EPIC Ireland Group is located at The chq Building, Custom House Quay, Dublin 1, Ireland. The assigned Data Protection Officer can be contacted at email@example.com.
Personal data is information that relates to an identified or identifiable person. If data does not permit us or another party to identify a person, directly or indirectly, then it is not personal data. The law does not require, and it is not EPIC Ireland Group’s practice, to acquire extra, unnecessary information solely for the purpose of identifying persons.
Processing, refers to actions that can be done with personal data: collecting, storing, analysing, communicating, et cetera. This includes processing completed with or without computers.
For purposes of this policy, the controller is EPIC Ireland Group.
A processor is any vendor or service provider who processes personal data on behalf of EPIC Ireland Group.
Consent is a clear, unambiguous action by a person that they agree to a specific processing. In order for this consent to be valid, the person consenting has to understand the purpose, nature, and conditions of the processing, including, for example, if EPIC Ireland Group will be getting outside help to process personal data.
GDPR is the EU General Data Protection Regulation 2016/679 (as amended and replaced from time to time)
Sensitive Data means any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
GDPR Data Protection Principles
EPIC Ireland Group commits itself to operating on the basis of the following privacy principles:
- Lawfulness, Fairness, and Transparency
- Beyond upholding your legal rights, our aim is to provide our services fairly to you, and to be transparent in the way we process your data.
- We will always provide you with a clear statement of the purpose behind a data processing.
- We will always provide you with a clear statement on how that processing is compatible with your legal rights, also known as the legal or lawful basis for processing.
- One common example of a lawful basis is where processing is necessary for a service or contract that you have requested. Another common basis is where we have a legal obligation to process your data, such as to protect against fraud. Your consent can sometimes also be a legal basis for processing.
- Purpose limitation
- We aim to collect your data only for specific, limited purposes that we will specify to you in advance as clearly as we can.
- Moreover, in the event we ever rearrange how we do things, we aim never to process your data in a way that is incompatible with the original purposes.
- Data Minimisation
We try only to process the personal data that we really need –no more and no less.
We will try to correct or erase, depending on what is appropriate in the context, personal data that are inaccurate.
- Storage Limitation
No one needs or wants their data floating around for eternity, so we try to delete data when we no longer need them.
- Integrity and Confidentiality
We protect your data with the appropriate technologies and business practices. We guard against unauthorised or unlawful processing, and against accidental loss, destruction, or damage to your data.
- We aim to document, as necessary and appropriate, the things we do for your protection.
- You also have a number of rights that you can use to check up on us and hold us accountable.
- Finally, in addition to holding ourselves accountable, we also demand that our processors commit themselves to the protections you deserve. We aim to be transparent in our choice of processors so that you can hold them accountable too.
Rights to Object or Restrict Processing
You enjoy certain rights and privileges too that are important enough that they get their own section. We’d especially like to draw your attention to your rights to object and to restrict processing.
Right to Object
European law provides you with a right to object. This means you have an absolute right to tell us to stop processing your personal data for direct marketing.
Where the processing is for purposes other than direct marketing, you should explain to us what it is you’re objecting to and why it is that you’re objecting. EPIC Ireland Group is then entitled at law to consider whether any legitimate grounds override those objections. If not, then EPIC Ireland Group will cease that processing right away.
Right to Restrict Processing
European law also provides you with a right called restriction of processing. If objection is like a stop button, then restriction of processing is the pause button: It lets you put a pause on all or certain types of processing.
Right to Withdraw Consent
For any processing that is based on your consent, you can withdraw that consent at any time. This means that we will stop that processing, unless there is another basis to continue processing, such as a legal obligation. Withdrawing consent does not affect any processing that has already taken place.
Further Rights to Hold Us Accountable
You have a number of legal rights that will help you hold us accountable and abide by the above privacy principles. Here’s a listing of rights that you should keep in mind:
- Rights to Information and Access
- Right to correct inaccurate data, or supplement incomplete data
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to avoid automated individual decision-making
Rights to Information and Access
- “Who?” You have a legal right to know who we are, who our representative(s) is/are, who our data protection officer is, and contact information for each.
- “Who else??” You have the right to know who, if anyone will receive your information from us. If we didn’t get your personal data from you, we will tell you where we got it.
- “What are you doing?” You have the right to know in advance the purposes behind our data processing. Moreover, you have the legal right to know in advance the legal basis for our processing. We will always tell you where we processing is necessary for our legitimate interests.
- “Why should I?” We will always tell you whether providing your personal data is voluntary or obligatory, and what would be the result if you choose not to provide your personal data. In particular, we will tell you if you are legally or contractually required to provide us with personal data.
- “Where?” Not all jurisdictions or countries provide the same legal protections for personal data and privacy as the European Union and its Member States. Therefore, you have the right to know if your data is being sent outside the EU and if so, what appropriate safeguards have been put in place especially to protect your data protection and privacy rights. Whenever this arises, we’ll tell you how to get a copy of the protections in place for your personal data.
