View Cart

Hello, World!

☰

Event privacy statement

Chartered Accountants Ireland (the “Institute”) respects data subjects right to privacy, and this statement sets out the Institute's policy towards safeguarding information which is disclosed by data subjects.

Any personal information which data subjects volunteer to the Institute will be treated with the highest standards of security and confidentiality, strictly in accordance with applicable data protection rules, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (the “GDPR”).

The Institute acts as the Data Controller. The Institute’s registered address is Chartered Accountants House, 47-49 Pearse Street, Dublin 2, D02 YN40.

In any case, where the Institute asks a data subject for personal information, such as a name and address, from which a data subject can be identified on an individual basis, the Institute will only do this where the information is required for specific purposes, for example registration for an event. In every case, the Institute will let data subjects know what the information is required for before collecting it.

Definitions

Reference	Definition
Data	Data is information, which is stored electronically, on a computer or in certain paper-based filing systems.
Data Controllers	Data Controllers are the people or organisations who determine the purposes for which, and the manner in which any personal data is processed. The Institute is responsible for establishing practices and policies in line with the relevant laws and regulations. The Institute is the data controller of all personal data used in their business for their own commercial purposes.
Data Processors	Data Processors include any person or organisation that processes personal data on the Institute’s behalf and on Institute’s instructions. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on the Institute’s behalf.
Data Processing Agreement (DPA)	A Data Processing Agreement is a legally binding document that outlines the responsibilities and liabilities of data controllers and processors regarding the handling of personal data.
Data subjects	Data subjects include all living individuals about whom the Institute hold personal data (including applicants and students). All data subjects have legal rights in relation to their personal information.
Events	Events refer to gatherings that bring together professionals from a specific sector to share knowledge, network, and discuss trends amongst other things. These can include conferences, trade shows, annual dinners and meetings and so on.
Personal data	Personal data is data relating to a living individual who can be identified from the data in conjunction with other information that is in or is likely to come into the Institute’s possession. Examples of personal data include name, address, date of birth, telephone number, email address, membership number and so on.
Processing of personal data	Processing of personal data is any activity that involves the use of the data. The Institute requires this information to understand data subject needs to provide a better service.
Sensitive Personal Data (special category data)	Sensitive Personal Data relates to specific categories of data such as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence and trade union membership. The Institute may collect sensitive personal data, such as limited health data in the event that specialised services are required.

Obligations of the Institute as Data Controller

Data Controllers processing personal data must comply with the following Data Protection principles of good practice. These provide that personal data must be:

Be obtained and processed lawfully and fairly.
Be collected and kept only for specified, explicit and legitimate purposes and not be used or disclosed in a manner incompatible with those purposes for which it was given initially
Be protected against unauthorised access, alteration, disclosure or destruction, or unlawful processing.
Be accurate, complete and where necessary, kept up to date.
Be adequate, relevant and not excessive in relation to the purpose for which they were collected.
Not be kept for longer than is necessary.

How the Institute obtains data subjects personal data

The Institute collects personal information about event attendees when the Institute interact directly with data subjects about Institute events. The Institute may also obtain personal information directly from data subjects through its website when a data subject:

Fills out an event application form.
Signs up to the Institute’s mailing list.
The Institute may from time to time collect additional personal information from the data subject’s employer or during a particular event.

Use of personal data

Personal data, or personal information, means any information about an individual from which that person can be identified. The Institute have detailed in the table below, personal data which the Institute may from time to time collect, the purpose or purposes for which this personal data is processed, as well as the legal basis for such processing:

Personal data	Purpose of processing	Legal basis for processing
1. Basic information about the data subject such as name, email, address, and telephone number and, where applicable, documentation for confirming the data subject’s identity at events.	For the general administration, organisation and planning of events, such as to reserve a place for the data subject at the event and to ensure that the event is properly hosted and attended.	In order to pursue the Institute’s legitimate interests (per Article 6(1)(f) GDPR). of conducting the proper organisation of an Institute event.
2. Data subject’s job title, role and position in your company.	To facilitate and manage member interactions at events.	In order to pursue the Institute’s legitimate interests (per Article 6(1)(f) GDPR) of managing Institute relationships with members and facilitating business connections between members.
3. Information about data subject’s prior and future attendance at Institute events, including communications with Institute staff and social media posts.	To improve and enhance Institute events and attendee engagement with event offerings.	In order to pursue the Institute’s legitimate interests (per Article 6(1)(f) GDPR) of developing Institute events to suit the needs of attendees and facilitating business connections between members.
4. Information about data subject’s dietary requirements.	For determining the food and beverages that should be served to attendees at events.	In the Institute’s legitimate interests (per Article 6(1)(f) GDPR) of providing an enjoyable event experience. The Institute will only process information relating to data subject’s health with explicit consent under Article 6(1)(a) and Article 9(2)(a). In respect of health information, where necessary for the purposes of exercising Institute’s or data subjects specific rights in relation to attendance at Institute events.
5. Information about particular attendance needs or accessibility requirements data subjects may have, including disability, hearing and speech needs.	To provide information about accessibility, transportation and parking and to facilitate the attendance and enjoyment of an event.	In order to comply with legal requirements (per Article 6(1)(c) GDPR) and to pursue the Institute’s legitimate interests (per Article 6(1)(f) GDPR) of facilitating access to Institute events. The Institute will only process information relating to the data subject’s health with explicit consent under Article 6(1)(a) and Article 9(2)(a). In respect of health information, where necessary for the purposes of exercising the Institute’s or data subject’s specific rights in relation to the data subject’s attendance at Institute events.
6. Information relating to the data subject’s subscription to, receipt of or interest in any of Institute mailing lists.	To inform the data subject about upcoming events similar to those that the data subject has previously attended and to analyse the effectiveness of Institute event offerings.	In order to pursue the Institute’s legitimate interests (per Article 6(1)(f) GDPR) of growing their event attendee and membership numbers and to improve membership engagement with events.
7. Financial information such as data subject credit card number and expiration date and any other information necessary to receive payments.	To process data subject’s payments should it be required for a particular event.	With data subjects’ explicit consent (per Article 6(1)(a) GDPR) of receiving payment for event attendance where required.
8. Feedback information provided by data subjects at events.	To receive attendee feedback and improve future events.	In order to pursue the Institute’s legitimate interests (per Article 6(1)(f) GDPR) of improving future events.
9. Photographs and videos and comments given by attendees of the event, including photos and videos of speakers and attendees.	To capture events and promote future events in order to develop and grow events and facilitate business connections. Photographs and videos may be published online (for example on a website or in social media). Photographs may also be published in Institute publications (for example, magazines, updates and so on).	In order to pursue the Institute’s legitimate interests (per Article 6(1)(f) GDPR) of growing Institute events and promoting future events and for facilitating business connections between members.
10. CCTV footage when data subjects visit Institute events.	For safety and security purposes.	To pursue the Institute’s legitimate interest (per Article 6(1)(f) GDPR) of ensuring safety and security at their events.

Disclosures of personal data

The Institute may, from time to time, send some of data subjects’ personal data to certain recipients as detailed below. Details on how data subjects can opt-out are detailed in section 8.

Other event attendees: for District Society events, in order to encourage networking, the Institute may circulate event attendee lists to other attendees of the same event prior to, during or after that event. This will only occur with the data subject’s explicit consent. At the time of sign up to the event, the data subject will provide their consent by way of ticking the consent box consenting to their data being shared. The data subject can ask for further information in relation to these attendance lists through the ‘Contacting the Institute’ details below.
Publication in print and online: the Institute may use photographs or videos from events on its website or social media channels.
Transfers to service providers: the Institute may transfer a data subject’s personal details to third parties involved in the hosting or organising of events, such as sponsors, catering companies, exhibitors, stationery providers or hospitality staff at event locations.Such transfers are made for the legitimate interests pursued by the Institute in order to ensure the effective operation of their events. The data subject can ask for further information in relation to these third-party service providers though the ‘Contact us’ details below.

Third parties with whom the Institute share data with must maintain the same high level of data protection as the Institute. The Institute will enter into Data Processing Agreements (DPAs) with all key third-party organisations. These DPAs will detail the responsibilities of the Institute and the third party in relation to the processing of data subjects’ data.

Data security

The Institute have put in place appropriate security measures (for example, encrypting emails, sharing links to documents rather than emails, cyber security measures and so on) to protect data subjects’ personal data, including measures preventing personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, access to personal information will be limited to only those employees, agents and contractors who are authorised to access data subjects’ data.

Retention of personal data

The Institute will only retain data subjects’ personal information for as long as necessary to fulfil the purposes it was collected it for. To determine the appropriate retention period for personal data collected, the Institute will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which the personal data is processed and whether those purposes can be achieved through other means, and the applicable legal requirements.

The Institute will use data subjects’ personal data that is collected to notify data subjects about any Institute upcoming events that may be of interest. Data subjects can opt-out at any time by contacting the Institute at the details below and remove your details from the Institute’s marketing database.

Privacy rights in relation to personal data processed

Data subjects have the following rights, in certain circumstances, under Articles 12-22 of the GDPR:

The right to be informed about what personal data is collected and how it is used.
The right of access to the personal data controlled by the Institute.
The right to correct any inaccuracies in the personal data.

The right to erasure of personal data (also known as the “Right to be Forgotten”).

The right to restrict the processing of the personal data.
The right to object to the processing of your personal data in certain circumstances, this includes the right to opt-out of receiving marketing communications from the Institute.
The right not to be subject to automated decision making and profiling in certain circumstances. This right does not apply if the processing is based on explicit consent.
There is the right to data portability of the personal data that data subjects provide to the Institute and where it is processed based on the data subjects consent or for the performance of a contract.

In any case where the Institute are relying on consent to process data subjects’ personal data, individuals have the right to change their mind and withdraw consent by writing to the address specified below, without affecting the lawfulness of processing based on consent before its withdrawal.

How to exercise privacy rights

Data subjects can exercise any of the listed rights above by contacting the Institute’s Privacy Manager at the details listed in Section 12.

Data subjects also have the right to lodge a complaint about the Institute processing of personal data with the relevant supervisory authority in accordance with Article 77 GDPR, details as follows:

Republic of Ireland

Telephone:1890 252 231

Email: info@dataprotection.ie

Address:
Data Protection Commission,
6 Pembroke Row,
Dublin 2,
D02 X963,
Ireland

Northern Ireland

Telephone: 028-9027-8757

Email: ni@ico.org.uk

Address:
Information Commissioner’s Office,
10^th Floor Causeway Tower,
9 James Street South,
Belfast,
BT7 2JB,
Northern Ireland

You can read the Institute Data Privacy Complaints Procedures. All questions in relation to this procedure can be directed to the Privacy Manager at the details below.

Updates to this statement

The Institute reserves the right in its sole discretion to amend this statement at any time (for example, to comply with changes in laws or regulations, Institute practices, procedures and organisational structures, requirements imposed or recommended by supervisory authorities or otherwise). Changes to this statement will be communicated by the Institute where legally required to do so.

Contacting the Institute

Any queries or complaints regarding the use of data subjects’ personal data and/or the exercise of individual rights, please contact the Privacy Manager whose contact details are as follows:

Email: privacy@charteredaccountants.ie

Address:
Privacy Manager
Chartered Accountants Ireland,
Chartered Accountants House,
47-49 Pearse Street,
Dublin 2,
D02 YN40