CDI Privacy Policy: Data Protection and Privacy Practices
Who we are
“Data controllers” are the people or organisations that determine the purposes for which, and the way, any personal data is processed, and make independent decisions in relation to the personal data and/or who or which otherwise controls that personal data.
For the purposes of the GDPR, the Childhood Development Initiative (CDI) is the data controller regarding the personal data described in this Privacy Policy.
The Childhood Development Initiative (CDI) coordinates early intervention and prevention programmes to improve outcomes for children in disadvantaged areas.
Our Data Protection Officer can be contacted directly here:
- Email: info@cdi.ie
- Phone: 01 494 0030
- Postal address Childhood Development Initiative, St Mark’s Family and Youth Centre, Cookstown Lane, Fettercairn, Tallaght, Dublin 24,
D24 PK6P
Purpose and Scope of this Policy
The purpose of this Privacy Policy is to provide you, as our data subject, with a statement regarding the Data Protection and Privacy practices and obligations of the CDI and an explanation of your rights as a data subject.
This Data Protection and Privacy Policy and Notice apply to our business practices and our website, which is accessible at https://www.cdi.ie.
As the CDI is established in Ireland, this document is written in the vein of the GDPR and Irish Data Protection Law, and the CDI falls under the jurisdiction of the Data Protection Commission Ireland. This Privacy Policy sets out what personal data we collect and process about you in connection with the services and functions of the CDI. We are not responsible for the content or the privacy notices for any websites to which we may provide external links.
Laws that apply to us:
• General Data Protection Regulation (EU Regulation 679/2016)
• Regulations flowing from Data Protection Act 2018
• ePrivacy Regulations 2011 implementing EU Privacy and Electronic
Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD)
Why and how do we ensure compliance?
Data protection and privacy laws provide rights to individuals regarding the use of their Personal Data by organisations, including our organisation. EU laws on data protection govern all activities we engage in regarding our collection, storage, handling, disclosure, and other uses of personal data.
We must comply with data protection and privacy laws because the law requires us to, but we also would like you to have confidence in dealing with us, and compliance with data protection laws helps us to maintain a positive reputation in relation to how we handle personal data.
We are required to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable data protection and privacy laws, and that we have in fact complied with the laws.
We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our systems and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by acting if our representatives, including employees or contractors, fail to follow the rules.
We also have certain obligations in relation to keeping records about our data processing.
Who must comply?
All our representatives, which include employees and contractors, are required to comply with our Data Protection Policies and Procedures which inform this Privacy Policy when they process personal data on our behalf.
What are the data protection principles and rules?
We aim to comply with the following principles found in Data Protection Law:
- Lawfulness, fairness, and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose Limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – Personal data must be adequate, relevant, and limited to what is necessary in relation to purposes for which they are processed.
- Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal data should be corrected or deleted.
- Retention – Personal data should be kept in an identifiable format for no longer than is necessary.
- Integrity and confidentiality – Personal data should be kept secure.
- Accountability – Under the GDPR, we must not only comply with the above six general principles, but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.
What is personal data?
Personal data is any data that identifies you, or could be used to identify you, which is submitted and/or collected by the Childhood Development Initiative. It does not include anonymised data where your identity has been removed.
Any personal data that you share with us is treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).
How do we collect information from you?
We obtain information from you:
- When you use our website and social media sites
- If you subscribe to receive our newsletters
- While providing our services/ programmes/trainings
- When conducting surveys
- When you communicate with us on social media
- When you apply for opportunities available in CDI
- When donating or payment online to CDI.
What personal data do we process?
We may collect the following categories of personal data:
- Name, Title
- Email Address
- Address/es
- Phone number/s
- Date of Birth
- Social media data e.g., Facebook name, profile ID, Instagram handle, comments made on posts, messages you may send to us via social media and your activity on our pages via insight tools
- Marketing and Communications preferences
- Technical data such as operating system (OS), internet protocol (IP) address, browser type/version, time zone and location, browser plug-in types and versions
- Usage data (e.g., how you use our website via Cookies, Log Files, and other similar technologies)
- Any data sent via email, text, or other electronic communications
- Photos or videos
- Surveys & questionnaires
Payment details, for example, credit or debit card details, when making a payment or donation online.
Special Category Data
We may collect sensitive data—or ‘Special Category’Data’—about you to assist you and provide our service(s).
- Data regarding your or your child’s health, for example, speech and language therapy assessments
- Data concerning a natural person’s sex life or sexual orientation (e.g., gender)
- Personal data revealing racial or ethnic origin (e.g., your nationality)
Children’s Data
We collect children’s data to provide our services to children. This is done with parental or guardian consent where a child is under the age of 16 years old and consent is the legal basis relied upon for processing the data.
Criminal Convictions / Offence Data
The CDI does not collect any information about criminal convictions and offences[MQ1] .
Aggregated Data
As with most websites, we gather statistical data and other analytical information (for example, demographic information, usage data, etc.) collected on an aggregated basis from all visitors to our website. This data is not considered personal data in law as it does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this policy.
How and why we use your data?
- To contact and communicate with you
- To process and deliver our services to you, including providing you with information about our services.
- To provide information on CDI’s newsletters and invitations to events, and to share the learning from other organisations.
- To receive feedback
- To understand the use of our website,
- To administer and protect our website and business (including troubleshooting, data analysis, testing, maintenance, support, reporting, and hosting of data),
- To improve the quality of experience when you interact with Services
- For compliance with legislation relevant to the CDI
- For marketing and promotional purposes in connection with the services
- To meet specific legal obligations to maintain audit documentation in the case of statutory audits
- For the management and administration of the CDI (now and in the future).
