“The CCD” (referred to as “we”, “us”, “our” or “The CCD” in this policy) in this notice primarily refers to Spencer Dock Convention Centre Dublin (No.2) DAC, the company contracted to operate The Convention Centre Dublin, and, where appropriate, to other companies in the Convention Centre Dublin group. Spencer Dock Convention Centre Dublin (No.2) DAC is registered in Ireland with registration number 419130 with its registered office at Spencer Dock, North Wall Quay, Dublin 1.
What is personal data?
Personal data is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Collection of personal data
We may collect personal information from you in the course of our business, including but not limited to, through your use of our website and / or app and other websites accessible through our website and / or app, participation in a survey or competition, when you contact us or request information from us, when you hold or attend an event at The CCD, when you engage our services or as a result of your relationship with us, or one or more of our staff, subcontractors and clients.
What information do we collect about you?
The personal information that we may collect and process includes:
Basic information, such as your name (including name, prefix or title), the company you work for, your title or position;
Contact information, such as your postal address, email address and phone number(s);
Financial information, such as payment-related information;
Technical information, such as information from your visits to our website or applications or in relation to materials and communications we send to you electronically;
Information you provide to us for the purposes of organising or while attending, speaking or participating in meetings and events at The Convention Centre Dublin;
Information you may provide to us for recruitment;
Information which may be provided in the course of you or your employer providing services to us;
Identification and background information provided by you or collected as part of our business acceptance processes;
Images capture on CCTV;
Personal information provided to us by you, your employer or by our clients or their delegates or exhibitors or generated by us in the course of providing services, which may include special categories of data, including access and dietary requirements;
Personal information for the purposes of maintaining safety in the workplace and for contact tracing purposes, in light of the Covid-19 pandemic;
Any other information relating to you which you may provide to us, including on our service desk.
How do we obtain your personal data?
We collect information from you as part of our business acceptance processes and about you and others as necessary in the course of providing our services;
We collect your personal information while monitoring our technology tools and services, including our websites and email communications sent to and from The CCD;
We collect data on our service desk, which may at times include personal data;
We collect personal information in the course of monitoring the health and safety of persons and property at The Convention Centre Dublin, through CCTV cameras throughout the building;
We gather information about you when you provide it to us, or interact with us directly, for instance when you fill out a building check in and check out form, engaging with our staff, sending us your CV, contacting us directly via letters, emails, calls and social media or registering on one of our digital platforms or applications;
We collect computer and connection information such as statistics on your page views, traffic to and from the sites, referral URL, ad data, your IP address, your browsing history and your web log information;
We may collect or receive information about you from other sources, such as keeping the contact details we already hold for you accurate and up to date using publicly available sources.
How do we use your personal data?
The CCD collects and processes personal information about you in a number of ways. We use that information:
To provide and improve our website, including auditing and monitoring its use;
To provide and improve our services to you and to our clients, including handling the personal information of others on behalf of our clients;
To provide information or services requested by you;
To organise and schedule events/services requested by you and to document information given using event management software;
To monitor customer satisfaction using event management software in order to ascertain and improve our services;
To provide purchase orders;
For the purposes of recruitment;
To promote our services, including sending updates, publications and details of events;
To manage and administer our relationship with you and our clients;
To fulfil our legal, regulatory, contractual, management and risk management obligations;
To fulfil our legal and contractual obligations under our public private partnership agreement with the Office of Public Works;
To ensure the health and safety of persons at The Convention Centre Dublin;
To ensure the safety and security of property at The Convention Centre Dublin, in particular to prevent, detect, mitigate and investigate any incidents, including but not limited to theft, fraud, security breaches or potential or actual prohibited or illegal activities;
For the purposes of maintaining health and safety within the workplace in connection with the COVID-19 pandemic and for contact tracing purposes in line with the COVID-19 Work Safely Protocol – the National Protocol for Employers and Workers.
Use of The CCD website
A number of facilities on our website invite you to provide us with personal information, such as the vacancy application facility in the ‘Careers’ section of our website and our email query facilities. The purpose of these facilities is apparent at the point that you provide your personal information and we only use that information for those purposes.
