Data Protection Policy
(Last Reviewed 1 July 2024)
1 Introduction and scope
The purpose of this Policy is to describe and regulate how Scott Group manages personal data in order to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) as implemented in Ireland with regard to the collection, storage, processing, transfer and disclosure of personal data.
“Personal data” means any information relating to an identified or identifiable natural person (a “data subject”). An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data includes ‘sensitive personal data’. Examples of personal data include:
- marital status and dependants
- email address
- date of birth
- passport number
- any government-issued identification numbers for insurance, social welfare, residency or taxation purposes (e.g. National Insurance (NI) number, Personal Public Service (PPS) number)
- bank account details
- mobile telephone number
‘Sensitive personal data’ includes personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life or criminal convictions.
This Policy applies to all personal data regardless of (1) the medium on which the personal data is stored (e.g. handheld devices, computer hard drives, hard copy paper files) and (2) whether the personal data relates to current or former employees, workers or other personnel, client personnel, suppliers, shareholders, website users or any other data subject located within the European Economic Area (EEA).
In addition, the protections of the GDPR apply to Scott Group’s employees and workers. Any breach of this policy or failure to comply with any requirement stated in this policy by a Scott Group employee or worker may result in disciplinary action.
The GDPR introduces widespread changes to data protection law. Organisations that breach the GDPR will face serious penalties including fines of up to 4% of global turnover or €20 million (whichever is greater).
Scott Group’s personnel should contact the Data Protection Champion by email: privacy@scottgroup.ie if they have any questions about the operation of this Policy or the GDPR and/or if they have any concerns that this policy is not being adhered to.
2 Principles relating to the processing of Personal Data
Scott Group adheres to the principles relating to the processing of personal data set out in the GDPR. “Process” or “processing” means any activity that involves the use of personal data and includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing personal data can also include transmitting or transferring personal data to third parties.
The GDPR principles provide that personal data shall be:
- obtained and processed lawfully, fairly and in a transparent manner in relation to a data subject (‘’ principle)
- collected only for specified, explicit and legitimate purposes (‘’ principle)
- adequate, relevant and limited to what is necessary in relation to the purposes for which personal data is processed (‘’ principle)
- accurate and, where necessary, kept up to date (‘’ principle)
- kept in a form which permits identification of data subjects only for as long as is necessary for the purposes for which the data is being processed (‘’ principle)
- processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘’ principle)
- not transferred to another country without appropriate safeguards being in place (‘’ principle)
- made available to data subjects, who must be allowed to exercise certain rights in relation to their data, including the ‘right to be forgotten’ (‘’ principle).
Scott Group is responsible for and must be able to demonstrate compliance with the principles listed above at all times.
3 Purposes for which personal data is collected and processed
GDPR allows processing of personal data for specific purposes, including:
- the data subject has given his or her consent
- the processing is necessary for the performance of a contract with the data subject
- to meet Scott Group’s legal compliance obligations
- to protect a data subject’s vital interests
Scott Group may collect, process and share personal data for some or all of the following purposes relating to the performance of contracts with clients, sub-consultants and/or sub-contractors, the performance of employment contracts with employees and the performance of service agreements with independent service providers to Scott Group, including, but not limited to:
- administering and maintaining personal records
- paying and reviewing salary and other remuneration and benefits
- paying independent service providers
- providing and administering benefits (including, if relevant, pension, life assurance, permanent disability insurance and medical insurance)
- undertaking performance appraisals and reviews
- undertaking career and organisational planning
- maintaining sickness and other absence records
- taking decisions as to fitness for work
- enabling Scott Group to comply in full with its obligations under health and safety legislation
- providing references and information to potential future employers where requested by a former Scott Group employee or personnel and, where necessary, to governmental, regulatory and quasi-governmental bodies for social security and taxation purposes
- providing information to potential investors in Scott Group
- transferring information concerning a data subject to a country or territory outside the EEA, should this be required for Scott Group to undertake certain client assignments or enter into secondments, joint ventures, consortia or alliances
- providing CVs to prospective clients or business partners for the purposes of undertaking client engagements or partnering/alliance arrangements
- communicating with client personnel in relation to the performance of services or potential performance of services for clients
Scott Group shall provide data subjects with privacy notices whenever it directly collects data from data subjects. Privacy notices shall comply with the transparency principle stated in the GDPR by providing data subjects with information as to how and why Scott Group will use, process, disclose, protect and retain personal data. Such privacy notices must be provided to a data subject when the personal data is first collected from a data subject.
