DATA PROTECTION POLICY

INTRODUCTION

As individuals, we want to know that personal information about ourselves is handled properly and we and others have specific rights in this regard. In the course of its activities, Pluto collects, stores and processes personal data, and it recognizes that the correct and lawful treatment of this data will maintain confidence in the organization and will provide for successful business operations.

 

Status of the policy

This policy sets out Pluto’s rules on data protection, data subject rights, and the data protection principles. These principles specify the legal conditions that must be satisfied in relation to the obtaining, handling, processing, transportation, and storage of personal data.

We do not knowingly collect data relating to children unless expressly requested by a data controller and with the full consent of a parent/guardian or if allowable by law. Anyone who considers that this policy has not been followed in respect of personal data about themselves or others should raise the matter with Pluto’s Data Protection Officer in the first instance.

This version was last updated in April 2020.

This privacy notice is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this privacy notice.

  1. [WHO WE ARE]
  2. [GLOSSARY OF DATA PROTECTION TERMS]
  3. [THE DATA WE COLLECT ABOUT YOU AND HOW IT IS COLLECTED]
  4. [HOW IS PERSONAL DATA COLLECTED?]
  5. [HOW WE USE PERSONAL DATA]
  6. [DISCLOSURES/SHARING OF PERSONAL DATA]
  7. [DATA PROTECTION PRINCIPLES]
  8. [YOUR LEGAL RIGHTS]
  9. [DATA SECURITY]

 

 

1. Who we are

 

We are Pluto, a company incorporated in Frankfort House, Vergemount Hall, Clonskeagh, Dublin 6 whose registered number is 432810.  We provide event management services, digital marketing, and shopper marketing services.

Our address is Frankfort House, Vergemount Hall, Clonskeagh, Dublin 6.

Our contact number is (01) 260 4001.

For queries regarding personal data, our Data Protection Officer can be contacted at the address and number stated above.

All users of Pluto’s services and website have the right to complain to the Data Protection Commission (DPC), the Irish supervisory authority for data protection issues (www.dataprotection.ie), and to seek compensation through the Courts.

 

2. Glossary of data protection terms

Data is recorded information whether stored electronically, on a computer, or in certain paper-based filing systems.

Data subjects for the purpose of this policy include all living individuals about whom Pluto holds personal data. A data subject need not be an Irish or EU national or resident. All data subjects have legal rights in relation to their personal information.  Data subjects can be clients, employees, competition entrants, shoppers, event attendees, and client employees.

Personal data means data relating to a living individual who can be identified from that data (or from that data and other information Pluto holds).  Personal data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as a performance appraisal).  It can even include a simple e-mail address. It is important that the information has the data subject as its focus and affects the individual’s privacy in some way. Personal details such as someone’s contact details or salary fall within the scope of The General Data Protection Regulation 2016/679.

Sensitive personal data includes information about a person’s political opinions, racial or ethnic origin, religious or similar beliefs, trade union membership, sexual orientation, genetic, biometric, and health data. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

Data controllers are the people or organizations who determine the purposes for which, and the manner in which, any personal data is processed.  They have a responsibility to establish practices and policies in line with GDPR. Pluto is the data controller of all personal data belonging to employees and clients of our company only.  Our clients are data controllers for all of their customers’ and employees’ personal data. Only they determine the purposes and means of the processing of personal data that we carry out.

Data users include employees whose work involves using personal data.  Data users have a duty to protect the information they handle by following Pluto’s data protection and security policies at all times.

Data processors include any person or entity who processes personal data on behalf of a Data Controller. Pluto is a processor of the personal data entrusted to us by our clients, who are the Data Controllers of their supporters’ personal data.

Processing is any activity that involves the use of the data.  It includes obtaining, recording, or storing the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, or destroying it.  Processing can also include transferring personal data to third parties but only with the express permission of the controller.

Recipient means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.

 

 

3. The data we collect and how it is collected

 

 

Pluto is the Data Controller for all personal data provided by employees, our customers’ (clients’) own personal data, and the personal data of potential customers. We are the Data Processor for all personal data that is provided to us by our clients (in particular, their customer and employee records).

The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in The General Data Protection Regulation 2016/679 (GDPR), the Data Protection Act 2018, S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 and other regulations.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may, depending on the processing, collect, use, store, and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar identifier, title.
  • Contact Data includes job title, employer information, work contact information, billing address, email address, and telephone numbers.
  • Technical Data includes internet protocol (IP) address, browser type and version, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Usage Data includes information about how you use our website.
  • Marketing and Communications Data includes your preferences in receiving marketing from our clients, which we may process on their behalf.
  • We may process Special Categories of Personal Data (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) only where this has been collected by our clients, who in this instance are the data controllers.
  • Financial/transaction data – only of our clients for the purpose of payment for our services

WEB BEACONS

We may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, which includes Web Beacons. Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

PERSONAL DATA NEEDED TO PROVIDE YOU WITH OUR SERVICES

Where we need to collect personal data under the terms of a contract we have with our clients and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

 

 

4. How is personal data collected?

 

 

We use different methods to collect data from and about you including through:

Direct interactions with clients/customers. You may give us your identity and contact details through a business interaction by filling in online or paper forms or by corresponding with us by post, phone, email, or otherwise.

