Our Website and Web Server recognizes no information regarding Web domain or email address for each visitor to our Web Page.

 

We collect aggregate information regarding pages accessed by consumers and visitors and other information volunteered by the consumer, such as surveys and registrations to the website.

 

 

___________________________

 

Cookies

What are cookies?

 

A “cookie” is a small piece of data which will usually include unique identifying components which is sent to your computer or phone (both referred to as “device”) browser from a websites computer. The Cookie is stored on your device’s hard drive, mobile device, set top box or other device.

 

Different cookies have different functions, some allowing you to navigate between webpages efficiently, whilst remembering your preferences on a certain website, improving your overall experience of using the website. Other cookies can provide the visitor with advertisement which is tailored to their online interests, or measure the most frequently viewed or favourite websites of a given visitor.

 

 Most web browsers automatically accept cookies but you can disable this function by changing your browser settings if you so wish.

 

Our website uses cookies to store customer’s preferences, record information regarding sessions including items added to your shopping cart. We use cookies to store visitors’ preferences, record session information, such as items that consumers add to their shopping cart. Without cookies your orders would be unable to progress from page to page - some cookies are necessary for vital on-site navigation.

____________________________

 

 

If you provide your postal address to us online, you will only receive the information for which the postal address was obtained. You will not receive additional unrelated post.

 

Similarly, those supplying us with their telephone numbers will receive only information about orders they have placed online, by telephone.

 

Occasionally, Phelansmobilityaids.ie may use customer information for new, unanticipated uses which may not be previously disclosed in our privacy policy notice. Should our information practices change in the future, we will post any changes to our Website in order to notify visitors and provide visitors with the opportunity to opt-out of these new practices. If you have concerns about how your information is used, you should regularly check our website for changes to our policy.

 

Site visitors may request to view the information which we maintain about them including proprietary information, transactional information (e.g. dates of purchase, amounts and types of purchases), communications that the consumer has directed to our site (e.g. e-mails, customer enquiries), and contact information (e.g. name, address, telephone number, e-mail address). This information may be obtained by e-mailing the above address or writing to us at the above address to request this information. Customers can have this information corrected in the same way.

 

With respect to security: during the transfer and receiving of sensitive information such as financial or health information, our website will redirect the visitor to a secure server. Visitors will be notified of this through a pop-up which will appear on-screen.

 

How do I find out about changes to the privacy policy?

 

We regularly review and update our privacy policy. When any changes are made to this policy, they will be updated on our website. We reserve the right to change the content or services on our website at any time, without notice. Hence, our privacy policy may change at any time in the future. Your continued use of the website will mean that you agree to the new changes.

 

 

 

If you feel that this website does not comply with its stated information policy, you may contact us at the above address, e-mail or telephone number.

Privacy Policy

Collection and use of personal information

Personal information: information that is associated with your name or personal identity. This website does not collect any personal data about you on this Website, apart from information which you volunteer (for example, by emailing us, or registering with us). Any information which you provide in this way is not made available to any third parties, and is used by this site only in line with the purpose for which you provided it.

Collection and use of non-personal information

Non-personal information: data collected for statistical purposes which is not associated with a specific identity. This site collects and analyses technical information in order to evaluate our Website. The type of technical information we log is confined to the following: · The IP address*1 of the visitor’s Web server · The top-level domain-name used (for example .ie, .com, .org, .net) · The pages visited on the this site Website, i.e. URL’s*2 visited · The previous Website address from which the visitor reached us, including any search terms used · Data which shows the traffic of visitors around this Website (for example, pages accessed) *1 An IP address is an identifier for a computer or device on a Transmission Control Protocol/Internet Protocol (TCP/IP) network, such as the World Wide Web. Networks use the TCP/IP protocol to route information based on the IP address of the destination. In other words, an IP address is a number that is automatically assigned to your computer whenever you are surfing the Web, allowing Web servers to locate and identify your computer. Computers require IP addresses in order for users to communicate on the Internet, browse and shop. *2 A URL (Uniform Resource Locator) is the global address of documents and other resources on the World Wide Web.

Third party websites

The website may contain links to other websites. We are not responsible for the privacy policies or practices of third party websites.