Specific privacy notices may be required for designated Scott Group client projects and will be produced as and when required. A data privacy notice and cookie policy relating to website users and personal data of client personnel is included on the Scott Group website. For further information on preparing privacy notices, please contact either the HR or Legal Departments of Scott Group.
4 Accuracy
Scott Group shall ensure that all personal data held by it is kept up to date, is accurate and complete. Inaccurate personal data shall be corrected or deleted without delay when found to be inaccurate. Scott Group shall endeavour not to hold information which is unnecessary or excessive for its intended purpose and will take reasonable steps to destroy or amend inaccurate or out-of-date personal data.
Where the accuracy of personal data of Scott Group personnel is in question, the employee or other personnel concerned will be requested to assist Scott Group in updating the personal data.
All employees and personnel are requested to notify Scott Group in writing of a change in personal details such as changes of address, emergency contact details, marital status or any other information which the organisation holds to facilitate communication with the employee and next of kin, in an emergency and to ensure benefits etc. are correctly provided. Written notification should be provided to the local HR Department.
Where a data subject requests correction of his or her personal data, the personal data shall be corrected or completed without delay in accordance with the requirements specified in the GDPR.
5 Retention and Storage
Personal data must not be kept for longer than is necessary for the purpose for which the data was collected and/or processed. Scott Group personnel should regularly review their computers and handheld devices to ensure that personal data which is no longer necessary is deleted.
Scott Group will take all reasonable steps to destroy or erase from our systems (and procure that third parties within Scott Group’s control delete from their systems) all personal data that is no longer required.
Scott Group’s employees and personnel should not store any personal data of any data subject (e.g. CVs of third parties) collected in the course of their work for Scott Group on any local drives on their laptops or on any personal devices such as iPads or mobile phones.
Privacy notices shall notify data subjects of the period for which their data will be stored and how that period is determined.
No CVs should be stored by individuals within Scott Group. Where a CV belongs to current Scott Group personnel, the CV should be stored solely by HR on the HR.net application. Where a CV is provided by an individual who does not yet work with Scott Group and the CV is deemed to be current (dated within the past year), the CV should be stored and retained solely by Scott Group Recruitment, who shall store CVs in a central database in accordance with a relevant recruitment privacy notice.
6 Rights of Data Subjects
Scott Group recognises that data subjects have various individual rights under GDPR with respect to their personal data, including:
- withdrawing consent to processing of their personal data at any time
- receiving certain information about Scott Group’s processing activities
- requesting access to any personal data held by Scott Group (see Section 7 (Data Subject Requests) below)
- preventing Scott Group’s use of their personal data for direct marketing purposes
- asking Scott Group to erase personal data if it is no longer necessary in relation to the purpose/s for which it was collected or processed (known as the ‘’) or to rectify inaccurate or incomplete data
- restricting processing of personal data to specific purposes only
- challenging the basis of processing which has been justified on the basis of Scott Group’s legitimate interests or in the public interest
- requesting a copy of any agreement under which personal data is transferred outside of the EEA
- objecting to decisions based solely on automated processing, including profiling
- preventing processing that is likely to cause damage or distress to a data subject or anyone else
- being notified of a personal data breach which is likely to result in a high risk to the data subject’s rights and freedoms (see Section 10 (Data Breach Notification) below)
- making a complaint to a supervisory authority, such as:
  - the Data Protection Commissioner (Ireland); or
  - the Information Commissioner’s Office (UK); or
  -
- asking for personal data to be transferred to a third party in a structured, commonly used and machine-readable format (i.e. ‘)
7 Data Subject Requests
The GDPR imposes various obligations on Scott Group when responding to data subject requests. These include that Scott Group must:
- respond within one (1) month of receiving a request unless it extends the response time
