Data Protection Notice For Donors and Supporters
1 Who we are
Focus Ireland CLG is a charity which challenges homelessness in Ireland. We are driven by the fundamental belief that homelessness is wrong. We provide housing, advocacy and homeless support services and other supports to our customers to achieve our mission.
Focus Housing Association CLG is also covered by this Data Protection Statement. Focus Housing Association is an approved housing body and a registered charity.
You can find out more information on who Focus Ireland is and what we do on our website – www.focusireland.ie.
2 About this Data Protection Notice
The General Data Protection Regulation (GDPR) is an important EU regulation that sets out the rules for Data Controllers (such as Focus Ireland) to follow when they handle your personal data. The purpose of these rules is to ensure that your rights and freedoms are protected when your data is processed.
One of the many rules under GDPR is that data controllers must be transparent about how they process your data. This means we must give you certain information such as what data we collect, why we collect it, who we share it with, where it is stored and how long we keep it for.
This Data Protection Notice aims to provide you with such information and relates to the handling of personal data by Focus Ireland.
This notice covers our processing of data relating to individuals or entities that make donations to us, our “donors” and individuals or entities that support us, our “supporters” (e.g. participation in or support of fundraising activities, those on our marketing lists).
3 Our contact details
If you have any queries or concerns in relation to our processing of personal data or the contents of this Data Protection Notice, we would be happy to help. You can contact us by writing to, emailing, or phoning our head office:
Focus Ireland
9-12 High Street info@focusireland.ie
Christchurch
Dublin 8 +353 (0) 1 881 5900
D08 E1W0
Contact details for Data Protection Officer (DPO):
You can also contact our Data Protection Officer (DPO) directly using the contact details below:
Data Protection Officer (DPO) dpo@focusireland.ie
9-12 High Street
Christchurch
Dublin 8 +353 (0) 1 881 5900
D08 E1W0
4 What Personal Data do we process?
Personal data is any information which identifies you or could identify you.
The below table summarises the type of data we process, sectioned into different processing activities.
Business Activity | Personal Data Processed | Lawful Basis for Processing |
Processing Donations | · Name
· Address · Contact Details (email, phone number) · Donation amount · Card number and details (if donation was made by card, this information is not held by Focus Ireland, but is processed by our payment processor who is PCI DSS compliant) · Account number (If donation was made by bank transfer) · Employer (if donation was made by a wage deduction)
|
Legal Duty
The Charities Act 2009, Section 47 has a duty to correctly record and explain the transactions of the Charity.
If you donate to Focus Ireland via Direct Debit, we have certain legal obligations to process certain data under the SEPA Rule Book.
|
Event registration | · Name
· Address · Contact Details (email, phone number)
|
Consent:
We will seek your consent to process your data when you sign up to our events |
Direct Marketing Lists | · Name
· Email address · Postal Address |
Consent:
We will seek your consent to send you direct marketing materials |
Phone Recordings | Some of our phone calls are recorded, where phone recording is in operation you will be notified. Call recordings capture your voice and any information disclosed on the call. Call recordings will not capture card details.
|
Legitimate Interest
For training, monitoring and quality control
Legal Obligation We may set up, cancel or amend a direct debit over the phone and record the phone call as evidence of compliance with the SEPA Rulebook. We may also complete revenue tax reclaims over the phone and record the phone call for evidence of compliance with Revenue requirements. |
CCTV & Monitoring | Information gathered through the Company’s monitoring of its IT systems, building access records and CCTV recording.
We have CCTV in operational at our offices and properties. You will be notified of any CCTV recording by signs. CCTV Cameras capture images only.
|
Our Legitimate Interest
For the purpose of crime prevention and detection and Health, Safety and Welfare. |
Visitors to our offices and properties | If you visit our offices or, you may be asked to sign a visitors log which will include your name.
|
Our Legitimate Interest
Visitor logs may be used at our premises for security reasons
Health, Safety and Welfare We may also use visitor logs to protect the health, safety and welfare of all those at our premises.
|
Cookies and Tracking Technologies | If you consent to the use of cookies and other tracking technology when visiting our website, we may process information relating to your interactions with our website. For more information on the type of cookies and tracking technologies we use, please see our Cookie Notice.
|
Consent
We will seek your consent before processing your information using cookies and tracking technologies. Consent is captured on our website by means of a cookie banner and can be amended or withdrawn at any time on the website. |
Charitable Donation Scheme | The Charitable Donation Scheme allows tax relief on qualifying donations made to Focus Ireland. If an individual donates €250 or more in a year, Focus Ireland can claim a refund of tax paid on that donation.
