DATA PROTECTION STATEMENT FOR OVACARE
Last Updated: September 2021
1. ABOUT US
We are OvaCare, a charity registered in Ireland (CHY20484 / 20081300) that provides support for all those affected by Ovarian Cancer in Ireland.
You can find us at:
|Address:||Acorn Business Centre Mahon Industrial Estate BlackRock Cork T12 K7CV|
|Telephone:||+ 353 (0)21 242 8108|
References to “We”, “Us” the “Charity” and “OvaCare” shall apply to OvaCare throughout this statement.
We are a registered charity that provides support for patients, friends and families who are affected by Ovarian Cancer in Ireland. Our mission is to elevate awareness, accelerate diagnosis and to educate women affected by Ovarian Cancer within Ireland. We do this through sharing knowledge about ovarian cancer with the OvaCare community and by providing support and advocacy through the OvaCare support network.
In order to provide our services, we need to process Personal Data. We are committed to protecting the rights personal data of individuals in accordance with data protection legislation including the General Data Protection Regulation in Europe (the “GDPR”).
2. CONTACT DETAILS
If you have any questions about this Data Protection Statement or the way in which your Personal Data is being used by us, please contact us directly by post or email:
|Address:||Attn: Data Protection|
Acorn Business Centre
Mahon Industrial Estate
3. THE PURPOSE OF THIS DATA PROTECTION STATEMENT
This Data Protection Statement applies to Personal Data. The definition of Personal Data is as follows:
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special Categories of Personal Data” means Personal Data that is afforded additional protection under the GDPR because of its sensitive nature. This includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. While OvaCare may process health data as a result of your interaction with us, we make every effort to minimise our processing wherever possible.
This Data Protection Statement describes our approach to data protection and sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be used by us where we are controllers of that Personal Data for the purposes of the GDPR. Please read this Data Protection Statement carefully to understand our views and practices regarding the Personal Data we collect, as controllers under the GDPR, and how we will treat it.
4. WHO THIS DATA PROTECTION STATEMENT APPLIES TO
This Data Protection Statement provides specific information relating to the following individuals whose Personal Data we process:
- OvaCare community members who engage with our services to support their own journey or the journey of a friend or relative who has been diagnosed with Ovarian Cancer “Community Member”;
- donors who provide financial support to our charity enabling us to support our community “Donors”;
- volunteers who help us fundraise, help us host our events or speak at our events “Volunteers”; and
- users/guests of our Website “Website Users”.
5. SOURCES OF PERSONAL DATA
MEMBER PERSONAL DATA
We collect Personal Data from our Community Members including patients diagnosed with Ovarian Cancer or their friends or relatives.
We source Personal Data in order to enable you to actively engage with our supports and connect to the OvaCare community. We will only ever source Personal Data that is necessary and in a way that would be generally expected.
We receive Personal Data about our OvaCare Community Members from a variety of sources, as follows:
- the Personal Data is often provided by the Community Member who completes a web form or contact us directly via email, post or phone;
- the Personal Data may be collected from your interaction with the OvaCare community on Health Unlocked;
- the Personal Data may be collected as a result of Community Members engaging with our social media accounts on Facebook or twitter
- the Personal Data may be collected when you register to attend an OvaCare event such as a coffee morning or patient day;
- the Personal Data may be collected when you attend a webinar, virtual coffee morning or other online event; or
- the Personal Data may be collected through our website.
DONOR PERSONAL DATA
We collect Personal Data from our Donors in order to process your payment, provide receipts or to acknowledge your generosity or to facilitate tax claims under the Charitable Donation Scheme.
We receive Personal Data relating to Donors who support us financially as follows:
- the Personal Data is provided by the Donor making a direct donation on our website;
- the Personal Data is provided by the Donor through our just giving page;
- the Personal Data is provided when you complete a sponsorship card; or
- the Personal Data is provided by the Donor in response to a request to facilitate tax claims.
VOLUNTEER PERSONAL DATA
We collect Personal Data from our Volunteers who contribute to our member supports.
We source Personal Data in order to enable you to help us run an event, moderate our online forums or to provide service content such as a talk or an online video.
