ESRI Website Privacy Notice
Under Data Protection legislation, individuals have a number of rights in relation to the personal data an organisation holds about them. The purpose of this notice is to inform you of the personal data processed through this website, how this data is handled and what your rights are.
Who we are and how to contact us?
The ESRI is a research institute that undertakes economic and social research to advance evidence-based policymaking in these areas. It is a company limited by guarantee and is registered as a charity. Its sources of income are multi-annual programmes of research funded by a number of government departments and agencies, commissioned research projects, competitive research grants and a government grant-in-aid. Our contact details are as follows:
Economic & Social Research Institute, Whitaker Square, Sir John Rogerson’s Quay, Dublin 2.
Tel: 01 863 2000; Email: firstname.lastname@example.org
The Institute’s Data Protection Officer is Ms Claire Buckley. Data Protection related queries can be sent to DataProtection@esri.ie
What personal data do we process through our website?
Job Applications: Applications for ESRI job opportunities are submitted through the careers portal on our website. Application data are handled strictly in accordance with data protection legislation and retained in line with relevant equality and employment legislation. More information is available in the Privacy Notice for Applicants or by contacting DataProtection@esri.ie
Newsletter, Event and Publication Notifications: Individuals may sign-up to receive our newsletter and/or publications and events notifications via email. Subscribers are asked to submit their email address and if they wish they can also submit their name. We process this data on the basis of consent and you may withdraw your consent at any time.
Event Registration: Individuals may register to attend conferences, events, and seminars at the ESRI via our website. They are asked to provide details such as name, email address and organisation. They submit these details on the basis of consent and can choose whether or not their details can be retained for the purposes of similar communications on future ESRI events.
The ESRI issues direct invitations to events to specific policy, research and academic stakeholders via email. The ESRI maintains databases of professional/business contacts on the basis of legitimate business interests. Contacts may opt out of receiving direct email invitations by replying to the email invitation or contacting the ESRI directly at DataProtection@esri.ie
Requests to Receive ESRI Media Releases: The ESRI maintains a database of media contacts in order to disseminate media releases on ESRI news, publications and events. This information is processed on the basis of legitimate interest. Contact information held in this media db is sourced from individual requests, and from publicly available information. Members of the media who no longer wish to receive ESRI media releases may email email@example.com and request to be removed from the media db, or may click unsubscribe on any media release email communication. Members of the media who wish to request to be added to the ESRI media database may email firstname.lastname@example.org, providing contact details and the name of the media organisation they work for.
Do we share personal data with any third parties?
The Institute does not disclose your personal data to any third parties.
We use third party cloud software to host and manage communications and event registration. The Institute ensures that specific data protection guarantees have been provided by the service providers including where data are hosted and security credentials. The privacy notices of these service providers are available here:
Communications Distribution via Poppulo: https://www.poppulo.com/data-privacy/
Event Registration via Microsoft Forms: https://www.microsoft.com/en-us/trustcenter/default.aspx
Event Registration via Survey Monkey https://www.surveymonkey.com/mp/legal/privacy-policy/
What is the legal basis for processing the data?
Under data protection law, there are six available lawful bases under which an organisation may process personal data. They are consent, contractual purposes, legal obligations, vital interests, public task, and legitimate interests.
The legal bases for which we process each category of personal data are as follows:
Application data: Legitimate Interest; Legal obligations
Newsletter, Event and Publication Notifications: Consent via subscription;
Direct Event Invitations: Legitimate Interest
Event Registration: Consent via online registration
Media Notifications: Legitimate Interest
Consent means that an individual has given us clear, explicit consent to process their personal data for a specific purpose. Consent may be withdrawn at any time.
Legitimate interest means we have a legitimate business interest. When we process your Personal Data based on our legitimate interests, we make sure to consider and balance any potential impact on you and your data protection rights. We will not use your Personal Data for activities where privacy impact may override legitimate business interests (unless we have your consent or are otherwise required or permitted by law).
Legal obligation means the processing is necessary for us to comply with the law.
How long will the data be stored for?
For data processed on a consent basis, it is retained as long as the individual wishes us to retain it for. Consent may be withdrawn at any time. For data processed on a legitimate interest basis, it will be retained for as long as there is a purpose associated with the legitimate interest. An individual may object to their data being processed on this basis. For data processed on the basis of a legal obligation, it will be retained in accordance with the requirements of the associated statute or regulation.
What rights do you as the data subject have?
Data protection legislation confers the following rights on individuals:
1. The right to be informed
An individual has a right to know whether an organisation processes personal information relating to them and certain additional information in relation to the processing, such as its purposes, the categories of data, the recipients of the data, and the existence of additional rights such as the rights to erasure and objection (where applicable).
