who we are
Our website address is: https://foodmatterstv.ie.
GIY Ireland CLG and GIY Ireland Activities Ltd (collectively referred to in this policy as “GIY”), support people around the world to live healthier, happier and more sustainable lives by growing some of their own food. Our mission is to educate and enable a global movement of food growers whose collective actions will help to rebuild a sustainable food system. GIY will aims to inspire people to grow, cook and eat some of their own food at home, school, work and in the community.
- are open and transparent in relation to how we collect, store and process individuals’ Personal Data,
- are compliant with the relevant data protection legislation and follow what is considered good practice in protecting the Personal Data collected, stored, and processed,
- protect the rights of our staff, volunteers, partners, visitors to our website or any other parties whose data we process, and
- implement appropriate technical and organisational measures to protect the Personal Data
we process and keep it secure.
The key definitions are set out in the Data Protection Act 2018 and the GDPR and are summarised below.
The term “Personal Data” is information related to a living individual who is or who can be identified:
- from the data, or
- from the data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller, and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.
The term “special categories of Personal Data” means Personal Data revealing:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data,
- biometric data for the purposes of uniquely identifying a natural person,
- any form of health information, and
- a natural person’s sex life or sexual orientation.
Data “processing” includes obtaining, recording or holding information and carrying out any operation on the information such as organising, altering, using, disclosing, erasing or destroying it.
A “data subject” is an individual who is the subject of Personal Data. This includes partnerships and groups of individuals, but not limited companies.
A “Data Controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.
A “Data Processor” means any person (other than an employee of GIY) who processes the data on our behalf.
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
Principles of Data Processing
Article (5)(1) of the GDPR covers the principles of data processing. We are mindful of these principles at all times, and we ensure that Personal Data is:
- processed lawfully and fairly and that we are transparent about how and why we process data (‘lawfulness, fairness and transparency’),
- only collected when there is a specific purpose to do so and that we do not further process data in a manner that is incompatible with the original purpose (‘purpose limitation’),
- adequate, relevant and limited to what is necessary for the purpose for which it was collected (‘data minimisation’),
- accurate and, where necessary, kept up to date (‘accuracy’),
- only kept for as long as it is necessary for the purpose for which it was collected (‘storage limitation’),
- kept secure at all times and is protected against any unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’),
As per Article (5)(2) of the GDPR we must also be able to demonstrate compliance with, the above listed principles and be held accountable at all times (‘accountability’).
Data Subject Rights
Individuals have certain rights regarding their Personal Data, and it is important to us that we respect these rights so that you feel in control of your data. There are certain exemptions to these rights; should you look to exercise any of these rights, we will always be clear in our communications with you and inform you if an exemption applies.
Right of access: You have the right to ask if we hold any of your Personal Data and, if we do, to receive copies of this data as well as details relating to the processing and any third parties in receipt of the data. However, we cannot give you access to a copy of your data if this would adversely affect the rights and freedoms of others.
Right of rectification: If any of the Personal Data we hold is inaccurate, you have the right to request us to correct it.
Right to be forgotten: In certain circumstances, you have the right to request that we delete your Personal Data. Examples include:
- where the data is no longer needed for the purpose for which it was originally collected,
- you have withdrawn your consent for us to use your data (where there is no other legal reason us to use it),
- there is no legal reason for us to process your data,
- deleting the data is a legal requirement.
Right of restriction: You can restrict the use of your data unless we have an overriding legitimate lawful purpose for continuing to process the data.
Right to data portability: You have the right to ask for your Personal Data to be returned to you or given to another Data Controller in a commonly used format. This right only applies to Personal Data being processed under the lawful basis of consent, or pursuant to a contract, and where the processing is automated and not manual. It does not apply where it would adversely affect the rights and freedoms of others.
Right to object: The instances where you have the right to object to the processing of your data are:
- when your objection is based on the grounds of public interest or legitimate interest including profiling based on these grounds;
- when data is used for direct marketing purposes.
