Grants Data Protection Notice
Data protection is a fundamental right. As set out in Article 8 of the EU Charter of Fundamental Rights:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
The General Data Protection Regulation (GDPR) is designed to give individuals more control over their personal data. Enterprise Ireland became subject to the GDPR on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
The purpose of this notice is to inform grant applicants of what personal data Enterprise Ireland holds in relation to them, and, as may be appropriate, their employees, and related persons, and how Enterprise Ireland uses that personal data as controller.
PERSONAL DATA PROTECTION NOTICE relating to Enterprise Ireland’s Grant Administration Process
Enterprise Ireland (‘we’, ‘our’, ‘us’) takes data privacy seriously. In order to perform our public functions and to provide our services, we collect and process a certain amount of personal data. This Data Protection Notice relates to personal data collected by us in respect to the grant administration process and is intended to ensure that data subjects (who may be connected to client companies and third level institutions, or be entrepreneurs applying for grant funding) are aware of what personal data we hold in relation to them, and how we use that personal data as controller.
Please read the following carefully to understand our use of personal data.
1. What is Personal Data?
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Enterprise Ireland holds personal data received from a number of sources in connection with the performance of our public functions and the delivery of our various services to our clients. In some instances, personal data is provided directly to us by the data subject concerned (e.g. a business owner or sole trader). We may also receive personal data about a data subject indirectly. For example, an employer may provide employee personal data in connection with the grant or a representative of a number of data subjects may provide personal data in relation to one or more data subjects. By describing our activities below, we are able to identify where we may hold some or all of the following types of personal data:
Types of personal data collected
Date of birth
Photos / video
Directorships and shareholdings
Social media accounts
Grants and investment services administration required to support companies start, scale, internationalise and innovative, such as project review, due diligence activities and grant inspection.
Job Position / Job title
Grants and investment services administration required to support companies start, scale, internationalise and innovative. This includes Enterprise Ireland’s grant inspection activity which is required for grant drawdown.
PPS number, passport details
Grants administration for an entrepreneur where there is no CRO number available.
2. Purpose and Legal Basis for Processing
We will hold, process and may disclose personal data for the following purposes:
- To process grant applications;
- To review projects seeking Enterprise Ireland grant support;
- To administer approved grant funding to a company / entrepreneur including grant inspection activities required for grant drawdown;
- To support the auditing activities related to the expenditure of public and European funding;
- To ensure compliance with Government regulation on grant approval to companies, for example when grant support packages required Cabinet Approval;
- To provide training for personal and management development;
- To meet third party requirements and to share that data with third parties such as the European Commission or other EU funded agencies where the data is collected in connection with and for the purposes of a project or programme run or funded in whole or in part by the third party such as the EU or European Commission;
- To deliver industrial development supports or advice to the data subject, his/her employer or his/her company where the data subject is a director.
- This use of the personal data is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in us.
- To comply with our regulatory and professional requirements;
- To prevent and detect fraud, money laundering or other offences; and
- To exercise our right to defend, respond or conduct legal proceedings.
- This use of the personal data is necessary in order for us to comply with any legal or regulatory obligations.
- To carry out direct marketing in relation to our supports and events
- Where the data subject has given consent to the processing of their personal data for direct marketing – which they may withdraw at any time.
- Where consent is not required and the data subject has not objected, the use of the data is necessary for our legitimate interest in managing our business including legal, personnel, administrative and management purposes provided our interests are not overridden by your interests.
3. Special Categories of Personal Data
Certain categories of personal data are regarded as 'special'. We have provided the following list of what personal data are identified in the General Data Protection Regulation (GDPR) as special data for information purposes only. Special data includes information relating to an individual's:
- Physical or mental health;
- Religious, philosophical or political beliefs;
- Trade union membership
- Ethnic or racial origin;
- Biometric or genetic data; and
- Sexual orientation.
This list should not be read or understood as an indication of any policy of Enterprise Ireland to actively collect/process such data.
As part of Enterprise Ireland due diligence on a grant inspection in relation to employment grants, on occasion, though we have not requested them, we may receive salary certificates with Trade Union membership details. This processing is necessary for reasons of substantial public interest on the basis of law.
4. Where the data subject does not provide their Personal Data
If we cannot collect or process certain personal data, we may not be able to provide employers with a grant or an equity investment or other support or service. If you have any queries in respect of the consequences of not providing information or withdrawing your consent, please contact us (see Contact Us below).
