Privacy Statement regarding use of Your Personal Data by the European Recycling Platform (Ireland) – Effective from 14th May 2018

Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of their personal information, in both paper and electronic format.

European Recycling Platform Ireland DAC (“we”, “us”, “our” or “ERP”) is committed to protecting the privacy and security of your personal data, which is data identifying you or from which you can be identified.

This privacy statement is a privacy statement that we must provide to you in accordance with Irish data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as such laws may be updated from time to time, (“data protection laws”).

Where we need to process your personal data in connection with our operations or services, or where we have a legal obligation to process your personal data (for example, in order to comply with our legal obligations), we will not be able to provide you with the full benefit of our operations or services if you do not provide this information to us.

This privacy statement applies to all of ERP’s participating members (each a “member”), former members and any other living individual about whom we process personal data in the course of our operations (“you” and “your”) except for those people whose personal data we receive through our waste processing of their data-containing devices. Please see Privacy for data containing devices for our privacy statement that is applicable to people whose personal data we receive through our waste processing of their data-containing devices.

ERP is a “controller”.  This means that we are responsible for deciding how we hold and use personal data about you.  It is important that you read this privacy statement so that you are aware of how and why we are using your personal data.

1. The personal data we collect and use about you

In this privacy statement when we refer to “personal data” this means any information identifying you (such as your name, address, email address, telephone number(s), and job title) or information from which you can be identified.   If you are a member (or former member), or are otherwise requesting services from us or involved in a business relationship with us, we will collect, store and use the following categories of personal data about you:

  • your personal contact details such as your name, title, address(es), telephone numbers and email addresses; and
  • your employer and your location of employment or workplace.

2. How your personal data is collected by us

We collect personal data about you directly from you, for example through the membership application form which you provide to us, through our website https://erp-recycling.org/ie/ when you contact us, or when you correspond or communicate with us (including by telephone) in connection with our business.  If you are an employee or an agent of a member, your employer may provide us with your information.

3. How we will use information about you and the basis for that use

We gather and process your personal information for a variety of reasons and rely on a number of different legal bases to use that information.  For example, we use your personal information to process membership benefits and obligations, to manage your requirements in relation to collection points, when auditing members, processing payments, to give you information about your participation in our scheme, to prevent unauthorised access to your information and to meet our legal and regulatory obligations.

We need all the categories of information in the list above (in section 1) primarily to enable us to carry out the following actions with your personal data:

Use of your personal data by ERP ERP’s Bases for Processing
To determine how best to perform our roles, and to take decisions about your membership For each of the situations listed in which your personal data is processed, one, several, or all of the following grounds justify this use of your personal data:

  • processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to your entering into our recycling scheme;
  • processing is necessary to comply with our legal obligations, including those contained in waste recycling laws; and/or
  • to pursue legitimate interests of our own or those of third parties, such as for the proper operation and administration of the scheme, provided your interests and fundamental rights do not override our legitimate interests.
To provide services to you or others, including the destruction and recycling of data-containing devices or the provision of battery boxes
To verify the personal information provided to us, to determine your eligibility to join the scheme and to continue to benefit from the scheme, and to comply with anti-money laundering, anti-terrorist financing and fraud prevention rules
To comply with applicable data protection laws, tax and regulatory reporting obligations

 

Some of these grounds for processing will overlap, and there may be several grounds which justify our use of your personal data.

4. What happens if you do not give us personal data or tell us when it changes?

It is important that the personal data we hold about you is accurate and current. You agree to notify us without delay in the event of any change in the personal data that we hold about you, to enable us to comply with our obligations, including to keep information up to date. If you fail to provide certain information when requested by us, or by our processor(s) on our behalf, we will not be able to accept you into the scheme and/or will not be able to give you the full benefit of our services.  In addition, we may be prevented from complying with our obligations to you as we require your personal data to perform our obligations, or we may be prevented from complying with our legal obligations or applicable laws.  This may also be the case if you exercise your rights to erasure or restriction of processing, or object to our processing of your personal data (as described in section 9).

