This policy statement is to protect the rights and privacy of individuals in accordance with the Data Protection Act.

Who We Are

This data protection policy and privacy notice provide you with details of who we are and how we collect and process you and your client’s personal data.

This is the data protection policy and privacy statement of Devaney and Durkin whose place of business and registered address is 1 Ontario Terrace, Portobello Bridge, Rathmines, Dublin 6.  Our Website address is https://www.devaneyanddurkin.ie/

Devaney and Durkin Statuary Auditors and Chartered Accountants “the Firm” (referred to as “we”, “us” or “our” in this data protection policy and privacy notice” is a data controller due to our professional obligations which oblige us to take responsibility for your personal data. In terms of processing payroll vendor services we are a data processor.

Individuals’ Responsibilities

Any staff member of Devaney and Durkin who is involved in the collection, storage or processing of personal data has responsibilities under the legislation.

Any staff member involved in the processing/storing of personal data should make sure;

  • To obtain and process personal data fairly.
  • To keep such data only for explicit and lawful purposes.
  • To disclose such data only in ways compatible with these purposes
  • To keep such data safe and secure.
  • To keep such data accurate, complete and up-to-date.
  • To ensure that such data is adequate, relevant and not excessive.
  • To retain such data for no longer than is necessary for the explicit purpose.
  • To give, on request, a copy of the data to the individual to whom they relate (Known as an “Access Request”).
  • Any data access requests received should be forwarded immediately to Richard Durkin.

Individual Rights

The individuals for whom Devaney and Durkin stores personal data have the following rights:

  • To have their personal data obtained and processed fairly
  • To have personal data kept securely and not illegitimately disclosed to others.
  • To be informed of the identity of the Data Champion and of the purpose for which the information is held.
  • To get a copy of their personal data.
  • To have their personal data corrected or deleted if inaccurate.
  • To prevent their personal data from being used for certain purposes: for example, one might want to have the data blocked for research purposes where it is held for other purposes.
  • Under Employment Rights, not to be forced to disclose information to a prospective employer. No one can force another person to make an access request, or reveal the results of an access request, as a condition of recruitment, employment or provision of a service. Where vetting for employment purposes is necessary, this can be facilitated where the individual gives consent to the data controller to release personal data to a third party.

 

Principles of the Act

Devaney and Durkin will administer its responsibilities under the legislation in accordance with the eight stated data protection principles outlined in the Act as follows:

  1. Obtain and process information fairly. Devaney and Durkin will obtain and process personal data fairly and in accordance with the fulfilment of its functions.
  2. Keep data only for one or more specified, explicit and lawful purposes. Devaney and Durkin will keep data for purposes that are specific, lawful and clearly stated and the data will only be processed in a manner compatible with these purposes.
  3. Use and disclose data only in ways compatible with these purposes. Devaney and Durkin will only disclose personal data that is necessary for the purpose/s or compatible with the purpose/s for which it collects and keeps the data.
  4. Keep data safe and secure. Devaney and Durkin will take appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction. Devaney and Durkin is aware that high standards of security are essential for all personal data.
  5. Keep data accurate, complete and up-to-date. Devaney and Durkin will have procedures that are adequate to ensure high levels of data accuracy. Devaney and Durkin will examine the general requirement to keep personal data up-to-date. Devaney and Durkin will put in place appropriate procedures to assist staff in keeping data up-to-date.
  6. Ensure that data are adequate, relevant and not excessive. Personal data held by Devaney and Durkin will be adequate, relevant and not excessive in relation to the purpose/s for which it is kept.
  7. Retain data for no longer than is necessary for the purpose or purposes for which they are kept. Devaney and Durkin has retention periods for personal data.
  8. Give a copy of his/her personal data to that individual, on request. Devaney and Durkin has procedures in place to ensure that data subjects can exercise their rights under the Data Protection legislation.

GDPR – Introduction

The General Data Protection Regulation (GDPR) is a new EU Regulation that replaces previous data protection legislation. Written before mass Internet and mobile connectivity, before it was socially acceptable to share personal information online, data protection law was considerably out of date and replacement legislation long overdue. The GDPR is also being introduced to legislate for certain individual rights that were not covered by the previous legislation (e.g. ‘right to be forgotten’). The GDPR comes into force on 25 May 2018. In Ireland, the Data Protection Commissioner (DPC), whose functions include the enforcement of the GDPR, expects organisations to be ‘GDPR-ready’. This means that organisations must review and update their personal data processes and be able to demonstrate compliance with the new legislation.

