Privacy Notice
1. Who are we? How can you contact us?
“We” are Rainbows Ireland (“ Rainbows Ireland ”) a registered Charity No 12507.
This Notice applies to Rainbows Ireland as the DATA CONTROLLER for the purposes of the General Data Protection Regulation EU2016/679, and the Data Protection Acts 1988 – 2018 .
When you apply to attend a course / project / program the Personal Data that you provide will be held by one or more of the following entities (each is a “Data Controller”),
Rainbows Ireland
Rainbows Authorised Registered Centres
Each Controller is committed to ensuring that the Personal Data it processes is handled in accordance with the principles set out in the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Acts 1988 to 2018.
Rainbows Ireland also acts as a Processor and Joint Controller in certain circumstances
For data protection issues, please email privacy@rainbowsireland.ie
2. What personal data do we collect & use and where do we get your personal data from?
“Personal Data” is data that can identify you, either directly or indirectly, as an identified or identifiable individual.”
There are many elements of Personal data which may be sought and recorded at enrolment and may be collated and compiled during the course of participation with us in our projects and programs., That relationship may be as a participant, applicant child, parent guardian , volunteer or training centre provider/ facilitator personal or a support of our services (by fundraising, donations, parents, and other stakeholders).
Personal Data is collected in order to facilitate the operation, management and coordination of the course and the needs of applicant child and parents and those involved in the projects and programs.
When you apply to attend a course / project / program the Personal Data that you provide will be held by one or more of the following entities (each is a “Data Controller”),
Rainbows Ireland
Rainbows Ireland Authorised Registered Centres
Each Controller is committed to ensuring that the Personal Data it processes is handled in accordance with the principles set out in the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Acts 1988 to 2018.
At all times we are conscious that our processing of personal data, including sensitive personal data( special category data ) will be limited to only what is necessary and proportionate for the purposes for which it is collected.
These records will include:
- name
- address and contact details
- Eircode
- date and place of birth
- names and addresses of parents/guardians and their contact details (including any special arrangements with regard to guardianship, custody or access)
- any relevant special conditions (e.g., special educational needs, health issues etc.) which may apply
- Attendance records
- Photographs and recorded images of participants (including at events and noting achievements)
- Personal Data relating to your emergency contacts and parents or guardian details for under 18s will be processed by us.
- Other records e.g., records of any serious injuries/accidents etc.
Personal data which will be sought and recorded through staff and volunteer records:
- Categories of staff/volunteer Personal Data: As well as existing members of staff/volunteers (and former members of staff/volunteers), these records may also relate to applicants applying for positions. These staff/volunteer records may include:
- Name, address and contact details, PPS number . Eircode
- Volunteer Referrer details
- Garda vetting outcome record
- Contract of employment and any amendments to it
- Original records of application and appointment to promotion posts
Financial information records
- Payroll records
- Employee review meetings
Grievance and disciplinary procedures information
- Details of approved absences (career breaks, parental leave, study leave etc.)
- Information relating to your health , which could include reasons for absence and GP reports and notes
- Details of work record (qualifications, classes taught, subjects etc.)
- Details of any accidents/injuries sustained on school property or in connection with the staff member carrying out their duties
- Records of any reports (or its employees) have made in respect of the staff member to State departments and/or other agencies under mandatory reporting legislation and/or child-safeguarding guidelines.
Personal data which will be sought and recorded through Parents/Guardians’ Records:
Categories of Personal Data: Rainbows Ireland may hold some or all of the following information about parents and/or guardians of participants: names and addresses, Eircode of parents/legal guardians and their contact details (including any special arrangements with regard to guardianship, custody or access) and other related correspondence.
Personal data which will be sought and recorded through fundraising and donation: names and addresses, e mails
You may give us personal data by:
- Corresponding with us by phone, e-mail or otherwise. We ask you to disclose only as much information as is necessary to provide you with our services or to submit a question/suggestion/comment in relation to our services
- Filling in forms Rainbows Ireland will use the personal information you provide in connection with our projects and services.
- The Personal Data that will be collected and processed for the purposes of the various programs/ projects including in order to facilitate the operation, management, and coordination of these services. There are many elements of Personal data which may be sought and recorded at enrolment and may be collated and compiled during the course of participation with us and our Authorised Registered Centres
- That relationship may be as a participant, applicant child, parent guardian , volunteer or training centre provider/ facilitator personal or a support of our services (by fundraising, donations, parents, and other stakeholders).
