GDPR Privacy Statement

Introduction

Carlow Tourism was formally established in October 2001. Through its work Carlow Tourism aims to ensure that County Carlow is a welcoming and high-quality destination offering visitors a diverse range of experiences based on the county’s heritage – an opportunity for visitors to discover historic big houses, spectacular gardens and unique spiritual/ecclesiastical and historic/cultural attractions, and to easily engage in outdoor recreation, set amidst the county’s unspoilt environment, with choices to stay overnight in vibrant towns and villages.

In order to provide the most effective and targeted range of services to meet the needs of visitors, communities and businesses of County Carlow, Carlow Tourism is required to collect, process and use certain types of information about people and organisations.

Depending on the service being offered, the information sought may include ‘personal data’ as defined by the Data Protection Acts and by the General Data Protection Regulation (GDPR) and may relate to current, past and future service users, current and prospective employees, suppliers and members of the public who may engage in communications with Carlow Tourism staff. In addition staff may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory and legislative requirements. Data in this policy document means both personal data and sensitive personal data.

Carlow Tourism is committed to protecting the rights and privacy of all individuals in accordance with the EU General Data Protection Regulation (GDPR). This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us, and applies to all of your data irrespective of the medium or method by which we obtained/received your personal data. This policy should be read in conjunction with the Data Protection Act and Regulation (EU) No. 2016/679, the General Data Protection Regulation.

Definitions  

Article 4 (1) defines ‘Personal Data’

In this policy, the term ‘personal data’ means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, our possession, and includes data as described in data protection legislation.

Article 4 (2) defines ‘Processing’ as

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

What and who is a Data Controller?

A Data Controller under Article 4 (7) of the General Data Protection Regulation (EU) No. 2016/679 means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Carlow Tourism is the Data Controller.

Policy in Respect of Compliance with the Data Protection Acts:

It is the policy of Carlow Tourism to comply fully with the Data Protection Acts. It will, as a Data Control Authority, carry out all duties and functions as set out in the Acts and ensure that the gathering and holding of data is done so solely within the terms of the Acts.

Appointment and Role of a Data Protection Officer Under Article 37 (1)

In accordance with the GDPR, Carlow Tourism is not required to appoint a Data Protection Officer, as the processing of personal data is not being carried out by a public authority or body. Additionally, the core activity of Carlow Tourism does not consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale.

Why do we have a privacy policy and statement?

Carlow Tourism has created this Privacy Policy (the ‘policy’) in order to demonstrate the firm commitment of the organisation to privacy and assure you that in all your dealings with Carlow Tourism, we will ensure the security of the data you provide to us. Carlow Tourism’s commitment is that all personal data processed in the course of its work will be dealt with in compliance with the Principles relating to Processing Personal Data laid down in Article 5 (1) of the General Data Protection Regulation set out hereunder:

  • Lawfulness, Fairness and Transparency – Obtained lawfully, fairly and in a transparent manner
  • Purpose limitation – Obtained for only specified, explicit and legitimate purposes
  • Data Minimisation – Adequate, relevant and limited to what is necessary for purpose for which it was obtained
  • Accuracy – Recorded, stored accurately and securely and where necessary kept up to date
  • Storage limitation – Kept only for as long as is necessary for the purposes for which it was obtained
  • Accountability, integrity and confidentiality – Kept in a form which permits identification of the data subject
  • Processed only in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing

Rights for individuals under the GDPR:

  1. Subject access
  2. To have inaccuracies corrected
  3. To have information erased
  4. To object to direct marketing
  5. To restrict the processing of information, including automated decision making
  6. Data portability

This policy sets out how Carlow Tourism will handle and process data, deal with a data request by a data subject and manage a breach of data.

This policy was approved by the Board of Carlow Tourism on November 12th 2020 and it also refers to the websites:

www.carlowtourism.com

www.carlowgardentrail.com

and any other websites operated by Carlow Tourism, whose principal place of business is at College Street, Carlow.

