Privacy statement
Chartered Accountants Ireland (the “Institute”) respects data subjects’ right to privacy, and this statement sets out the Institute’s policy for safeguarding the information which data subjects disclose to the Institute. Any personal information which a data subject volunteers to the Institute will be treated with the highest standards of security and confidentiality, strictly in accordance with applicable data protection rules, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (the “GDPR”).
In any case where the Institute processes data of an individual from which that individual can be identified, such as a name and address, the Institute will only do so where that information is required for specific purposes.
The Institute acts as the Data Controller. The Institute’s registered address is Chartered Accountants House, 47-49 Pearse Street, Dublin 2, D02 YN40.
Definitions
| Reference | Definition |
|---|---|
| Data | Data is information which is stored electronically, on a computer or in certain paper-based filing systems. |
| Data Controllers | Data Controllers are the people or organisations who determine the purposes for which, and the manner in which, any personal data is processed. The Institute is responsible for establishing practices and policies in line with the relevant laws and regulations. The Institute is the data controller of all personal data used in its business for its own commercial purposes. |
| Data Processors | Data Processors include any person or organisation that processes personal data on the Institute’s behalf and on the Institute’s instructions. Employees of data controllers are excluded from this definition, but it can include suppliers which handle personal data on the Institute’s behalf. |
| Data subjects | Data subjects include all living individuals about whom the Institute holds personal data (including employees). All data subjects have legal rights in relation to their personal information. |
| Data Subject Access Request (DSAR) | A DSAR allows a data subject to request access to the personal data an organisation holds about them. |
| Personal data | Personal data is data relating to a living individual who can be identified, either from the data itself or from the data in conjunction with other information that is in, or is likely to come into, the Institute’s possession. Examples of personal data include name, address, date of birth, telephone number, email address and membership number. |
| Processing of personal data | Processing of personal data is any activity that involves the use of the data. The Institute requires this information to understand data subjects’ needs and to provide a better service. |
| Sensitive Personal Data (Special Category Data) | Sensitive Personal Data relates to specific categories of data, such as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; and trade union membership. The Institute may collect sensitive personal data, such as limited health data, where specialised services are required. |
| Supervisory authority | A supervisory authority is an oversight body responsible for overseeing compliance with data protection laws such as the GDPR, ensuring that organisations handle personal data properly and safeguarding individuals’ privacy rights. |
| Standard Contractual Clauses (SCCs) | Standard Contractual Clauses (SCCs) are model contracts pre-approved by the European Commission that facilitate the transfer of personal data from the EU to non-EU countries while ensuring compliance with GDPR data protection standards. |
Obligations of the Institute as Data Controller
As a Data Controller, the Institute is required to comply with the following data protection principles of good practice. These provide that personal data must:
- be obtained and processed lawfully and fairly;
- be collected and kept only for specified, explicit and legitimate purposes, and not be used or disclosed in a manner incompatible with the purposes for which it was initially given;
- be protected against unauthorised access, alteration, disclosure or destruction, and against unlawful processing;
- be accurate, complete and, where necessary, kept up to date;
- be adequate, relevant and not excessive in relation to the purposes for which it was collected; and
- not be kept for longer than is necessary.
Types of information the Institute collects
The Institute collects information, which includes personal data, about its members (including affiliate and reciprocal members), students, prospective students, non-member customers, members of Council and committees, prospective employees, and the directors, officers, employees, agents and/or authorised signatories of other regulatory and oversight bodies, the Institute’s suppliers, service providers, vendors and other commercial entities with which the Institute deals, members’ firms, law enforcement, and members of the public with whom the Institute interacts (collectively “individuals”), for the purposes of and in connection with the Institute’s dealings with those individuals and/or the relevant commercial entities. You may be such an individual.
How the Institute collects personal data of data subjects
The Institute obtains personal data directly from individuals where it deals with them directly in the course of its business. The Institute may also obtain personal data directly from individuals through its website, including:
- when an enquiry is made about Institute services or professional courses and seminars;
- on sign-up to the Institute mailing list; or
- on application for a position within the Institute.
The Institute’s cookie notice sets out details of the targeting and advertising cookies used by or via the website, which collect and use data subjects’ personal data.
Information may also be collected indirectly from a variety of sources, such as other regulatory and oversight bodies (including where the data subject asks such bodies to provide information directly to the Institute), the individual’s employer, the commercial entity which the data subject represents, and publicly available sources, including media reports and social media such as LinkedIn.