5. Recipients of Personal Data
In order to provide our services and to comply with legal obligations imposed on us, it may be necessary from time to time for us to disclose personal data to third parties, including without limitation to the following:
- with our agents and third parties who provide services to us to help us administer and audit our services;
- with regulatory bodies and law enforcement bodies, including an Garda Síochána (where we are required to do so to comply with a relevant legal and regulatory obligation);
- relevant Government departments and agencies and relevant European Union agencies.
6. Transfer of Personal Data outside the EEA
The personal data that we collect may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"), for the purposes described above. Those countries may not provide an adequate level of protection in relation to processing personal data. Due to the global nature of our business, certain personal data may be disclosed to staff members of Enterprise Ireland working outside the EEA: To view a list of Enterprise Ireland overseas office, click here. To the limited extent that it is necessary to transfer personal data outside of the EEA, we will ensure appropriate safeguards are in place to protect the privacy and integrity of such personal data, including standard contractual clauses under GDPR Article 46.2 or adequacy decision under GDPR Article 45. Please contact us if you wish to obtain information concerning such safeguards (see Contact Us below).
7. Data Retention
We will store personal data only for as long as necessary for the purpose(s) for which it was obtained. The criteria used to determine our retention periods include (i) the length of time we have an ongoing relationship and/or provide our services; (ii) whether there is a legal requirement to which we are subject; and (iii) whether the retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations). Please contact us if you wish to obtain further information concerning our retention periods (see Contact Us below).
8. Data Rights
You have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions. We will respond to any valid requests within one month, unless it is particularly complicated or you have made repeated requests in which case we will respond, at the latest, within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request.
If you wish to exercise any of these rights, please contact us (see Contact Us below). We may request proof of identification to verify your request.
What this means
Right to withdraw consent
If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time (see Contact Us below). However, the withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent.
Right of Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.
Right to Erasure (‘Right to be Forgotten’)
You have the right to request that your personal data be deleted in certain circumstances including:
- The personal data are no longer needed for the purpose for which they were collected;
- You withdraw your consent (where the processing was based on consent);
- You object to the processing and there are no overriding legitimate grounds justifying us processing the personal data (see Right to Object below);
- The personal data have been unlawfully processed; or
- To comply with a legal obligation.
However, this right does not apply where, for example, the processing is necessary:
- To comply with a legal obligation; or
- For the establishment, exercise or defence of legal claims.
Right to Restriction of Processing
You can ask that we restrict your personal data (i.e., keep but not use) where:
- The accuracy of the personal data is contested;
- The processing is unlawful but you do not want it erased;
- We no longer need the personal data but you require it for the establishment, exercise or defence of legal claims; or
- You have objected to the processing and verification as to our overriding legitimate grounds is pending.
We can continue to use your personal data:
- Where we have your consent to do so;
- For the establishment, exercise or defence of legal claims;
- To protect the rights of another; or
- For reasons of important public interest.
Right to Data Portability
Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where:
- The processing is carried out by automated means; and
- The processing is based on your consent or on the performance of a contract with you.
Right to Object
You have a right to object to the processing of your personal data in those cases where we are processing your personal data in reliance on our legitimate interests, for the performance of a task carried out in the public interest or in the exercise of our official authority. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate grounds which override your interests and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes.
You have a right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affects you other than where the decision is:
- Necessary for entering into a contract, or for performing a contract with you;
- Based on your explicit consent – which you may withdraw at any time; or
- Is authorized by EU or Member State law.
Where we base a decision solely on automated decision-making, you will always be entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward.
Right to Complain
You have the right to lodge a complaint with the Data Protection Authority, in particular in the Member State of your residence, place of work or place of an alleged infringement, if you consider that the processing of your personal data infringes the GDPR
Please see the below contact details for the Irish Data Protection Authority:
Data Protection Commissioner
+353 (0)761 104 800
9. Change of Purpose
We will only use personal data for the purposes for which we collected it outlined in Section 2 above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to obtain information as to how the processing for the new purpose is compatible with our original purpose, please contact us (see Contact Us below).
If we need to use your personal data for an unrelated purpose, we will notify you and provide an explanation of the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is permitted by applicable data protection laws.
10. Contact Us
If you require any further clarification regarding this Data Protection Notice, please contact:
Data Protection Officer
Data Protection and Freedom of Information Office
Eastpoint Business Park
Last Updated: 17th of May, 2018