1. What information do we collect?

Carlow Tourism may collect various types of personal information, which can vary depending on the nature of the activity, including:

A. Tourism queries to the offices of Carlow Tourist Information Office or Carlow Tourism: Tourism staff provide a point of contact to the public in relation to tourism queries received by e-mail/telephone/face-to-face/website and social media. Processing is necessary for the performance of a task carried out in the public interest and is required for communication purposes. The public will be asked for contact details in order to communicate with them. They do not have to provide all contact details but providing more, such as name, address, e-mail address and phone number, makes it easier to communicate. To undertake this activity Carlow Tourism will collect their name, address, e-mail address and phone number or some of the foregoing dependent on the nature of the enquiry.

It may be necessary to share contact information in order to successfully deal with the query. Otherwise it is not intended to share this personal data. However, if the query is made via the suite of websites operated by the company, the company’s website provider, Big Top Multimedia, may be able to access same. A low risk data processing agreement is in place with this company. It may also be necessary to share information amongst staff members in order to deal with the enquiry fully. Personal data is retained until the query has been dealt with and then appropriately disposed of via a shredding machine.

B. Direct marketing: contact information is collected at two points: competitions at promotional shows and events and via the website sign up form. It is used to send e-zines containing tourist information on County Carlow, and information related to Carlow Tourism members. Information usually consists of tourism news, festival and events, special offers from accommodation, restaurants and activity providers.

B1. Direct marketing via website sign-up form: The public will be asked for contact details in order to communicate with them. To undertake this activity Carlow Tourism will need their first name, surname, email address and areas of interest to determine their preferences.

B2. Direct marketing via tourism competitions: competitions are carried out at promotional shows including for example Holiday World Dublin, Bloom in the Phoenix Park, or the National Ploughing Championships. The competition entrant must give their name and contact details and winners are chosen randomly. The individual is given the choice to opt-in to receive Carlow Tourism e-zines. Processing is only ever carried out on the basis of receiving consent. If they choose to opt in and they have given their email address details, they are added to the direct marketing database. If they decide against this option or have not provided an e-mail address their entry sheet is securely shredded once the competition is over. To undertake this activity Carlow Tourism needs their first name, surname, address and e-mail address and/or telephone number. A physical address, phone number or e-mail address is required to contact the winning entrant.

C. Business purposes: Carlow Tourism will collect personal and business contact information of all members of Carlow Tourism such as name, business name, address, Eircode, phone number, job title, e-mail address, website address and social media handles in order to promote and raise awareness of the different businesses located in County Carlow. A membership application form is circulated with all membership requests. As this information relates to members of Carlow Tourism who pay an annual membership fee, an “opt-in” to obtain this information is unnecessary.

On an annual basis Carlow Tourism also contacts other providers operating in the tourism sector whose details are publicly available. These operators may or may not opt to become members of Carlow Tourism. The option to decline further communication in respect of membership fees is clearly communicated at the start of each e-mail.

D. Billing and processing payments: Carlow Tourism collects the following data necessary for processing the payment of invoices: name of company, bank account number including BIC and IBAN, billing address, e-mail address and VAT registration number.

E. Payment receipts: payment receipts are normally processed at three points:

E1. Carlow Tourist Office for payment of sale items available in Carlow Tourist Office

If a member of the public is making a payment in person using their credit/debit card details to purchase a saleable item, their credit/debit card details will be required.

E2. Carlow Tourism Office for payment of items relating to festivals and events and membership fees

If a member of the public is making a payment either in person or in absentia using their credit/debit card details in relation to attendance tickets at a festival or event, their name, for inputting into the appropriate accounting spreadsheet, and their credit/debit card details will be required.

If a member of Carlow Tourism is making a payment in person or in absentia using their credit/debit card details in relation to membership details, their name, address, Eircode, phone number, e-mail address and website address are required.

F. Images and Visual content: this is particularly relevant to the provision of images/footage and content which may promote members’ businesses but also contain images of people.

