On the 25th May 2018, the General Data Protection Regulation (GDPR) came into effect across all EU member states. The GDPR provides one framework data protection law for Europe, representing a significant harmonisation of data protection requirements and standards across the EU.
Contracting PLUS is committed to satisfying all GDPR requirements to give our clients confidence that their data is being managed to the highest standards. This policy has been updated to reflect the requirements of GDPR and hopefully will give you clarity on how we manage the lifecycle of your data.
If you have any questions about this policy or your data, you can email us at email@example.com
Before we get into the policy, it’s important you understand some of the key terms used as they are mentioned within the policy document.
Personal Data: Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.
Processing: means performing any operation or set of operations on personal data, including:
Data Controller: A Data Controller is the person or organisation who decides the purposes for which, and the means by which, personal data is processed. The purpose of processing data involves ‘why’ the personal data is being processed and the ‘means’ of the processing involves ‘how’ the data is processed. For the purposes of this document, Contracting Plus is the Data Controller.
Data Processor: A person or organisation that processes personal data on behalf of a data controller.
Data subject: A Data subject is the individual the personal data relates to.
Model Contract: A ‘model contract’ is a general type of contract that includes specific provisions dealing with data protection, and that has been approved either by the EU Commission or by the Data Protection Commissioner. A data controller in Ireland, which wishes to transfer personal data outside of the EEA, can use the model contract as the basis for its relationship with the third-country organisation.
When we use the term “Contracting Plus” or “us” or “we” within this document, we are referring to Contracting Plus Consultants Ltd, which includes all associated branch locations. Contracting Plus is Ireland’s most trusted and experienced provider of contractor solutions. We provide peace of mind to individuals that want to manage their tax, accounting and financial needs whilst protecting and growing their wealth. Our mission is to make Professional Contracting easier by providing accessible and friendly solutions for all your personal tax service needs.
Contracting Plus has an appointed Data Protection Officer (DPO), who has the following responsibilities:
If you wish to contact Contracting Plus’s DPO, please email firstname.lastname@example.org.
Our data collection process aims to be open and transparent at all times. Contracting Plus gathers personal data via a number of mediums, such as telephone, web forms, email, apps and social media, for the following reasons:
In addition, our web sites use ‘cookie’ technology. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. They help us make the sites work better for you as well as provide Contracting Plus with analytics on how the service is being used.
Contracting PLUS’ most important concern is the protection and reliability of customer data. Contracting PLUS use a mixture of Private and Public cloud infrastructure providers to ensure customer data is secure and available at all times. All our Cloud Providers are located within the EU and adhere to the highest compliance standards, including the following certifications/regulations:
– DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3
– EU Data Protection Directive, HIPAA
All client data is regularly backed up with robust disaster recovery procedures in place.
In addition, Contracting PLUS use a number of third-party web-based systems for uses such as survey gathering, form data collection, etc., where the data gathered may reside outside of the EU jurisdiction. To comply with Data Protection Legislation, the countries must be considered as offering an adequate level of protection in accordance with Article 25 of the Data Protection Directive. In these cases, where the third-party companies reside in the US, we will ensure that the party is either registered under the EU-U.S. Privacy Shield Framework or, where this is not in place, we will work to ensure a ‘Model Contract’ is put in place with any affected supplier as soon as possible to ensure there is no dilution in your data privacy rights or obligations.
When an individual engages with Contracting PLUS we term this person an “Interested Party”. If the individual opts to use the services of Contracting PLUS they then become an “Active Contractor”. Once the individual leaves our services they then become an “In-active Contractor”.
Below is the data retention policy for each class of individual:
An “Interested Party” is a person who has pro-actively engaged with Contracting PLUS. Engagement might be a phone call or email correspondence to learn more about our services. It might also include a download from our website or registering to attend an event held (online or offline) by Contracting PLUS.
It can often take several weeks or months before it’s definitively clear that an individual does not wish to sign up with us. We will continue to keep in touch with Interested Parties until such time as they specifically opt out of further communications.
Once that happens we will purge the personal data obtained within 30 days of the data subject opting out.
For “Active Contractors” Contracting PLUS deletes permanently the following classes of information where the information in question is over seven years old post the end of the accounting year-end (end of December for Ireland, end April for the UK). This may include but would not be limited to:
For “In-active Contractors” Contracting PLUS deletes permanently all classes of information (electronic and paper) where the information in question is over seven years old post the inactivity date of the contractor. We will maintain basic contact information for the purpose of marketing. In-active Contractors can specifically opt out of further communications. Once that happens we will use an automated process to purge the personal data obtained within 30 days of opting out.