Legitimate Interest Assessment
The Institute carries out a Legitimate Interests Assessment (“LIA”) to determine whether it can process personal data on the legal basis of its legitimate interests (Article 6(1)(f) of the GDPR).
A Legitimate Interests Assessment requires the Institute to:
- identify its legitimate interests in processing the personal data;
- demonstrate that the processing is necessary to achieve those legitimate interests; and
- carefully weigh the Institute’s interest in processing the personal data against the individual’s rights as a data subject, including the right to privacy.
Where data is processed for the purposes of the Institute’s legitimate interests, the Institute prepares an LIA to ensure that its interest does not override the interests or fundamental rights and freedoms of the data subject.
Where robotic process automation (RPA) technology is used to process any data, the Institute prepares a Data Protection Impact Assessment (DPIA) to identify, assess and mitigate risks to individuals’ privacy when processing personal data. Where RPA technology involves automated decision-making, the Institute ensures there is a human in the loop during that processing activity.
Use of personal data
The Institute processes individuals’ personal data for specific purposes and in accordance with legal bases under applicable data protection laws. For each purpose set out below, the categories of personal data in scope and the lawful basis of processing are listed.
(a) Performance of a contract with the data subject
Purposes: for the Institute to perform a contract with the data subject, in anticipation of the data subject becoming a member or student of the Institute or achieving a qualification, namely providing services to the data subject, registering the data subject as a member or student, enrolling the data subject for examinations, providing an accreditation/qualification when achieved, and other related administration services, as the case may be:
- for the collection of membership subscription fees and exam fees;
- for education and maintenance of CPD requirements; and
- to deal with data subject queries or complaints.
Communications can be in the form of letter, email or SMS. If personal data is not provided for this purpose, the Institute will not be able to comply with its contract with the data subject.
Categories of personal data processed:
- Student/member name, address, email, date of birth and mobile number, member/student number, country of residence
- Photograph
- Image of identification document for exams
- Video and audio recording of the exam session
- Flags indicating non-conformance with exam rules
- IP address from which exams are taken
- Exam script, and exam adjustments arising from Reasonable Accommodation
- Exam grade
- A unique identifier which denotes a candidate and each specific exam
- PC browser and operating system
- Cookies placed on the candidate’s PC
- Employer details
- IBAN details
Lawful basis under GDPR: necessary for the performance of a contract with the data subject (per Article 6(1)(b) GDPR). In respect of health information, where necessary for the purposes of exercising the Institute’s or the data subject’s specific rights in relation to membership and/or examinations.
(b) Legitimate interests of the Institute
Purposes: where the Institute has a legitimate interest in using the personal data, including:
- managing the Institute’s contracts and relationships with members, students, non-member customers, suppliers, service providers, vendors and other commercial entities;
- discharging the Institute’s regulatory obligations including, without limitation, assessment, ongoing inspection and monitoring, and certification or licensing of the data subject or the data subject’s firm or employer, including without limitation as an audit firm or insolvency practitioner;
- processing complaints and disciplinary matters in accordance with the Institute’s disciplinary bye-laws, regulations, policies and guidance (this includes, without limitation, undertaking in-house ethical, investigatory and disciplinary proceedings howsoever called);
- maintaining and/or providing information to public registers;
- ensuring compliance with CPD requirements;
- day-to-day operational and business purposes;
- Board and Council reporting and management purposes;
- management of the benevolent association;
- in the event of a merger, reorganisation or disposal, or a proposed merger, reorganisation or disposal, of all or any part of the Institute’s business; and
- taking advice from the Institute’s external legal and other advisors.
Categories of personal data processed:
- Name, address, email, mobile number, DOB, CCTV images, IBAN details, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and members of the public.
- Firm name, address, email, mobile number, tax number, directors’ details, health details (where applicable) for firms’ directors and/or employees.
- Complainant name, address, email, DOB, mobile number, health details (where applicable); names of employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and their employees, and members of the public involved in the complaint.
- Name of firm, its partners and firm address; members’ names, employer’s name and address, job title, membership number.
- Firm name and address; members’ names and membership numbers.
- Name, address, email, DOB, mobile number, CCTV images, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and members of the public.
- Name, email and DOB of Board and Council members.
- Name, address, email, mobile number, DOB, CCTV images, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and members of the public.
- Name, address, email, DOB, mobile number, financial or health details (where applicable) for members, students and affiliates.