- inform the data subject within one (1) month of receiving the request if Scott Group needs to extend the response time (by no more than two (2) additional months), along with providing an explanation for the delay
- inform the data subject without delay and no later than one (1) month after receiving the request if Scott Group is not taking action in response to a request, including the reasons why, and inform the data subject that it has a right to make a complaint to a supervisory authority or seek a judicial remedy
- respond to the request via electronic means, if possible, where the data subject makes the request to Scott Group electronically, unless the data subject requests a response in another format
- respond to data subject access requests free of charge unless the requests are deemed to be ‘excessive’ or ‘manifestly unfounded’. In the latter case, Scott Group may (1) seek to charge a reasonable fee considering the administrative cost of either providing the requested information or taking the action requested by the data subject OR (2) refuse to act on the request
Scott Group personnel should contact the HR Department upon receiving any type of data subject request and further refer to the procedure set out at Appendix 1 (Procedure for Data Subject Requests). All data subject requests received by Scott Group should be recorded in a Data Subject Request log.
7.1 Access requests
Data subjects have the right to obtain confirmation from Scott Group that it is processing their personal data, the right to have Scott Group provide information about the processing and the right to access their personal data, including being provided with a copy of any personal data held by Scott Group within 1 month of making a request to Scott Group.
7.2 Correction requests
Scott Group must correct or complete inaccurate or incomplete personal data without undue delay.
7.3 Erasure (right to be forgotten) requests
Scott Group must erase/delete personal data without delay unless an exception applies (as set out in the GDPR) that permits Scott Group’s continued processing. NOTE: the time or expense involved in deleting personal data is not likely to be a legitimate ground of exception.
Where Scott Group has made the personal data public, Scott Group must take reasonable steps or technical measures to inform other data controllers processing that personal data about the erasure request received.
7.4 Restriction requests
Where personal data is subject to a processing restriction, Scott Group may only store it; any other processing of restricted data requires the consent of the data subject, or must be for the establishment, exercise or defence of legal claims or to protect the rights of another individual or entity.
7.5 Objection requests
Scott Group is required to cease processing personal data for certain purposes when the data subject objects under certain grounds set out in the GDPR (e.g. where the data subject is a child).
8 Transfer of Personal Data to Third Parties
Scott Group may from time to time transfer personal data to third parties, such as our clients or pension administrators, for business purposes (such as the storing of personal data on cloud-based back-up storage) and pursuing the legitimate interests of Scott Group or the legitimate interests of the data subject. An example of this would be where CVs of Scott Group personnel are included in a tender to a client, for the purpose of demonstrating the experience and qualifications of the relevant Scott Group personnel.
In all such cases, either express consent will be obtained from a data subject prior to the transfer of such personal data or Scott Group will otherwise rely upon one of the grounds for processing of personal data set out in the GDPR (including the performance of a contract between Scott Group and the data subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent and, in some limited cases, for Scott Group’s legitimate interest), and which grounds shall be further described in a relevant privacy notice.
Scott Group shall only transfer personal data to third parties where it has a written confidentiality or non-disclosure agreement or written contract in place which ensures that the third party is obliged to only process personal data shared by Scott Group in accordance with the GDPR.
The type of personal data of Scott Group personnel which may be required to be transferred by Scott Group to third parties, such as a client, includes:
-
- Scott Group email address
- mobile telephone number
-
- indicative remuneration – typically a banded remuneration rate for a category of worker
- education and career experience relevant to a proposal or project
In cases where an individual who is required to work out of the office on a client assignment/site has a medical condition (e.g. diabetes or epilepsy etc.), Scott Group will obtain permission from a data subject to provide such medical information to an agreed third party on a confidential basis for health and safety reasons, such as the provision of appropriate assistance in a medical emergency.