Rights relating to automated decision making/profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which has significant effects on you. This right shall not apply where the processing:
- is necessary for entering into, or performance of, a contract,
- is based on your consent, or
- is authorised by law.
Right to make a complaint: You have the right to make a complaint to a relevant Supervisory Authority, in Ireland this is the Data Protection Commission (“DPC”). The contact details are:
Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
Tel: 1890 252 231
how we collect information
In order to run our business and provide our services to the public, we must process certain Personal Data. This data may be collected by various means including:
The general operation of our business: We receive and store information you provide directly to us when:
- you make inquiries about our business,
- you engage with us in connection with any service or event,
- you sign up to become a volunteer,
- you sign up to our programmes,
- you participate in a camp or programme run directly by us,
- you sign up to receive marketing information.
Provided to us by third parties: We will receive personal information from third-parties when:
- you participate in a programme with one of our partners,
- your employer takes part in one of our corporate programmes,
- you register to participate in an event,
- your school participates in one of our school programmes.
From our website, social media pages or events: We may collect any personal information through the operation of social media pages or other online platforms when:
- you visit our website, we collect certain information related to your device,
- if you engage with us through our social media platforms,
- when you attend an event where video footage is taken.
types of personal data
We require certain Personal Data in order to operate our business and run our programmes, this includes:
- Identity – Name, gender, parent/guardian details (if under 18)
- Communication & correspondence – Address, email, phone number/s
- Employment information – Place of employment (for our Corporate Programmes only)
- Financial Data – Payment information (transactions only we store do not store card details)
- Health Data – Allergies, special dietary information, state of health (related to Covid-19 prevention only for non-staff)
- Web, events & social media –
Website: your device’s IP address, referring website, what pages your device visited, date and time of visit,
Events: contact details,
Social Media: photos, videos, general personal information publicly available.
- Volunteer Data – Identity, contact details, a biography and any other criteria relevant to your volunteer application
- Employee Data – Identity, contact details, date of birth, education, qualification and training information, occupation, work history, salary details, PPSN, health data, leave details, performance, disciplinary, time-keeping, bank details and all other information that we are obliged to process under our duties as an employer.
- Other – Garda vetting details
lawfulness of processing
For all processing of Personal Data, we are required by law to identify a lawful basis on which the processing is based. These are defined in Article (6)(1) of the GDPR. Here we provide further information about the legal grounds we have for processing Personal Data:
Performance of a contract:
– to register you for events, programmes or courses run by GIY,
– to manage our programmes and events,
– to provide you with the products you have requested,
– to process payments for our products or services or to contact you regarding payments
– to send direct electronic marketing material to individuals where consent applies,
– to share images or videos of you on social media platforms or on our website (when relating to the school’s programme, this consent will be the responsibility of the school and only a confirmation of consent will be sought from the school by GIY),
– to use certain non-essential cookies on our website.
When using this lawful basis, we will ensure that the legitimate interest pursed does not infringe on your privacy rights. Our legitimate interests include:
– to carry out optional, anonymous surveys, to inform individuals of changes to events or cancelled events,
– to ensure the appropriate governance of our business,
– to handle complaints or appeals,
– to promote our products and services to other businesses,
– to liaise with community groups as part of our Community Programme,
– to liaise with schools as part of our Grow at School Programme,
– to liaise with various businesses as part of our Corporate Programme,
– for sourcing and recruiting volunteers,
– for sourcing and recruiting staff and contractors.
– to carry out Garda Vetting checks,
– to ensure the health & safety of our staff, volunteers and any individuals participating in our programmes or events,
– to report any accidents or incidents,
– to meet our insurance requirements,
– to meet our legislative and regulatory requirements,
– to maintain proper accounts,
– to fulfil our obligations as an employer,
– to meet our obligations to prevent the spread of Covid-19,
– to share relevant information with Public Health Authorities regarding Covid-19
– to meet our obligations regarding contact tracing
Vital Interests of the data subject:
– to protect the vital interests of individuals participating in events regarding any allergies or special dietary information
Article (9) of the GDPR deals with processing special categories of data.
