Bord na Móna Plc, its subsidiaries and their subsidiaries (for the avoidance of doubt including Advanced Environmental Solutions (Ireland) Limited (AES)) (“we” or “AES”) collect, use, share and hold certain Personal Data about current, past and prospective consumers, customers, suppliers, business contacts, employees and other people in the course of its business activities. Personal Data must be Processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and other applicable national and European privacy legislation and regulations (together the “Data Protection Law”).
A person whose personal data we hold is hereafter referred to as “you”, and “your” shall have a corresponding meaning.
We use the words Personal Data to describe information that is about you or others from which you or they are identifiable. Other key data protection terms are defined in Schedule 1 (Definitions of key data protection terms).
This policy is part of the appropriate arrangements and structures put in place that are, in the Directors' opinion, designed to secure material compliance with the company’s “relevant obligations” under the Companies Act 2014.
AES holds personal data in relation to current, past and prospective:
We endeavour to keep the Personal Data we process accurate and up to date and held securely.
Furthermore, Personal Data is stored in as few places, with as few copies, as is reasonably possible.
Our staff are trained not to create any unnecessary additional copies of Personal Data.
We use Personal Data to carry out our business activities. The purposes for which we use your Personal Data may differ based on our relationship, including the type of communications between us and the services we provide.
The main purposes include using Personal Data to:
We may use automated decision-making tools (i.e. where a person is not involved in the decision). We typically use these tools when making straightforward decisions about you. Where this is the case we may provide you with more information at the time to aid your understanding of what is involved.
When employees or others that work on AES’s behalf handle Personal Data we will always ask that they treat Personal Data in a confidential and secure manner and will require them to comply with the Confidentiality Code of Conduct set out in Schedule 2.
In connection with the purposes described above, we may need to share your Personal Data with third parties. The types of third parties with which we may share your Personal Data are further described in the Third Party Disclosures set out in Schedule 3.
When we provide Personal Data to third parties, the third parties will be selected carefully and required to use appropriate measures to protect the confidentiality and security of the Personal Data. Those third parties will assume certain responsibilities under the Data Protection Law for looking after the Personal Data that they receive from us.
In certain circumstances, Data Protection Law allows Personal Data to be disclosed to law enforcement agencies without the consent of the Data Subject. In such circumstances, we will disclose requested Personal Data to the extent permitted by, and in accordance with, applicable Data Protection Law.
Where necessary, line managers can be given proxy access to a direct report's email account where this has been authorised. For example, when a user is off sick, on leave or has left the company, access may be necessary for the proper and uninterrupted functioning of the business. Proxy access will be enabled for a 2-week period to administer the account.
When making these transfers, we will take steps to ensure that your Personal Data is adequately protected and transferred in accordance with the requirements of the Data Protection Law.
This may involve the use of data transfer agreements in the form approved by the European Commission or another mechanism recognised by data protection law as ensuring an adequate level of protection for Personal Data transferred outside the EEA (for example, standard contractual clauses).
For further information about these transfers and to request details of the safeguards in place, please contact us by email at: firstname.lastname@example.org.
AES uses appropriate technical, physical, legal and organisational measures, which comply with data protection laws, to keep Personal Data secure.
As most of the Data we hold is stored electronically we have implemented appropriate IT security measures to ensure this Personal Data is kept secure. For example, we may use anti-virus protection systems, firewalls, and data encryption technologies. We have procedures in place at our premises to keep any hard copy records physically secure. We also train our staff regularly on data protection and information security. It is the responsibility of all employees to handle Personal Data securely and in line with such data security and storage guidelines set out by AES from time to time.
When AES provides Personal Data to a third party (including our service providers) or engages a third party to collect Personal Data on our behalf, the third party will be selected carefully and required to use appropriate security measures to protect the confidentiality and security of Personal Data. For example, Personal Data is encrypted / password protected where appropriate.
Unfortunately, no data transmission over the Internet or electronic data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any Personal Data you might have sent to us has been compromised), please immediately notify us at email@example.com.
If there is ever a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, AES will follow the AES Data Breach Procedure.
To comply with Data Protection Law, we are obliged to advise you of the legal justification we rely on for using your Personal Data for our purposes.
While the law provides for several legal justifications, the main legal justifications that apply to our purposes for using Personal Data are:
In order to enable us to fulfil the terms of our contract with you (or someone else) or in preparation of entering into a contract with you (or someone else), we may be required to obtain certain Personal Data from you. We will inform you of the legal justifications for which we are obtaining your personal data when we obtain your Personal Data. In some circumstances, we may be legally required to obtain certain personal data from you. In these instances, we may not be able to provide our products or services to you if you do not provide the relevant Personal Data to us. If you would like further information, please contact us at firstname.lastname@example.org.
Where we rely on our legitimate business interests or the legitimate interests of a third party to justify the purposes for using your Personal Data, our legitimate interests will usually be:
For Processing of more Sensitive Personal Data we will rely on either:
Processing of Personal Data relating to criminal convictions and offences is subject to the requirements of applicable law.
We may record telephone calls with you so that we can:
In addition, we monitor electronic communications between us (for example, emails) to protect you, our business and IT infrastructure, and third parties including by:
Our use of CCTV involves Processing of Personal Data. Further information on how we Process Personal Data using CCTV is set out in Schedule 4.
We will keep Personal Data for as long as is necessary for the purposes for which we collect it. Where we hold Personal Data to comply with a legal or regulatory obligation, we will keep the information for at least as long as is required to comply with that obligation. In some cases a retention period will apply once the initial purpose has ceased e.g. financial information is kept for 7 years, payroll files are required to be kept for current year plus 6 years.
Where we hold Personal Data in order to provide a product or service, we will keep the information for at least as long as we provide the product or service, and for a number of years thereafter. The number of years varies depending on the nature of the product or service provided.
AES endeavours to ensure that Personal Data will only be kept for a period which is relevant and not excessive to achieve the purposes for which it is being held. Personal Data will be deleted once that purpose is achieved or it is no longer required.
Schedule 5 sets out a summary of the data protection rights available to individuals in the EEA in connection with their Personal Data. These rights may only apply in certain circumstances and are subject to certain legal exemptions.
Any request to exercise your rights should be sent to the Information Office at email@example.com.
To help us to respond to your request, please be as specific as possible. For example, if you wish to exercise your right to access your Personal Data, please specify the Personal Data of which you wish to obtain a copy.
Please include any additional details that would help us to respond to your request - for example, your customer account number, a staff reference number, names of departments/offices that you were associated with, etc.
If you wish a third party to submit a request to exercise your rights on your behalf (e.g. a family member or solicitor), you must provide written authorisation to allow us to disclose your Personal Data to that third party.
You may be asked to provide further information in order for AES to confirm your identity.
If you have any questions or concerns about the way your Personal Data is used by us, you can contact us by email at: firstname.lastname@example.org.