1.1 Board Excellence Limited (“Board Excellence”, or ‘we’, ‘us’ or ‘our’) are strongly committed to protecting your Personal Data (as defined in section 1.2 below). This notice (“Notice”) sets out how we collect, use and protect your Personal Data, either when collected via our website www.boardexcellence.ie (our “Website”) or as part of our provision of board consultancy services to you, your employer or a company or organisation related or relevant to you (our “Clients”). Please read the following carefully to understand our practices regarding your Personal Data and how we treat and safeguard it. In the event you wish to withdraw your consent to the data practices described in this Notice that are based on consent, please contact us through the “Contact us” section below.
1.2 This Notice has been developed to ensure that individuals whose Personal Data we process feel confident about the privacy and security of Personal Data provided to us in relation to our activities and, being our board consultancy services to Clients, and to meet our obligations under the Data Protection Acts 1988 to 2018 (the “Acts”) and Directive (EU) 2016/679 General Data Protection Regulation (the “GDPR” and together with the Acts, “Data Protection Law”). Under Data Protection Law, personal data is information that identifies you as an individual or is capable of doing so (“Personal Data”).
1.3 We must comply with the data protection principles set down in Data Protection Law and this Notice applies to all Personal Data collected, processed and stored by us. By providing us with information, you accept and agree to the practices described in this Notice.
1.4 For the purposes of Data Protection Law, we are the data controller of your Personal Data. You will find our contact details in the “Contact us” section below.
1.5 Terms such as ‘data subject’, ‘controller’, ‘processor’ and ‘process’, when used in this Notice, have the meanings given to them in Data Protection Law, unless otherwise indicated.
WHAT KINDS OF PERSONAL DATA DO WE COLLECT?
2.1 We may collect the following types of Personal Data from you or from a third party in relation to you (such as Clients, to which our board consultancy services are provided, or other parties providing information to us on behalf of Clients):
(a) name and contact details (including email address and telephone number) for the purposes of conducting online surveys and interviews as part of our services to Clients;
(b) personal data contained in any unredacted or not anonymised materials supplied by Clients or third parties on Clients’ behalf to us for the purposes of our provision of services to it (such materials to include, by way of example only, minutes of board meetings, other board materials, organisational charts, boardlevel policies and other governance materials);
(c) information contained in or relating to any enquiry or other communication that you send to us via our Website (which may include the communication content and metadata associated with the communication);
(d) other information which you supply to us through any independent website or social media channel, for example www.linkedin.com; and
(e) information collected automatically from you when browsing our Website via cookies or other device identifiers, such as IP addresses or other identifiers constituting Personal Data (see further at sections 2.2 to 2.5 below).
2.2 As noted above, even if you do not explicitly provide us with data when you interact with the Website, we may collect certain data. For example, the Website may use cookies and our servers may keep an activity log that tracks all visitors to the Website. The information collected will often be anonymous and therefore may not identity you individually, however such information, or such information in conjunction with other information that we hold, may be capable of identifying you and so may constitute Personal Data (“Website Data”). Website Data may include among, other data:
(a) the country in which you reside;
(b) referring/exit URLS and other information that does not identify you directly or indirectly but may correspond with you or a particular device; and
(c) information about your browser type, device type and unique device information as well as your operating system, websites you visited before and after visiting the Website, standard server log information and IP address.
2.3 We collect this Website Data passively using technologies such as cookies (see our cookie policy). We use Website Data to administer, operate, and improve the Website.
2.4 If any Website Data constitutes Personal Data (whether directly or through linking or associating any Website Data with any other information), the terms of this Notice will apply. Otherwise, we use and disclose Website Data in a non-personally identifiable form.
2.5 The Website may now or in the future interact with other sites, including social media websites such as LinkedIn, (and may use social media plugins) to facilitate social media functions. We have no control over the information that other websites or social media websites or plugins collect, store, or use. Before you choose to access other websites or social media platforms from our Website, please be certain that you review the privacy notice of that social media platform or website.
LEGAL BASIS FOR PROCESSING
We rely on the following legal bases under GDPR in processing Personal Data:
(a) consent (for example, where you voluntarily provide Personal Data via the Website, agree to supply your Personal Data to participate in surveys or interviews, or otherwise);
(b) compliance with legal obligations; and
(c) legitimate interests (for example, in order to fulfil our obligation to provide services to our Clients, or in the event of a complaint or legal action being taken against us).
HOW WE COLLECT PERSONAL DATA
4.1 We may collect Personal Data from your interaction with us, for example, when you contact us through the Website or via email.
4.2 Personal Data is not always collected from you directly. Our Client, who may also be a controller of your Personal Data (for example, if it is your employer), may share your Personal Data with us for the purpose of the provision by us of services to that Client. Third parties may also provide your Personal Data directly to us on behalf of our Clients.
HOW WE MAY USE YOUR PERSONAL DATA
5.1 Except as set out in in this Notice, we will not disclose Personal Data that we collect to any parties other than those with whom we partner or are affiliated with, without your consent. Except as described below, we will not sell, share, trade, rent, or give away your Personal Data.
5.2 We may use your Personal Data in the provision of services to our Clients, or, for example, upon your consent for the purposes of contacting you regarding our services or any other matter in relation to which you make contact with us.
5.3 As noted at section 2.3 above, we use Website Data to administer, operate, and improve the Website.
5.4 We shall not use your Personal Data for any other reason. Do we disclose Personal Data to anyone else?
5.5 We shall disclose your Personal Data to third parties only when it is necessary as part of services or when there is a legal or statutory obligation to do so. Whenever we disclose your Personal Data to third parties, we will only disclose that amount of your Personal Data necessary to meet such business need or legal requirement. Third parties that receive your Personal Data from us must satisfy us as to the measures taken to protect the Personal Data such parties receive, in accordance with Data Protection Law and as stated in this Notice. Appropriate measures will be taken to ensure that all such disclosures or transfers of your Personal Data to third parties will be completed in a secure manner and pursuant to contractual safeguards.