Why is GDPR Important?

The right to privacy is a fundamental human right. Organisations must always balance this right with their need to use ‘personal data’, i.e. “any information relating to an identified or identifiable natural person” (the ‘data subject’). Organisations that gather, store and/or otherwise ‘process’ personal data are legally obliged to safeguard the privacy of the individuals with whose data they are entrusted. In introducing stricter measures, including consequences for non-compliance, the GDPR is intended to further ensure that this right to privacy is protected. An organisation’s need for personal data must be carefully considered and have a legal basis. The gathering and processing of that data must be proportionate to that need.

What we are doing to be GDPR Compliant

We are complying to the below principles of the GDPR as set out below:

  1. Lawfulness, Fairness and Transparency: Have a ‘legal basis’ for obtaining personal data, obtain the data fairly and be fully transparent as to your purpose for gathering it.
  2. Purpose Limitation: Only use personal data for the purpose(s) for which you have obtained it under Principle 1 above.
  3. Data Minimisation: Only collect personal data that is necessary relevant to the purposes for which you are collecting it.
  4. Accuracy: Make every reasonable effort to keep personal data accurate and up to date
  5. Storage Limitation: Do not retain data for longer than the purposes for which it was collected or legal requirements.
  6. Integrity and Confidentiality: Keep personal data secure and protected from any form of data breach.
  7. Accountability: Be prepared to demonstrate compliance with our obligations under GDPR
  8. Upholding Data Subject Rights: Uphold the rights of data subjects including rights to
    1. access to data
    2. have data erased or corrected (a qualified right)
    3. have their data transferable and moved on request
    4. object to their data being processed or to restrict it being processed

Key Terms associated with GDPR

  • Data Subject = means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about.
  • Data Processor = in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Data Controller = means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Key changes under the GDPR

The GDPR is more robust than previous legislation, enhancing the powers of the DPC and the rights of data subjects. Key changes under the GDPR are as follows:

  1. Fines The DPC now has the power to impose fines on any organisation holding personal data and in breach of the GDPR. These fines can be up to € 20 million or 4% of turnover, whichever is greater. The DPC can take into account measures taken to comply with the GDPR when deciding on what fines, if any, to impose.
  2. Compensation in the Courts Data subjects will have a right to sue data controllers or data processors that have infringed their rights under the GDPR. Where a breach occurs that infringes the rights of a numbers of data subjects,  each of them may seek judicial remedy from the effendi ng data controller and/or data processor. For example, if a record of 100 individuals is breached, then potentially 100 people will have suffered a loss for which they can seek compensation through the courts
  3. New Obligations for Data Processors Previous data protection legislation required that, generally, only data controllers (those that initially obtain the personal data) had to comply. GDPR extends the legal obligation to include organisations that are data processors (those that process personal data on behalf of data controllers).
  4. Accountability The GDPR introduces the legal obligation of accountability for the handling of personal data and for being able to demonstrate compliance with the data protection principles (see below). The GDPR requires that the processing of personal data is recorded are each stage: as it enters, is held and used by an organisation.
  5. Consent While the legal bases for processing personal data will not change under the GDPR, if you are relying on the consent of the data subject, there are stricter rules about how such consent is captured, recorded and managed (covered in more detail below in relation to direct marketing – see Step 10).
  6. Enhanced Rights of Data Subjects While individuals always had rights under data protection legislation, these have been enhanced under the GDPR, including: • Changes to the conditions around the right of access to personal data: the fee organisations could charge has been abolished; and the time limit for complying with a data request is reduced from 40 to 30 days; • A qualified right to erasure of personal data (the ‘right to be forgotten’); • A right of rectification (to have any inaccuracies corrected); • A right to ‘data portability’ (personal data must be stored so that it is readily identifiable and transferable to another organisation if so requested by the data subject); and • A right to object to personal data being processed or to restrict it being processed
  7. Reporting of Data Breaches A ‘data breach’ occurs when the security of personal data is compromised, e.g. when emails containing personal data are sent to the wrong person. Before the GDPR, it was not mandatory to report data breaches; now, in certain circumstances, it is mandatory to report breaches to the DPC, including where the personal data of a large number of data subjects is involved, or where special category data has been breached (e.g. medical records). Reported or not, all organisations are obliged to maintain a record of all data breaches.
  8. Data Protection Officers Some organisations, including public authorities or bodies, are now obliged to appoint a data protection officer (DPO), who must have the knowledge, support and authority to take responsibility for data protection compliance. Devaney and Durkin
  9. ‘Privacy by Design’ and Data Protection Impact Assessments Organisations are now required to build data protection into all new products and services, and all new processes that involve the use of personal data. Data protection impact assessments (DPIAs) will identify, assess and  minimise risks with the processing of personal data. DPIAs are particularly relevant when a new data process of system is being introduced. DPIAs are mandatory where data processing is likely to pose a high risk to the protection of data subjects’ personal data. Documenting DPIAs will help to demonstrate compliance (accountability).
  10. Global Applicability The GDPR applies to organisations throughout the world that obtain or otherwise process the personal data of individuals resident in the EU.