9 Transfer of Personal Data outside of the EEA
The GDPR restricts personal data transfers to countries outside the EEA to ensure that the level of data protection afforded to individuals by the GDPR is not undermined.
Personal data is transferred to another country when data originating in one country is sent across borders so that such data is received, viewed, accessed or otherwise processed in a different country. An example of where this may arise is where the Dublin office of Scott Group emails a CV to a Scott Group office located outside of the EEA (e.g. the Boston or Shanghai offices).
Scott Group shall only transfer personal data outside the EEA if one of the following conditions applies:
- the European Commission has issued a decision confirming that the country to which Scott Group transfers personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
- appropriate safeguards are in place such as binding corporate rules (BCR) or standard contractual clauses approved by the European Commission;
- a data subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or
- the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between Scott Group and the data subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent and, in some limited cases, for Scott Group’s legitimate interest.
All Scott Group personnel must comply with this policy with respect to cross-border data transfers to non-EEA countries.
10 Data Breach Notification
A data security breach may include:
- loss or theft of data or equipment on which data is stored;
- inappropriate access controls allowing unauthorised use;
- equipment failure;
- human error;
- unforeseen circumstances such as a fire or flood;
- hacking or cyber-attack;
- ‘blagging’ offences where personal data may be obtained by deceiving a data controller or data processor.
The GDPR requires Scott Group to notify any data breach within 72 hours to the applicable national supervisory authority (in most cases, the Irish Data Protection Commissioner) where the unauthorised release of personal data is likely to infringe on the rights and freedoms (i.e. privacy) of natural persons (i.e. data subjects), and, where a breach of personal data is likely to result in a high risk to the rights and freedoms of data subjects, those data subjects must also be notified.
Scott Group has put in place procedures to deal with any suspected personal data breach and will notify data subjects or any applicable regulator where Scott Group is legally required to do so.
If Scott Group personnel know or suspect that a personal data breach has occurred, they should not attempt to investigate the matter themselves.
Scott Group personnel should immediately contact the Scott Group Data Protection Champion at privacy@scottgroup.ie, who is designated as the key point of contact for data breaches, and should preserve all evidence relating to the potential personal data breach.
11 Sensitive Personal Data
Scott Group personnel should note that processing of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited by the GDPR unless certain limited exceptions arise.
12 Record Keeping
The GDPR requires Scott Group to keep full and accurate records of all data processing activities undertaken by Scott Group including records of data subject consents.
Records of data processing activities shall be maintained in written or electronic form by the Scott Group Data Protection Champion substantially in the form of the inventory set out at Appendix 2 (Record of Processing Activities) and shall include the following minimum details:
- name and contact details of the nominated Scott Group representatives with responsibility for data protection compliance;
- clear descriptions of personal data types;
- data subject types;
- description of processing activities;
- description of processing purposes;
- any third party recipients of personal data;
- personal data storage locations;
- personal data transfers;
- personal data retention periods.
Appendix 1 – Procedure for Data Subject Requests
Initial Steps for Responding to all Data Subject Requests
Upon receipt by Scott Group of any request from a data subject, the person who has received such request should immediately contact the HR Department. Upon receiving a data subject request, a member of the HR Department will appoint an appropriate person to oversee the handling of the request.
The person nominated by the HR Department to handle the request should then:
-
- confirm receipt of the request by responding to the data subject in writing;
- verify the identity of the person making the request using reasonable means. Where the data subject is a former employee, identifying information might include asking for a date of birth, address and the dates during which the data subject worked for Scott Group. If the data subject provides insufficient information to confirm his/her identity, Scott Group may (but is not required to) request more information (Articles 12(2) and 12(6) GDPR). Do not proceed without confirming the identity of the data subject where reasonable doubt exists as to the identity of the data subject;
- confirm that the request provides enough information to locate the personal data relating to the data subject and his or her request. If the data subject provides insufficient information to locate the personal data, request more information;
-
- refuse to respond to the request when:
  • Scott Group cannot verify the identity of the data subject (Article 12(2) GDPR); or
  • local law contains an exemption permitting Scott Group to refuse to respond.