2. The right of access
Individuals have the right to access their personal data, be aware of and verify the lawful basis on which it is processed.
3. The right to rectification
Individuals have a right to have inaccurate personal data rectified, or completed if it is incomplete.
4. The right to erasure
Individuals have a right to have their personal data erased in certain circumstances. This right applies where personal data is processed on the basis of consent or when the personal data is no longer necessary for the purpose which it was originally collected or processed it for; it doesn’t apply where personal data is being processed or retained in order for the organisation to comply with a legal obligation.
5. The right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data in certain circumstances. When processing is restricted, an organisation may store the personal data, but not use it. This right applies where
- an individual contests the accuracy of their personal data and this is being verified
- the data has been unlawfully processed (ie in breach of the lawfulness basis on which it is processed) and the individual opposes erasure and requests restriction instead
- an organisation no longer needs the personal data but the individual needs it to be kept in order to establish, exercise or defend a legal claim
- the individual has objected to the processing of their data where it is being processed on the basis of public interest task or legitimate interests and the organisation is considering whether their legitimate grounds override those of the individual.
6. The right to data portability
This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies where the lawful basis for processing this information is consent or for the performance of a contract, and the processing is being carried out by automated means.
7. The right to object
An individuals have the right to object to the processing of their personal data where
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
8. Rights in relation to automated decision making and profiling
Automated decision making and profiling is defined as:
- automated individual decision-making (making a decision solely by automated means without any human involvement); and
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
An organisation can only process personal data in this way when it’s:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.
How can I submit a Subject Access Request?
Subject Access Requests can be submitted to the Institute’s Data Protection Officer, ESRI, Whitaker Square, Sir John Rogerson’s Quay, D02 K138 or DataProtection@esri.ie
How will the information be provided?
Where the data subject makes the request by electronic form means, where possible, the information must be provided by electronic means, unless otherwise requested by you. When requested by you, the information may be provided orally, provided that identity is verified.
What are the timeframes for dealing with personal data access requests?
- Within 1 month of receipt of the request
- The 1-month period may be extended by a 2 further months, where necessary, taking into account the complexity and number of requests, where necessary. In this case, we will inform you of any extension within 1 month of receipt of the request and the reasons for the delay. If we do not take action on foot of your request, we will inform you without delay and, at the latest, within 1 month of receipt of your request, of:
- The reasons for not taking action
- The possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
What are the charges?
Requests are dealt with free of charge.
However, where requests from a data subject are considered ‘manifestly unfounded or excessive’ (for example where an individual continues to make unnecessary repeat requests or the problems associated with identifying one individual from a collection of data are too great) the data controller may:
- Charge a reasonable fee, taking into account the administrative costs of providing the information/ taking the action requested; or
- Refuse to act on your request.
Right to lodge a complaint to the Supervisory Authority
Under data protection legislation an individual has a right to lodge a complaint with the Data Protection Commission if they consider that processing of their personal data is contrary to the GDPR.
The contact details of the Commission are
The Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois. The Data Protection Commissioner also operates a helpdesk function, which is contactable at 0761 104 800 or LoCall 1890 252231.
ESRI Subject Access Request Procedures
Making and submitting a Subject Access Request
If you wish to make a Subject Access Request, please do so in writing to the Data Protection Officer, ESRI, Sir John Rogerson’s Quay, Dublin 2 or DataProtection@esri.ie
To order to facilitate processing of your request and timely retrieval of your personal data, we ask that individuals provide the following details:
- Name of Requester
- Details of the personal data that you are requesting e.g., application form, emails of a specific subject matter, letters etc.
- Data Subject Right you wish to exercise (where applicable) e.g., right to rectification, erasure
- Any other relevant information
- The form you wish data to be provided to you
In order to ensure that personal data is not disclosed to the wrong person, proof of identity will be required with your data access request.
If a request is being made on your behalf by a third party such as a solicitor, authority and verification will be sought.
Data pertaining to your information only
You are entitled to your own data only. If data from additional parties to the request are required by you, it is necessary for each party to consent to the release of their personal data in writing to the Data Protection Officer. Data pertaining to individuals not party to the request will not be released to you.
We will respond to your request without undue delay and your request will be concluded no later than 1 month from when it is received.
The timeline may be extended by up to 2 months taking into account the complexity and whether it is a repeat request.
Your data will be provided to you free of charge.
However, a reasonable fee may apply when a request is manifestly unfounded or excessive.
Right to complain to Data Protection Commissioner
If you are unhappy with the outcome of your request, you may make a complaint to the Data Protection Commissioner (Canal House, Station Road, Portarlington, Co. Laois), who will investigate the matter for you. Further details on your rights under the Data Protection Acts are available on the Data Protection Commissioner’s website www.dataprotection.ie.