- Personal Data relating to your emergency contacts and parents or guardian details for under 18s will be processed by us. This Personal Data will also be processed jointly with various State Agencies and Authorised Rainbow Centres
- Applying to work with us. The type of information you may provide in your CV, a cover letter, your name, address, e-mail address and phone number. CVs should include information relevant to your employment history , your referrer details and education (degrees obtained, places worked, positions held, relevant awards, and so forth). When you apply to work with us, we may share your Personal Data with our various Funders and or Auditors.
- Volunteering with us. We also process Referrer details for prospective employees and volunteers
- Making of a donation.
- Garda Vetting
* As stipulated in The National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016 all CYDS staff, volunteers, voluntary officers, and other individuals who provide services to us and who interact with children or vulnerable persons must be vetted by A Gardaí Síochána.
* Garda Vetting is a procedure through which A Garda Síochána is asked, with a person’s permission, to disclose any information held on Garda file. The vetting process requires the provision of verified proof of identify and proof of address by all vetting candidates and, subsequently, checks by An Gardaí Síochána of their records The purpose for processing your Personal Data in this context is that it is necessary to comply with our legal obligations under the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016.
We may also process other data, which is not personal data.
When you access our website your device’s browser provides us with information such as your IP address, browser type, access time and referring URL which is collected and used to compile statistical data. This information may be used to help us to improve our website and the services we offer, and to offer services to you.
What information about you do we obtain from others?
When you use our services, we may obtain the following categories of personal data from others:to include Government Agencies/ Public Sector Bodies, Schools and Community Services, Tusla, and /or your authorised Representatives or involved agencies and statutory bodies.
3. Do you collect personal data from children (under 16yr olds)?
Children’s Personal Data: We do collect and manage information about children. The information is usually collected when children use our services. Where possible and appropriate we will seek consent from a parent or guardian before collecting information about children however we also process children’s data including special category data as is necessary for compliance with legal obligations to which we are subject.
4. How and why do we use personal data?
We collect the information in order to provide you with our services, to
We will use this information:
- To enrol you on our systems so as to provide you with our services in order to facilitate the operation, management and coordination of our group support programmes.
- To liaise with you and the various Authorised Registered Centres about services that we and they are providing to you.
- To deliver information about our services, where you have subscribed to receive same.
- To fulfil our statutory functions.
- To administer and improve our website and for internal operations, including troubleshooting, and statistical and survey purposes where consent is given.
- As part of our efforts to keep our website safe and secure.
- To make suggestions and recommendations to you and other users about services that may interest you or them.
- To publicise and promote the benefits of our services for their participants, by way of social media and other online platforms
- To facilitate donations
The legal bases for the processing of your Personal Data are:
- That you have provided consent for the processing for one of more specified purposes.
- Processing necessary for the performance of a contract which you have entered into with us or to take steps at your request prior to entering into a contract.
- Processing necessary for compliance with a legal obligation to which we are subject.
- to comply with the monitoring, reporting, and evaluating requirements:
- Processing done on the basis of legitimate interest, balancing the rights of freedoms of the data subject.
If you do not provide us with your Personal Data so that we can process it for the above purposes, we will not be able to enrol you or administer your participation on our programs/projects.
Special Category Data and the lawful basis for that processing activity.
The processing of your Personal Data may include personal data relating to children’s data or otherwise which is regarded as Special category of Personal data under the GDPR.
The legal bases for the processing of your special category data or sensitive data are:
- That you have explicitly provided consent.
- Processing necessary for compliance with a legal obligation to which we are subject, including but not limited to statistical and research purposes at an aggregate level and comparing the progress of socio-economic groups participating on programmes.
- Such statistics and research will assist in identifying gaps in the systems and assisting in the development and implementation of appropriate policies.
If you do not provide us with your Personal Data so that we can process it for the above purposes, we will not be able to enrol you or administer your or your children’s participation on our programme. Where we process Personal Data based only on consent, you may withdraw your consent. When someone withdraws their consent, this does not affect the lawfulness of the processing up to that point.
5. Do we share personal data ?
We may share your personal data with our selected suppliers and contractors and authorised registered centres to provide you with our services. The Personal Data held on your record will be disclosed to relevant staff/volunteers of Rainbows Ireland and other State Agencies on the basis of contract or statute. All staff/volunteers are made aware of the procedures they must follow to ensure your Personal Data is appropriately protected.