Our website uses Google Analytics, a web-based analytics tool that tracks and reports on the manner in which the website is used to help us to improve it. Google Analytics does this by placing small text files called ‘cookies’ on your device. The information that the cookies collect, such as the number of visitors to the site, the pages visited and the length of time spent on the site, is aggregated and therefore anonymous.
Marketing and other emails.
We use personal information to understand whether you open e-zines and other e-marketing materials, such as e-newsletters and e-invitations, that we may send to you.
We may also use a relationship management tool to assess the strength of the relationship between individuals in The CCD and our clients or potential clients based on the frequency of email contact between them. We use that information in order to assess, analyse and improve the services that we provide.
If you receive marketing communications from us and no longer wish to do so, you may unsubscribe at any time by emailing us here.
Provision of services
We process personal information provided to us by or on behalf of our clients for the purposes of the services we provide for them. The information may be disclosed to third parties to the extent reasonably necessary in connection with that.
We collect and process personal information about you in relation to your attendance at an event at The CCD. We will only process and use special categories of personal information, for example about your dietary or access requirements in order to cater for your needs and to meet any other legal or regulatory obligations we may have. We may share your information with our service providers involved in organising or hosting the relevant event.
We will process identification and background information as part of our business acceptance, finance, administration and marketing processes, including anti-money laundering, conflict, reputational and financial checks.
On what basis do we use your personal information?
We use the personal information we collect from you for a range of different business purposes and according to different legal bases of processing. We may use your personal information to fulfil a contract with you or your conference organiser and to provide you with our services, to comply with our legal and regulatory obligations, to protect your vital interest, or as may be required for the public good. We may also use personal data for the purposes of health and safety of persons and safety and security of property, to prevent, detect, mitigate, and investigate any incidents, including but not limited to theft, fraud, security breaches or other potentially prohibited or illegal activities. We also use your personal information to pursue our legitimate business interests, so that we can continue to keep you informed, maintain business relationships and update you on matters that continue to be of interest to you. We may also use your data for customer services to manage our relationship with you as our customer and to improve our services and enhance your experience with us. We collect sensitive personal data for the purposes of maintaining health and safety within the workplace in light of the COVID-19 pandemic. The legal basis for collecting this data is based on vital public health interests, maintaining occupational health and compliance with a legal obligation, including the Covid-19 Work Safely Protocol – the National Protocol for Employers and Workers.
How long do we keep your personal data?
Your personal information will be retained in accordance with our data retention policy. Those periods are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used, taking into account legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action, good practice and The CCD’s business purposes. We must also consider periods for which we might need to retain personal data in order to meet our legal obligations (e.g. in relation to claims) or to deal with complaints, queries and to protect our legal rights in the event of a claim being made. After it is no longer necessary for us to retain your personal information, we will dispose of it in a secure manner according to our data retention and deletion policies.
Who do we share your personal data with?
We may share your personal information with certain trusted third parties, including:
Our professional advisers and auditors;
Our insurers and underwriters and third party insurers in the case of the investigation of a potential insurance claim;
Our digital marketing agency, which has access to some of our social media platforms;
Our web designers and email marketing providers;
Printing and postal fulfilment providers;
Service providers to whom we outsource certain support services (cleaning, catering and facilities management), (e.g. our service desk) and to enable them to fulfil their contractual obligations or policies;
Subcontractors engaged in the provision of some of the services we provide to clients;
Third parties involved in hosting or organising events, meetings or seminars;
IT service providers to The CCD, some of which are hosted in the cloud;
Our web-based events management provider;
The Office of Public Works and their advisers;
Where necessary, in the case of incidents or alleged incidents involving health and safety or security of property, personal information (including CCTV footage) may also be shared with other third parties, including employers, insurers and specialist CCTV masking service providers;
Where necessary or where required by law or for other reasons set out in this policy, personal information may also be shared with regulatory authorities, courts, tribunals, government agencies and law enforcement agencies, including An Garda Siochana;
Where necessary with health authorities for contact tracing purposes in connection with Covid-19;
We may be required to disclose your information to comply with legal, contractual or regulatory requirements;
We do not sell, rent or otherwise make personal information commercially available to any third party.