The Data we collect, the purpose for which we collect it and the grounds upon which we process it

Key Terms associated with GDPR

Disclosures of personal data

Personal Data: Personal data means any information capable of identifying an individual. It does not include anonymised data.

For the purposes of this policy the firm provides the following service;

  • Accounts Preparation
  • Bookkeeping
  • Audit Assignments
  • Taxation compliance and advisory services
  • Payroll Services

You shall only disclose client personal data to us where;

  • You have provided the necessary information to the relevant data subjects regarding its use (and you may use or refer to our privacy notice available at https://www.devaneyanddurkin.ie/
  • You have a lawful basis upon which to do so, which, in the absence of any other lawful basis shall be with the relevant data subjects consent and
  • You have complied with the necessary requirements under the data protection legislation to enable you to do so

We shall only process your personal data:

  • In order to provide our services to you and perform any other obligations in accordance with our engagement with you
  • In order to comply with our legal or regulatory obligations and
  • Where it is necessary for the purposes of our legitimate interest and those interests are not over ridden by the data subjects own privacy rights

Methods of collecting personal data

  • We may collect data from you where you supply this directly to us via email, post or telephone.
  • We may collect data from your where you complete a form on our website, in our office or via sending this to us via email, post, telephone or in a meeting.
  • We may collect data from you via third parties who you authorise us to obtain data from on your behalf example, Revenue Commissioners, VHI, Irish Life, The Companies Registration Office, Financial Instruction or another professional or adviser

Data Security

We have put in place commercially reasonably and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so

Data Security

  • We have made improvements to how we retain personal data
  • We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements
  • We ensure personal data is saved in a secure location
  • We will comply with our obligations under all relevant data protection legislation in relation to the personal data we hold about you.
  • We hold onto personal data for the sole purpose of providing our services – ie processing payroll, processing income tax returns and accounting services. We retain this for the length of period as required by our Regulatory and Tax obligations – ie 6 years plus current year.
  • At the beginning of each tax year – we will erase and destroy (in a safe manner) any documentation in excess of our retention period. This would

Devaney and Durkin – GDPR

We respect your trust in us to use, store and keep your information secure and safe. Please be assured that at Devaney and Durkin – we take the security and safety of personal information very seriously. As a result of this, Devaney and Durkin have made all the necessary changes to ensure that we are now fully GDPR compliant

Roles/Responsibilities of Devaney and Durkin

Devaney and Durkin has overall responsibility for ensuring compliance with the Data Protection legislation. However, all employees Devaney and Durkin who collect and/or control the contents and use of personal data are also responsible for compliance with the Data Protection legislation. Devaney and Durkin will provide support, assistance, advice and training to all relevant Departments, Offices and staff to ensure it is in a position to comply with the legislation. Devaney and Durkin is registered as a Data Controller and a Data Processor in compliance with the Act

Retention of Personal Data

We may have to share your personal data with the parties set out below;

  • Service providers who provide IT and system administration services including cloud based services and applications
  • Professional advisers including other accountants, solicitors, bankers, auditors and insurers who provide consultancy, banking, legal, insurance, accounting services and regulatory support and compliance services   Risk management auditors and quality control companies.
  • The Revenue Commissioners, the Chartered Accountants Ireland / Association of Chartered Certified Accountants / the Institute of Certified Public Accountants in Ireland.
  • The Data Protection Commission, the Central Statistics Office, and other regulators and authorities based in Ireland and other relevant jurisdictions who require reporting of processing activities in certain circumstances.

We have put in place commercially reasonably and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so

  • Data Subject = means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about.
  • Data Processor = in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Data Controller = means … a person who (either alone or jointly or in common