The Personal Data you provide may be disclosed to third parties if we are under a duty to disclose or share your Personal Data in order to comply with any legal or regulatory obligation or request or to perform a public function. It may also be necessary, under contract, to disclose your Personal Data to comply with reporting obligations where you are a participant of a European Union co-funded programme. Some of your Personal Data will be disclosed to allow monitoring, reporting, and evaluating of programmes where the programme is co-funded by the European Union.
We may also disclose your Personal Data to governmental, regulatory and/or public bodies or other third parties:
- If we are under a duty to disclose or share your information in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property, or safety, our course participant attendees or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection
- Statutory and regulatory bodies (including central and local government) and law enforcement authorities in order to comply with any applicable laws, grant applications and /or court orders
- Your Authorised representatives
- Third parties with whom: (i) we need to share your information to facilitate transactions you have requested, and (ii) you ask us to share your information.
We attach at Schedule 1 a list of some entities with whom your personal data is shared.
6. Is personal data sent outside the European Union?
We will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Office 365/Microsoft. Where Personal Data needs to be transferred or processed outside the EU/EEA, we chose providers who process Personal Data on the basis of
- Standard Contractual Clause (s)(SCC’s)
- An Adequacy Decision from the European Commission.
7. What is the legal basis for collecting and processing personal data?
Irish and EU law sets out the grounds upon which data controllers such as Rainbows Ireland can rely on to lawfully process personal data.
We rely on the following grounds:
Where you have given, us consent to the processing of your personal data for a specific purpose.
The processing is necessary for Rainbows Ireland to fulfil our contract with you or others, such as funding agencies.
The processing is necessary for compliance with a legal obligation, for example to comply with child protection and/or Revenue requirements.
The processing is necessary in order to protect the vital interests of a staff member or another person, for example, an attendee at a training course in a medical emergency.
The processing is necessary for the purposes of the legitimate interests pursued by Rainbows Ireland or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Some marketing might take place under this heading, but never to children.
The legal bases for the processing of your special category data or sensitive data (for example health and wellbeing data) are:
- That you have explicitly provided consent.
- Processing necessary for compliance with a legal obligation to which we are subject.
- Processing necessary for substantial reasons of public interest, which will always respect the essence of the right to data protection.
Where we process your Personal Data based only on your consent, you may withdraw your consent. When someone withdraws their consent, this does not affect the lawfulness of the processing up to that point.
8. What are my rights, and how do I exercise them?
As an individual, under EU law you have certain rights to apply to us to provide information or make amendments to how we process your Personal Data. These rights apply in certain circumstances and are set out below: –
- The right to access Personal Data relating to you (‘access right’).
- The right to rectify/correct Personal Data relating to you (‘right to rectification’).
- The right to object to processing of Personal Data relating to you (‘right to object’).
- The right to restrict the processing of Personal Data relating to you (‘right to restriction’).
- The right to erase/delete Personal Data relating to you (i.e., the ‘right to erasure’).
- The right to ‘port’ certain Personal Data relating to you from one organisation to another (‘right to Personal Data portability’).
These rights are not absolute and only apply in certain circumstances. You may exercise any of the above rights by contacting us accompanied by all necessary information via:
an e-mail privacy@rainbowsireland.ie
You may lodge a complaint with your local supervisory authority with respect to our processing of your personal data. The local Supervisory Authority in Ireland is the Data Protection Commission. The website is www.dataprotection.ie
DATA PROTECTION COMMISSION contact details are:
Dublin Office
21 Fitzwilliam Square
Dublin 2
D02 RD28
Ireland
Portarlington Office
Canal House
Station Road
Portarlington
R32 AP23
Phone +353 57 868 4800 or +353 761 104 800
LoCall 1 890 25 22 31
Fax +353 57 868 4757
email: info@dataprotection.ie
We would ask that you contact us first at privacy@rainbowsireland.ie to enable us to try to deal with the matter to your satisfaction.
Where our processing of your personal data is based on your consent to that processing, you have the right to withdraw that consent at any time but any processing that we have carried out before you withdrew your consent remains lawful.
If you are receiving marketing from us, you may opt out. If you no longer wish to be contacted for marketing purposes, please contact us as set out in this Notice to request to “opt out” of marketing.
The exercise of Data Subjects’ rights as some other “interactions” requires the univocal identification of the person submitting such request as being, in fact, the Data Subject to whom such Personal Data pertains to, hence we may have to set in place a process or mechanism that allows it to document having undergone such assertive identification.