You can contact us at any time using the details set out in section 11.

5. Third Party Information

Where you provide us with personal data relating to other people, you represent and warrant that you will only do so in accordance with applicable laws. You will ensure that before doing so, the individuals in question are made aware of the fact that we will hold information relating to them and that we may use it for any of the purposes set out in this privacy statement and the relevant terms and conditions, and where necessary you will obtain their consent to our use of their information.  You will provide anyone that you provide us with personal data about with a copy of this privacy statement.   We may notify those individuals that you have provided their details to us and provide them with a copy of this privacy statement (however we are under no obligation to do so).

6. Sharing your personal data

We may share your personal data with third parties, including third-party service providers.  We require third parties to respect the security of your personal data and to treat it in accordance with applicable laws, including data protection laws.

We will only ever share your personal data with third parties for your benefit as a member or in connection with our obligations to you.  We will share your personal data with third parties where required by law or where we have a legitimate interest in doing so, such as where it is necessary to the proper operation and administration of our recycling scheme and compliance with our legal obligations.

We may need to share your data with An Post for the purposes of the operation of services on www.licences.ie, for both retailers and members as part of our legal and regulatory obligations. You should refer to the terms and conditions (and privacy statements) of An Post in respect of that data sharing.

We envisage sharing the following personal data with the following entities for the following purposes:

Third Party to whom your personal data may be given Data shared by ERP Purposes for which the data is shared
Recycling operators and sub-contractors Contact details, such as names, titles, work details, telephone numbers and email addresses. To ensure that you receive the full benefit of services that we provide to you
Marketing and support service providers Contact details, such as names, titles, work details, telephone numbers and email addresses. To ensure that you receive the full benefit of services that we provide to you
Auditors Your personal contact details such as your name, title, address(es), telephone numbers and email addresses; your employer and your location of employment or workplace.

 

To carry out the year-end audit and any control or governance work we deem necessary in connection with our operations

 

Legal advisors Your personal contact details such as your name, title, address(es), telephone numbers and email addresses; your employer and your location of employment or workplace. To obtain legal advice about our rights and obligations
Regulators and other government authorities Your personal contact details such as your name, title, address(es), telephone numbers and email addresses; your employer and your location of employment or workplace. To comply with our legal obligations or other lawful requests for information

 

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  In addition, we limit access to your personal data to ERP, its agents, contractors and other third parties who have a business need to know about the information in connection with our scheme.  They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Although we cannot guarantee against any loss, misuse, unauthorised disclosure, alteration or destruction of data, we take reasonable steps to prevent this from happening.  We have put in place measures to protect the security of your personal data.

Third parties which process your personal data on our behalf are required to agree to only process your personal data on our instructions, and to treat the information as confidential and to keep it secure.  We only authorise these service providers to use your personal data for specified purposes to provide services and in accordance with our instructions, or in order to comply with applicable laws.  We disclose only the personal data about you that is necessary for the third party to perform a service for ERP, or to carry out the actions described in this privacy statement.  We have a contract in place that requires these third parties to keep your information secure and not to use it for their own purposes.

Please note however that where you are transmitting information to us or to our service provider over the internet or another telecommunications network this can never be guaranteed to be 100% secure.  For any payments which we take from you or pay to you online we will use a recognised third party online secure payment system, and we are not responsible for the security of this system.  You should contact these third parties for information about the security of these internet, telecommunications systems or payment systems if you need further information.

8. How long will we hold and use your personal data for?

We will hold some personal data about you for as long as you are a member of our scheme, or are otherwise involved in a business relationship with us.  We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for; see section 3 of this privacy statement.  Your personal data will be retained by us for any period required by law.  Some of your personal data may need to be retained because of circumstances such as a legal dispute or regulatory investigation, which would not normally be subject to retention.

