“Data Controller” means a person, organisation or body that determines the purposes for which, and the manner in which, any Personal Data is processed. A Data Controller is responsible for complying with the data protection laws including the GDPR and establishing practices and policies in line with them.
“Data Processor” means any person, organisation or body that Processes personal data on behalf of and on the instruction of the Order. Data Processors have a duty to protect the information they process by following data protection laws.
“Data Subject” means a living individual about whom the Order processes Personal Data and who can be identified from the Personal Data. A Data Subject need not be an Irish national or resident. All Data Subjects have legal rights in relation to their Personal Data and the information that the Order holds about them.
“Personal Data” means any information relating to a living individual who can be identified from that information or in conjunction with other information which is in, or is likely to come into, the Order’s possession. Personal Data can be factual (such as a name, address or date of birth) or it can be an opinion (e.g. a performance appraisal). It can even include a simple e-mail address. A mere mention of someone’s name in a document does not necessarily constitute Personal Data, but personal details such as someone’s contact details or salary (if it enabled an individual to be identified) would fall within the definition.
“Processing” means any activity that involves use of Personal Data. It includes obtaining, recording or holding the information or carrying out any operation or set of operations on it, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring or disclosing Personal Data to third parties.
“Special Categories of Personal Data” (previously called sensitive personal data) means information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexuality. It also includes genetic and biometric data. Special Categories of Personal Data can only be processed under strict conditions and such processing will usually, although not always, require the explicit consent of the Data Subject.
This policy was approved by the Trustees of the Order on: May 15th 2018
The next review is due on or before: May 14th 2019