9. Can I stop getting emails, text messages and other communications from you?
Yes!
If you no longer wish us to contact you in a particular way, for example, to no longer send you text messages, just advise us of that and we will respect your wishes.
It may be necessary for us to contact you from time to time in connection with services, for example to ensure your Personal Data is correct.
MARKETING
If you no longer wish to receive marketing communications by electronic means, just use the opt-out facility in any of our communications, OR e mail us at admin@rainbowsireland.ie
10. Is personal data secure?
We are committed to protecting the security of your Personal Data. We use a variety of security technologies and procedures to help protect your Personal Data from unauthorised access and use. As effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our databases, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. We will continue to revise policies and implement additional security features as new technologies become available.
The transmission of information via the internet is not completely secure and may involve the transfer of Personal Data to countries outside of the European Economic Area (EEA). This occurs typically through use of cloud solutions for web hosting, email hosting or proprietary software solutions delivered to us through the Cloud. We do not however authorise any third party to use your Personal Data for their own purposes. Non-EEA countries may not provide an adequate level of protection in relation to processing your personal data. By submitting your Personal Data, you agree to this transfer, storing and processing. The sharing, storage and processing of your personal data/ information will predominantly take place within the EEA.
Although we will do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to us. Any transmission of Personal Data is at your own risk. Once we receive your Personal Data, we use appropriate security measures to seek to prevent unauthorised access.
11. How long do we keep personal data?
The time periods for which we retain your information depends on the type of information and the purposes for which we use it. We will keep your information for no longer than is required or permitted.
We keep your Personal Data for as long as is necessary for the performance of the contract between you and us and to comply with our legal obligations. If you no longer want us to use your Personal Data to provide this service to you, you can request that we erase your Personal Data. Please note that if you request the erasure of your Personal Data:
- We may retain some of your Personal Data as necessary for our legitimate business interests, such as fraud detection and prevention and enhancing safety
- We may retain and use your Personal Data to the extent necessary to comply with our legal or contractual obligations.
- Because we maintain our records to protect from accidental or malicious loss and destruction, residual copies of your Personal Data may not be removed from our backup systems for a limited period of time.
12. How do you contact us?
You have the right to complain to the Data Protection Commission if you feel that we are in breach of any of your rights. Full contact details are provided below.
We would ask that you contact us first, to enable us to try to deal with the matter to your satisfaction.
Please contact us at privacy@rainbowsireland.ie
13. Miscellaneous/Photos
Where we process your Personal Data based only on your consent, you may withdraw your consent.
You have the right to bring a complaint to a supervisory authority if you have any complaints about the processing of your Personal Data. In Ireland the Personal Data Protection Commission is the supervisory authority.
In circumstances where the provision of your Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, we will advise you at the point of collecting your Personal Data whether the Personal Data is a required field, and the consequences of not providing the Personal Data.
Videography and Photography: Some of our programmes will involve photographic or videos records to be made for informational and promotional purposes due to your presence at the event hosted by us or by any third party authorised by us. The images resulting from the photography, videography or recordings, and any reproductions or adaptations of same, may be used for promotion, publicity and/or other purposes.
By attending at such events, you acknowledge that event run by us is in a public place and that you may have a reduced expectation of privacy. While you have a right to object to your inclusion in any photographs or video footage, any such objection must be balanced against the legitimate interests pursued by us and/or third-party media outlets and broadcasters.
14. Links to other sites
Our website may, from time to time, contain links to and from other websites. If you follow a link to any of those websites, please note that those websites have their own privacy policies/notices and that we do not accept any responsibility or liability for those policies/notices. Please check those policies/notices before you submit any Personal Data to those websites.
15. Social Networks
We maintain active social network accounts. We embed widgets from these networks to provide follow buttons, like boxes and stream embeds. This will involve cookies being set by these networks while using our site. You may choose to refuse these cookies. Your use of these social media platforms remains subject to your own user agreements with the platform providers.
16. Changes to this Notice
This notice may change from time to time, and any changes will be posted on our website and will be effective when posted. Please review this notice each time you use our website or our services.
This Notice is effective from 20th June 2024.
Schedule 1
Third party name | Description of services provided | ||||
---|---|---|---|---|---|
Cloud Service Providers | Microsoft, Zoom, Callsoft | ||||
IT Providers | MicroPro | ||||
Website Service Providers | iWorks | ||||
Other Service
Providers/Funders | List can be provided on request |