To process this, Focus Ireland will need to process a donor’s name, postal address, phone number, email address and PPSN.
|
Our legitimate Interest in contacting you about the tax reclaim:
To maximise the funds available to Focus Ireland.
Our Legal Duty in processing your tax reclaim: Under Section 848A of the Taxes Consolidation Act (TCA) 1997 we are required to process certain information as evidence of our compliance with the Tax Reclaim program by Revenue.
|
Major Donor and Corporate Donor Research | We like to learn about your personal motivation for supporting Focus Ireland and your experiences as a supporter. This helps us to give you the information about events, campaigns and services which are most relevant and important to you.
We may carry out research, segmentation and/or analysis of the personal information that you have provided to us and add publicly available information to help us tailor our communications to you, to better understand your preferences and to continue to find the most cost-effective ways to campaign, fundraise, raise awareness, and provide our services. This information is appended to the information
Focus Ireland analyses data in a responsible way, balancing the research and analysis we undertake with the privacy of our donors and supporters.
|
Our Legitimate Interests
We have a legitimate interest to build rapport and understand our supporters. |
Communications (non-marketing) | We send you communications such as thank you letters or emails for your donation or notifications that your donations are eligible for the Charitable Donation Scheme or inviting you to events such as thank you events. | Our legitimate interest:
Thanking and appreciating our supporters |
Administrative and Operational Management | Your data may be processed to allow for the administration required for your donation or support us. This may include your name on reports, in assessments, in skills gap analysis, budget preparation, correspondence and communications and so on.
|
Our legitimate interest:
Focus Ireland needs to process this data to ensure the efficient and smooth operation of the business.
|
Charity Governance | Your data may be processed if required for the delivery of our charitable purposes, statutory and financial reporting, and other regulatory compliance purposes under legislation such as The Charities Act 2009.
|
Legal Obligation
The Charities Act 2009. |
Media / Content Creation | We may use your personal information including your photo, video, audio and experiences in our media publications for the purpose of promoting Focus Ireland and awareness raising. We will only do this with your prior consent. | Consent
We will seek your consent before using your personal data any media publications or content creation. |
Legacy Donations
/Bequests |
Your data may be processed if you are the executor or administrator of a will, which includes Focus Ireland as a beneficiary.
Your data will be processed for the purpose of distributing the donation to Focus Ireland.
|
Legal Obligation
This is in line with The Charities Act 2009, Section 47 which states Focus Ireland must correctly record and explain the transactions of the Charity and also in line with Successions Act.
|
4.1 Processing Special Categories of Personal Data
Certain data is considered “special” under the GDPR. Special category data requires greater levels of protection than other types of personal data. This is because the misuse of special category data may have worse effects on you or your rights.
Focus Ireland does not seek to process special category data in relation to our Donors or Supporters, however, this information may be inadvertently revealed to Focus Ireland, for example:
- Your Sexual Orientation may be inadvertently revealed to Focus Ireland if the gender of your partner or spouse is known e.g. you make a joint donation.
- Your Religious belief may be inadvertently revealed to Focus Ireland if you make a donation on behalf of a religious body or by use or titles that reveal religious affiliation e.g. Fr. Rev. etc.
- Your Political Opinions may be inadvertently revealed to Focus Ireland if you make a donation or otherwise support Focus Ireland via your involvement with a particular political party.
- Your health data may be processed if you sign up to one of our events and your data concerning your health is required for participation for example the Camino walk, hikes or abseiling.
We are not permitted to process special categories of data unless one of the exemptions under Article 9 of the GDPR apply. The Article 9 exemptions we may rely on include:
- Seeking your explicit consent to the processing of your data
- Within our Legitimate Interests as a not-for-profit body
- The data has been manifestly made public by you
4.2 Sources of Data
As well as collecting information from you directly, we may also obtain data from other sources such as:
4.2.1 Bought in Marketing Lists
We may obtain your data from third party companies that sell marketing lists or leads. Where this is the case, we will ensure the third-party organisation has your consent to share the data with us. We will also check the list against our own system for any preferences indicated by you and against the National Directory Database (for phone) and Electoral Register (for post).
4.2.2 Third party event organisers
Where you sign up an event organised by a third party, and choose Focus Ireland as your chosen charity, your details may be shared by the third-party event organiser with Focus Ireland for the purpose of processing your donation and support.