- locate the relevant personal data ()
- for any third-party personal data collected in response to the request:
  - consider seeking the third party's consent to disclose the data; or
  - redact the third party's personal data from the information gathered in response to the request.
- respond in writing or electronically when the data subject makes an electronic request, unless the data subject requests the response in another format (Article 12(3) GDPR). Only respond orally to the data subject when the data subject has requested this and the data subject’s identity has been verified;
-
  - needs additional time to respond (Article 12(3) GDPR); or
  - will not take the requested action (Article 12(4) GDPR).
- when responding to and complying with an access request, ensure that the personal data provided to the data subject is within the scope of the original request made or otherwise as agreed with the data subject, that the personal data is provided in a secure manner and, where possible, request an acknowledgement of safe receipt of the personal data by the data subject for Scott Group records.
- if Scott Group cannot provide the response to the data subject within one month of receipt of a request, and after taking into account the complexity and volume of requests, Scott Group should inform the data subject within one month of receipt of the request of the fact that it shall avail of an additional two month period in which to respond and provide to the data subject reasons for the delay (Article 12(3) GDPR).
-
  - the reasons why it will not take action; and
  - the data subject's right to make a complaint with a supervisory authority or seek a judicial remedy (Article 12(4) GDPR).
- respond free of charge unless the request is:
  - unfounded; or
  -
- for unfounded or excessive requests Scott Group must demonstrate the unfounded or excessive nature of the request and may either:
  - charge a reasonable fee (taking into consideration the administrative costs of providing the information or taking the requested action); or
  - refuse to act on the request (Article 12(6) GDPR).
- take any additional steps required for each specific type of data subject request ()
- where relevant, notify third parties processing the data subject's personal data about any correction, rectification, or restriction requests (Articles 17(2) and 19 GDPR).
- follow all procedures for documenting and tracking responses to data subject requests, including any responses provided orally (
Locate Relevant Personal Data
To locate the personal data relevant to a data subject request, Scott Group should:
- keep in mind that Scott Group may store personal data in several places;
-
- check with all departments that might reasonably be considered to hold personal data relevant to the request and check with third party service providers who act as data processors on behalf of Scott Group and with whom Scott Group may have shared personal data for business purposes, e.g. Bond Adapt, Willis Towers Watson;
- collect the personal data about the data subject from all relevant sources such as:
  -
  -
  - automated systems such as door entry or key card access systems;
  - word processing systems;
  - computer hard drives;
  - hard copy files;
  - voice recordings;
  -
  - monitoring records and CCTV images;
  - internet logs;
  - telephone records;
  - back-up files, in cases where the personal data is capable of retrieval; and
  - third-party data processors' systems.
- review the files and the documents collected and identify whether the information gathered is personal data relevant to the request. Where in doubt as to how to respond to a data subject request, contact Scott Group Legal for further advice.
Data Subject Request log: Track Requests and Responses
- record requests received and track responses in the Data Subject Request log, including the following minimum information:
  - the date when Scott Group received the request;
  - confirmation of requestor's identity;
  - how the data subject made the request (for example, phone, postal mail or electronic mail, or through a website);
  - the type of request, i.e. access request or erasure request etc.;
  - how Scott Group determined whether and how to respond to the request;
  - a mechanism to categorize and filter requests by status, for example, new, in progress, and completed;
  - who received and responded to the request;
  - the response provided to the request; and
  - any correspondence with the data subject.
Additional Steps for Specific Types of Data Subject Requests
For each type of data subject request below, Scott Group must take the following actions in addition to the steps that apply generally to all types of data subject requests (see below for further details).
