ESRI Privacy Information
Under Data Protection legislation, individuals have a number of rights in relation to the personal data an organisation holds about them. The purpose of this notice is to inform you of the types of personal data the ESRI processes, how we handle it and what your rights are in relation to it.
Who we are and how to contact us?
The ESRI is a research institute that undertakes economic and social research to advance evidence-based policymaking in these areas. It is a company limited by guarantee and is registered as a charity. Its sources of income are multi-annual programmes of research funded by a number of government departments and agencies, commissioned research projects, competitive research grants and a government grant-in-aid.
Our contact details are as follows:
Economic & Social Research Institute, Whitaker Square, Sir John Rogerson’s Quay, Dublin 2
Tel: 01 863 2000
Email: admin@esri.ie
Data Protection related queries can be sent to DataProtection@esri.ie
The information below this section provides details of what your data subject rights are and how you can submit a request to the ESRI.
More specific information on the different types of data we process, what our lawful basis is, and how long we retain data for are available at the following links:
How we process personal data for research purposes
How we process the personal data of job applicants
How we process personal data for events/communications
Data protection legislation confers a number of rights for people in relation to their personal data (outlined below). The extent to which some of these rights apply may depend on the lawful basis for processing or the specific purpose. For example, the GDPR provisions in some circumstances for potential restrictions where data are processed for scientific research and statistical purposes. Where processing is carried on the basis of legal or contractual grounds, restrictions may also apply to some of these rights. Any request submitted will be considered fully and should any restrictions apply to the particular circumstances, this will be explained to the requester.
i. The right to be informed
An individual has a right to know whether an organisation processes personal information relating to them and certain additional information in relation to the processing, such as its purposes, the categories of data, the recipients of the data, and the existence of additional rights such as the rights to erasure and objection (where applicable).
ii. The right of access
Individuals have the right to access their personal data, be aware of and verify the lawful basis on which it is processed.
iii. The right to rectification
Individuals have a right to have inaccurate personal data rectified, or completed if it is incomplete.
iv. The right to erasure
Individuals have a right to have their personal data erased in certain circumstances. This right applies where personal data is processed on the basis of consent or when the personal data is no longer necessary for the purpose which it was originally collected or processed it for; it doesn’t apply where personal data is being processed or retained in order for the organisation to comply with a legal obligation.
v. The right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data in certain circumstances. When processing is restricted, an organisation may store the personal data, but not use it. This right applies where
- an individual contests the accuracy of their personal data and this is being verified
- the data has been unlawfully processed (ie in breach of the lawfulness basis on which it is processed) and the individual opposes erasure and requests restriction instead
- an organisation no longer needs the personal data but the individual needs it to be kept in order to establish, exercise or defend a legal claim
- the individual has objected to the processing of their data where it is being processed on the basis of public interest task or legitimate interests and the organisation is considering whether their legitimate grounds override those of the individual.
vi. The right to data portability
This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies where the lawful basis for processing this information is consent or for the performance of a contract, and the processing is being carried out by automated means.
vii. The right to object
An individual has the right to object to the processing of their personal data where
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
viii. Rights in relation to automated decision making and profiling
Automated decision making and profiling is defined as:
- automated individual decision-making (making a decision solely by automated means without any human involvement); and
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
An organisation can only process personal data in this way when it’s:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.
If you would like to make a Subject Access Request, or exercise any other of your data protection rights, please contact our Data Protection Officer at
Tel: +353 1 8632009
Email: DataProtection@esri.ie
Postal: Data Protection Officer, ESRI, Sir John Rogerson’s Quay, Dublin D02K138
To order to facilitate processing of your request and timely retrieval of your personal data, we ask that you provide the following details:
- Your Name
- Details of the personal data that you are requesting
- Data Subject Right you wish to exercise (where applicable) e.g., right to rectification, erasure
- Any other relevant information
- The format you request data to be provided to you (e.g. electronic, hard copy)
Identification
In order to ensure that personal data is not disclosed to the wrong person, proof of identity will be required with your data access request.
If a request is being made on your behalf by a third party such as a solicitor, authority and verification will be sought.
Data pertaining to your information only
You are entitled to your own data only. If data from additional parties to the request are required by you, it is necessary for each party to consent to the release of their personal data in writing to the Data Protection Officer. Data pertaining to individuals not party to the request will not be released to you.
Response Times
We will respond to your request without undue delay and your request will be concluded no later than 1 month from when it is received.
The timeline may be extended by up to 2 months taking into account the complexity and whether it is a repeat request.
Fees
Your data will be provided to you free of charge.
However, a reasonable fee may apply when a request is manifestly unfounded or excessive.
Right to complain to Data Protection Commissioner
If you are unhappy with the outcome of your request, you may make a complaint to the Data Protection Commission. They can be contacted through their website www.dataprotection.ie or in writing at
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Further details on your rights under Data Protection legislation are also available on their website.
Update: October 2019