You have a right to receive other information too. We’ll always provide the following specifics to you at the appropriate, relevant time, but here’s a list of what you have a right to receive:
- “How long?” You have a right to know how long we’ll keep your data. If we can’t state a hard number, then we’ll tell you the criteria that will determine when we will delete your personal data.
- “What does EPIC Ireland Group have?” You have a right to hear from us what it is that we have about you. If you see anything that needs correction or that you’d like deleted, please contact us through our data protection officer at firstname.lastname@example.org.
- “I don’t consent.” If the basis for our processing is your consent, you have a right to withdraw that consent at any time. Withdrawing consent does not affect any processing we’ve already undertaken. It also doesn’t have any effect where processing is not based on your consent.
- “I’m still unhappy…” If you think your rights have been violated, you have a right to file a complaint with Ireland’s Data Protection Commissioner.
Right to correct inaccurate data, or supplement incomplete data
We will take every reasonable step to ensure the personal data we process are accurate and up to date. You have the right to inform us of an inaccuracy in data that we process and expect that we will correct it without undue delay. Likewise, if you find that the data we’re processing is incomplete considering the purposes of the processing, you have to right to submit supplementary information. Depending on the circumstances, we might have to ask for some verification of your identity. We’ll do our best to keep those questions to a minimum and to avoid asking for new personal data we don’t already have.
Right to Erasure
In many cases, you have the right to have your personal data deleted. For more information, email our data protection officer at email@example.com.
Right to Data Portability
We understand that sometimes you’ll need to take your data with you. At your request, we’ll provide you with a transferable copy of your data or send it directly (if possible) to your designated recipient. To make this request, please get in touch with the data protection officer at firstname.lastname@example.org.
[NB: This only applies where the lawful basis was either consent or performance of a contract and processing was automated]
Right to Avoid Automated Individual Decision-Making
At EPIC Ireland Group, all decisions that could affect your rights are human-made. While we use computers to help us in our work, all decisions are made by real people.
Exercising Your Rights
The easiest way for you to exercise the rights above is to contact our data protection officer (DPO) directly via email. Let our DPO know, if possible, what it is that you’re looking for, and what it is that you’d like us to do. If you have multiple requests, please do make sure you state them all clearly so we can act on them all.
We train and instruct all our employees to identify and appropriately escalate what appear to be subject requests based on the above rights. Employees should usually escalate requests to their managers, who will be in touch with the DPO. The DPO may or may not require the assistance of an outside lawyer.
Sources of Information
We process the following information:
- Information you give us
- Information your computer shares with us
- Information from third party sources
Information you give us
There are a number of ways that you can provide information to us for processing: When you subscribe to our newsletter, send us any sort of message (text, email, post), or ring us on the phone, you might provide us with information like:
- Your identity, including name and other information like mailing address
- Your credit card information, such as the card number, security code, billing address, and bank or issuer details
We will always process your information according to the privacy principles we explained above. In particular, we would like to say again that all our processing is limited to the specific purpose that we tell you at the time we collect your data, and is only stored for as long as is strictly necessary.
Information your computer shares with us
In order for computers to be able to talk to each other, they absolutely have to disclose some minimum information. This can include technical information or practical information.
- Technical information means data like your IP address, browser type and version, any browser plug-ins, your time zone and language settings, any login information, and your operating system
- Practical information means information like whether you open or respond to our emails, whether you came to our website by clicking on a link at a different website, products or services you searched, browsed, or purchased.
Some of these data are necessary for us to run our website or to respond to your requests, like ticket bookings. Other data are a huge help to us in providing you with better services and maintaining a well-run company. We will always tell you what is necessary and what is voluntary.
Information other parties give us
Sometimes we receive information about you from other parties. We process personal data received from those parties by the same rules and principles as personal data that you give us directly. Moreover, we will always tell you who gave us your information and their contact information. That way, if you prefer, you can instruct those parties to stop sharing your information (we don’t have the authority to do that).
Use of Personal Data
We and our partners process your data to do the following
- Provide you with the information, products, or services that you have requested
- Fulfil our obligations to you, including:
- Provide you with EPIC Ireland Group services, products, and experiences
- Fulfil our legal obligations to you and financial or other institutions
- Improve and develop our business, such as our website, products, services, and experiences
- Provide you with information that we think would be of interest to you, sometimes pertaining to new products, services, and experiences
- To enforce our rights under our terms and conditions or any other contracts with you
- To prevent fraud
- To protect the rights, property, and safety of EPIC Ireland Group employees and customers or other relevant persons
- To respond, when necessary, to valid law enforcement requests
- To comply with applicable laws
- To gather your opinions and input
- To manage any situation where processing or other transactions are disputed
- To handle and resolve complaints
We care deeply about our relationship with our customers and our community. Therefore, we look to see what people are saying about us in public forums. Some of those include:
Again, we only see what you share with the general public or share directly with us.