Direct interactions with data subjects on behalf of clients/customers. For instance, invited attendees at an event, gathering customer names, addresses, phone numbers, etc. on behalf of clients and with the fully informed, specific consent of the data subjects.

Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies.  You can refuse cookies by enabling cookie-blocking technology. Alternatively, you can decide which cookies to allow when you visit our website for the first time (or after clearing your browser history).

 

 

5. How we use personal data

 

We will only use personal data when the law allows us to. Most commonly, we will process personal data in the following circumstances:

  • When we are contacting you in response to an explicit request from you to learn more about Pluto
  • When we need your data in order to perform a contract with you at your request
  • When it is necessary for our legitimate interests and these interests do not override your interests and fundamental rights
  • When we need to comply with a legal or regulatory obligation.
  • When you have given your consent, for example where you give explicit consent to receiving direct marketing or allow us to pass your information to another recipient

LAWFUL BASES 

Below are the lawful bases we rely on to process personal data:

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Consent means processing where the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

PURPOSES FOR WHICH WE USE PERSONAL DATA

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

CHANGE OF PURPOSE 

We will only use your personal data for the purposes for which we collected it.  If we need to use your data for any other purpose, we will contact you directly.

 

 

6. Disclosures/sharing of personal data

 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Whenever we transfer personal data out of the EEA, we ensure a similar degree of protection is afforded to it by using, where we use certain service providers, specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

 

 

7. Data protection principles

 

Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:

  • Processed fairly, lawfully and transparently
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”)
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)
  • Accurate and up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”)
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”)

Pluto is responsible for the personal data of our clients, their customers, employees, and clients, and of our employees, and must be able to demonstrate compliance with all of the above principles through our policies, actions, and documentation.

Fair, Transparent and lawful processing

GDPR is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is, the purpose for which the data is to be processed by Pluto, and the identities of anyone to whom the data may be disclosed or transferred.

For personal data to be processed lawfully by Pluto, at least one of the following conditions must be met:

  1. The data subject has explicitly consented to the processing
  2. The processing forms part of a contract or steps taken at the request of the data subject to enter a contract
  3. The processing is necessary for the legitimate interests of the data controller or of a third party
  4. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  5. The processing is necessary for compliance with a legal obligation to which the controller is subject
  6. The processing is necessary in order to protect the vital interests of the data subject or of another natural person

When sensitive personal data is being processed, additional conditions will be met by Pluto and our clients to ensure high levels of protection and security. In most cases, the data subject’s explicit consent to the processing of such data will be required.

Purpose limitation

Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by GDPR. Any data which is not necessary for that purpose should not be collected in the first place. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed and explicit consent given before any processing occurs.

Data minimization

Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject or as instructed by our clients. Any data which is not necessary for that purpose should not be collected in the first place.

Accuracy

Personal data must be accurate and kept up to date. Information that is incorrect or misleading is not accurate and steps should, therefore, be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterward. Inaccurate or out-of-date data should be destroyed.

Storage limitation

Personal data should not be kept longer than is necessary for the purpose. This means that data is destroyed or erased from Pluto’s systems when it is no longer required.

Integrity and Confidentiality

Maintaining data security means guaranteeing the confidentiality, integrity, and availability of the personal data, defined as follows:

  • Confidentiality means that only people who are authorized to use the data can access it
  • Integrity means that personal data should be accurate and suitable for the purpose for which it is processed
  • Availability means that authorized users should be able to access the data if they need it for authorized purposes. Personal data is, therefore, stored on Pluto’s computer system until such time that it is no longer needed or can no longer be lawfully retained

As Processor, in the event of an incident affecting the security of personal data, it is Pluto’s responsibility to notify our clients (Controllers) as soon as the issue is detected.

Pluto uses physical and digital security protocols to ensure that any personal data is processed securely, with the objective of safeguarding the data against any and all unauthorized or illegal access.

Pluto must ensure that appropriate security measures are taken against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to, personal data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss.

We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if we have full agreement from the controller and the third party agrees to comply with those procedures and policies and/or if they put in place adequate measures themselves.

 

 

8. Data Subjects’ Rights

 

Data must be processed in line with data subjects’ rights.

Data subjects have a right to:

  • Request access to any data held about them by a data controller. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Have any inaccurate personal data corrected or updated (rectified). This enables you to have any incomplete or inaccurate data we hold about you corrected or appended. We may need to verify the accuracy of the new data you provide to us.
  • Object to the processing of your data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request erasure of your data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that this is not an absolute right and we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Restrict the processing of personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Transfer personal data to a third party on request, where the data was obtained by consent or contract. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.