Requests to Provide Information
When responding to a personal data access request from a data subject, Scott Group must:
- confirm to the data subject whether it processes the data subject's personal data;
- provide certain information to the data subject about the data processing including:
  - purposes of data processing;
  - categories of personal data processed;
  - recipients or categories of recipients who receive personal data from Scott Group;
  -
  - information on the personal data's source if Scott Group does not collect it directly from the data subject;
  - whether Scott Group transfers personal data outside of the jurisdiction to a country that does not provide an adequate level of data protection, and if so, the safeguards used to secure the transfer; and
  - whether Scott Group uses automated decision-making, including profiling, the auto-decision logic used, and the consequences of this processing for the data subject.
- notify the data subject of their rights to:
  - request correction or erasure of their personal data;
  - restrict or object to certain types of personal data processing; and
  - make a complaint with the local data protection authority (such as the Irish Data Protection Commissioner).
- provide one copy of the personal data processed:
  - in a commonly used electronic form when the data subject makes the request electronically; or
  - in another form if requested by the data subject (Article 15 GDPR).
Requests to Correct or Complete Personal Data
When responding to a personal data correction request, Scott Group must:
- correct or complete inaccurate or incomplete personal data without undue delay (Article 16 GDPR).
- consider whether to restrict processing the affected personal data while Scott Group reviews the correction request and makes the corrections ().
- communicate the correction request to each recipient of the personal data, unless this is impossible or requires disproportionate effort (Article 19 GDPR).
- inform the data subject about the recipients of the personal data if the data subject requests it (Article 19 GDPR).
Requests to Erase Personal Data Unless Continued Retention is Necessary for Certain Purposes
The GDPR grants data subjects the right to request the erasure of the personal data that Scott Group holds about them, also known as ‘the right to be forgotten’, under certain circumstances.
When responding to a personal data erasure request, Scott Group must:
- erase the personal data, unless continued retention is necessary for:
  - exercising the right of freedom of expression and information;
  - complying with a legal obligation under EU or member state law;
  - the performance of a task carried out in the public interest;
  - exercising official authority vested in Scott Group;
  - public health reasons consistent with the exceptions for processing sensitive personal data such as health information, as outlined in GDPR Articles 9(2)(h) and (i) and 9(3);
  - archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; or
  - the establishment, exercise, or defence of legal claims (Article 17(3) GDPR).
If Scott Group made the personal data public, it should take reasonable steps, including technical measures, to inform other data controllers processing that personal data that the data subject requested erasure of any links to, or copy or replication of, the personal data by those data controllers (Article 17(2) GDPR):
- communicate the erasure request to each recipient of the personal data, unless this is impossible or requires disproportionate effort (Article 19 GDPR).
- inform the data subject about the recipients of the personal data if the data subject requests it (Article 19 GDPR).
Review and Honour Processing Restriction Requests
The GDPR grants data subjects the right to restrict the processing of their personal data under certain circumstances, which may require Scott Group to stop or limit processing the affected personal data.
When a data subject makes a processing restriction request, Scott Group should verify the basis of the request. For example, the data subject may base a processing restriction request on:
- the inaccuracy of the personal data;
- the unlawful processing of the personal data;
-
-
For requests based on inaccuracy, Scott Group should stop the data processing for a period of time enabling Scott Group to verify the accuracy of the personal data.
For requests based on unlawful processing, Scott Group should stop processing personal data for any purpose other than those notified to the data subject at the time of collection.
For requests based on Scott Group no longer needing the personal data for the intended purposes of processing, Scott Group should:
- stop processing personal data; and
-
If the data subject objects to processing carried out in the public interest or that is necessary for Scott Group or a third party to pursue its legitimate interests, Scott Group should:
- stop processing personal data for these purposes; and
- verify whether Scott Group's or the third party's legitimate interests override the data subject's interests.
Consider methods to restrict processing, for example:
- temporarily move affected personal data to another processing system;
- make the affected personal data unavailable to users;
- temporarily remove published data from a website; and
-
Only process personal data that is subject to a processing restriction:
• with data subject consent;
• for the establishment, exercise, or defence of legal claims; or
• to protect the rights of another individual or entity (Article 18(2) GDPR).