We use the following technologies and measures to help protect your data:
- Locked physical storage;
- Restricted access areas;
- Confidentiality agreements;
- Regular reviews for personal data we should delete because it’s outdated or unnecessary for the original purpose;
- Shredding and secure disposal;
While no system is absolutely secure, we take every reasonable precaution to protect your data and to respect your privacy.
Confidentiality of Personal Data
EPIC Ireland Group requires all its employees to maintain the confidentiality of the personal data you handle. Further, we expect you to voice or escalate any concerns you have about the way EPIC Ireland Group handles personal data. Data and privacy protections are only as strong as the weakest link, so we rely on a solid team effort!
In order to provide the services and experiences that we offer, we rely on a little help from our partners to process your information, such as sales and bookings, payments and communication. We will always tell you who those partners are for your specific situation, and what it is that they do. We will also always tell you whether or not they have any access to your personal data, or if they only handle your data in its encrypted form. Our contracts with these third parties require them to maintain the confidentiality of the personal information we provide to them, only act on our behalf and under our instructions, and not use information for purposes other than the product or service they’re providing to us or on our behalf.
We aim to reviewing our data protection and privacy policies and procedures at least once a year, and more often if necessary to account for changes in the law or in the way we do things.
Purpose of CCTV:
- The CCTV images are monitored for crime prevention and public safety only. Please contact email@example.com for any CCTV requests.
Retention period of CCTV footage:
- CCTV footage is stored for 30 days and then deleted.
Security arrangements for CCTV footage:
- CCTV footage is stored in a secure room with access to only authorised personnel.
- A log of access is kept in order to ensure full security.
CCTV footage access request:
- Any person who is being recorded has the right to seek and be supplied with a copy of their own personal data from the footage
- The requester should email the data protection officer (DPO) at firstname.lastname@example.org for any CCTV requests with the approximate time and the specific dates on which their image was recorded.
- Requesters should be aware that CCTV footage is deleted within one month of being recorded.
- If any other individuals are visible in the footage, their images would be redacted i.e. blur out the faces of other individuals.
- The access will be responded within one month.
CCTV footage access request by state agencies (An Garda Síochána etc.)
- State agencies can request a copy of CCTV footage by contacting the DPO at email@example.com.
- To expedite a request speedily in urgent situations, a verbal request may be sufficient; however any such verbal request must be followed by a formal written request on headed paper.
- A log of all An Garda Síochána will be kept by the DPO.
Website Data Processing
Here’s what we do on EPIC Ireland Group’s website:
- Purpose – We collect and process your personal data to:
- Provide you with the services you seek from our website,
- Information you provide helps us respond to your customer service requests and support needs more efficiently.
- Improve our website and our services,
- We may use the feedback you provide to improve our products and services.
- Ensure the security of our website.
- Improve our marketing.
- Send you periodic emails,
- We may use the email address to respond to enquiries, questions and other requests.
- Relevant Cookies
- Cookie/tracker types
- Required – Enable navigation and basic functionality
- Functional – Enable analysis of website usage to offer settings and personal experience
- Advertising – Enable us to assess the effectiveness of our marketing and advertising efforts. The cookies are from third-parties, but they are for our use, namely, to analyse and track site visit and sign-ups.
- Categories of Personal Data
- Categories of personal data
- Name (for all tickets)
- Email Address (for all tickets)
- Contact number (for all tickets)
- Child’s Name (for our Santa’s Grotto tickets)
- Child’s Age (for our Santa’s Grotto tickets)
- Provided by data subject
- Without prior consent, will not make use of personal data such as IP address, device and browser information, or time and number of times you click on links or open emails.
- Without prior consent, will not make use of personal data such as IP address, device and browser information, or time and number of times you click on links or open emails.
- Data Recipients
- Do not sell, or rent; do not share except as provided herein
- Use third party processors
- Disclaim responsibility for links to third party references
- Respond to law enforcement requests, or to protect rights, personal property, or personal safety of EPIC Ireland Group, customers, or any third party.
- Email Communication
- Only will email if you opt-in
- Can unsubscribe any time
- Can consent to let EPIC Ireland Group track success of email campaigns
- Limited access
- Limited purpose
- Technical and Organisational Protection
- Use adequate physical and technological security measures to protect data
- Limit organisational use and access to personal data
- Provide training to employees on data protection and privacy best practices, require them to enter into confidentiality agreement
- Use all reasonable efforts, but cannot guarantee absolute security.
- Rights of data subjects:
- Withdraw Consent
- Information & Access
- The subject has the right to access their personal data at any time by sending an email to firstname.lastname@example.org.
- The subject has the right to object any of his personal data to be processed by EPIC Ireland Group.
- Data portability
- The subject has the right to request EPIC Ireland Group to transfer their personal data to another controller in a plain simple electronic form by sending an email to email@example.com.
- Rights of state agency:
- A state agency can request to access subject data by sending an email to firstname.lastname@example.org
- Contact Info