In the context of our role as an employer, we may be obliged to process certain health data to meet legislative requirements. It may also be necessary for us to collect specific health data from individuals so as to ensure their health and safety where there are relevant medial conditions which may affect their participation in events.
Due to the Covid-19 pandemic, it may be necessary for us to process some special category data. When we do this, our lawful basis is “processing is necessary for reasons of public interest in the area of public health”. We will act upon the guidance of Public Health Authorities at all times to protect the health and safety of our staff, customers and the wider public when it is necessary to do so.
GIY as a data processor
In certain instances, we may be deemed a Data Processor rather than a Data Controller. This may arise where we are partnering with another business as part of an event or programme and where they collect the data from individuals as the Data Controller and share it with us to carry out our services or provide our products.
We will maintain the same level of security and confidentiality over the data as we apply to all the data we collect, process and store and will ensure that there are appropriate technical and organisation measures in place to protect the data.
if you do not provide data
In order to provide you with our products and services and if you wish to participate in any of our programmes, we must process certain personal information relating to you. Failing to provide certain personal information will reflect how we can interact with you and what services you can avail of.
data sharing and transfers
We do not sell any personal information, nor do we share it with unaffiliated third parties unless we are required to do so by law. Where we engage the services of Data Processors on our behalf, we ensure that this processing is done with respect for the security of Personal Data and will be protected in line with data protection law. A written contract will be in place with any Processors prior to any information being shared, this contract places specific obligations on Processors and guarantees the security of the data.
Ways in which we may share personal information include:
- with affiliated business partners in connection with a joint event of project (eg. Innocent Big Grow)
- with volunteers so as to enable them to perform their duties, all volunteers are bound by obligations of confidentiality,
- to avail of web-based hosted services (eg. Microsoft, Smart Sheet, Shopify, Google)
- when contracting suppliers (Data Processors) to carry out processing on our behalf (eg. payroll and staff management, dispatch of goods),
- to engage external IT providers so as to ensure the security of our IT systems in order to protect Personal Data (currently Radius Technologies),
- to engage the professional services of third parties, such as consultants, auditors, solicitors or any other such business advisers. Any such parties are bound by obligations of confidentiality,
- if we are collaborating with external parties in organising an event, or similar activity,
- we engage providers to administer and evaluate our website,
- with our insurers or assessors when providing or reviewing information if an incident occurs,
- in line with our Child Protection Policy, we may be obliged to share information with the HSE Children & Family Services and the Garda Síochána,
- to assist the Gardaí and other competent authorities with investigations including criminal and safeguarding investigations,
- we reserve the right to report to law enforcement any activities that we, in good faith, believe to be illegal.
In cases where we transfer your data outside the EEA (European Economic Area), we will ensure that specific safeguards are in place prior to sharing your data. Such safeguards will be in line with Article 46 GDPR and will include:
- with an organisation signed up to Binding Corporate Rules,
- with an organisation based in a country with an EU approved Adequacy Agreement, or
- where we have a set of signed Standard Contractual Clauses (SCCs) in place with an organisaiton.
We ensure the confidentiality, integrity, availability, and resilience all data of which we are a Data Controller. We are obliged to protect the data from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing and our organisational and technical security measures deliver on our commitment.
- When accessing our systems, access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their task,
- Staff are identified by a unique user ID,
- We instruct users to apply strong password (length, complexity),
- In certain cases, third parties are given access to specific systems to facilitate them providing us with their services. In such cases, access level controls are implemented. At present, this access is in place for dispatching goods order via Shopify.
All users who have access to our systems are instructed to:
- lock their devices whenever they are not in use,
- always abide by the Password Management Policy for managing and use of passwords,
- never download or use software that is not for business use,
- never copy or remove company information from any devices,
- keep sensitive or confidential information secure at all times,
- always log off completely when finishing work,
- ensure they apply the same duty of confidentiality and security of data when working
- protect the Personal Data they handle during the course of their work.