- Name, address, email, DOB, mobile number, CCTV images, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and members of the public.
Lawful basis under GDPR: necessary for the purposes of the Institute’s legitimate interests in promoting the proper and efficient administration of the Institute’s business, where such interests are not overridden by the data subject’s fundamental rights (per Article 6(1)(f) GDPR). In respect of health information, where necessary for the purposes of exercising the Institute’s or the data subject’s specific rights in relation to membership and/or examinations.
(c) Compliance with the Institute’s legal obligations
Purposes: for compliance with the Institute’s legal obligations, including:
- (i) discharging the Institute’s regulatory obligations including, without limitation, assessment, ongoing inspection and monitoring, and certification or licensing of the data subject or the data subject’s firm or employer, including without limitation as an audit firm or insolvency practitioner;
- (ii) complying with the Institute’s obligations under anti-money laundering law and regulations;
- (iii) processing complaints and disciplinary matters in accordance with the Institute’s Charter, Principal Bye-Laws, Disciplinary Bye-Laws and Regulations (this includes, without limitation, undertaking in-house ethical, investigatory and disciplinary proceedings howsoever called);
- (iv) maintaining and/or providing information to public registers;
- (v) tax and regulatory reporting obligations; and
- (vi) where the Institute is ordered to disclose information by a court of appropriate jurisdiction.
If personal data is not provided for this purpose, the Institute will not be able to comply with these legal obligations.
Categories of personal data processed (numbered to match the purposes above):
- (i) Name, address, email, mobile number, DOB, CCTV images, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and members of the public.
- (ii) Name, address, email, DOB, mobile number of employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers and Chartered firms; supplier/contractor tax number.
- (iii) Complainant name, address, email, DOB, mobile number, health details (where applicable); names of employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and their employees, and members of the public.
- (iv) Name of firm, its partners and firm address; members’ names, employer’s name and address, job title, membership number.
- (v) Name, address, email, DOB, mobile number, health details (where applicable); names of employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and their employees, and members of the public.
- (vi) Will depend on the request at hand.
Lawful basis under GDPR: necessary to comply with the Institute’s legal obligations (per Article 6(1)(c) GDPR). See Appendix A for the list of all applicable laws. In respect of health information, where necessary for the purposes of exercising the Institute’s or the data subject’s specific rights in relation to membership and/or examinations.
(d) Legitimate interests of a third party
Purposes: where use or sharing is for a legitimate interest of a third party to which the Institute provides the personal data, including for day-to-day operational and business purposes.
Categories of personal data processed: as notified to the data subject from time to time.
Lawful basis under GDPR: necessary for the purposes of a third party’s legitimate interests in promoting the proper and efficient administration of its business, where such interests are not overridden by the data subject’s fundamental rights (per Article 6(1)(f) GDPR).
(e) Legal rights and proceedings
Purposes: where necessary to establish, exercise or defend legal rights, or for the purpose of legal proceedings.
Categories of personal data processed: as notified to the data subject from time to time.
Lawful basis under GDPR: necessary for the purposes of the Institute’s legitimate interests in establishing, exercising or defending legal rights, where such interests are not overridden by the data subject’s fundamental rights (per Article 6(1)(f) GDPR).
(f) Consent
Purposes: where the Institute needs, and the data subject has given, consent to use the data subject’s personal data for a particular purpose. The data subject has the right at any time to withdraw consent to the Institute’s future use of their personal data for some or all of those purposes by contacting the Privacy Manager. Such withdrawal does not affect the lawfulness of processing based on consent before the withdrawal.
Categories of personal data processed: as notified to the data subject from time to time.
Lawful basis under GDPR: the data subject has given consent to the processing of their personal data for one or more specific purposes (per Article 6(1)(a) GDPR).
Where the Institute has the data subject’s permission, it may send the data subject information relating to topics, goods or services which it believes will be of interest to them. A data subject who subsequently decides that they no longer wish to receive such information can change this through the preference centre.
The Institute will only use a data subject’s personal data for the purposes for which it was collected, unless the Institute considers that it is needed for another reason and that reason is compatible with the original purposes and applicable laws. If the Institute needs to use personal data for a purpose unrelated to the original purpose for which it was collected, the Institute will notify the data subject and explain the legal basis which allows it to process the data.