We receive Personal Data relating to Volunteers as follows:
- the Personal Data is provided by the Volunteer who completes a web form or contact us directly via email, post or phone;
- the Personal Data is provided by the Volunteer who agrees to speak at an event, a webinar or to provide a video story to be posted on our web page.
We may collect Website User Personal Data from all visitors to our website in order to improve our services and develop the Website.
For more details please refer to our Cookie Notice.
6. CATEGORIES OF PERSONAL DATA
We process the following categories of Personal Data. For each category we have included an example of the type of Personal Data that may be part of that category:
|Personal Data Category||Description|
|Identification Data||may include a person’s name, photograph.|
|Contact Data||may include a person’s email address, phone number, postal address, other communication details (e.g., Social Media links).|
|Communication Data||may include phone calls, texts, email correspondence and hard copy correspondence.|
|Marketing Data||may include Identification Data and Contact Data and any preferences in receiving information from us and your communication preferences.|
|Financial Data||may include payment related information or bank account details and tax information.|
|Special Category Health Data||May include specific or implied information about your health, symptoms you experience or have experienced, mental wellbeing, and treatment details.|
|Web Data||may include Personal Data provided on any forms on our website and, to the extent that it includes Personal Data, information on the type of device you’re using, its IP address, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use.|
7. OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA
We process all Personal Data lawfully and in accordance with the requirements of the law. The GDPR sets out the legal grounds for processing Personal Data.
When the Charity processes Personal Data it is generally on one of the following legal basis:
We will process Personal Data where necessary to perform our obligations relating to or in accordance with any contract that we may have with you or to take steps at your request prior to entering into that contract;
For certain processing activities we may rely on your consent.
We sometimes process Personal Data on the basis of consent where we take photographs at events and publish them on the OvaCare website.
Where we are unable to collect consent for a particular processing activity, we will only process the Personal Data if we have another lawful basis for doing so.
You can withdraw consent provided by you at any time by contacting us at privacy@OvaCare.ie .
At times we will need to process your Personal Data to pursue our legitimate business interests, for example for administrative purposes, to collect debts owing to us, to provide information to you, to expand our business opportunities, to operate, evaluate, maintain, develop and improve our websites and services or to maintain their security and protect intellectual property rights.
We will not process your Personal Data on a legitimate interest basis where the impact of the processing on your interests or fundamental rights and freedoms outweigh our legitimate interests.
You may object to any processing we undertake on this basis. If you do not want us to process your Personal Data on the basis of our legitimate interests, contact us at privacy@OvaCare.ie and we will review our processing activities.
If we have a legal obligation to process Personal Data, such as the payment of taxes, we will process Personal Data on this legal ground.
LEGAL BASIS FOR PROCESSING HEALTH DATA
Special category Personal Data includes Personal Data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, and trade union membership, as well as Personal Data concerning health, or Personal Data concerning a person’s sex life or sexual orientation.
When we process special category Personal Data it relates to health data that you share with us when you interact with us. We apply one of the following two additional lawful bases for processing health data, depending on the circumstances.
8. OUR PROCESSING ACTIVITIES
We use your Personal Data to provide you with our services and to assist us in the operation of our Charity. Under data protection law, we must ensure that the purpose of processing is clear.
We have set out below the general purpose of processing, the categories of Personal Data processed and the related lawful basis for processing.
|Purpose of Processing||Categories of Personal Data||Lawful Basis|
|To provide Ovarian Cancer information and support services: |
to provide you with online information about Ovarian Cancer
to provide information about other relevant online information sources
to provide information packs at our events
to keep you informed about what we’re doing
to support people affected by cancer
to share member experiences for the benefit of other members
to enable you to register for and attend events
to run webinars and virtual coffee mornings
Legitimate activities of the charity
|To facilitate our online community: |
to run our social media accounts
to moderate activity and manage content on our social media accounts
to enable our members
to engage with each other via our social media platforms
to engage with our online community on Health Unlocked
Legitimate activities of the charity
|To process donations: |
to process payments to our charity
to provide receipts and acknowledgement of donations or gifts
to manage and administer our tax affairs
|Marketing activities |
to send newsletters and other information that maybe of interest
to inform you of events or webinars that might be of interest
to deliver and organise our webinars and events
|Website Delivery |
to respond to web forms completed by you
to promote our products and servicesto improve and administer the Website; and
for internal operations, including support, troubleshooting, data analysis, testing, research, statistical and survey purposes
to ensure the safety and security of our website and our services.
|Web Data||Consent |
|Administration of Our Relationship |
to manage/respond to a complaint
to notify you of updates to this Data Protection Statement
|Management of Charity Affairs |
to take minutes at board meetings
to contact Medical Panel/Patron
to enter into advocacy
to meet our obligations as a registered charity
9. DISCLOSURE OF PERSONAL DATA
In certain circumstances, we may disclose Personal Data to third parties as follows:
- to business partners and subcontractors for the performance of any contract relating to our services, including email, Communication Platforms, Customer Relationship Management (CRM) system, web developers, payment(donation) processors, data aggregators, hosting service providers, external consultants, auditors, IT consultants and lawyers;
- to analytics and search engine providers that assist us in the improvement and optimisation of the Website;
- on social media platform who facilitate online member engagement with our services and with other members;
- if we or substantially all of our charity is merged with another charity or acquired by a third party, in which case Personal Data held by us will be one of the transferred assets;
- if we are under a duty to disclose or share Personal Data in order to comply with any legal obligation (including tax, audit or other authorities), or in order to enforce or apply any contracts that we have;
- to the HSE (or any health authority) to facilitate any pandemic contact tracing activity;
- to protect our rights, property, or safety, or that of our Community Members or others. This may include exchanging Personal Data with other companies and organisations for the purpose of fraud protection. When we engage another organisation to perform services for us, we may provide them with information including Personal Data, in connection with the performance of those functions. We do not allow third parties to use Personal Data except for the purpose of providing these services.
10. SECURITY MEASURES
We will take all steps reasonably necessary to ensure that all Personal Data is treated securely in accordance with this Data Protection Statement and the relevant law, including the GDPR.
In particular, we have put in place appropriate technical and organisational procedures to safeguard and secure the Personal Data we process.
- Storing member data – contact details and lists – only on one laptop which is accessible to one person.
- Setting up 2 Factor authentication to all OvaCare email accounts.
Once we have received your Personal Data, we will use security features for the purpose of preventing unauthorised access and ensuring that only those who need to have access to your Personal Data can access it.
We also use secure connections to protect Personal Data during its transmission – for instance when you fill our forms on our website.
If you think that there has been any loss or unauthorised access to Personal Data of any individual, please let us know immediately.
11. TRANSFERS OUTSIDE THE EEA
In order to provide our services, we may need to transfer Personal Data outside the European Economic Area (EEA). We ensure that any transfer of Personal Data outside the EEA is undertaken using legally compliant transfer mechanisms and in accordance with the GDPR.
If we transfer Personal Data outside of the EEA, we generally rely on the Adequacy mechanism for transfers to the UK and Standard Contractual Clauses under Article 46.2 of the GDPR adopted by the EU Commission for all other locations. We may also rely on some of the other legally compliant transfer mechanisms provided under the GDPR.
Cookies are small text files placed on your computer or mobile device by websites that you visit, and they help us improve the products and services that we offer you. They are used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies may allow a website to remember your activity over a period of time. Cookies are optional and you do not have to accept them.
Further information on the cookies we use on the website and the purpose behind their respective uses are set out in our Cookie Notice.
13. THIRD PARTY WEBSITES
Our website contains links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy settings, and these are not endorsed by us. We do not accept any responsibility or liability for these third-party websites. Please undertake the appropriate due diligence before submitting any Personal Data to these websites.
In some circumstances it is not possible for us to specify in advance the period for which we will retain your Personal Data. In such cases we will determine the appropriate retention period based on balancing your rights against our legitimate business interests. We may also retain certain Personal Data beyond the periods specified herein in some circumstances such as where required for the purposes of legal claims.
Further information about our retention practices are set out below:
|Purpose of Processing||Categories of Personal Data||Retention Period|
|Support Service Delivery Activities||Identification Data|
|24 months after completion of service delivery activities in the case where there is no further meaningful engagement.|
|Marketing and Promotion Activities||Marketing Data|
|12 months in the case where no meaningful engagement or earlier in the case you unsubscribe.|
|Website Delivery||Web Data||12 months Where you have given us explicit consent to post content we will remove after a maximum of 10 years or earlier on your request.|
|Managing donations and administration of tax affairs||Identification Data|
|Management of Charity Governance||Identification Data|
|7 years unless required to retain indefinitely|
In certain cases, we may retain Personal Data for longer than specified here if required under relevant laws or in the event of any legal claim.
15. YOUR RIGHTS
You have various rights relating to how your Personal Data is used.
Right of access to the Personal Data we hold on you
You have the right to ask for all the Personal Data we have about you. When we receive a request from you in writing, we must give you access to everything we’ve recorded about you as well as details of the processing, the categories of Personal Data concerned and the recipients of the Personal Data.
We will provide the first copy of your Personal Data free of charge, but we may charge you a reasonable fee for any additional copies.
We cannot give you access to a copy of your Personal Data in some limited cases including where this might adversely affect the rights and freedoms of others.
Right of rectification of Personal Data
You should let us know if there is something inaccurate in your Personal Data.
We may not always be able to change or remove that Personal Data, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
Right of erasure of Personal Data (right to be forgotten)
In some circumstances you can ask for your Personal Data to be deleted, for example, where:
- your Personal Data is no longer needed for the reason that it was collected in the first place
- you have removed your consent for us to use your Personal Data (where there is no other lawful basis for us to use it)
- there is no lawful basis for the use of your Personal Data
- deleting the Personal Data is a legal requirement
Where your Personal Data has been shared with others, we will do what we can to make sure those using your Personal Data comply with your request for erasure.
Please note that we can’t delete your Personal Data where:
- we are required to have it by law
- it is used for freedom of expression
- it is used for public health purposes
- it is used for scientific or historical research or statistical purposes where deleting the Personal Data would make it difficult or impossible to achieve the objectives of the processing
- it is necessary for legal claims.
Right to restrict what we use your Personal Data for
You have the right to ask us to restrict what we use your Personal Data for where:
- you have identified inaccurate Personal Data, and have told us of it
- where we have no legal reason to use the Personal Data, but you want us to restrict what we use it for rather than erase the Personal Data altogether
When Personal Data is restricted, it can’t be used other than to securely store the Personal Data and with your consent to handle legal claims and protect others, or where it’s for important public interests.
Right to have your Personal Data moved to another provider (data portability)
You have the right to ask for your Personal Data to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
This right only applies if we’re using your Personal Data with consent and if decisions were made by a computer and not a human being. It does not apply where it would adversely affect the rights and freedoms of others.
Right to object
You have the right to object to processing of your Personal Data which is based on public interest or legitimate interest processing. We will no longer process the Personal Data unless we can demonstrate a compelling ground for the processing.
Right not to be subject to automated decision-making
You have the right not to be subject to a decision based solely on automated processing. This right shall not apply where the processing is necessary for a contract with you, or the processing is undertaken with your explicit consent or the processing is authorised by law.
You can make a complaint
You have the right to lodge a complaint with the local supervisory authority for data protection in the EU member state where you usually reside, where you work or where you think an infringement of data protection law took place.
16. AMENDMENTS TO THIS DATA PROTECTION STATEMENT
We will post any changes on the Website and when doing so will change the effective date at the top of this Data Protection Statement. Please make sure to check the date when you use our services to see if there have been any changes since you last used those services.
In some cases, we may provide you with additional notice of changes to this Data Protection Statement, such as via email. We will always provide you with any notice in advance of the changes taking effect where we consider the changes to be material.
Thank you for reading our Data Protection Statement. Please contact us at privacy@OvaCare.ie if you have any questions. If we are unable to resolve your concerns, you have the right to contact the supervisory authority in the country where you live or work, or where you consider that the data protection rules have been breached
Contact Details for the Irish Supervisory Authority is set out below for your information:
|Country||Supervisory Authority||Contact Details|
|Ireland||Data Protection Commission||Online Form: https://forms.dataprotection.ie/contact Address: |
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Tel: +353 578 684 800
or +353 761 104 800