G. Website: Carlow Tourism fully respects the rights and privacy of website browsers in relation to their interactions with the company websites and endeavours to be transparent in its dealings with browsers as to what information is collected and how this information will be managed. Carlow Tourism only collects and uses individual user details where we have legitimate business reasons, and where we are legally entitled to do so.

H. Mobile devices and Social Media: Applications developed in connection with the website for mobile devices will operate and capture information as set out above. Applications developed by Carlow Tourism but deployed on other platforms such as social media channels may provide feedback to us on activity and usage specific to a user.

I. CCTV footage: Carlow Tourism operates Carlow Tourist Office which has a CCTV system owned by Carlow County Council. Please refer to the Carlow County Council Privacy Policy for further details.

The policy provides for a 28-day deletion of images, restricted access to monitors, servers and recording equipment and security to ensure images are neither deleted nor modified.

J. Footfall counter: Carlow Tourism purchased the footfall counter which is located in Duckett’s Grove Historic House and Walled Gardens, a Carlow County Council owned property, in a joint agreement with Carlow County Council. The footfall counter is GDPR compliant. Information from the footfall counter is downloaded by a staff member of Carlow County Council and/or Carlow Tourism.

K. Employee Records: Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc. See Appendix 3 for more information.

2. How does Carlow Tourism collect information from users?

Direct marketing via website sign-up form

If users wish to utilise certain services located on specific sections of the websites, they are requested to sign up. Services that currently require some form of sign up include:

  • E-mail newsletters from the website
  • Registering with the website for services including tickets for festivals and events for example

To register as a user of such services Carlow Tourism needs to collect information such as, at a minimum, an e-mail address. Further questions may in some cases be asked to gain a clearer understanding of what the user is interested in, in order to personalise the information being given.

The website sign-up form is designed as a double opt-in to ensure full transparency (a member of the public opts in to receive the company e-zine and then subsequently receives an e-mail to their e-mail address to re-confirm this decision). Members of the public can unsubscribe from the direct marketing list at any time and additionally each e-zine distributed clearly features an unsubscribe option at the end of each e-mail. Personal information can also be updated. Questions asked may vary dependent on the service being delivered. Carlow Tourism may also ask users to complete surveys that are used for research purposes, although there is no obligation to respond to them.

E-mail newsletter services are provided through MailChimp.com. MailChimp is certified to the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework and is fully compliant with EU data protection legislation and the General Data Protection Regulation (GDPR).

Website, mobile device and social media

Most browser and landing pages collect certain information automatically, for example, type and version of operating system, screen resolution, device manufacturer and model, language, internet browser type and version, and the name. Carlow Tourism uses this information, for example, to make sure that the services provided by Carlow Tourism are functioning properly, to analyse the performance of services, and to make any necessary adjustments with a view to improving services.

  • IP Addresses: IP addresses are automatically transmitted as part of any internet communication and collecting IP addresses is a common practice. Carlow Tourism collects IP addresses from visitors to the company’s website (an IP address is a number that can uniquely identify a specific computer or other network device on the internet). This allows Carlow Tourism to identify the location of users, to block disruptive use and to establish the number of visits from different countries. This data is analysed for trend and statistical reasons, such as which parts of the website users are visiting and how long they spend there.
  • Cookies: A cookie is a block of data that a web server places on a user’s PC. Typically, it is used to ease navigation through the site. However, it is also a useful means for the website to identify the user, track the user’s path through the site, and identify repeat visits to the site by the same user (or same user’s machine). Carlow Tourism collates information on the company’s website traffic that is represented in an aggregate format through cookies. Carlow Tourism uses third parties such as Google Analytics to collect user information, including through the use of cookies (flash and non-flash).
  • Web beacons: The beacon is usually a small transparent graphic, one pixel in size, which may be located on a web page or in an e-mail. The transparent pixel is normally set to load an image from a different location on the web and may pass user information to the web server, such as the IP address, the duration of the visit and browser type. Cookies and web beacons assist Carlow Tourism in improving the website and to deliver many of the functions that make the browser experience more user friendly. A list of cookies used and the purposes for which they are used are outlined in the tables below.

