GMIT holds and processes personal data about many different types of people such as its current, past or prospective employees, applicants, students, alumni, suppliers, contractors, members of the public, etc.
The Institute processes this personal data to carry out its business and administrative functions and to comply with statutory requirements.
This personal data is subject to data protection legislation.
General Data Protection Regulation (GDPR)
Effective from 25th May 2018, the GDPR brings new and enhanced rights for individuals whose data is processed in GMIT.
Individuals are referred to as 'data subjects'.
The GDPR places obligations on GMIT and the way it handles personal data. In turn, the staff and students of the Institute have responsibilities to ensure personal data is processed fairly, lawfully and securely. This means that personal data should only be processed if we have a valid condition of processing (e.g. consent obtained from the data subject, or a contract with them, etc) and we have provided information to the individuals concerned about how and why we are processing their information (i.e. a privacy notice). There are restrictions on what we are allowed to do with personal data such as passing personal information on to third parties, transferring information outside the EU or using it for direct marketing.
Read more on GDPR (External website)
Individuals have the right to know what GMIT does with their personal data. This information is provided in privacy notices/statements.
GMIT is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
GMIT is developing a number of policies that must be adhered to in order to comply with GDPR. All data protection related policies will be available here shortly.
Data Protection Principles
- Personal data shall only be processed fairly, lawfully and in a transparent manner (Principle of Lawfulness, Fairness and Transparency);
- Personal data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes (Principle of Purpose Limitation);
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Principle of Data Minimisation);
- Personal data shall be accurate, and where necessary, kept up-to-date (Principle of Accuracy);
- Personal data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the personal data is processed (Principle of Data Storage Limitation);
- Personal data shall be processed in a secure manner, which includes having appropriate technical and organisational measures in place to prevent and / or identify unauthorised or unlawful access to, or processing of, personal data; and prevent accidental loss or destruction of, or damage to, personal data (Principles of Integrity and Confidentiality);
Organisations are responsible for, and must be able to demonstrate compliance with, these principles (Principle of Accountability).
Data Subject Rights
Data subjects have a number of rights under the GDPR:
- The right to information. Data subjects have the right to be provided with certain information about the data processing done within the Institute. GMIT provides this information in its Privacy Notices.
- The right to obtain access to personal data. Data subjects have the right to be provided with a copy of their personal data along with certain details in relation to the processing of their personal data. CLICK HERE to find out how to make an access request
- The right to rectification. Data subjects have the right to have inaccurate personal data that the Institute holds in relation to them rectified. In some circumstances, if the personal data is incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.
- The right to be forgotten (erasure). Individuals have the right to have their data erased in certain situations such as where the data is no longer required for the purpose for which it was collected, the individual withdraws consent or the information is being processed unlawfully. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would render impossible or seriously impair the achievement of the objectives of the research. Individuals can ask the controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved or the processing is unlawful.
- The right to object and restrict processing. Data subjects have the right to object to specific types of processing which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right.
- Rights in relation to automated decision making, including profiling. Data subjects have the right not to be subjected to processing which is wholly automated unless one of a number of limited exceptions applies.
- Right to data portability. Data subjects have the right to request information in a structured, commonly used and machine-readable form so that it can be sent to another data controller. This only applies to personal data that is processed by automated means (not paper records); to personal data which the data subject has provided to the controller, and only when it is being processed on the basis of consent or a contract.
These are not absolute rights and do not always apply. There continues to be a number of exemptions to these rights to ensure, for example, legal requirements can be met.
To exercise your rights, contact the Data Protection Officer directly.
Data Protection Officer
GMIT Galway Campus
Tel: +353 (0)91 742769