Disclosures of personal data
The Institute will not disclose personal data to any third party except as outlined in this statement and/or as follows:
| Category of recipients | Personal data shared by the Institute | Purposes for which the personal data is shared |
|---|---|---|
| (a) Suppliers, service providers, vendors, other commercial entities | Name, address, email, DOB, mobile number, CCTV images, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and members of the public. | To enable the Institute to carry out its obligations under, and enforce, its contracts with the Institute’s non-member customers, suppliers, service providers, vendors and other commercial entities. |
| (b) Auditors, legal advisors, other advisors | Name, address, email, DOB, mobile number, CCTV images, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers, Chartered firms and members of the public. | Where necessary for audit, legal and other advisory purposes. |
| (c) Other regulatory or oversight bodies | Name, address, email, DOB, mobile number, supplier/contractor tax number, health details (where applicable) for members, students, affiliates, Council members, committee members and Chartered firms. | Where the Institute is required or requested to share information with another regulatory or oversight body, including where a member asks the Institute to confirm details with such bodies. |
| (d) Employer sponsors | Name, address, email, DOB, mobile number, health details (where applicable) for employees. | Where the data subject is a student and their employer is their sponsor, the Institute will share the data subject’s personal data with their employer. |
| (e) Proposed assignee, transferee or successor in title and their respective officers, employees, agents and advisors | Name, address, email, DOB, mobile number, supplier/contractor tax number, health details (where applicable) for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers and Chartered firms. | In the event of a merger or proposed merger, any (or any proposed) transferee of, or successor in title to, the whole or any part of the Institute’s business, and their respective officers, employees, agents and advisers, to the extent necessary to give effect to such a transaction. |
| (f) Recipients as required by law or regulation, court or administrative order having force of law, regulators, other regulatory and oversight bodies, members’ firms or law enforcement agencies | Specified per each request. | Where the disclosure is required by law or regulation (including but not limited to anti-money laundering law and regulations), or by court or administrative order having force of law, or is required to be made to any regulators or law enforcement agencies. |
| (g) Another Recognised Accountancy Body (“RAB”) | Name, address, email, DOB, mobile number, supplier/contractor tax number for employees, members, students, affiliates, Council members, committee members, legal advisors, contractors, suppliers and Chartered firms. | The Institute may share personal data with another RAB where it considers there is a legitimate interest in doing so. |
Regulatory and Oversight Bodies (ROBs)
The Institute interacts and shares personal data with the following bodies (including but not limited to):
- The Irish Auditing and Accounting Supervisory Authority
- The Central Bank of Ireland
- The Financial Reporting Council
- Office of the Director of Corporate Enforcement
- An Garda Síochána
- Revenue Commissioners Ireland
- National Crime Agency
- Office for Professional Body AML Supervision (“OPBAS”)
- GB/NI Insolvency Service
- Other RABs
- Disciplinary panel members
- Committee members
- External disciplinary committees.
International transfers
Personal data may be transferred outside Ireland and the United Kingdom (“UK”) in connection with the purposes described in this statement and/or as otherwise required or permitted by law.
Many transfers will be to countries within the European Economic Area (the “EEA”), or to jurisdictions formally recognised by the European Commission as providing an equivalent level of protection (known as an “adequacy decision”), such as the UK.
Where transfers are made to countries without an adequacy decision, the Institute relies on the appropriate legal safeguards required under the GDPR for personal data, including the EU Standard Contractual Clauses (SCCs) and any supplementary measures where appropriate. Further information in relation to international data transfers can be obtained by contacting the Institute at the address specified in this statement.
Third party personal data
Where a data subject provides the Institute with personal data relating to other individuals (such as directors, officers, employees, advisors or other related persons), the data subject represents and warrants that they will only do so in accordance with applicable data protection laws.
The data subject must ensure that:
- the individuals in question are made aware that the Institute will hold information relating to them and that the Institute may use it for any of the purposes set out in this statement; and
- where necessary, the individual’s consent to the Institute’s use of their information is obtained. The Institute may, where required under applicable law, notify those individuals that their details have been provided.
Third party providers of information
The Institute may obtain personal data relating to a data subject indirectly, such as where their employer provides their contact details to the Institute in connection with its business. The person providing the information will in the ordinary course be asked to warrant that it will only do so in accordance with applicable data protection laws, that before doing so it will make the data subject aware that the Institute will hold information relating to them and may use it for any of the purposes set out in this statement, and that, where necessary, it will obtain consent to use the information.