4.2.3 Your employer
If you choose to donate to Focus Ireland by means of a pay deduction from your wages, your employer may share your data with us for the purpose of processing the donations.
4.2.4 Publicly available information:
We may also use publicly available information from sources such as the internet, media channels or LinkedIn for the purpose of building rapport with supports such as business supporters.
4.3 Consequences of not providing us with your personal data
Where it is necessary for us to process your personal data to comply with our legal obligations, or the data is necessary for you to perform your duties under a contract, failure to provide the information may limit your relationship with Focus Ireland.
If you have any concerns over the processing of your personal data, you should speak with a member of our Donor Care Team. Where possible, we will try to facilitate your wishes not to have certain data processed. Where we cannot facilitate your request, we will outline the rationale for this along with the specific consequences.
5 Profiling and Automated Decision Making
You have the right not to be subject to a decision based solely on automated processing of data, including profiling, which would produce legal effects concerning you or significantly affect you.
Focus Ireland does not use automated decision making.
6 Data Sharing
From time to time, we may need to share your personal data outside of Focus Ireland. This section outlines our data sharing practices.
6.1 Data Processors
We use services and systems provided by third parties to help us fulfil our business needs. We often need to share personal data with these third parties. All our third-party service providers are required to take appropriate security measures to protect your personal data in line with the GDPR. We do not allow our third-party service providers to use your personal data for their own purposes unless they are deemed to be controllers in their own right. We only permit them to process your personal data for specified purposes and in accordance with our instructions. The recipient of the information will also be bound by confidentiality obligations.
We have data processors acting on our behalf for the following business processes:
- Outsourced IT Support
- File Share Provider
- Video Conferencing Platform
- Email Account Provider
- CRM system
- Payment processing system for donations made
- Direct Marketing tools
- Call Centres for donations
- Donation platforms
- Consultants
- Social Media Platforms
- Project management tools
- Finance system for processing invoices
6.2 Funders
We may share statistical or aggregated data with our corporate funders or supports to show them the impact their donation is having on supporting the charity.
6.3 Third Party Recipients
For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:
- Tax authorities (e.g., Irish Revenue Commissioners)
- Law enforcement (where required for the investigation, detection, or prosecution of criminal offences)
- Standards bodies
- Statutory bodies
- Legal representatives
- Insurers
- Financial Institutions
- Companies you have authorised a pay deduction from your wages
7 Data transfers outside of the EEA
Some of the companies we use to help us achieve our business objectives may process your data outside of the European Union (EU) or the European Economic Area (EEA) from time to time.
Countries outside of the EU/EEA may not have robust data protection regulations such as the General Data Protection Regulation (GDPR). Where this is the case, we will ensure appropriate safeguards are in place to protect your data.
- Adequacy Decision:
An adequacy decision is a formal decision made by the EU Commission which recognises that another country, provides an equivalent level of protection for personal data as the EU does. You can find a list of countries which have been granted an adequacy decision here- Adequacy decisions | European Commission (europa.eu).
We rely on an adequacy decision granted by the European Commission for transfers of data to the United Kingdom (UK).
- Standard Contractual Clauses (SCCs)
Where we use service providers that transfer data to a country outside of the EU/EEA to a country which has not been granted an adequacy decision, we will put in place additional safeguards to protection your personal data.
An example of such safeguards includes Standard Contractual Clauses (SCCs). SCCs are standard sets of contractual terms and conditions which both the sender and the receiver of the personal data sign up to and ensure that the rights and freedoms of the individual are considered and upheld. Where we are relying on SCCs, we will also carry out a Data Transfer Impact Assessment (DTIA).
Country of Transfer | Reason for Transfer | Method we use to protect your information |
UK | · Some of our outsourced call centres for donations are located in the UK.
· If you provide your data to GivePanel as part your donation to Focus Ireland on social media (such as Facebook), your data will be processed in the UK. |
Adequacy Decision |
New Zealand | · Our outsourced IT support provide a 24-hour service which is managed in New Zealand outside of the working times of the office in Ireland. Data may be accessed by the team in New Zealand (note the data itself is stored on servers in the EU) | Adequacy Decision |
USA | · If you donate to us using your card, the payment will be processed by Stripe who transfer data to their headquarters in the US.