Cookies which are found in other companies’ internet tools are also used to enhance the company’s website. ‘Social buttons’ are also used on the website, which enable browsers to share or bookmark the web pages.

By using the website, browsers are agreeing to the use of cookies as described. The help menu on the menu bar informs how to prevent the browser from accepting new cookies, how to have the browser notify the user when they receive a new cookie and how to disable cookies altogether. Users can also disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-on settings or visiting the website of its manufacturer. For more information about cookies and managing them, including how to turn them off, users are advised to visit www.cookiecentral.com. However, because cookies allow the user to take advantage of some of Carlow Tourism’s essential website features, it is recommended that they remain turned on.

Note: If an individual is aged 18 or under, a parent/guardian’s permission must be sought before any personal information is provided to Carlow Tourism. Users without this consent are not allowed to provide the company with personal information.

Mobile devices and social media

Applications developed in connection with the website for mobile devices will operate and capture information as set out above. Applications developed by Carlow Tourism but deployed on other platforms such as social media channels may provide feedback to the company on activity and usage specific to a user.

Note: If a user is aged 18 or under, parental/guardian permission is required before any personal information is provided to Carlow Tourism. Users without this consent are not allowed to provide any personal information to Carlow Tourism.

Mobile applications developed in connection with the website for mobile devices operate and capture information as set out for browsers and devices and are also subject to this policy.

Images and Visual Content:

Carlow Tourism acts as a service provider to allow members and entities of County Carlow to promote themselves to visitors. If members of Carlow Tourism avail of this service they will be required to provide certain business information, including images. Members submit such content, in full acknowledgement that copyright of such images rests with them and that permission is being given to Carlow Tourism to use the content. Members also submit content on the basis that they can provide Carlow Tourism with evidence of the necessary waivers and permissions from persons in the images/footage so that such content can be shared with Carlow Tourism on the necessary websites.

Carlow Tourism, on occasion, takes photographs of participants at its events and festivals and endeavours to check that they are happy to feature in a photo wherever possible. However often photos are of a large group and it is not possible to check with each individual person in advance. Part of the terms of acceptance to attend festivals and events organised by the company is acceptance to be included in photographs, and by doing so giving Carlow Tourism permission to use these photos for legitimate business purposes such as evidencing the event took place, local, national or internal publicity or promoting similar events.

Where close up photographs are being taken which include individuals, a photo release form is presented and signed by the individuals and retained on file by Carlow Tourism.

3. How do we use the information we collect?

Carlow Tourism collects different types of information about users for the following purposes:

  • To personalise the way content is presented to users and to ensure that content from the company website and other sources is presented in the most effective manner for usage on computers or mobile devices
  • To assist in monitoring and improving the services offered, including those offered by the company website. As part of this process, information may be used and disclosed in aggregate format (so that no individuals are identified)
  • To carry out any legal obligations arising from a user’s interaction with the website
  • To provide users with information about the company’s services, activities or online content. Users will only receive e-zines, newsletters, updates or similar correspondence from Carlow Tourism if they have “opted-in” to receive such information i.e. on the company’s websites via “Join Our Mailing List”, on the company’s Facebook pages or via a physical form. Where such choices exist it will be made clear to you.
  • To promote and raise awareness of the different businesses located in County Carlow
  • To contact winning entrants in tourism competitions
  • To communicate with users in respect of their tourism queries
  • To communicate with event and festival attendees
  • To complete and fulfil a purchase i.e. to process a payment, complete an order or to communicate specific information in relation to festival and company events
  • Surveys are used from time to time for business purposes amongst members of Carlow Tourism, to develop an overview of members’ requirements, to track business performance, to ascertain the effectiveness of potential new marketing experiences or to determine the effectiveness of promotional and development campaigns. Surveys are also used amongst those who have already “opted in” to the e-zine listing to determine views on particular services or visitor experiences. Please note that participation is always voluntary
  • To facilitate the performance of accounting functions including accounting, auditing, billing and payments
  • To send administrative information and service notifications to members of Carlow Tourism related to services for which members have signed up i.e. to provide you with relevant information or to notify you about a particular service or activity, to advise that online content has been suspended for maintenance, or in response to a question

