Privacy Statement is designed to ensure you are aware of the information we process about you, why we process that information, with whom we share it and the rights you have in relation to the information we use.
We will only use your personal information for the purposes for which it was provided. If we need to use your personal data for alternative purposes, we will notify you and explain our legal basis for doing so prior to processing.
Who we are?
The Services, Industrial, Professional and Technical Union (SIPTU) represents over 180,000 workers from every category of employment across almost every sector of the Irish economy. SIPTU provides the expertise, experience, and back-up services necessary to assist workers in their dealings with employers, government and industrial relations institutions. SIPTU is a data controller and data processor under the GDPR.
Definitions
- “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- “Cross Border Processing” means processing of personal data which: –
– takes place in more than one Member State; or
– which substantially affects or is likely to affect data subjects in more than one Member State
-
“Data controller” means, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- “Data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “Data protection laws” means for the purposes of this document, the collective description of the GDPR and any other relevant data protection laws that the Organisation complies with.
- “Data subject” means an individual who is the subject of personal data
- “GDPR” means the General Data Protection Regulation (EU) (2016/679)
- “Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
- “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- “Supervisory Authority” means an independent public authority which is established by a Member State.
- “Third Party” means a natural or legal person, public authority, agency or body other than the data subject, under our direct authority.
Purpose of Data Collection and Processing
As a general trade union, we are member focused. To serve the members of the union and to advance economic and social justice for all working people we collect and process data for purposes including:
• To meet the Objects and Rules of SIPTU
• To register you as a SIPTU member
• To contact you about membership and trade union activities
• To represent you in collective and individual issues
• To provide membership services and benefits
• To comply with our legal obligations
• For statistical and audit purposes
We collect personal data directly from you and in some instances from our members, affiliated organisations (Irish Congress of Trade Unions, Guinness Staff Union and Building and Allied Trades’ Union), and third parties (e.g., your employer, The Workplace Relations Commission, The Labour Court, The Nursing and Midwifery Board of Ireland, CORU and National College of Ireland) in the course of our legitimate organisational activities.
Legal basis for processing your data and the personal data we collect from you
We rely on various legal bases for processing your personal data which include:
• Performance of our membership contract with you
– Name, contact details, employment details
– Direct Debit mandate, Deduction At Source Authorisation or Credit Card details – Subscription payments and financial transactions
• Compliance with our legal obligations
– To hold a ballot in relation to any proposed industrial action
– To maintain health and safety records
– Records required for Financial Reporting
– To comply with the GDPR and Data Protection Act 2018
• In our legitimate interest
– To represent our members in collective industrial relations issues
– To represent our members in individual matters relating to their employment
– To maintain balloting records – To facilitate your attendance at conferences and meetings
– To provide you with membership benefits and entitlements
– To provide access to courses and scholarship awards
– To communicate with you on matters relating to SIPTU campaigns
– To respond to membership complaints – In response to general correspondence
– To engage with you on social media and manage our social media activity
– To facilitate equality monitoring
– To facilitate employee recruitment
– To conduct statistical analysis of our membership and workplaces
– To manage sign in sheets for meeting attendance management and health and safety on our premises
• Where you provide unambiguous consent
– Photos, video, and sound bites used in campaigns
– To communicate with supporters
– Cookies
• Public interest
– Publicly available data for research purposes such as company accounts
• Charity or not-for-profit bodies
– Trade Union membership
• Employment law and exercise / defence of legal claims
– Case files
• Data manifestly made public by the data subject
How we share your personal data
We are committed to protecting and securing your personal data and we aim to ensure that all third-party providers are compliant with legislation and do not use your data for their own purposes unless they are controllers.
We share your personal data from time to time with trusted third-party providers where required for business, legal and regulatory purposes.
With your consent we share your personal data from time to time with professional and legal bodies in the interest of representing you.
Retention and deletion
We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was collected, considering all legal and contractual obligations. Where possible we will identify the duration for retention and, where this is not possible, we will explain the criteria for determining retention periods.
Once the retention period has concluded we shall safely and securely delete or destroy all personal data.
How do we secure your data?
Considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Technical and organisational measures to ensure the security of personal data are driven by a suite of policies including the following
– Access Control Policy
– BYOD Remote Access Policy
– CCTV Policy – Clear Desk Policy
– Cookie Policies – Data Breach Policy
– Email Usage Policy Encryption Policy
– Information Security Policy
– PCI DSS Policy
– Privacy Policy
– Retention Policy
– Subject Access Request Policy
Your rights
You have the following rights and entitlements regarding your personal data held by us:
• To enquire if we hold personal data on you and to access copies of that data
• To request rectification of personal data we hold on you
• To request erasure of your personal data To request restriction of processing of your personal data
• To withdraw consent at any time free of charge where we process your personal data based solely on your consent
• The right to object to processing of personal data where we are relying on legitimate interests as the legal basis for processing the personal data
• To have a copy of your personal data or facilitate transfer of your personal data to another data controller, where it is possible to do so
• To lodge a complaint in respect of processing of your personal data with the Data Protection Commissioners Office www.dataprotection.ie
If you wish to exercise any of your rights in relation to your personal data processed by us, please make a request to the
Data Protection Officer, SIPTU, Liberty Hall, Dublin 1.
Tel: 01 858 6300 Email: dataprotection@siptu.ie
Requests to exercise any of your rights will be free of charge where they are reasonable and not excessive. We reserve the right to request clarity in relation to determining the data under request, including to request proof of identity and signed authorisation in the case of third-party requests. Furthermore, we reserve the right to refuse to comply where legal obligations restrict us from doing so and where requests are unreasonable or excessive.
Failure to provide personal data
We collect personal data to ensure we can represent our diverse member base in its entirety and to fulfil our responsibilities to our members and affiliates within the Rules of the Union. Failure to provide us with the required personal data, on request, may limit our ability to represent you.
We rely on you to ensure the data we hold is accurate and up to date by communicating to us any changes to your personal information. Such updates can be made by contacting retention@siptu.ie.
Profiling and automated decision making
We do not use profiling or automated decision making on any of the personal data we hold.
Transmission to countries outside the European Economic Area (EEA)
Where we transfer your personal data to service providers outside the EEA we will ensure the data is carefully managed and given appropriate safeguards in accordance with applicable data protection law.
Updates and further processing
We will amend this notice from time to time. Any such changes can be viewed on our website at www.siptu.ie/privacystatement/
You can contact us with queries in relation to this policy or for any other reason at Data Protection Officer, SIPTU, Liberty Hall, Dublin 1. Tel: 01 858 6300 Email: dataprotection@siptu.ie.