Data Subjects’ Rights Notes to Document Note 1: Individuals (called ‘data subjects’ in the legislation) have several rights under European data protection law that they can exercise in particular circumstances. In brief the main rights are: The right to access data about them (called ‘personal data’); the right to rectify/correct their personal data; The right to erase/delete their personal data (i.e. the “right to be forgotten”); The right to ‘port’ their personal data from one organisation to another; The right to restrict the processing of their personal data; and The right to object to processing of their personal data. Note 2: Controllers and Processors The legislation (‘GDPR’) applies to both ‘controllers’ and ‘processors’. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. A controller determines the purposes and means of processing personal data, basically the owner of the data. A processor is responsible for processing personal data for a controller. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. This Policy applies to Phelan’s Pharmacy Ltd and all associated companies defacto within ("Phelan’s Group") structure and /or also as defined in section 2 subsection 6 of the Companies act 2013. Phelan’s Pharmacy Ltd is the controller of the data subject’s personal data (“Data”). If we use a processor, the GDPR places specific legal obligations on both Phelan’s Pharmacy Ltd and the processor; for example, Phelan’s Pharmacy Ltd are required to have a specific written contract with the processor and they must maintain records of personal data and processing activities. Both Phelan’s Pharmacy Ltd and the processor may also have legal liability if responsible for a breach, such as unauthorized people accessing the Data, or the Data being lost. Note 3: These guidelines set out a sample template for how Phelan’s Pharmacy Ltd as controller, should respond to requests from individuals to any company within Phelan’s Group to exercise their rights under EU law. Note 4: The policy assumes that Phelan’s Group is responding to a specific, individual request, ideally using a Phelan’s Group Form. BUT NOTE that a data subject does NOT have to use this form and can submit a request in any format they choose. Phelan’s Group may in the future choose to make a “Dashboard” or “My Account” page available that contains the elements subject to access requests, to attempt to streamline the process, but the policy / procedures below assume that either no such dashboard is yet in place, or that Phelan’s Group has received a specific request that cannot be satisfied by the information available in such a dashboard. Note 5: Each Company within Phelan’s Group should assign a Department, Section or individual with responsibility for responding to requests with the control resting with the Privacy Co-Ordinator (privacy@phelans.ie). It might be the HR team with respect to requests from employees and the Marketing Manager for marketing issues, and different Departments for other types of requests, and they in turn will need to liaise and they will need to be provided with oversight by Privacy Co-Ordinator who will have to insure timely compliance within the 30 days’ time frame. Note 6: The Policy document sets out how Phelan’s Group should respond to specific requests of the exercise each of the rights set out in Note 1 above. Note 7: The Privacy Co-Ordinator is at privacy@phelans.ie Dealing with Data Subject Rights under the GDPR THE RIGHTS 1 – SUBJECT ACCESS REQUESTS Data subjects (i.e. individuals relating to whom we hold data) should be encouraged to use FORM No. 1a below when submitting a request to exercise their right of access (Access Request"). All data subjects have the right to have access to a copy of all information (called ‘personal data’) that Phelan’s Group holds and processes relating to them. Additional information that may be required before responding to an Access Request. The Scope of the searches If it is not clear from the request what information the data subject seeks to obtain, Phelan’s Group can confirm the scope of the search(es) it will carry out for that individual's personal data. Phelan’s Group is expected to make extensive efforts to search for all information that the data subject wishes to obtain. Phelan’s Group cannot insist that the data subject narrow the scope of the proposed searches. Phelan’s Group can refuse requests if they are ‘manifestly unfounded’, or ‘excessive’ particularly if the requests are repetitive. Phelan’s Group can ask the data subject if there is particular data being sought by them, which would satisfy their request, whilst always making it clear that Phelan’s Group will furnish a complete response if required. Where the request can readily be complied with, no narrowing should be sought. When sending the data subject confirmation of the request Phelan’s Group can describe the scope of the searches to be carried out and request confirmation that these are appropriate. When reviewing the relevant form and confirming the scope of the searches, Phelan’s Group may suggest to the data subject an agreed scope, for example, searches of the email folders of relevant individuals (e.g. if they are an employee, the data subject, their line manager, and any employees with whom they worked closely), folders of network hard drives such as HR folders, and any other areas particularly relevant to that individual. Specific search terms could can also be agreed with the data subject. Generally, these will be the name of the data subject, along with a reasonable date range, and any other relevant identifiers. This can allow electronic documents to be searched quickly. The following considerations may be relevant when determining the scope of the search: Date ranges: if there is a particular matter in which the data subject is interested, it may be appropriate to limit the date range to when the matter was active. This can be particularly important with respect to CCTV footage. The data subject can, however, insist on any date range, provided it is not manifestly unfounded or excessive. Back-up data: With respect to back-up data, if Phelan’s Group is satisfied that the back-up replicates the data held in live systems, it is unlikely that searches of back-up data would be required. Archived data: Archived data should be searched, this is data that Phelan’s Group has decided it may wish to retrieve at a later date. Hard copy documents: Hard copy documents that are stored in such a way that information about individuals is accessible are within the scope of an Access Request. This would include a HR file about that individual, although it might not include notes made by individuals in a personal notebook, or data which is ad hoc, and not organized, or intended to be put on any organized system. When is an Access Request valid? Phelan’s Group is not required to respond to repeated requests that are made at unreasonably frequent intervals, provided Phelan’s Group can show that the request is manifestly unfounded or excessive in character. If the requestor fails to provide the necessary identification verification, Phelan’s Group may request additional information to confirm the identity of the data subject. If the request is for specific personal data that is protected for some reason (e.g. is privileged, contains personal data of others, etc.) then the request should be declined on those grounds. If you receive a repeated request from the same individual and the previous request was very recent, you should take into account whether the personal data is particularly sensitive, whether the processing might affect the data subject's rights and whether the personal data is likely to have changed since the last request before determining whether the interval between requests is unreasonable. If you have any doubts about whether a repeat request has been made unreasonably soon, please refer to specialist expertise. In the event of a repeated request, you could offer only to provide information that has changed since the previous request, but if the data subject insists on receiving all the personal data again, Phelan’s Group must provide this, unless you deem the request to be manifestly unfounded or excessive in character, particularly because of its repetitious nature. Information relevant to carrying out an Access Request As well as the documents held by Phelan’s Group in hard copy or electronic form, the scope of the searches may refer to information held by third parties such as service providers. In this case, Phelan’s Group should consider whether third parties may be holding information to which Phelan’s Group would not have access. If the third party is a ‘controller’ in respect of that data, (i.e. if it is that third party’s data, not Phelan’s Group’s data) Phelan’s Group should advise the data subject to contact that controller. If, however, the third party is a processor on behalf of Phelan’s Group, the personal data should be provided. After the searches are carried out, the documents returned should be reviewed by Phelan’s Group as quickly as possible. The following considerations may be relevant to the review process: If the documents contain any personal data of individuals other than the data subject, this information should be redacted (made illegible) in order to provide only the personal data of the data subject and can only be disclosed if the other individual has consented to its disclosure; If information might be subject to a legal privilege, for example personal data included in legal advice provided to Phelan’s Group or has been prepared by lawyers in reasonable anticipation of litigation, it should not be disclosed to the data subject and the request must be referred to specialist expertise; or If personal data is included in information that relates to the prevention or detection of a crime, it should not be disclosed if doing so might prejudice the investigation into that crime; What must Phelan’s Group provide in response to an Access Request? Phelan’s Group will provide the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients outside the EU or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the following statement “You have the right in some circumstances to request from us rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing”; the following statement “You have the right to lodge a complaint with the Data Protection Commission; where the personal data is not collected from the data subject, any available information as to their source; this if there is any automated decision-making, including profiling, which produces legal effects on or significantly affects the data subject and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. In addition to the above Phelan’s Group and the cover letter set out here, Phelan’s Group will provide the data subject with a copy of all personal data deemed validly requested in the relevant Access Request. An individual who makes an Access Request is only entitled to receive a copy of the personal data processed by Phelan’s Group relating to them. They are not entitled to full copies of the documents containing personal data as these may, for example, contain personal data relating to other individuals. Therefore, when responding to these requests, ensure that the response is limited to only data relating to the data subject, rather than the entire documents containing their personal data. This may involve redactions, particularly of names or other identifiers of other people. Where the data subject makes their request by electronic means, the information should be provided in a commonly used electronic form, except when the data subject asks for it to be provided otherwise. FORM NO. 1a ACCESS REQUEST FORM You have the right to access and receive a copy of the personal information we hold about you. We ask that you complete this form, so we can determine the details of your request, and respond to and implement your request as quickly as possible. This process will provide you with the personal information we hold about you, and information relating to you, in manual or electronic form. Information relating to third parties or other information exempt under applicable law(s) will not be provided. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to: Privacy Co Ordinator at privacy@phelans.ie Agent of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject: (Title) (First) (Surname) Present Address: Street Town County Postcode Other contact details: Telephone No. e-mail Mobile If applicable; Current/last post held in Phelan’s Group Department Office location Your employee no. (if any) Any other relevant Information: Details of the Agent or Requestor (if any) Name: Address: Phone Number: Email address Proof of entitlement to act (enclose authorisation) Details regarding what information you are looking for. The more details you can give to us the better we will be able to respond to you! Hard copy files (please specify department & location, if known) Search criteria (i.e. name, key word, date), Connection to file (i.e. employee/partner/staff/client/supplier) Electronic data (please specify system, if known) Search Criteria (please specify the search criteria, e.g. system name, identifier no., if known) Connection to file (i.e. employee/partner/staff/client/customer/supplier) Any other filing system Search criteria Any other information you feel might assist us in responding to your request: We promise to make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 1b REQUEST FOR FURTHER INFORMATION Date: To: [Data Subject’s address or email] Bcc: [Insert Responder’s Address or email] Subject: Your request to exercise your rights – further information required. Dear [Data Subject’s name] We have received your request to exercise your right to access dated [date] and received by us on [date] However, to determine whether this request is valid, we require further information from you. [If identification is in doubt] Please provide a copy of your passport or driving licence or other form of official identification so that we can confirm your identity. This is a legal requirement to ensure we do not comply with a request about you from somebody posing as you. [Clarification of Request Needed] We require further information about the precise details of your request in order to be able to comply with it appropriately. Please could you provide us: [Here advise the Data Subject as precisely as possible what it is that you need to clarify] Please do not hesitate to contact us if you have any queries about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 1c Acknowledgement of Rights Request Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Acknowledgement of you request to exercise your rights Dear [Data Subject’s name] We have received your request to exercise your right to access dated [insert date]. We aim to respond to this request within 1 calendar month, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 1d REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Your request to exercise your rights. Dear [Data Subject’s name] Dear [Data Subject’s name] We have received your request to exercise your right to access dated [insert date]. Unfortunately, we are not able to comply with such request for the following reasons: [Set out the reason/s for refusal to comply] Please do not hesitate to get in touch with me if you have any further questions about the reasons we were not able to comply with your request. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Yours etc., Signature ____________________ Date _____________________ *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie FORM NO. 1e REQUEST TO THIRD PARTY PROCESSOR ACTING ON PHELAN’S GROUP’S BEHALF Date: To: [Third Party’s address or email address] Bcc: [Responder’s address or email address] Subject: Request to exercise rights for [Data Subject’s name] Dear [Third Party] We received a request from [Data Subject’s name and identifying features] to exercise their right to access. Because of the services you provide to Phelan’s Group, relevant personal information is held in your systems and you carry out relevant processing activities that are subject to this request. Please action this request in accordance with our contract with you and with applicable law within 7 business days. Please complete the information requested below and return a copy to me at this address. If you should have any questions about this request, please contact me at [Responder’s contact information]. We appreciate your prompt response. Signature ____________________ Date _____________________ _____________________________________________________________________________ Third Party Notes: ◻ The request has been implemented as requested. ◻ The request has been complied with, but with the following exceptions:-_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ◻ A full Report has been sent to Phelan’s Group. FORM NO. 1f LETTER ADVISING DELAYED RESPONSE Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Delay in our response to your request to exercise your rights Dear [Data Subject’s Name] We are still processing your request to exercise your right to access dated [insert date] and expect to respond to this request by [insert date]. The reason for this delay is that [insert reason]. We appreciate your understanding as we work to process this request. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 1g COMPLETION OF RIGHTS REQUEST Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Your request to exercise your rights. Dear [Data Subject’s name] We have now implemented your request to exercise your right to access dated [insert date]. We have prepared the attached Report to provide details of how this has been carried out. We trust that this satisfies your request to exercise your rights, but if you have any further questions please contact us at ___________________________. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Signature ____________________ Date _____________________ Attached or Enclosed: Report and any other information required. *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 (761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie THE RIGHT OF RECTIFICATION & CORRECTION Data subjects should be encouraged to use Form 2a below when submitting a request to exercise their right of rectification/correction (a "Rectification Request"). Individuals have the right to require Phelan’s Group to correct their personal data if it is inaccurate. For example, if a data subject’s name is incorrectly recorded, Phelan’s Group must update their records on receipt of a Rectification Request. Individuals also have the right for any other personal data that is incomplete to be updated, taking into account the purposes of the processing. Additional information that may be required before responding to a Rectification Request: Upon receipt of a Rectification Request, Phelan’s Group should verify, in so far as possible, that the personal data provided as a correction to the existing personal data is factually correct. For example, if a data subject who is a staff member is provided additional information about their qualifications, this could be verified by the provision of certifications. If there are doubts about the accuracy of the provided information, further information should be requested from the data subject who made the Rectification Request, and they should be informed what information would be required by Phelan’s Group verify the changes. When is a Rectification Request valid? A Rectification Request is valid if the information that Phelan’s Group has on file is incorrect, and the updated information provided by the data subject is correct as described above. Information relevant to carrying out a Rectification Request Set out the operational steps required for the records to be updated, to reflect changes under a Rectification Request. This process will of necessity vary according to the category of data requiring correction. Phelan’s Group will inform any external entities that have received the personal data that was subject to the Rectification Request of the updated personal data, unless doing so would be impossible or take disproportionate effort. Phelan’s Group should have a list of Phelan’s Group’s principal service providers, for example CRM services, payroll providers, payment processing providers and IT service providers, and a summary of the data held by that processor, and the contact personnel at each one. Please see Data Inventory as supplied. Phelan’s Group should keep a record of all communications to such entities and their response. e.g.: - Name of Processor; service provided/data processed; contact person. What must Phelan’s Group provide in response to a Rectification Request? Let the data subject know what changes have been made. Phelan’s Group must also provide the data subject with information on what providers have been contacted and informed of the changes to the data. FORM NO. 2a DATA CORRECTION/UPDATE REQUEST FORM You have the right to correct and update any personal information about you that is inaccurate. We ask that you complete this form, so we can determine the details of your request and, where applicable, implement your request. If your request is valid, we will correct and update the information requested. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to the Privacy Compliance Co-Ordinator at privacy@phelans.ie Please also provide any documentation you have to prove that the information you wish to update needs to be updated or corrected. Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the requestor’s behalf. Please complete as much of the following information as you can: Full name of data subject: (Title) (First) (Surname) Present Address: Street Town County Postcode Other contact details: Telephone Email Mobile Details of the Agent or Requestor (if any) Name: Address: Phone Number: Email address Proof of entitlement to act (enclose authorisation) Category of personal information Personal Information Currently on File Corrected Personal Information e.g. name, address. We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 2b REQUEST FOR FURTHER INFORMATION Date: To: [Data Subject’s address or email] Bcc: [Insert Responder’s Address or email] Subject: Your request to exercise your rights – further information required. Dear [Data Subject’s name] We have received your request to exercise your right to rectification dated [date] and received by us on [date] However, to determine whether this request is valid, we require further information from you. [If identification is in doubt] Please provide a copy of your passport or driving licence or other form of official identification so that we can confirm your identity. This is a legal requirement to ensure we do not comply with a request about you from somebody posing as you. [Clarification of Request Needed] We require further information about the precise details of your request in order to be able to comply with it appropriately. Please could you provide us: [Here advise the Data Subject as precisely as possible what it is that you need to clarify] Please do not hesitate to contact us if you have any queries about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 2c Acknowledgement of Rights Request Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Acknowledgement of you request to exercise your rights Dear [Data Subject’s name] We have received your request to exercise your right to rectification dated [insert date]. We aim to respond to this request within 1 calendar month, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 2d REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Your request to exercise your rights. Dear [Data Subject’s name] Dear [Data Subject’s name] We have received your request to exercise your right to rectification dated [insert date]. Unfortunately, we are not able to comply with such request for the following reasons: [Set out the reason/s for refusal to comply] Please do not hesitate to get in touch with me if you have any further questions about the reasons we were not able to comply with your request. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Yours etc., Signature ____________________ Date _____________________ *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie FORM NO. 2e REQUEST TO THIRD PARTY PROCESSOR ACTING ON PHELAN’S GROUP’S BEHALF Date: To: [Third Party’s address or email address] Bcc: [Responder’s address or email address] Subject: Request to exercise rights for [Data Subject’s name] Dear [Third Party] We received a request from [Data Subject’s name and identifying features] to exercise their right to rectification. Because of the services you provide to Phelan’s Group, relevant personal information is held in your systems and you carry out relevant processing activities that are subject to this request. Please action this request in accordance with our contract with you and with applicable law within 10 business days. Please complete the information requested below and return a copy to me at this address. If you should have any questions about this request, please contact me at [Responder’s contact information]. We appreciate your prompt response. Signature ____________________ Date _____________________ _____________________________________________________________________________ Third Party Notes: ◻ The request has been implemented as requested. ◻ The request has been complied with, but with the following exceptions:-_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ◻ A full Report has been sent to Phelan’s Group. FORM NO. 2f LETTER ADVISING DELAYED RESPONSE Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Delay in our response to your request to exercise your rights Dear [Data Subject’s Name] We are still processing your request to exercise your right to rectification dated [insert date] and expect to respond to this request by [insert date]. The reason for this delay is that [insert reason]. We appreciate your understanding as we work to process this request. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 2g COMPLETION OF RIGHTS REQUEST Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Your request to exercise your rights. Dear [Data Subject’s name] We have now implemented your request to exercise your right to rectification dated [insert date]. We have prepared the attached Report to provide details of how this has been carried out. We trust that this satisfies your request to exercise your rights, but if you have any further questions please contact us at ___________________________. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Signature ____________________ Date _____________________ Attached or Enclosed: Report and any other information required. *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie RIGHT TO OBJECT TO PROCESSING Data subjects should be encouraged to use Form 3a below when submitting a request to exercise their right to object to processing (an "Objection Form”). Individuals have the right to object to the processing activities that Phelan’s Group carries out with respect to their own personal data, in certain circumstances. Additional information that may be required before responding to an Objection Request. If it is not clear from the Objection Form, Phelan’s Group should confirm which uses or processing of personal data the data subject objects to. When is an Objection Form valid? Individuals have the right to object to the processing activities that Phelan’s Group carry out with respect to their personal data. An objection will be valid where the processing activity in question takes place on the basis of Phelan’s Group's 'legitimate interests' without Phelan’s Group having compelling legitimate grounds which overrides the interests of the data subject. Refer to legal basis for processing to determine if the personal data is processed on the basis of Phelan’s Groups’ legitimate interest grounds or for the establishment exercise or defence of legal claims. To determine whether Phelan’s Group has compelling legitimate grounds which override the interests, freedoms and rights of the data subject in continuing to process the personal data, Phelan’s Group must consider what business reason Phelan’s Group has for using it. This must then be balanced this against the data subject's right to control their personal data. For example, while Phelan’s Group may track its users' behavior on its websites and apps in order to understand how they are used and to improve the functionality and individually customize the appearance on the basis of how they use the websites or apps. Collecting website history is intrusive and if users object, their privacy interests will probably override Phelan’s Group's business interests. With the exception of processing related to direct marketing, where the data subject continues to use Phelan’s Group’s services, Phelan’s Group’s legitimate interests, if such processing is necessary to provide the service, may override the data subject's interests. Alternatively, the processing may be legitimized as being necessary to perform the contract or on consent. You can refer to the records of processing activities that Phelan’s Group keeps determining the basis for processing; the processing takes place for the purposes of carrying out direct marketing activities (such as sending marketing emails, letters, SMS messages, push notifications or serving online behavioral advertising). In this case, Phelan’s Group should immediately cease the processing related to those direct marketing activities. For example, if there is an objection to the creation of a profile about a customer that is used to send targeted direct marketing, Phelan’s Group should immediately cease using that profile to serve advertising to that customer. If, however, Phelan’s Group is required to keep the personal data by virtue of other legislation (e.g. for Revenue reasons, or by virtue of employment law), or in order to make or defend legal claims (for example if a former employee is making a claim against Phelan’s Group, or if the processing was not based on the legitimate interest ground but on some other lawful ground, an objection would not be valid. If Phelan’s Group has questions about whether an Objection is valid, please seek specialist advice from Business Legal. Information relevant to responding to an Objection Form Set out any operational steps required for Phelan’s Group processing activities to be altered, to reflect changes after a valid objection. This process will of necessity vary according to the category of data being processed. Taking into account the costs of implementation, Phelan’s Group should inform any entities that carry out processing activities that were subject to the objection of the request, unless doing so would be impossible or take disproportionate effort. Phelan’s Group should have a list of Phelan’s Group’s principal service providers, for example CRM services, payroll providers, payment processing providers and IT service providers, and a summary of the data being processed by that processor, and the contact personnel at each one. Please see the Data Inventory as provided. Phelan’s Group should keep a record of all communications to such entities and their response. e.g.: - Name of processor; service provided/data processed; contact person What must Phelan’s Group provide in response to an Objection Form? Phelan’s Group must inform the data subject, where such is the case, that the processing of their personal data has ceased in line with their request and provide details of which processing activities have ceased. FORM NO. 3a OBJECTION TO PROCESSING FORM You have the right to object to our processing of your personal information in certain circumstances. We ask that you complete this form, so we can determine the details of your request and, where applicable, implement your request. If your request is valid, we will cease processing your personal information for the purposes to which you object. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to the Privacy Compliance Co-Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject: (title) (First) (Surname) Present Address: Street Town County Postcode Other contact details: Telephone Email Mobile Details of the Agent or Requestor (if any) Name: Address: Phone Number: Email address Proof of entitlement to act (enclose authorisation) Uses of personal information that you object to Reason for objecting to these uses of your personal information Please make reference to the uses of personal information set out in our privacy notice e.g. our uses of the personal information are unlawful, specifying precisely why; you no longer want to receive direct marketing messages from us We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 3b REQUEST FOR FURTHER INFORMATION Date: To: [Data Subject’s address or email] Bcc: [Insert Responder’s Address or email] Subject: Your request to exercise your rights – further information required. Dear [Data Subject’s name] We have received your request to exercise your right to object dated [date] and received by us on [date] However, to determine whether this request is valid, we require further information from you. [If identification is in doubt] Please provide a copy of your passport or driving licence or other form of official identification so that we can confirm your identity. This is a legal requirement to ensure we do not comply with a request about you from somebody posing as you. [Clarification of Request Needed] We require further information about the precise details of your request in order to be able to comply with it appropriately. Please could you provide us: [Here advise the Data Subject as precisely as possible what it is that you need to clarify] Please do not hesitate to contact us if you have any queries about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 3c Acknowledgement of Rights Request Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Acknowledgement of you request to exercise your rights Dear [Data Subject’s name] We have received your request to exercise your right to object dated [insert date]. We aim to respond to this request within 1 calendar month, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 3d REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Your request to exercise your rights. Dear [Data Subject’s name] Dear [Data Subject’s name] We have received your request to exercise your right to object dated [insert date]. Unfortunately, we are not able to comply with such request for the following reasons: [Set out the reason/s for refusal to comply] Please do not hesitate to get in touch with me if you have any further questions about the reasons we were not able to comply with your request. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Yours etc., Signature ____________________ Date _____________________ *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie FORM NO. 3e REQUEST TO THIRD PARTY PROCESSOR ACTING ON PHELAN’S GROUP’S BEHALF Date: To: [Third Party’s address or email address] Bcc: [Responder’s address or email address] Subject: Request to exercise rights for [Data Subject’s name] Dear [Third Party] We received a request from [Data Subject’s name and identifying features] to exercise their right to object. Because of the services you provide to Phelan’s Group, relevant personal information is held in your systems and you carry out relevant processing activities that are subject to this request. Please action this request in accordance with our contract with you and with applicable law within 7 business days. Please complete the information requested below and return a copy to me at this address. If you should have any questions about this request, please contact me at [Responder’s contact information]. We appreciate your prompt response. Signature ____________________ Date _____________________ _____________________________________________________________________________ Third Party Notes: ◻ The request has been implemented as requested. ◻ The request has been complied with, but with the following exceptions:-_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ◻ A full Report has been sent to Phelan’s Group. FORM NO. 3f LETTER ADVISING DELAYED RESPONSE Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Delay in our response to your request to exercise your rights Dear [Data Subject’s Name] We are still processing your request to exercise your right to object dated [insert date] and expect to respond to this request by [insert date]. The reason for this delay is that [insert reason]. We appreciate your understanding as we work to process this request. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 3g COMPLETION OF RIGHTS REQUEST Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Your request to exercise your rights. Dear [Data Subject’s name] We have now implemented your request to exercise your right to object dated [insert date]. We have prepared the attached Report to provide details of how this has been carried out. We trust that this satisfies your request to exercise your rights, but if you have any further questions please contact us at ___________________________. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Signature ____________________ Date _____________________ Attached or Enclosed: Report and any other information required. *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie THE RIGHT TO RESTRICTION OF PROCESSING Individuals should be encouraged to use FORM No 4a below when submitting a request to exercise their right of restriction of Phelan’s Group’s processing of their personal data (a "Restriction Request”). Individuals have the right to restrict the processing activities that Phelan’s Group can carry out with respect to their personal data. Additional information that may be required before responding to a Restriction Request If it is not clear from the Restriction Request, Phelan’s Group should confirm which uses of personal data the data subject wishes to restrict. When is a Restriction Request valid? A Restriction Request is valid only where: the accuracy of the personal data is contested by the data subject for a period to enable Phelan’s Group to check the accuracy of the data; the processing is unlawful but, the individual does not wish to have the personal data erased and wishes to restrict its use instead; Phelan’s Group no longer requires the personal data for a lawful purpose, but the individual requires the personal data for the establishment, exercise or defence of legal claims; or the individual has objected to the processing (see section 3 above) and pending verification of whether the legitimate interests of Phelan’s Group override those of the individual. If a Restriction Request is found to be valid, Phelan’s Group cannot process the individual's personal data other than where the individual has consented to the processing; for the establishment, exercise or defence of legal claims; to protect the rights of another person; or for reasons of important public interest to the EU or a Member State. If you have any questions about whether a restriction request is valid, please seek specialist expertise. Information relevant to implementing a Restriction Request. Phelan’s Group should set out the operational steps required for Phelan’s Group’s processing activities to be altered, to reflect restrictions in operation after implementing a valid request. This process will of necessity vary according to the nature of processing being undertaken. Phelan’s Group should have a list of Phelan’s Group's principal service providers, for example CRM services, payroll providers, payment processing providers and IT service providers, and a summary of the data being processed by that processor, and the contact personnel at each one. Phelan’s Group should keep a record of all communications to such entities and their response. e.g.: - Name of Processor; service provided/data processed; contact person What must Phelan’s Group provide in response to a Restriction Request? Phelan’s Group must inform the data subject that the processing of their personal data has been restricted in line with their request and provide details of which processing activities have ceased or being amended. Phelan’s Group must also provide a list of all the entities that process the relevant personal data, and that have been contacted by Phelan’s Group in accordance with Section 4.5 above and should provide a copy of their response. FORM NO. 4a RESTRICTION REQUEST FORM You have the right to restrict our processing of your personal information in certain circumstances. We ask that you complete this form, so we can establish the details of your request and, where possible, implement your request. If your request is valid, we will restrict our processing of your personal information unless you give your consent to us using it in the future, or we need to use it for other legal reasons. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Privacy Compliance Co-Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject: (title) (First) (Surname) Present Address: Street Town County Postcode Other contact details: Telephone Email Mobile Details of the Agent or Requestor (if any) Name: Address: Phone Number: Email address Proof of entitlement to act (enclose authorisation) Uses of personal information to be restricted Reason for restricting these uses of your personal information Please refer to the uses of personal information set out in our privacy notice e.g. the personal information is inaccurate, our uses of it are unlawful, etc. Uses of personal information to be restricted Reason for restricting these uses of your personal information We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, considering the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 4b REQUEST FOR FURTHER INFORMATION Date: To: [Data Subject’s address or email] Bcc: [Insert Responder’s Address or email] Subject: Your request to exercise your rights – further information required. Dear [Data Subject’s name] We have received your request to exercise your right to restriction dated [date] and received by us on [date] However, to determine whether this request is valid, we require further information from you. [If identification is in doubt] Please provide a copy of your passport or driving licence or other form of official identification so that we can confirm your identity. This is a legal requirement to ensure we do not comply with a request about you from somebody posing as you. [Clarification of Request Needed] We require further information about the precise details of your request to be able to comply with it appropriately. Please could you provide us: [Here advise the Data Subject as precisely as possible what it is that you need to clarify] Please do not hesitate to contact us if you have any queries about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 4c Acknowledgement of Rights Request Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Acknowledgement of you request to exercise your rights Dear [Data Subject’s name] We have received your request to exercise your right to restriction dated [insert date]. We aim to respond to this request within 1 calendar month, but please note that this time may be extended to 3 months, when necessary, considering the complexity and number of requests. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 4d REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Your request to exercise your rights. Dear [Data Subject’s name] Dear [Data Subject’s name] We have received your request to exercise your right to restriction dated [insert date]. Unfortunately, we are not able to comply with such request for the following reasons: [Set out the reason/s for refusal to comply] Please do not hesitate to get in touch with me if you have any further questions about the reasons we were not able to comply with your request. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Yours etc., Signature ____________________ Date _____________________ *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie FORM NO. 4e REQUEST TO THIRD PARTY PROCESSOR ACTING ON Phelan’s Group's BEHALF Date: To: [Third Party’s address or email address] Bcc: [Responder’s address or email address] Subject: Request to exercise rights for [Data Subject’s name] Dear [Third Party] We received a request from [Data Subject’s name and identifying features] to exercise their right to restriction. Because of the services you provide to Phelan’s Group, relevant personal information is held in your systems and you carry out relevant processing activities that are subject to this request. Please action this request in accordance with our contract with you and with applicable law within 10 business days. Please complete the information requested below and return a copy to me at this address. If you should have any questions about this request, please contact me at [Responder’s contact information]. We appreciate your prompt response. Signature ____________________ Date _____________________ Third Party Notes: ◻ The request has been implemented as requested. ◻ The request has been complied with, but with the following exceptions:-_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ◻ A full Report has been sent to Phelan’s Group. FORM NO. 4f LETTER ADVISING DELAYED RESPONSE Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Delay in our response to your request to exercise your rights Dear [Data Subject’s Name] We are still processing your request to exercise your right to restriction dated [insert date] and expect to respond to this request by [insert date]. The reason for this delay is that [insert reason]. We appreciate your understanding as we work to process this request. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 4g COMPLETION OF RIGHTS REQUEST Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Your request to exercise your rights. Dear [Data Subject’s name] We have now implemented your request to exercise your right to restriction dated [insert date]. We have prepared the attached Report to provide details of how this has been carried out. We trust that this satisfies your request to exercise your rights, but if you have any further questions please contact us at ___________________________. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Signature ____________________ Date _____________________ Attached or Enclosed: Report and any other information required. *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 (761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie THE RIGHT OF ERASURE/DELETION Individuals (‘data subjects’) should be encouraged to use Form 5a below when submitting a request to exercise their right of erasure/deletion (an "Erasure Request”) to require Phelan’s Group to delete their personal data in certain circumstances. Additional information, which may be required before responding to an Erasure Request. If it is not clear from the Erasure Request, Phelan’s Group may need to verify precisely which personal data the requestor wishes to be deleted, and it may also be helpful to understand why the requestor wishes to have that information deleted. When is an Erasure Request valid? Phelan’s Group must delete personal data on receipt of an Erasure Request where the Phelan’s Group no longer has a valid reason to continue that processing. Examples are set out below: the personal data is no longer necessary for the purpose for which it was collected or otherwise lawfully processed. For example, if a contact at a client no longer works for that client and makes an Erasure Request, there would be no need to retain that information as the information was originally collected for processing in the context of that client relationship; the personal data is processed only on the basis of the consent of the requestor, and the requestor withdraws that consent. In general, making an Erasure Request would be considered a withdrawal of consent; the requestor objects to processing being carried out in the legitimate interests of Phelan’s Group and there are no overriding legitimate grounds for Phelan’s Group to continue processing the personal data: - To determine whether Phelan’s Group has an overriding interest in retaining the personal data, you should consider what business reason(s)Phelan’s Group has for retaining it. You should then balance these against the requestor's right to control their personal data. For example, while Phelan’s Group may retain customer information to conduct analytics and create appropriate marketing segments on the basis that this allows it to manage its business most effectively, using a customer's personal data after that customer has not used their account for a significant period is not a particularly compelling business interest. As a rule of thumb, an individual with whom Phelan’s Group has had no contact for a year or more is no longer considered a customer. If that customer actively objects to the retention of their personal data, their privacy interests would likely outweigh Phelan’s Group's business interests. In general, if the requestor continues using Phelan’s Group's services for which their personal data is processed on the basis of Phelan’s Group's legitimate interests, these legitimate interests may outweigh the requestor's interest in having their personal data deleted, and therefore the personal data need not be deleted. You can refer to the records of processing activities that Phelan’s Group keeps in determining the basis for processing; the personal data is being processed without a valid basis, for example if Phelan’s Group was processing on the basis that the processing was necessary for the performance of a contract with the requestor, but that contract has now been terminated; the personal data must be deleted to comply with a legal obligation under EU law or the law of an EU Member State to which Phelan’s Group is subject; or the personal data relates to a child under the age of 13 that was processed on the basis of parental consent in the context of providing an 'information society service', including any service provided over the internet. Phelan’s Group is not required to delete personal data which is subject to an Erasure Request where Phelan’s Group's processing of the personal data is necessary: For exercising Phelan’s Group's right of freedom of expression and information. This is unlikely to apply to Phelan’s Group, but if you consider it might, seek specialist expertise; For compliance with a legal obligation under EU law or the law of an EU Member State to which Phelan’s Group is subject, or for the performance of a task carried out in the public interest. This is unlikely to apply to Phelan’s Group; For reasons of public interest in the area of public health. This is unlikely to apply to Phelan’s Group; For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and only if erasing the personal data would be likely to render impossible or seriously impair the achievement of these objectives. This is unlikely to arise for Phelan’s Group; or For the establishment, exercise or defence of legal claims. For example, Phelan’s Group would not be required to delete personal data about a former employee with whom there is an existing or potential employment dispute. If you have any questions about whether these factors apply, you should seek specialist expertise. Information relevant to complying with an Erasure Request Phelan’s Group should set out the operational steps required for Phelan’s Group’s records to be updated, to reflect changes under an Erasure Request. This process will of necessity vary according to the category of data requiring correction. Phelan’s Group should inform any external entities that have received the personal data that was subject to the Erasure Request of the updated personal data, unless doing so would be impossible or take disproportionate effort. Phelan’s Group should have a list of Phelan’s Group’s principal service providers, for example CRM services, payroll providers, payment processing providers and IT service providers, and a summary of the data held by that processor, and the contact personnel at each one. Please see Data Inventory as provided. Phelan’s Group should keep a record of all communications to such entities and their response. e.g.: - Name of Processor; service provided/data processed; contact] Implementing the Erasure Request Phelan’s Group should list out the specific steps, it might have to take to implement a specific Erasure Request. These might include, for example, a system identifying where particular types of data are stored within Phelan’s Groups' systems. What must Phelan’s Group provide in response to an Erasure Request? Once an Erasure Request has been implemented, Phelan’s Group should contact the requestor to inform them that their personal data has been deleted, as requested. If requested, Phelan’s Group must also provide a list of all the entities that have received the personal data and that have been contacted by Phelan’s Group in accordance with section 5.6 above. FORM NO. 5a ERASURE REQUEST FORM You have the right to have your personal information deleted in certain circumstances. We ask that you complete this form, so we can determine the details of your request and, where applicable, implement your request. If your request is valid, we will delete the information requested, unless we are required by law to keep it - in this case we will advise you of what we are keeping, and the reasons why. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and address) to the Privacy Compliance Co Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject: (Title) (First) (Surname) Present Address: Street Town County Postcode Other contact details: Telephone Email Mobile Details of the Agent or Requestor (if any) Name: Address: Phone Number: Email address Proof of entitlement to act (enclose authorisation) Personal Information Currently on File to be deleted Reason why that personal information should be deleted e.g. name, mobile number, email address e.g. is the information inaccurate or out of date? We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 5b REQUEST FOR FURTHER INFORMATION Date: To: [Data Subject’s address or email] Bcc: [Insert Responder’s Address or email] Subject: Your request to exercise your rights – further information required. Dear [Data Subject’s name] We have received your request to exercise your right to erasure dated [date] and received by us on [date] However, to determine whether this request is valid, we require further information from you. [If identification is in doubt] Please provide a copy of your passport or driving licence or other form of official identification so that we can confirm your identity. This is a legal requirement to ensure we do not comply with a request about you from somebody posing as you. [Clarification of Request Needed] We require further information about the precise details of your request in order to be able to comply with it appropriately. Please could you provide us: [Here advise the Data Subject as precisely as possible what it is that you need to clarify] Please do not hesitate to contact us if you have any queries about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 5c Acknowledgement of Rights Request Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Acknowledgement of you request to exercise your rights Dear [Data Subject’s name] We have received your request to exercise your right to erasure dated [insert date]. We aim to respond to this request within 1 calendar month, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 5d REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Your request to exercise your rights. Dear [Data Subject’s name] Dear [Data Subject’s name] We have received your request to exercise your right to erasure dated [insert date]. Unfortunately, we are not able to comply with such request for the following reasons: [Set out the reason/s for refusal to comply] Please do not hesitate to get in touch with me if you have any further questions about the reasons we were not able to comply with your request. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Yours etc., Signature ____________________ Date _____________________ *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie FORM NO. 5e REQUEST TO THIRD PARTY PROCESSOR ACTING ON PHELAN’S GROUP’S BEHALF Date: To: [Third Party’s address or email address] Bcc: [Responder’s address or email address] Subject: Request to exercise rights for [Data Subject’s name] Dear [Third Party] We received a request from [Data Subject’s name and identifying features] to exercise their right to erasure. Because of the services you provide to Phelan’s Group, relevant personal information is held in your systems and you carry out relevant processing activities that are subject to this request. Please action this request in accordance with our contract with you and with applicable law within 10 business days. Please complete the information requested below and return a copy to me at this address. If you should have any questions about this request, please contact me at [Responder’s contact information]. We appreciate your prompt response. Signature ____________________ Date _____________________ Third Party Notes: ◻ The request has been implemented as requested. ◻ The request has been complied with, but with the following exceptions:-_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ◻ A full Report has been sent to Phelan’s Group. FORM NO. 5f LETTER ADVISING DELAYED RESPONSE Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Delay in our response to your request to exercise your rights Dear [Data Subject’s Name] We are still processing your request to exercise your right to erasure dated [insert date] and expect to respond to this request by [insert date]. The reason for this delay is that [insert reason]. We appreciate your understanding as we work to process this request. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 5g COMPLETION OF RIGHTS REQUEST Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Your request to exercise your rights. Dear [Data Subject’s name] We have now implemented your request to exercise your right to erasure dated [insert date]. We have prepared the attached Report to provide details of how this has been carried out. We trust that this satisfies your request to exercise your rights, but if you have any further questions please contact us at ___________________________. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Signature ____________________ Date _____________________ Attached or Enclosed: Report and any other information required. *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie THE RIGHT TO DATA PORTABILITY Individuals should be encouraged to use Form No. 6a below when submitting a request to exercise their right of data portability (a "Portability Request"). Data Subjects have the right: To retrieve data relating to them processed by an organization, for personal use, and to store the data on a device or a private cloud, for example. This right allows them to manage their personal data more easily and by themselves. To transfer their personal data from one controller to another. The personal data can thus be transmitted to a new controller, for example, to a competitor by the person themselves directly by Phelan’s Group, if the direct transfer is "technically possible”. Additional information that may be required before responding to a Portability Request Phelan’s Group should have in place appropriate procedures for the data subject to make a request for portability and to receive data about him (such as Form No. 4). In particular, data controllers must propose an authentication procedure that verifies the identity of the data subject exercising the right to portability. Phelan’s Group may also wish to contact the data subject to confirm the data controller or data controllers to which their personal data should be transmitted, including a means by which this personal data should be transmitted. When is a Portability Request valid? This right applies if ALL these three conditions are met The right to portability is limited to the personal data provided by the data subject, AND The data is processed automatically (paper files are not included) and on the basis of: the prior consent of the data subject or the execution of a contract concluded with the data subject, AND The exercise of the right to portability must not affect the rights and freedoms of third parties. (See para 6.7 below). Information relevant to carrying out a Portability Request The phrase “provided by the data subject” means data actively and consciously given by the data subject, such as data provided to create an online account (e.g. email address, username, age), and data generated by the data subject's activity when using a service or device (e.g. purchases recorded on a loyalty card, history of searches made on the internet, invoices, e-mails sent or received, records of Phelan’s Group stays, etc.) It does not include personal data that is derived, calculated or inferred from data provided by the data subject. This data is excluded from the right to portability, to the extent that the data is not provided by the data subject but created by Phelan’s Group. If the portability right applies, Phelan’s Group should compile the personal data about the data subject that meets the requirements set out above. To do this Phelan’s Group should set out the operational steps Phelan’s Group has in place to extract data that is subject to the right to data portability. This might include running a script to extract particular categories of personal data from databases. Phelan’s Group should also consider the format into which the data should be extracted. This should retain as much metadata as is practicable, while also being sufficiently abstract from any proprietary data formats that might reveal information about the ways that Phelan’s Group operates its systems (for example XML, JSON or CSV). The format can be made sufficiently abstract, so it does not reveal any of Phelan’s Group’s intellectual property rights or trade secrets. In practice, this may need to be outsourced. Can all the data provided by the person concerned be subject to the right to portability? The right to portability does not apply to personal data processed on any legal basis other than the consent of the data subject or the performance of a contract. For example, personal data processed by Phelan’s Group only on the basis of legitimate interest of legal obligations are not affected by the right to portability. It is recommended that Portability Requests be analysed on a case-by-case basis, whether for data processing in human resources management or in other areas. Phelan’s Group’s response to and implementation of a Portability Request should not adversely affect the rights of others (e.g. individuals whose contact details appear in an online address book that is subject to a Portability Request). When Phelan’s Group wishes to transmit such data to a third party, it can in no way transmit the data without a legal basis to do so. Phelan’s Group should not provide personal data of other individuals included in the data subject’s files. An organization can respond to a request for portability through the provision of a file containing all portable data, or by providing automated tools and APIs that allow the extraction of relevant data. Whatever the means of provision proposed, it must be easy to use, accessible, allow the reception of data in a secure manner and minimize the risk of violation of the data processed by the organisation. The organisation must therefore research and analyse each of the methods intended to be used to remove any obstacle and facilitate the access of the right to portability to the data subject concerned. Outsourcing of this is recommended. What are the controller’s responsibilities after transmitting the Data? Phelan’s Group responding to a person exercising the portability right is not responsible for the data subject's processing of their own data once it has been received by the data subject. It is also not responsible for the processing carried out by the recipient controller receiving said data at the request of the person exercising his right to portability. What if Phelan’s Group is receiving data from a Portability Request If Phelan’s Group is receiving data at the request of a data subject as part of their right to portability, Phelan’s Group is required to ensure that such data is relevant and not excessive in view of the purpose of the new processing of the data that the data subject wishes to be transferred to Phelan’s Group. Phelan’s Group must also clearly inform the data subject concerned of the purpose of the new processing and, more generally, the principles of data protection of the personal data applicable to this new processing. FORM NO. 6a PORTABILITY REQUEST FORM Where we use your personal information to fulfill our contractual obligations to you, or where you have consented to our use of your personal information, you have the right to 'port' any such personal information you provide to us. This means you have the right to receive a copy of it in a machine-readable format and to have it transmitted to another company. We ask that you complete this form, so we can determine the details of your request and implement your request. This process will provide you with certain personal information that you have provided to us in a format that can be read electronically, and, if you wish this, can be sent to another data controller. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Privacy Compliance Co-Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject: (title) (first) (surname) Present Address: Street Town County Postcode Other contact details: Telephone Email Mobile Details of the Agent or Requestor (if any) Name: Address: Phone Number: Email address Proof of entitlement to act (enclose authorisation) To help us to respond to your request as quickly as possible, please provide as much detail as possible regarding the personal information you seek. If you wish to 'port' all applicable personal information, please write 'all' below Names and contact details of companies to which that data should be transmitted e.g. all information I have uploaded to the website; payment details; or billing and delivery addresses. We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 6b REQUEST FOR FURTHER INFORMATION Date: To: [Data Subject’s address or email] Bcc: [Insert Responder’s Address or email] Subject: Your request to exercise your rights – further information required. Dear [Data Subject’s name] We have received your request to exercise your right to data portability dated [date] and received by us on [date] However, to determine whether this request is valid, we require further information from you. [If identification is in doubt] Please provide a copy of your passport or driving licence or other form of official identification so that we can confirm your identity. This is a legal requirement to ensure we do not comply with a request about you from somebody posing as you. [Clarification of Request Needed] We require further information about the precise details of your request in order to be able to comply with it appropriately. Please could you provide us: [Here advise the Data Subject as precisely as possible what it is that you need to clarify] Please do not hesitate to contact us if you have any queries about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 6c Acknowledgement of Rights Request Date: To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Acknowledgement of you request to exercise your rights Dear [Data Subject’s name] We have received your request to exercise your right to data portability dated [insert date]. We aim to respond to this request within 1 calendar month, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 6d REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY Date: 6 To: [Data Subject’s Address/email address] Bcc: [Responder’s address/email address] Subject: Your request to exercise your rights. Dear [Data Subject’s name] Dear [Data Subject’s name] We have received your request to exercise your right to data portability dated [insert date]. Unfortunately, we are not able to comply with such request for the following reasons: [Set out the reason/s for refusal to comply] Please do not hesitate to get in touch with me if you have any further questions about the reasons we were not able to comply with your request. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Yours etc., Signature ____________________ Date _____________________ *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie FORM NO. 6e REQUEST TO THIRD PARTY PROCESSOR ACTING ON PHELAN’S GROUP’S BEHALF Date: To: [Third Party’s address or email address] Bcc: [Responder’s address or email address] Subject: Request to exercise rights for [Data Subject’s name] Dear [Third Party] We received a request from [Data Subject’s name and identifying features] to exercise their right to data portability. Because of the services you provide to Phelan’s Group, relevant personal information is held in your systems and you carry out relevant processing activities that are subject to this request. Please action this request in accordance with our contract with you and with applicable law within 7 business days. Please complete the information requested below and return a copy to me at this address. If you should have any questions about this request, please contact me at [Responder’s contact information]. We appreciate your prompt response. Signature ____________________ Date _____________________ Third Party Notes: ◻ The request has been implemented as requested. ◻ The request has been complied with, but with the following exceptions:-_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ◻ A full Report has been sent to Phelan’s Group. FORM NO. 6f LETTER ADVISING DELAYED RESPONSE Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Delay in our response to your request to exercise your rights Dear [Data Subject’s Name] We are still processing your request to exercise your right to data portability dated [insert date] and expect to respond to this request by [insert date]. The reason for this delay is that [insert reason]. We appreciate your understanding as we work to process this request. Please do not hesitate to get in touch if you have any questions about the progress of your request. Signature ____________________ Date _____________________ FORM NO. 6g COMPLETION OF RIGHTS REQUEST Date: To: [Data Subject’s address or email] Bcc: [Responder’s address or email] Subject: Your request to exercise your rights. Dear [Data Subject’s name] We have now implemented your request to exercise your right to data portability dated [insert date]. We have prepared the attached Report to provide details of how this has been carried out. We trust that this satisfies your request to exercise your rights, but if you have any further questions please contact us at ___________________________. Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie Signature ____________________ Date _____________________ Attached or Enclosed: Report and any other information required. *Contact Details: Data Protection Commission. Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. Phone +353 761 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 email: info@dataprotection.ie Privacy Policy This Policy applies to Phelan’s Pharmacy Ltd and all associated companies defacto within the Phelan Group structure and /or as defined in section 2 subsection 6 of the Companies Act 2013 (“Phelan’s Group”). Phelan’s Group is committed to protecting and respecting your privacy. We adhere to this Privacy Policy (the “Policy”) which together with any disclaimers sets out the basis on which any personal data relating to you (“Data”) that we collect from you (or that you provide to us, or that is provided to us relating to you by any means) will be processed. Please read the following carefully to understand our use of Data. Please note that the Policy relates only to living individuals in relation to Data relating directly to themselves, and not to persons in any other capacity. Information we may collect from you We collect Data from you which you volunteer when you provide such Data to us, or via our services with which you interact. We may also be given other Data relating to you by other persons, or we may obtain such other Data about you as may be provided to us in the course of our legitimate business activities. We may collect and process Data; including the following in the course of providing services to you, which could contain your Data: Your full name; your address; your various email addresses; your various phone numbers including mobile phone numbers; your nationality; your address; financial information about you, including your bank account details, credit card details, or other payment details; details of contracts you have entered with third parties for us to provide services to you; details of your relationship to other parties; your date of birth and age; details of your children and other relations including their age; medical details, genetic details including details of allergies and other health information to include sensitive health data, details of your driving licence; and details of your passport and pps numbers. We may also process other data, which is not personal data. When you use our services, some of the information we collect may be about your health and include data from healthcare providers such as your GP or hospital. We understand the sensitivity of this information and will only use it to provide you with these services and fulfil our legal, ethical and contractual obligations. A copy of your data may be shared with the PCRS (HSE) who in many cases pay us for the service/prescription provided. We may send you offers on healthcare or other products or services that we offer. We will never use information about your prescriptions for postal or email or social media marketing, although we may use it to let you know about services or products we provide that might be useful and relevant to you. For example, when you collect a prescription a Pharmacist might ask if you would like to take advantage of our Flu Vaccination Service or other similar services that may be relevant and useful to you. We may use your information to contact you about orders you have placed, appointments you have booked or to send you reminders (e.g. about repeat prescriptions or when your next flu vaccination is due). We may also contact you in emergency situations such as an urgent product recall or where we have a duty of care to notify you of information that relates to your health. These services are voluntary but if you choose to use them we will need to ask you some health-related questions. The information you give us in response will only be shared with the relevant health bodies or your medical practitioner where applicable. We do not use it for any other purpose. Research As a Pharmacy-based retailer, research is vital to our business. Occasionally, we contact customers and we may invite you to take part in market research activities such as customer surveys, questionnaires or focus groups. Again, we will never pass your personal Data to external companies for this purpose without your consent. Online Shopping We may collect Data from users of our online shopping applications in a variety of ways, including, but not limited to, when users visit our site or our App, register on our site or our App, place an order, subscribe to a newsletter, respond to a survey, fill out a form, and in connection with other activities, services, features or resources we make available on our site. Security and where we store your Data We are committed to protecting the security of your Data. We use a variety of security technologies and procedures to help protect your Data from unauthorised access and use. As effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our databases, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. We will continue to revise policies and implement additional security features as new technologies become available. The transmission of information via the internet is not completely secure and may involve the transfer of data to countries outside of the European Economic Area (EEA). This occurs typically through use of cloud solutions for web hosting, email hosting or proprietary software solutions delivered to us through the Cloud. We do not however authorise any third party to use your Data for their own purposes. Non-EEA countries may not provide an adequate level of protection in relation to processing your Data. By submitting your data, you agree to this transfer, storing and processing. Although we will do our best to protect your Data, we cannot guarantee the security of your Data transmitted to us. Any transmission of data is at your own risk. Once we receive your Data, we use appropriate security measures to seek to prevent unauthorised access. Uses made of your Data We use your Data that we hold to: in our legitimate interest of advertising our services, provide you with information, products or services that you request from us, or deal with us on, or which we feel may interest you, or where you have consented to be contacted for such purposes; carry out our obligations arising from any contracts entered into between you and us; in our legitimate interest of advertising our services, provide details of any loyalty scheme or promotion; comply with legislation; and/or notify you about changes to our services. List of services Retail and online shopping Pharmaceutical services Drug dispensing services Health care services including flu vaccines, contraceptive pill and bool pressure monitoring Photography development services HSE needle exchange scheme We may use your data to send you information relating to our services, events and products which may be of interest to you. If you do not want us to use your data in this way, please notify us to that effect, at privacy@phelans.ie. We keep your Data for as long as is necessary for the performance of the contract between you and us and to comply with our legal obligations. If you no longer want us to use your Data to provide this service to you, you can request that we erase your Data and close your account with us. Please note that if you request the erasure of your Data: We may retain some of your Data as necessary for our legitimate business interests, such as fraud detection and prevention and enhancing safety We may retain and use your Data to the extent necessary to comply with our legal obligations. For example, we may keep some of your information for tax, legal reporting and auditing obligations. Because we maintain our records to protect from accidental or malicious loss and destruction, residual copies of your Data may not be removed from our backup systems for a limited period of time. Disclosure of your information We may disclose your Data to third parties who provide a service to us or in the event that we sell or buy any business or assets, in which case we may disclose your Data to the prospective seller or buyer of such business or assets or if we are under a duty to disclose or share your Data in order to comply with any legal obligation, or to protect our rights, property, or safety of staff or customers. Currently we disclose your Data to the following providers. Provider/Recipient State “EU” or “Non-EU” or alternatively state jurisdiction to which the Data is transferred Third parties with whom: (i) we need to share your information to facilitate transactions you have requested, and (ii) you ask us to share your information EU and Non-EU Service providers who provide us with support services Your authorised representatives including family members EU and Non-EU EU and Non-EU Statutory and regulatory bodies (including central and local government) and law enforcement authorities in order to any applicable laws, grant applications and /or court orders; EU Third parties in connection with a sale or purchase of assets by us: EU and Non-EU Service providers who provide us with marketing including online marketing services, wifi services, website and social media services including Phelan app and facebook page. The HSE, hospitals, your GP and other health professionals