In general, we will hold your personal data for a period of seven years after you (or the organisation you work for) cease being a member or otherwise stop your involvement with us, unless we are obliged to hold it for a longer period of time under applicable law or regulations, or in connection with a legal dispute or regulatory investigation.  To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We review our retention of personal data regularly, to establish whether we are still entitled to process it.  If we decide that we are not entitled to do so, we will stop processing your personal data except that we will retain your personal data in an archived form in order to be able to comply with future legal obligations.

When it is no longer necessary for us to hold your personal data, we will securely destroy it in accordance with applicable laws and regulations.

9. Your rights in connection with the personal data we hold about you

You have the right, subject to some conditions and limited exceptions contained in the data protection laws (such as those set out below), to:

  • Request access to your personal data that we hold about you. This right enables you to receive a copy of this personal data from us;
  • Request correction of the personal data that we hold about you. This right enables you to have any incomplete or inaccurate information we hold about you corrected;
  • Request erasure of your personal data. This right enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);
  • Where we hold and process your personal data in order to comply with legal obligations, such as compliance with tax requirements and exemptions, or for the establishment exercise or defence of legal claims, your right to ask us to delete or remove your personal data is limited;
  • Object to our processing your personal data where we are relying on a legitimate interest (or those of a third party) in order to justify the basis for our processing your personal data and there is something about your particular situation which makes you wish to object to processing on this ground;
  • Request that we restrict processing of your personal data. This right enables you to ask us to suspend the processing of your personal data, g., if you want us to establish its accuracy or the reason for processing it; and
  • Request the transfer of your personal data to another party where you provided that information to us.

We are not under an obligation to rectify or delete your personal information where to do so would prevent us from meeting our contractual obligations to you, or where we are required or permitted to process your personal information for legal purposes or otherwise in accordance with our legal obligations.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us by post at Chief Executive Officer, ERP Ireland, 2-4 Ely Place, Dublin 2, D02 FR58 or by email at ireland@erp-recycling.org setting out in writing your request clearly, including by specifying the personal data to which the request relates.  We recommend that you provide as much detail as possible in your when sending requests to us, and that you identify yourself clearly, so that we can deal with your query properly and efficiently.

  • What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the personal data, or to exercise any of your other rights.  We may ask you to provide us with your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), and once verified we will delete this data.  This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

  • Fees for our response to your requests

Generally you will not have to pay a fee to access, or to exercise any of your other rights in connection with, your personal data.  However, we may charge you a reasonable fee if your request for access to your data is clearly unfounded or excessive and/or we are permitted by data protection laws to do so; alternatively, we may refuse to comply with the request in such circumstances.

10. Changes to this privacy statement

This privacy statement is introduced with effect from 14th May 2018.   We reserve the right to change this privacy statement at any time (for example, to comply with changes in laws or regulations, our practices, procedures and organisational structures, requirements imposed or recommended by supervisory authorities or otherwise).  Any changes to the privacy statement will be communicated to you in writing by us where we are legally required to do so.

Changes to this privacy statement shall be applicable on the effective date set out in the updated privacy statement.  The latest version of this privacy statement will be available to view on the ERP internet site available at https://www.erp-recycling.org/ie/

If you wish to see a copy of the latest version of this privacy statement, please contact us by post at Chief Executive Officer, ERP Ireland, 2-4 Ely Place, Dublin 2, D02 FR58 or by email at ireland@erp-recycling.org

11. How to contact us

If you have any queries or complaints regarding our use of your personal data or the contents of this privacy statement you may contact us by post at Chief Executive Officer, ERP Ireland, 2-4 Ely Place, Dublin 2, D02 FR58 or by email at ireland@erp-recycling.org.

If you are still dissatisfied with how we have handled your complaint, you may contact the Data Commission’s Office and may lodge a complaint by emailing info@dataprotection.ie or writing to the following address:

Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois.

You can visit the website of the Data Protection Commission at www.dataprotection.ie for more details.