Where Carlow Tourism wishes to use personal information in any other way, the company will ensure to notify users first. Users will also be given the opportunity to withhold or withdraw consent for the use of personal information for purposes other than those listed in this document.

4. Meeting legal and regulatory obligations

Carlow Tourism’s main role is to support the tourism sector operating in the county and to work to promote County Carlow as a tourism destination of repute in domestic and international markets.

  • Processing personal data is recognised as being necessary in the context of the company’s objectives and is required for the performance of a task carried out in the interests of the economic, social and cultural life of Carlow residents
  • Processing data is necessary for the performance of a contract which has been entered into i.e. purchase of tickets
  • Processing is necessary for compliance with legal obligations which Carlow Tourism must adhere to under the GDPR Regulations
  • In the context of consent provided for the processing of information under [Article 6(1)(a) of the General Data Protection Regulations, 2016].
  • It is the policy of Carlow Tourism to adhere to all guidelines issued by the Office of the Data Protection Commissioner. These include guidance on such matters as CCTV, records management as well as rulings in respect of complaints made to that office
  • It is the policy of Carlow Tourism to detect, report and investigate a personal data breach in accordance with the Data Protection Act (DPA) and guidelines are issued by the Office of the Data Protection Commissioner in this regard. A data protection breach occurs where personal data or sensitive personal data is released without authority or consent. Such breaches may occur in the event of the loss of USB keys, disks, laptops, digital cameras and mobile phones, or other such electronic devices on which data is held as well as paper records containing data. A breach may also occur due to inappropriate access to such data on Carlow Tourism systems or the sending of data to the wrong individuals. In the event of a data protection breach, the breach is analysed and measures put in place to prevent a repetition of the incident. Note: a Personal Data Breach Policy and Procedures has been prepared by Carlow Tourism CLG and should be read in the context of this policy.
  • Carlow Tourism will provide support, assistance, advice and data protection awareness training to staff to ensure compliance with the GDPR

The legal basis and legitimate interest for processing personal data are included in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 Development Strategies and Data Protection Act 1988 to 2018.

5. Linked services, third-party sites and content

In some of the company’s marketing collateral which includes brochures, articles, videos, posts and blogs, Carlow Tourism may reference other websites and provide links which are outside of their control. This Privacy Statement applies only to personal data that the company collects/processes through use of the website and other Carlow Tourism services. It does not apply to any links to third-party websites and/or services, such as third-party applications, that users may encounter when using the website or services of Carlow Tourism. Carlow Tourism does not accept any responsibility or liability for other sites’ privacy notices, statements or policies. If users access other websites using the links provided, they are encouraged to familiarise themselves with the terms of usage and privacy policies applicable to any websites and/or services operated by third parties. Users are advised to carefully read specific notices before submitting any of their personal information.

6. Who is data shared with?

Personal information may be shared or disclosed to:

  • Any company or other corporate entity under the control and direction of Carlow Tourism
  • Authorised service providers and suppliers who provide services to Carlow Tourism such as website hosting, data analysis, payment processing, event organisation, information technology and related infrastructure provision, customer service, e-mail delivery, credit card processing, auditing and other similar services.

Any third parties who access your data in the course of providing services to Carlow Tourism are subject to contractual restrictions to ensure that data is protected, in compliance with data protection legislation. Carlow Tourism does not share or sell information with non-affiliated third parties for their own marketing or commercial use.

Carlow Tourism reserves the right to access and disclose personal data to comply with applicable laws and lawful government requests, to operate their systems properly and to protect both themselves and their users.