EU and Non-EU EU and Non-EU Trade associations and professional bodies, non-statutory bodies and members of trade associations; EU and Non-EU Business or joint venture partners EU and Non-EU Some jurisdictions may not have adequate safeguards for the protection of personal data, and where this is the case we comply with Chapter 5 of the General Data Protection Regulation (“GDPR”) to provide an alternative method of safeguarding your personal data. Miscellaneous We do not conduct profiling. Where we process your Data based only on your consent, you may withdraw your consent. You have the right to bring a complaint to a supervisory authority if you have any complaints about the processing of your Data. In Ireland the Data Protection Commission is the supervisory authority. In circumstances where the provision of your Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, we will advise you at the point of collecting your Data whether the Data is a required field, and the consequences of not providing the Data. Where the Data is not provided by you we will set out what the categories of Data are, and where we obtained the Data here. Payments We may need to collect the following information, as it is necessary for the adequate performance of the contract with you and to comply with applicable law (such as anti-money laundering regulations). Payment Information. When you make payments, we require certain financial information (like your bank account or credit card information) in order to process payments and comply with applicable law. Identity Verification and Other Information. We may require identity verification information, in order to verify your identity and comply with applicable law. How we use the payment data collected Enable you to pay for our products and services. Detect and prevent fraud, abuse, security incidents, and other harmful activity. Conduct security investigations and risk assessments. Conduct checks against databases and other information sources. Comply with legal obligations (such as anti-money laundering regulations). Enforce our payment terms. We process this information in our legitimate interest in providing goods and services and where it is necessary for the adequate performance of the contract with you and to comply with applicable laws. Digital Marketing If you are not a customer, you may still opt to receive electronic or telephonic marketing communications from us which we consider may be of interest to you. You will be asked to opt-in if you wish to receive these. If you wish to be removed from our list (opt-out), at any time, you can do so by clicking on the unsubscribe link at the bottom of each communication you receive from us. You can also opt out by contacting our Privacy Co-Ordinator at privacy@phelans.ie Business Transfers If Phelan’s Group undertakes or is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your Data in connection with such transaction or in contemplation of such transaction (e.g., due diligence). Acquiring or disposing of pharmacy businesses If you are a customer of a pharmacy business that has been taken over by us or from us, we will receive your Data from them or give your Data to them as part of the handover process. Your rights As an individual, under EU law you have certain rights to apply to us to provide information or make amendments to how we process data relating to you. These rights apply in certain circumstances and are set out below: - The right to access data relating to you (‘access right’). Please see Form 1a here; The right to rectify/correct data relating to you (‘right to rectification’). Please see Form 2a here; The right to object to processing of data relating to you (‘right to object’). Please see Form 3a here. The right to restrict the processing of data relating to you (‘right to restriction’). Please see Form 4a here; The right to erase/delete data relating to you (i.e. the “right to erasure”). Please see Form 5a here; and The right to ‘port’ certain data relating to you from one organisation to another (‘right to data portability’). Please see Form 6a here; Cookies Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result. Other websites Our website contains links to other websites. This privacy policy only applies to Phelan’s Group websites so when you link to other websites you should read their own privacy policies The controller of your Data for the purposes of GDPR is Phelan’s Pharmacy Ltd. Changes to this policy We reserve the right to change this Policy from time to time in our sole discretion. If we make any changes, we will post those changes here so that you can see what information we gather, how we might use that Data and in what circumstances we may disclose it. By continuing to use our site or our services or otherwise provide Data after we post any such changes, you accept and agree to this Policy as modified. Contact Us Questions, comments, requests and complaints regarding this Policy and the information we hold are welcome and should be addressed to us at Privacy Co-Ordinator at privacy@phelans.ie All requests will be dealt with promptly and efficiently. This Privacy Policy will take effect from 25 May 2018 FORM NO. 1a ACCESS REQUEST FORM You have the right to access and receive a copy of personal data relating to you (“Data”). We ask that you complete this form, so we can determine the details of your request, and respond to and implement your request as quickly as possible. This process will provide you with Data in manual or electronic form. Information relating to third parties or other information exempt under applicable law(s) will not be provided. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to: Privacy Co Ordinator at privacy@phelans.ie Agent of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject (Title) (First name) (Surname) Present Address Street Town County Postcode Other contact details Telephone No e-mail Mobile If applicable; Current/last post held in Group Department Office location Your employee no. (if any) Any other relevant Information: Details of the Agent or Requestor (if any) Name Address Phone Number Email address Proof of entitlement to act (enclose authorisation) Details regarding what information you are looking for. The more details you can give to us the better we will be able to respond to you! Hard copy files (please specify department & location, if known) Search criteria (i.e. name, key word, date), Connection to file (i.e. employee/partner/staff/client/supplier) Electronic data (please specify system, if known) Search Criteria (please specify the search criteria, e.g. system name, identifier no., if known) Connection to file (i.e. employee/partner/staff/client/customer/supplier) Any other filing system Search criteria Any other information you feel might assist us in responding to your request We promise to make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 2a DATA CORRECTION/UPDATE REQUEST FORM You have the right to correct and update personal data relating to you (“Data”) that is inaccurate. We ask that you complete this form, so we can determine the details of your request and, where applicable, implement your request. If your request is valid, we will correct and update the information requested. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Privacy Co Ordinator at privacy@phelans.ie Please also provide any documentation you have to prove that the information you wish to update needs to be updated or corrected. Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the requestor’s behalf. Please complete as much of the following information as you can: Full name of data subject (Title) (First name) (Surname) Present Address Street Town County Postcode Other contact details Telephone Email Mobile Details of the Agent or Requestor (if any) Name Address Phone Number Email address Proof of entitlement to act (enclose authorisation) Category of personal information Personal Information Currently on File Corrected Personal Information e.g. name, address. We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 3a OBJECTION TO PROCESSING FORM You have the right to object to our processing of personal data relating to you (“Data”) in certain circumstances. We ask that you complete this form, so we can determine the details of your request and, where applicable, implement your request. If your request is valid, we will cease processing this Data for the purposes to which you object. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to the Privacy Co Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject (Title) (First name) (Surname) Present Address Street Town County Postcode Other contact details Telephone Email Mobile Details of the Agent or Requestor (if any) Name Address Phone Number Email address Proof of entitlement to act (enclose authorisation) Uses of personal information that you object to Reason for objecting to these uses of your personal information Please make reference to the uses of personal information set out in our privacy notice e.g. our uses of the personal information are unlawful, specifying precisely why; you no longer want to receive direct marketing messages from us We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 4a RESTRICTION REQUEST FORM You have the right to restrict our processing of personal data relating to you (“Data”) in certain circumstances. We ask that you complete this form, so we can establish the details of your request and, where possible, implement your request. If your request is valid, we will restrict our processing of this Data unless you give your consent to us using it in the future, or we need to use it for other legal reasons. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Privacy Co Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject (Title) (First name) (Surname) Present Address Street Town County Postcode Other contact details Telephone Email Mobile Details of the Agent or Requestor (if any) Name Address Phone Number Email address Proof of entitlement to act (enclose authorisation) Uses of personal information to be restricted Reason for restricting these uses of your personal information Please refer to the uses of personal information set out in our privacy notice e.g. the personal information is inaccurate, our uses of it are unlawful, etc. Uses of personal information to be restricted Reason for restricting these uses of your personal information We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, considering the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 5a ERASURE REQUEST FORM You have the right to have personal data relating to you (“Data”) deleted in certain circumstances. We ask that you complete this form, so we can determine the details of your request and, where applicable, implement your request. If your request is valid, we will delete the information requested, unless we are required by law to keep it - in this case we will advise you of what we are keeping, and the reasons why. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and address) to Privacy Co Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject (Title) (First name) (Surname) Present Address Street Town County Postcode Other contact details Telephone Email Mobile Details of the Agent or Requestor (if any) Name Address Phone Number Email address Proof of entitlement to act (enclose authorisation) Personal Information Currently on File to be deleted Reason why that personal information should be deleted e.g. name, mobile number, email address e.g. is the information inaccurate or out of date? We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________ FORM NO. 6a PORTABILITY REQUEST FORM Where we use your personal information to fulfill our contractual obligations to you, or where you have consented to our use of personal data relating to you (“Data”), and where this Data is processed by us automatically, you have the right to 'port' any such Data you provide to us subject to certain requirements. This means you have the right to receive a copy of it in a machine-readable format and to have it transmitted to another company. We ask that you complete this form, so we can determine the details of your request and implement your request. This process will provide you with certain personal information that you have provided to us, in a format that can be read electronically and, if you wish this, can be sent to another data controller. Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Privacy Co Ordinator at privacy@phelans.ie Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf. Please complete as much of the following information as you can: Full name of data subject (Title) (First name) (Surname) Present Address Street Town County Postcode Other contact details Telephone Email Mobile Details of the Agent or Requestor (if any) Name Address Phone Number Email address Proof of entitlement to act (enclose authorisation) To help us to respond to your request as quickly as possible, please provide as much detail as possible regarding the personal information you seek. If you wish to 'port' all applicable personal information, please write 'all' below Names and contact details of companies to which that data should be transmitted e.g. all information I have uploaded to the website; payment details; or billing and delivery addresses. We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests. Signature ____________________ Date _____________________