In certain circumstances, such as where a complaint is made against a member, the Institute has an obligation to act on the information which is provided.
Recipients of personal data
In any case where the Institute shares personal data with a third-party data controller (including, as appropriate, other regulatory and oversight bodies), the use of that personal data by the third party will be subject to the third party’s own privacy policies.
Updates to personal data
Reasonable efforts will be made to keep personal data up to date. However, data subjects should notify the Institute without delay of any change in their personal or business circumstances, so that the Institute can keep their personal data up to date.
Data security
Appropriate physical, organisational and technical security measures are in place to protect individuals’ personal data from accidental loss and from unauthorised access, use, alteration or disclosure. Strict internal guidelines are in place to ensure that privacy is safeguarded at every level in the Institute. The Institute limits access to personal data to those employees and processors who have a legitimate business need to access it, and will continue to revise its policies and implement additional security features as new technologies become available.
Retention of personal data
The Institute is obliged to retain certain information to ensure accuracy, to meet legal and regulatory obligations, and for legitimate business purposes.
Information will be retained for no longer than is necessary for the purpose for which the Institute obtained it, or as required or permitted for legal and regulatory purposes (including disciplinary procedures) and for legitimate business purposes. In most cases the Institute (or its service providers) retains personal data for seven years after a data subject ceases to interact with the Institute, unless obliged to hold it for a longer period under law or applicable regulations. In certain circumstances, where required by law or applicable regulations, or where the Institute deems it necessary for its legitimate business, regulatory and/or disciplinary purposes, personal data may be held for a longer or shorter period.
Exam scripts will only be retained for the period during which an appeal may be lodged plus one month, or if an appeal is lodged, for a month after the end of the appeal process. There is no appeal period for interim assessments therefore the interim assessment scripts are retained for one month after the relevant results are published.
Privacy rights in relation to personal data processed
Data subjects have the following rights, in certain circumstances, under Articles 12-22 of the GDPR:
- The right to be informed about what personal data is collected and how it is used.
- The right of access to the personal data controlled by the Institute.
- The right to correct any inaccuracies in the personal data.
- In some instances, subject to the Examinations and Appeals Regulations and in accordance with the need to provide fair examinations to all Institute Candidates, there is the right to erasure of personal data (also known as the “Right to be Forgotten”).
- The right to restrict the processing of the personal data.
- The right to object to the processing of personal data in certain circumstances; this includes the right to opt out of receiving marketing communications from the Institute.
- The right not to be subject to automated decision-making and profiling in certain circumstances. This right does not apply where the processing is based on explicit consent.
- The right to data portability of the personal data that data subjects provide to the Institute, where it is processed on the basis of the data subject’s consent or for the performance of a contract.
In any case where the Institute relies on consent to process a data subject’s personal data, the individual has the right to change their mind and withdraw consent by writing to the address specified below, without affecting the lawfulness of processing based on consent before its withdrawal.
How to exercise privacy rights
Data Subjects can exercise any of the listed rights above by contacting the Institute’s Privacy Manager at the details listed below.
Data Subjects also have the right to lodge a complaint about the Institute processing of personal data with the relevant supervisory authority in accordance with Article 77 GDPR, details as follows:
Republic of Ireland:
Telephone: 1890 252 231
Email: info@dataprotection.ie
Address:
Data Protection Commission,
6 Pembroke Row,
Dublin 2,
D02 X963,
Ireland
Northern Ireland:
Telephone: 028-9027-8757
Email: ni@ico.org.uk
Address:
Information Commissioner’s Office,
10th Floor Causeway Tower,
9 James Street South,
Belfast,
BT7 2JB
Northern Ireland
You can read more about the Institute's Data Privacy Complaints Procedures. All questions in relation to this privacy statement can be directed to the Privacy Manager at the details below.
Updates to this statement
The Institute reserves the right in its sole discretion to amend this statement at any time (for example, to comply with changes in laws or regulations, Institute practices, procedures and organisational structures, requirements imposed or recommended by supervisory authorities or otherwise). Changes to this statement will be communicated by the Institute where legally required to do so.
Contacting the Institute
For any queries or complaints regarding the use of data subjects’ personal data and/or the exercise of individual rights, please contact the Privacy Manager, whose contact details are as follows:
Email: privacy@charteredaccountants.ie
Address:
Privacy Manager,
Chartered Accountants Ireland,
Chartered Accountants House,
47-49 Pearse Street,
Dublin 2
D02 YN40