7. How long is data retained?

In order to meet legal and statutory obligations, any information provided to Carlow Tourism will be kept and stored for such period of time as is deemed necessary taking into account the purpose for which it was collected in the first instance, and Carlow Tourism’s obligations under data protection legislation.

Carlow Tourism commits to reviewing data every three years from the last date of contact or transaction to ensure that data is only kept for as long as is necessary for the purposes for which it was obtained. Additionally the following time limits are in place for specific types of information collected:

| Type of personal data collected | Time personal data is retained |
| --- | --- |
| A. Tourism queries to the offices of Carlow Tourist Information Office or Carlow Tourism | Personal data is retained until the query has been dealt with and then appropriately disposed of via a shredding machine. |
| B. Direct marketing: B1. Direct marketing via website sign-up form | Processing is only carried out on the basis of receiving consent. Individual has the choice to opt-out at any time. |
| B. Direct marketing: B2. Direct marketing via tourism competitions | Processing is only carried out on the basis of receiving consent. Individual has the choice to opt-out at any time. If email address is not provided or decide against being added to the direct marketing database, their entry sheet is securely shredded once the competition is over. |
| C. Business purposes | Annually |
| D. Billing and process payments | Data is erased after 6 years. |
| E. Payment receipts | Data is erased after 6 years. |
| F. Images and Visual content | For the duration of photographic requirement |
| G. Website | See Section 2 for details |
| H. Mobile devices and Social Media | See Section 2 for details |
| I. CCTV footage | Images are erased after 28 days |
| J. Footfall counter | |
| K. Employee Records | See Appendix 3 for details |

8. Rights of data subjects?

Each data subject has the following rights under data protection legislation:

  • the right to request access to personal data held by you
  • the right to obtain confirmation as to whether data concerning you exists
  • the right to be informed of the content and source of data and check its accuracy
  • if the data held by Carlow Tourism is found to be inaccurate you have the right to change, remove, block, or object to the use, of personal data held by Carlow Tourism
  • the right to ask Carlow Tourism to stop contacting you with direct marketing
  • the right to restrict or prevent your personal data being processed
  • the right to data portability
  • the right to erasure
  • the right to complain to the Data Protection Commissioner (DPC) if you believe Carlow Tourism has not handled personal data in accordance with the data legislation

Carlow Tourism endeavours to keep all personal data that you provide accurate and up to date. In this regard data subjects are asked to inform Carlow Tourism about any changes to such information as soon as possible.

9. Policy in respect of Subject Access request (SAR)

It is the policy of Carlow Tourism to have a central point of access for data protection requests as well as providing assistance to requesters.

If a data subject feels that their personal data has not been processed in accordance with this policy, please contact Carlow Tourism, free of charge, in writing as set out below. Carlow Tourism endeavours to respond without undue delay and no later than one month from receipt of any such request. If Carlow Tourism is unable to deal with your request within a calendar month (due to complexity or number of requests) this period may be extended by a further two calendar months and the reason for the extension request provided.

You may also wish to complete a Personal Data Request Form.

Please note that Carlow Tourism will request proof of identity and address (e.g. a copy of a driving licence or passport) to protect the security of your data. Carlow Tourism should be contacted in the first instance at the following:

Email address: info@carlowtourism.com

Or writing to:

Data Controller
Carlow Tourism
College Street, Carlow
Co. Carlow
R93 H738

If not satisfied, the data subject can complain to the Data Protection Commissioner or exercise any other rights pursuant to data protection legislation. Information about how to do this is available on the DPC website at https://www.dataprotection.ie/

10. Updates to this privacy policy

This Privacy Policy may be updated from time to time, and at least annually in November, so please check each time personal information is submitted. The date of the most recent revisions will appear on this page. If you do not agree to these changes, please do not continue to use the website or other channels to submit personal information. If material changes are made to the Privacy Policy, users will be notified by placing a prominent notice on the company website.