How do we protect your personal data?
We use industry standard security measures to protect your information and to prevent the loss, misuse or alteration of any information in our control. As effective as modern security practices are, no physical or electronic security system is entirely secure and we cannot ensure that all of your personally identifiable information provided (i.e. via our website) will never be accessed. However, we will use industry standard security measures to ensure that such information is kept as secure as possible.
Who may we transfer your personal data to?
In order to provide our services we may need to transfer your personal information to locations outside the European Economic Area (the “EEA”). The level of information protection in countries outside the EEA may be less than that offered within the EEA. Where this is the case, we will implement reasonably appropriate measures to ensure that your personal information remains protected and secure, in accordance with applicable data protection laws. We utilise standard means under EU law to legitimise data transfers outside the EEA.
Your rights regarding your personal data
The GDPR and other applicable data protection laws provide certain rights for data subjects. You are entitled to request details of the information we hold about you and how we process it. You may also have a right to have it rectified or deleted, to restrict our processing of that information, to stop unauthorised transfers of your personal information to a third party and, in some circumstances, to have personal information relating to you transferred to another organisation. You also have the right to object where we are processing your personal information for direct marketing purposes. A right you have is the right of data portability, including the transfer to you of personal data. You may also have the right to lodge a complaint in relation to The CCD’s processing of your personal information.
Your objection (or withdrawal of any previously given consent) could mean that we are unable to perform the actions necessary to achieve the purposes set out above or that you may not be able to make use of the services and products offered by us. Please note that even after you have chosen to withdraw your consent, we may be able to continue to process your personal information to the extent required or otherwise permitted by law, in particular in connection with exercising and defending our legal rights or meeting our legal and regulatory obligations. We may also retain some information to record that you have withdrawn your consent or do not consent.
Chief Data Officer
Our Chief Data Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled.
Data Access Request
If you wish to access the information we hold about you, please contact our Chief Data Officer. For more information on how to make an access request, please see our separate document on our Access Request Policy on our website.
Update of Personal Information
We must ensure that your personal information is accurate and up to date. Therefore, please advise us of any changes to your information by emailing us.
Changes to our Privacy Statement
Purpose of this policy
This document outlines The CCD’s Access Request Policy and Procedures to help ensure that we comply with data access request made under the standards introduced by the European data protection law, known as the General Data Protection Regulation (GDPR), which came into effect under Irish law on 25 May 2018.
“The CCD” (referred to as “we”, “us”, “our” or “The CCD” in this policy) in this notice primarily refers to Spencer Dock Convention Centre Dublin (No2) DAC, the company contracted to operate the Convention Centre Dublin, and, where appropriate, to other companies in the Convention Centre Dublin group. Spencer Dock Convention Centre Dublin (No2) DAC is registered in Ireland with registration number 419130 with its registered office at Spencer Dock, North Wall Quay, Dublin 1.
An individual may make a request from The CCD as follows:
- Right to establish existence of personal data
An individual may contact us to ascertain whether personal data relating to that individual has been or is being processed by or on behalf of us and where such data has been or is being so processed, seeking all or any of the following information:
(i) A description of-
(I) The purpose of, and the legal basis for, the processing,
(II) The categories of personal data concerned,
(III) The recipients or categories of recipients to whom the personal data concerned have been disclosed, and
(IV) The period for which the personal data concerned will be retained, or where it is not possible to determine the said period at the time of the giving of the information, the criteria used to determine the said period;
(ii) Information detailing the right of the data subject to request from us the rectification or erasure of the personal data concerned;
(iii) Information detailing the right of the data subject to lodge a complaint with the Data Protection Commission (the “Commission”) and the contact details of the Commission;
(iv) A communication of the personal data concerned;
(v) Any available information as to the origin of the personal data concerned, unless the communication of that information is contrary to the public interest.
Where we hold such personal data on you, we shall respond to your request and provide the information specified above as soon as may be and subject to the section below on Access Request Requirements, not later than one month after the date on which the request is made.
- Access Request Requirements
When making a request, the individual making the request must provide us with such information as we may reasonably require to satisfy us of the identity of the individual concerned and to locate any relevant personal data or information. Where we have reasonable doubts as to the identity of the individual making a request or reasonably require additional information to locate any relevant personal data, we may request such additional information from the individual making the request as may be necessary to confirm his or her identity or to enable us to locate such personal data or information and the period of time from the making of such a request for additional information until the request is complied with shall not be counted in the one month time period.
- Extension of the Time Period for responding to a Request
Where taking into account the complexity of a request and the number of such requests received by us, we are of the opinion that we require additional time to consider the request, we may once and within one month of the date of the receipt of the request, extend the time period by such further period not exceeding two months as we may specify in writing. Such notice in writing shall include the reason for which we are of the opinion that we require additional time to consider the request.
- Making an Access Request
You may be entitled to receive a copy of your personal data held by The CCD upon request. Ideally to enable us to deal expeditiously with the request we would ask that you send the request to us at: Chief Data Officer, The Convention Centre Dublin, Spencer Dock, North Wall Quay, Dublin 1, D01 T1W6, Ireland stating that you are making an access request. Alternatively, you may make a request by email to email@example.com. This does not preclude you making a request otherwise than by in writing.
If you choose to make the request in writing, we ask (but do not require) you to:
- Download the Access Request Form;
- Please complete, sign and date the Access Request Form and be as specific as possible about the information you wish to access.
- Attach a photocopy of your proof of identity and address to the Access Request Form; and:
- Post the Access Request Form or other request to Chief Data Officer, The Convention Centre Dublin, Spencer Dock, North Wall Quay, Dublin 1, D01 T1W6, Ireland or email it to firstname.lastname@example.org
Use of the Access Request Form is not mandatory, nor does it preclude you making a request otherwise than by in writing. However, completing the Access Request Form should enable us to process your access request more efficiently.
Please note that we reserve the right not to process and release data requested where you have not provided us with such information as we may reasonably require to satisfy us of the identity of the individual making the request or to enable us to locate relevant personal data.
You do not have to pay a fee for making an access request. However, where a request is considered to be manifestly unfounded or excessive, we may charge a reasonable fee in respect of a request, having regard to the administrative cost to us of complying with the request.
- Responding to your Access Request
Once we have received your request together with your proof of identity and address, we shall respond to you within the statutory period of one month, subject to the above provisions on Extension of the Time Period for responding to a Request. If you are not satisfied with the outcome of your access request, you are entitled to make a complaint to the Data Protection Commission who may investigate the matter for you.
- Restrictions to Access Request Responses
Individuals are only entitled to access personal data about themselves. Data that consists of an expression of opinion about the data subject given in confidence or on the understanding that it would be treated in confidence may not be provided. In other circumstances where relevant exemptions apply under applicable data protection legislation, certain personal data may not be provided under an access request.
We may also refuse a request that is manifestly unfounded or excessive in nature having regard to the number of requests made by the data subject. We may also restrict, wholly or partly a right of access request where we are satisfied that restricting the exercise of a right constitutes a necessary and proportionate measure for the purposes of avoiding obstructing official or legal enquiries, investigations or procedures, avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, protecting public security, protecting national security or protecting the rights and freedoms of other persons.
If we refuse or limit access upon a request, we shall in writing notify the individual making the request as soon as practicable.
Overall responsibility for ensuring compliance with the requests made under the Data Protection Acts rests with The CCD. However, our responsibility varies, depending upon whether we are acting as either a data controller or a data processor.
- Chief Data Officer
The Chief Data Officer co-ordinates the provision of support, assistance, advice, and training throughout the company to ensure we are in a position to comply with the legislation.
This Access Request Policy will be reviewed regularly in light of any legislative or other relevant developments. Where there is any conflict between the provisions of applicable Data Protection legislation and this Policy, then, the applicable legislation shall take precedence.