Legal Basis for using your data
We use your personal data for the purposes outlined above. In doing so we rely on a number of separate and overlapping legal bases to lawfully process your personal data. These may include:
- Where necessary to perform our contract with you
- Where you have consented to the processing
- Where necessary for statutory obligations
- Where necessary for us to comply with a legal obligation or to establish, exercise or defend legal claims
- For the purposes of our legitimate interests, provided that those interests are not overridden by your interests or fundamental rights and freedoms.
How long do we keep your data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We have a Retention Policy and Retention Schedule in place, and we ensure data is destroyed confidentially when it is required to do so.
In some circumstances, you can ask us to delete your data: see below for further information. In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
If you have any questions about our retention periods, you can contact us at info@cdi.ie
Third Parties and Disclosures of your Personal Data
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below.
The CDI has contracts in place and carries out due diligence regarding our suppliers and relevant third parties.
Third Parties we may disclose your data to
- Third-party payment processors: If you make an online payment, the CDI does not hold your card information; it is collected by our secure third-party payment processors, who specialise in the secure online capture and processing of credit and debit card transactions. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be encrypted using secured encryption technology.
- Mailchimp: If you subscribe to the CDI’s newsletters, your position, name, address, email address, and phone number is shared with Mailchimp. See their Privacy Policy.
- Service providers acting as processors based in Ireland and Europe who provide development, IT, and system administration services.
- Technical providers are other entities that interact with us in connection with the services we provide.
- Professional advisers acting as processors, controllers, or joint controllers, including lawyers, bankers, auditors, and insurers based in Ireland and the EU who provide consultancy, banking, legal, insurance, and accounting services.
- Regulators and other authorities, such as processors, controllers, or joint controllers based in Ireland and the EU, require reporting of processing activities in certain circumstances.
International Transfers
Google Analytics:
Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies,” which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
The CDI shares personal data with the following third parties as part of their processing activities.[PM15]
Third country & organisation name | Safeguards in place |
---|---|
United States: Dollywood Foundation | Fully compliant with EU regulation through the Privacy Shield FrameworkSubject users consent to data transfer when signing up.Has internal data protection policies and procedures. |
United States: KoBo toolbox | Fully compliant with the GDPR and provides Data Processing Agreements. All data is encrypted. |
Stripe: Ireland and United States | Fully compliant with the GDPR and has EU-approved Standard Contractual Clauses for international data transfers. Provides Data Processing Agreements. |
Mailchimp / Intuit | Fully compliant with the GDPR and has EU-approved Standard Contractual Clauses for international data transfers. Provides Data Processing Agreements. |
Security features and data location
If the CDI has received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way.
The CDI utilises encryption, access controls (physical access control, electronic access control, internal access control) and other features to ensure the security of your data.
The CDI’s data is stored in the EU. Should the CDI engage a data processor or controller outside of the EU (subject to adequacy findings), standard contractual clauses and a transfer impact assessment would be carried out.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
The CDI limits access to your personal data to those employees, contractors, and other third parties on a need-to-know basis and under contract. We will only process your personal data for the purposes for which it was collected, and third parties are only permitted to process your data on our instructions.
Information on Consent
By consenting, where this is the appropriate and identified lawful basis for processing, to our processing of your personal data in line with this Data Protection and Privacy Policy and Notice, you are giving us permission to process your personal data specifically for the purposes identified.
You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of personal data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Officer using the contact details set out below.
Withdrawal of consent shall be without effect on the lawfulness of processing based on consent before its withdrawal.
Your Rights
Under certain circumstances, and dependent on the legal basis on which your personal data is processed, you have the right to:
- Request information about whether we hold personal data about you and, if so, what that personal data is and why we are holding or using it.
- Request access to your personal data (commonly known as a “Data Subject Access Request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request the erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data if you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your personal data or profiling of you.
- Request a restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data in an electronic and structured form to you or another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically usable format and to be able to transfer your data to another party in an electronically usable format.
How do you exercise your rights?
We have appointed a Data Protection Officer to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the Data Protection Officer.
If you wish to exercise your rights, please contact our Data Protection Officer, who will respond to the request within one calendar month.
Our Data Protection Officer can be contacted as follows:
The Data Protection Officer
Childhood Development Initiative
St Mark’s Family and Youth Centre
Cookstown Lane,
Fettercairn,
Dublin 24
Email: info@cdi.ie
Phone: 01 494 0030
Your Right to Lodge a Complaint
You, as the data subject, have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your personal data. We would like to hear from you first if you have a complaint about how we use your data so that we may rectify the issue.
As our organisation is in Ireland, and since we conduct our data processing here, we are regulated for data protection purposes by the Data Protection Commission.
You can contact the Data Protection Commission:
Website: www.dataprotection.ie
Phone: +353 57 8684800 or +353 1 7650100 / 1800437 737
Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland
Updates
Our practices, as described in this Privacy Policy, may be changed, but any changes will be posted, and changes will only apply to activities and information in the future, not on a retroactive basis.
You are encouraged to review this Privacy Policy periodically to ensure you understand how any personal information you provide will be used.
We may also email you in certain circumstances to let you know when we update this Privacy Policy to ensure you are informed.
Any changes to this Privacy Policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any time we decide to use personal data in a manner significantly different from that stated in this Privacy Policy or otherwise disclosed to you at the time it was collected, we will notify you by email, and you will have a choice as to whether or not we use your personal data in a new manner.
Cookies
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your computer’s hard drive. Like many sites, we use “cookies” to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may be unable to use some portions of our Site.
Review our Cookie Policy.
Effective as of 21 August 2023