Employees – we recognise that our employees are also data subjects to whom we owe a duty of care in relation to their data. We have internal data protection policies in relation to our employees, and in general we keep data for as long as is necessitated by law. Here is a summary of our data retention:
| Source of Obligation | Retention Period |
|---|---|
| Revenue Commissioners, Collector General, Companies Acts legislative provisions | 7 years rolling retention of records |
| Personal Injuries related records | Records are retained for a period of 3 years past the date of the cause of action, unless it involves a minor, in which case the retention period will be up until 3 years after the minor reaches the age of 18. |
| Breach of Contract related records | Records are retained 6 years from the date of the breach |
| Employment contract/terms of employment related information | Duration of the employment – this includes everything from the application form, interview notes, contract related, performance appraisals, references |
| Organisation of Working Time – time sheets/holiday and public holiday records; National Minimum Wages; Protection of Employment – Temporary Agency Workers, Part Time Workers, Fixed Term Workers; Protection of Young Persons | 3 years post the termination of the employment. Records kept are sufficient to show compliance with legal obligations in accordance with the statutory provisions. |
| Parental Leave Related | 8 years – records kept show the dates when a qualifying employee availed of the parental leave and force majeure leave provisions |
| Employment Equality | All records, including interviews and applications are kept for a period of one year. |
| Health and Safety Records | All records relating to health and safety will be kept for a period of 10 years |
| Data Law Compliance | Records in relation to our compliance with Data Law and GDPR will be kept for a five year period. |
To use your information lawfully, we can rely on four of the six legal bases set out in the GDPR, and these are:
When an individual who has signalled that they were interested in our services and whom we have designated “an interested party” does not sign up to use the services provided by Contracting PLUS, we will use point 6 to continue to keep you informed of the benefits of contracting, the services offered by Contracting PLUS and other related communications. All of these communications will include a specific opt-out option.
Clients: We will utilise personal data in the form of email addresses and contact telephone numbers in order to keep our clients and potential clients informed in relation to our services and contractor market related information. We consider that this is in the legitimate interest of our business to maintain our market presence.
In balancing your data protection rights against this legitimate interest of our company, we have considered:
Contracting PLUS holds and processes information about clients and agencies for all necessary and customary business purposes, such as:
We do not ask for more information than is required in order to provide you a service and we only use that data in the provision of that service.
Contracting PLUS, as a rule, does not disclose any information on our clients or agencies to third parties, but when necessary and in the course of the provision of our service to you and/or the common directors in the company through which you operate, we may make such data available to trustworthy reputable bodies/advisors/partners/connected Contracting Plus parties and regulatory authorities such as the Revenue Commissioners and the Companies Registration Office (CRO).
All client data received is processed by Contracting PLUS and CWM Wealth Management Ltd which is the Pensions, Protection and Financial advice arm of Contracting PLUS. This data sharing is necessary to offer our contractors the best service in maximising wealth management.
If disclosure of personal data to a third party is required which exceeds the terms of the provision within the consent declaration on the Contracting PLUS registration form, consent will always be sought in such cases.
There are special circumstances under which disclosure of personal data to third parties is allowed. These are provided for under the Data Protection legislation and are:
Contracting PLUS does not transfer or share client data with third parties in International locations. However, the employees of Contracting PLUS are based in offices outside of the EEA and as part of our service employees based outside the EEA will be part of the Contracting PLUS employees processing your data in order to deliver our service.
This is all done within the normal security protocols adhered to by Contracting PLUS.
In accordance with the GDPR, you have the right as a data subject to:
Note: an individual’s right to erasure (in accordance with Article 17 GDPR) does not apply where said information is required to be retained in accordance with relevant legislation. Our policy would be that:
– we retain data for as long as statute or regulations demand; and
– we normally destroy files after seven years as per section 5.
Note: When you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your information. For any questions or queries, please email email@example.com
If you have a complaint about the use of your personal information, please contact us at firstname.lastname@example.org to allow us to quickly rectify the situation.
In the unlikely event that you do not get a response within 30 days you can complain to the DATA PROTECTION COMMISSION, Supervising Authority of Ireland.
Data Protection Commissioner
R32 AP23 Co. Laois
Telephone +353 57 8684800
Lo Call Number 1890 252 231
This policy will be reviewed regularly in light of any legislative or other relevant developments. You can always find an up-to-date copy of our policy on our web site which will hold the date of the most recent revision at http://contractingplus.com/index.php/privacy-policy
As a client of Contracting Plus you are entitled to receive a copy of your personal data held by Contracting PLUS upon written request, at no cost (for the initial request, subsequent requests will be charged).
In order to respond to your request we ask you to download the Access Request Form
If you cannot download the Access Request Form from the internet please write to us requesting a form from: Data Protection Officer, Contracting PLUS, Unit 26J, Block 6500, Cork Airport Business Park, Cork, Ireland and we shall send you a copy by return post.
Use of the “Access Request Form” is not mandatory. Completing the Access Request Form should enable us to process your request more efficiently.
We do not accept access requests via telephone or text message.
TO ACCESS WHAT PERSONAL DATA IS HELD, IDENTIFICATION WILL BE REQUIRED
We will accept the following forms of ID when information on your personal data is requested: a copy of your national ID card, driving license, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If we are dissatisfied with the quality, further information may be sought before personal data can be released.