Communicate the processing restriction to each recipient of the personal data, unless this is impossible or requires disproportionate effort (Article 19 GDPR).
Inform the data subject before lifting any processing restrictions (Article 18(3) GDPR).
Inform the data subject about the recipients of the personal data if the data subject requests it (Article 19 GDPR).
Stop Processing Personal Data
The GDPR grants data subjects the right to object to the processing of their personal data under certain circumstances. Scott Group must stop processing personal data as soon as possible after receipt of an objection from a data subject:
-
-
-
-
- needs to process the personal data to establish, exercise, or defend legal claims (Article 21(1) GDPR).
Determine Whether the Data Portability Right Applies
The GDPR grants data subjects the right, in certain circumstances, to receive a copy of their personal data from Scott Group in a commonly used and machine-readable format, or to transmit, or have their personal data transmitted, to another data controller where technically possible.
Upon receipt of a data portability request, Scott Group should review the request and determine whether the data sought qualifies for the portability right (consult with the Legal Department for further advice).
As a general rule, Scott Group should only honour data portability requests when all of the following apply:
-
-
- the data subject provided the personal data to Scott Group, or Scott Group generated the personal data from the data subject's activities using the service or device, for example, search history;
- the data sought does not include personal data that Scott Group generated as part of data processing, for example, data derived in the process of profiling from personal data provided by the data subject;
- Scott Group processes the personal data automatically; and
- Scott Group bases the processing on data subject consent or necessity to perform a contract between Scott Group and the data subject (Article 20 GDPR).
Transmit the Personal Data Covered by the Data Portability Right
• provide the personal data to the data subject in a commonly used and machine-readable format that allows the data subject to reuse their personal data (Article 20(1) GDPR).
• comply with a data subject's request to transmit the personal data to a third party data controller where technically feasible (Article 20(2) GDPR).
• redact third parties' personal data from the data provided in the response, or seek third-party consent to disclose the personal data.
• consider ways to automate data portability requests or implement self-help procedures for authenticated system users.
Appendix 2 – Template Record of Processing Activities for Scott Group as Data Controller
This Record of Processing Activities (Record) describes how Scott Group [and its subsidiaries and affiliates] [[processes/process] personal data. It shall be maintained and held by the Scott Group Data Protection Champion.
Scott Group recognizes that Article 30 of the EU General Data Protection Regulation (GDPR) imposes documentation requirements on controllers and processors of data. This Record is company confidential information but Scott Group will provide it to the appropriate supervisory authority on request as required by Article 30.
Data Controller Details:
Name: SH Integration T/A Scott Group
Address: Unit 19, Building 5, Port Tunnel Business Park, Clonshaugh, D17 EE02
Telephone Number: [+353 1 2452451
Website: www.scottgroup.ie
[Joint controller: James Preston
Representative: Stephen Higgins
Data Protection Champion: James Preston
Categories of Data Subjects
Scott Group collects personal data from the following categories of data subjects:
- [[Scott Group] clients.
- Scott Group vendors or suppliers.
- Scott Group employees, independent service providers (ISPs) and job applicants.]
Categories of Personal Data
[Scott Group collects the following categories of personal data about clients:]
- Personal details including name and contact information.
- Family and lifestyle details.
- Device details.
- User activity details and user preferences.
- Browser history details.
- Location details.
- Electronic identification data including IP address and information collected through cookies.
- Financial details.
- Expense receipts, which may include credit card information and payment details.
- Contractual details including the goods and services provided.
- Special categories of personal data including biometric data.]
Scott Group collects the following categories of personal data about employees and job applicants:
- Personal details including name and contact information.
- Date of birth.
-
- Marital status.
- Beneficiary and emergency contact information.
- Government identification numbers.
- Education and training details.
- Bank account details and payroll information.
- Wage and benefit information.
- Performance information.
- Employment details.]
[Scott Group collects the following categories of personal data about vendors or suppliers:]
- Name and contact information.
- Financial and payment details.