· If you make a donation to us via PayPal, your data may be processed by their headquarters in the US. · If you use Meta Products such as Facebook and Instagram to engage with us or donate to us, your data will be transferred to their headquarters in the US. · If you attend any online events hosted by Focus Ireland on Zoom, your data may transfer data to the US. |
Standard Contractual Clauses (SCCs) accompanied with a Data Transfer Impact Assessment (DTIA)
Copy of SCCs available on request. |
8 Data Retention
We will only keep your data for as long as necessary. See below some of our retention periods. For more information or a full list of our retention periods please contact dpo@focusireland.ie or donorcare@focusireland.ie
Category | Retention |
Transactional data relating to donations | 7 years after the donation was made |
Direct Debit Mandates | Retain for minimum of 13 months from the date the mandate is no longer valid (e.g. cancelled, expired) |
CCTV | 30 days |
Email Communications | No longer than 7 years but may be deleted sooner where the employee deletes the email or leaves the organisation |
Donor information | 7 years from the date the last transaction occurred |
Legacy information | 7 years from the date of receipt of bequest |
- Transactional data including donations are retained for 7 years following the date of the donation
- Direct Debit Mandates are retained for 13 months from the date of the last payment
- CCTV is retained for 30 days
9 Your rights
You have certain rights under the General Data Protection Regulation (GDPR):
Right | Description | Reference |
The right to be informed | You have a right to receive information from us in relation to how we process your data | Article 13 & 14 of the GDPR |
The right to access information | You have a right to access a copy of your personal data that Focus Ireland processes | Article 15 of the GDPR |
The right to rectification | You have the right to have any inaccurate data about you rectified.
If you need to rectify or update the personal information we hold about you, please contact donorcare@focusireland.ie. |
Articles 16 & 19 of the GDPR |
The right to erasure | You have the right to request erasure of your personal data where it is no longer required for the purpose for which it was obtained. | Articles 17 & 19 of the GDPR |
The right of restriction | You have a limited right of restriction of processing of your personal data by a data controller. Where processing of your data is restricted, it can be stored by the data controller, but most other processing actions, such as deletion, will require your permission | Article 18 of the GDPR |
The right to data portability | In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing | Article 20 of the GDPR |
The right to object to processing of personal data | You have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks such as the legitimate interests of others.
You have a stronger right to object to processing of your personal data where the processing relates to direct marketing. |
Article 21 of the GDPR |
The right not to be included in automated decision making, including profiling | You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you. | Article 22 of the GDPR |
If you wish to exercise any of your rights, please make a request to the Data Protection Officer (DPO) by emailing dpo@focusireland.ie. Upon receiving your request, we will have one calendar month to respond, with an extension of two further months if required. If we require more time to complete your request, we will notify you of the reasons for the delay within one calendar month.
Please note that these rights are not absolute, and restrictions may apply. Where we refuse or are otherwise unable to fulfil your request, we will provide you with our reasoning for doing so.
9.1 Withdrawing Consent/Object to Processing
You have the right to withdraw consent at any time or object to our processing of your data by emailing donorcare@focusireland.ie or dpo@focusireland.ie.
If you have signed up to receive marketing communications from us, you can unsubscribe at any time from receiving future emails by clicking the ‘Unsubscribe’ link at the bottom of every email.
9.2 Right to Complain to the Data Protection Commissioner (DPC)
The Data Protection Commissioner (DPC) is the supervisory authority or regulator for data protection in Ireland. You can make a complaint to the DPC if you feel your data protection rights have been infringed or you are not satisfied with how we process your personal data.
If you have any concerns over the processing of your data, you should first try to resolve the issue by contacting your manager or our Data Protection Officer.
If you wish to complain to the DPC, you can find their contact details on Homepage | Data Protection Commission.
10 Security of your Data
The security and protection of your personal data is very important to Focus Ireland. We take measures to protect all personal data we are trusted with.
Where we hold physical or hard copy records, we ensure they are stored securely in locked cabinets or rooms. We have CCTV and alarm monitoring in operation at our premises.
We have measures to protect digital data on our IT systems and devices for example Laptops and PCs are encrypted. Multi-Factor Authentication (MFA) in use. Mobile devices are password protected or have FaceID/TouchID activated. Access control in place to restrict access on a need-to-know basis. Firewalls, Antivirus protection, Endpoint protection and Back-ups in place.
All employees receive regular training in data protection, IT and cyber security. This is also part of our employee induction training for new employees.
11 Updates to this Notice
Updates to this notice will be available here. This notice was last updated May 2024
Version Control:
Version | Effective Date | Reason for change |
1 | May 2024 | Redrafted |