Any third parties who process Personal Data on our behalf are contractually bound to process Personal Data in line with current data protection law practices and principles thus ensuring the security of the data.
Our IT partners ensure that our systems are protected, and all information is stored securely,
- Anti-malware scans our emails for malicious links,
- All anti-virus software is kept up to date on all devices.
We have implemented a cookie management tool on our website offering you the option to select your preferences in relation to what cookies you permit us to use during your visit to our website.
We only keep your data as long as it is necessary for the purposes for which it was originally collected or to comply with legal or regulatory requirements. When determining the retention period, we take into account various criteria, such as the type of services requested by or provided to you, the nature and length of our relationship with you, mandatory retention periods provided by law and the statute of limitations.
Should you require any specific information regarding the retention of your data, please contact us directly.
privacy by design and default
Article 25 of the GDPR stresses the importance of Privacy by Design and Default. It puts an obligation on organisations to ensure that privacy is considered at all levels of the design and development of processing and this is particularly relevant to new technologies.
In any instances where we are introducing new technology for the processing of Personal Data, we will ensure that privacy is not an afterthought and will liaise with providers to address any concerns.
personal data breaches
Article 4(12) GDPR defines a ‘personal data breach’ as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
GIY may suffer a breach for a number of reasons including:
- the disclosure of confidential data to unauthorised individuals,
- improper disposal of documents,
- loss or theft of data or equipment on which data is kept,
- loss or theft of paper records,
- inappropriate access controls allowing unauthorised use of information,
- suspected or actual breach of our IT security,
- attempts to gain unauthorised access to computer systems, e.g. hacking,
- viruses or other security attacks on our IT systems or cloud storage,
- breaches of physical security,
- breach as a result of third-party breach, and
- emails containing personal or sensitive information sent in error to the wrong recipient.
In the event of a breach of personal data occurring, we will ensure that it is dealt with immediately and appropriately to minimise the impact of the breach and prevent a recurrence.
Each breach will be handled on a case-by-case basis and the level of risk to individuals caused by the breach will determine our notification. Where we deem there to be a significant risk to individuals, we will inform the Data Protection Commission within 72 hours of becoming aware of the breach. Where it is deemed necessary, individuals will also be notified without undue delay.
subject access requests
You have the right to be informed whether we hold data/information about you and to be given a description of the data together with details of the purposes for which your data is being kept.
You must make this request to us in writing (electronic or by post), and we will accede to the request within one month if it is deemed valid. In certain cases, it may be necessary for us to first verify your identity to ensure the request is legitimate.
Where a subsequent or similar request is made soon after a request has just been dealt with, it is at our discretion as to whether or not we need to comply with the second request. This will be determined on a case-by-case basis.
No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual and only where it has not been possible to redact the data to ensure that the third party is not identifiable, we must refuse to furnish the data to the applicant.
There are exemptions to the right of access and should we deem the request to fall under an exemption, the individual will be informed within the initial one month period.
data protection and COVID-19
In order to ensure that we comply with the Public Health guidelines about what organisations must do to play their part in containing the spread of Covid-19, we may be obliged to process certain special categories of data, such as health data. Other additional details may be sought including: name, address and contact details, travel information, details of close contacts and other relevant information where it is deemed necessary and proportionate to collect this data.
The collection of data in relation to managing our response to the Covid-19 pandemic, is carried out on the lawful basis of Article 9(2)(i) GDPR Section 53 of the Data Protection Act 2018 which states:
Processing is necessary for reasons of public interest in the area of public health”
Also, Recital 46 GDPR states:
Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”
We may be obliged to share this data with certain Public Health Authorities should they instruct us to do so.
Address: Grow HQ, Farronshoneen, Dunmore Road, Waterford
Tel: 051 584422