Purposes of Data Processing
[Scott Group collects and processes personal data about [customers/consumers] for the following purposes:
- Maintaining and enhancing Scott Group’s products and services.
- Providing products and services and customer management.
- Account management.
- Direct marketing.
- Supporting network and system security.
-
- Detecting and preventing fraud.
- Complying with legal obligations.
- Conducting web analytics.]
[Scott Group collects and processes personal data about employees and job applicants for the following purposes:
- Recruitment and selection of employees.
- Personnel management.
- Workplace monitoring.
- Human resources administration including payroll and benefits.
- Complying with legal obligations.
- Education, training, and development activities.]
[Scott Group collects and processes personal data about vendors or suppliers for the following purposes:
- To obtain products and services.
- Vendor administration, order management, and accounts payable.
- Evaluating potential suppliers.
Categories of Personal Data Recipients
Scott Group discloses personal data to the following categories of recipients[, some of which [may be located in third countries] [or] [may be international organizations as defined in Article 4(26) of the GDPR]]:
- [[Scott Group’s] parent company, subsidiaries, and affiliated entities, including branches.
- Business partners.
- Auditors and professional advisors, such as lawyers and consultants.
- Federal, state, and local law enforcement officials.
- Third-party service providers, such as providers of:
  - IT system management;
  - information security;
  - human resources management;
  - payroll administration; or
  - retirement/pension plan administration.]
Scott Group does not transfer personal data to the following [third countries] [and] [international organizations]:
-
- [[INTERNATIONAL ORGANIZATION].]]
[Scott Group makes limited personal data transfers subject to the second subparagraph of Article 49(1) which are necessary for Scott Group’s compelling legitimate interests. Scott Group provides appropriate safeguards for these limited personal data transfers through [contractual clauses/[OTHER MECHANISM]].]
Personal Data Retention Periods
Except as otherwise permitted or required by applicable law or regulation, Scott Group only retains personal data for as long as necessary to fulfil the purposes for which Scott Group collected it, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, Scott Group considers the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for processing the personal data, whether Scott Group can fulfil the purposes of processing by other means, and any applicable legal requirements.
Scott Group typically retains personal data for the periods set out below, subject to any exceptional circumstances or to comply with laws or regulations that require a specific retention period:
- [Information about clients:
  - personal details including name and contact information: [NUMBER] years;
  - family and lifestyle details: [NUMBER] years;
  - device details: [NUMBER] years;
  - user activity details and user preferences: [NUMBER] years;
  - browser history details: [NUMBER] years;
  - location details: [NUMBER] years;
  - electronic identification data including IP address and information collected through cookies: [NUMBER] years;
  - contractual details including the goods and services provided: [NUMBER] years.]
- [Information about employees and job applicants:
  - personal details including name and contact information: [NUMBER] years;
  - date of birth: [NUMBER] years;
  - gender: [NUMBER] years;
  - marital status: [NUMBER] years;
  - beneficiary and emergency contact information: [NUMBER] years;
  - government identification numbers: [NUMBER] years;
  - education and training details: [NUMBER] years;
  - bank account details and payroll information: [NUMBER] years;
  - wage and benefit information: [NUMBER] years;
  - performance information: [NUMBER] years;
  - employment details: [NUMBER] years;
  - special categories of personal data, including information that relates to an employee’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetics or health, and sex life or sexual orientation: [NUMBER] years.]
- [Information about vendors or suppliers:
  - name and contact information: [NUMBER] years;
  - financial and payment details: [NUMBER] years.]
[Technical and Organizational Security Measures
Scott Group has implemented the following technical and organizational security measures to protect personal data:
- [Pseudonymisation of personal data.
- Encryption of personal data.
- Segregation of personal data from other networks.
- Access control and user authentication.
- Employee training on information security.
- Written information security policies and procedures.]]
Changes to this Record of Processing Activities
Scott Group reserves the right to amend this Record of Processing Activities from time to time consistent with the GDPR and other applicable data protection requirements.
Effective Date: 1st July 2024
Last modified: 1st July 2024