5.6 We use/employ other companies and individuals to perform functions on our behalf, including independent consultants engaged by us to assist with the provision of Services to our Clients, as well as the online survey provider Alchemer. These third-party service providers are authorised to use Personal Data only as needed to perform their functions on our behalf and are required to maintain the security of your Personal Data.
5.7 We may transfer your Personal Data to another company that is affiliated with us, with which we have merged, or which has acquired all or some of our assets. We will advise you if such a change of ownership or change of corporate structure takes place and we will update this Notice accordingly.
5.8 We may provide your Personal Data when obliged to do so under Data Protection Law and in response to properly made requests, for example, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. In the case of any such disclosure, we will do so only in accordance with Data Protection Law.
5.9 We may disclose your Personal Data to our insurers and/or professional advisers (including legal counsel) insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. We may also provide your Personal Data when required to do so by law, for example under a court order.
5.10 We store your Personal Data on servers based in Ireland and the European Economic Area (“EEA”), provided to us as a service by third party providers. The storage and/or processing of Personal Data by such parties constitutes a sharing of Personal Data with those parties on a controller-to-processor basis, meaning that such parties process your Personal Data on our instructions only.
TRANSFER OF DATA OUT OF EUROPE
6.1 Your Personal Data may be processed by our trusted third party partners outside of the EEA. Data privacy laws in the countries to which your personal data is transferred may not be equivalent to, or as protective as, the laws in the EEA.
6.2 We will implement appropriate measures to ensure that your Personal Data remains protected and secure when it is transferred outside of the EEA, in accordance with applicable Data Protection Law. Because many countries to which Personal Data may be transferred have not received an “adequacy finding” regarding their privacy laws from the European Commission, Board Excellence will either rely on Standard Contractual Clauses or derogations in Article 49 of the GDPR to transfer your Personal Data to such countries.
6.3 Board Excellence continues to monitor all developments regarding the legal bases for the international transfer of Personal Data and shall update its processes as necessary.
HOW LONG DO WE KEEP PERSONAL DATA?
7.1 The period for which we retain Personal Data varies according to the use of that information. In some cases, there are legal requirements to keep Personal Data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain Personal Data no longer than is necessary for the purposes for which the Personal Data were collected and processed (as described above).
7.2 Personal Data of customers will be retained for no longer than is necessary for the purposes for which it was collected. We will retain your Personal Data for as long as is necessary for the provision of our services to the relevant Client. We will retain your Personal Data as follows:
(a) Personal Data used for the purposes of completion of online surveys or interviews will be retained only for as long as necessary to complete our provision of board consultancy services to the relevant Client; after this point, such Personal Data will be deleted; and
(b) Personal Data contained in any Materials will be retained for up to one month following the completion of our provision of board consultancy services to the relevant Client, after which it shall be deleted.
7.3 In some cases it is not possible for us to specify in advance the periods for which your Personal Data will be retained; in such cases, we will determine the period of retention based on criteria that comply with the requirements of Data Protection Law.
7.4 Following termination of the provision of services to you, your Personal Data shall be retained for as long as is necessary and permissible in accordance with statutory limitation periods. We may retain your Personal Data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
HOW YOU CAN EXERCISE YOUR RIGHTS IN RESPECT OF PERSONAL DATA WE HOLD ABOUT YOU
Your rights 8.1 We shall vindicate all rights under Data Protection Law. These rights are as follows:
(a) the right to request access to Personal Data and to have any incorrect Personal Data rectified;
(b) the right to the restriction of processing of Personal Data or to object to processing;
(c) the right to have Personal Data erased;
(d) the right to data portability; and
(e) where processing is based on consent, the right to withdraw consent at any time.
8.2 Vindication of these rights shall not affect any rights which we may have under GDPR. Exercising your rights and managing information
8.3 You can update or correct your Personal Data, remove it from our system or exercise any of your rights by making a request to us at the contact information provided below. If for some reason these rights are denied, we will provide an explanation of why this is the case.
8.4 We will process your request within 30 days of receipt.
SECURITY OF YOUR INFORMATION
9.1 We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
9.2 Personal Data is stored on servers based in Ireland and on computer hard drives.
9.3 Once we have received your Personal Data, we will use strict procedures and security features to try to prevent unauthorised access.
9.4 Unfortunately, the transmission of information through the internet is not completely secure. Although we will do our best to protect your Personal Data and apply appropriate safeguards, we cannot guarantee the security of your data transmitted via the internet (in particular, to the extent that any network or website is not owned by us or otherwise under our control) and any transmission is at your own risk.
HOW CAN YOU MAKE A COMPLAINT ABOUT THE USE OF PERSONAL DATA?
10.1 Complaints on the use, retention and disposal of personal data can submitted via email to Kieran Moynihan at kieran@board-excellence.com
10.2 You also have the right to lodge a complaint with the Data Protection Commission.
REVIEW
11.1 This Notice will be reviewed and updated from time to time to consider changes in the law and the experience of the Notice in practice. Any and all changes will be advised to you and, if necessary, we will obtain your consent prior to applying any changes to any Personal Data collected from you prior to the date the change becomes effective. We encourage you to periodically review this Notice to stay informed about how we collect, use, and disclose Personal Data.
CONTACT INFORMATION
12.1 If you have questions about this Notice or our treatment of the information provided to us, please contact us at: