Data Protection Policy

Celtic Tabletop & DagdaCon Data Protection Policy

This policy is designed to provide a clear and concise guide to the data protection obligations of Celtic Tabletop. As a data controller, we are responsible for managing, processing, and storing personal data. This document outlines our commitment to compliance with relevant data protection legislation.

This policy will be reviewed and amended as needed.

1. Definitions

For consistency, the following definitions apply throughout this policy:

  • Data: Includes both automated data (held on a computer) and manual data (held in a relevant filing system).

  • Personal Data: Any information relating to a living individual who can be identified, either directly or indirectly.

  • Sensitive Personal Data: Personal data related to specific aspects of a person's identity, such as ethnic origin, political opinions, religious beliefs, or health information.

  • Data Controller: The legal entity responsible for the acquisition, processing, and use of personal data. In this context, Celtic Tabletop is the data controller.

  • Data Subject: A living individual to whom personal data relates.

  • Data Processor: A person or entity who processes personal data on behalf of Celtic Tabletop based on a formal, written contract.

  • Staff: Any director, committee member, or volunteer of Celtic Tabletop, or any person acting in an official capacity on our behalf.

2. Scope

This policy covers all personal and sensitive personal data held by Celtic Tabletop, whether in manual or automated form. All such data will be treated with equal care.

3. Rationale

As a data controller, Celtic Tabletop and all its staff and volunteers must comply with the data protection rules set out in relevant Irish and EU legislation, including the General Data Protection Regulation (GDPR) 2016/679 and the Irish Data Protection Acts (1988-2018).

This policy applies to all personal data we collect, process, and store in the course of our activities, such as:

  • Processing orders from our website (e.g., names, addresses, emails).

  • Coordinating volunteers (e.g., information on a volunteer's physical or mental well-being where necessary).

  • Managing event registrations.

4. Our Role as a Data Controller

In our daily activities, Celtic Tabletop acquires, processes, and stores personal data. We are committed to ensuring all staff have sufficient awareness of data protection legislation to identify and address any issues.

We regularly exchange personal data with data subjects and, where applicable, with data processors on their behalf. This policy provides guidelines for this exchange and a procedure for staff to follow if they are unsure about disclosing data.

Third-Party Processors

We may engage third-party service providers (data processors) to process personal data. In all cases, a formal, written contract will be in place outlining their obligations, required security measures, and the specific purpose for which they are engaged. We reserve the right to audit their data management activities.

5. The Data Protection Rules

As a data controller, Celtic Tabletop ensures all data is managed according to these key rules. Personal data will:

1. Be obtained and processed fairly and lawfully. We will make data subjects aware of who we are, why we are collecting their data, and who it may be disclosed to. We will seek informed consent where possible and ensure all processing is carried out as part of our lawful activities.

2. Be obtained only for one or more specified, legitimate purposes. We will obtain data only for specific, lawful, and clearly stated purposes. Data subjects have the right to question why we hold their data, and we will be able to clearly state the purpose.

3. Not be further processed in a manner incompatible with the specified purpose(s). Any use of data will be compatible with the purposes for which it was originally acquired.

4. Be kept safe and secure. We will implement high standards of security to protect personal data under our care, including using privacy by design and by default principles. Access to data will be limited to authorized staff with appropriate password access. In the event of a data breach, we will notify the appropriate authorities and data subjects without undue delay.

5. Be kept accurate, complete, and up-to-date where necessary. We will ensure that our data is accurate and up-to-date through regular reviews and audits.

6. Be adequate, relevant, and not excessive. The data we collect will be relevant and necessary for the purposes for which it was collected.

7. Not be kept for longer than is necessary. We will not retain personal data for longer than is required to satisfy its specified purpose. Once the retention period has passed, we will securely destroy, erase, or otherwise render the data unusable.

8. Be managed in a way that allows for easy access. In the event of a Subject Access Request (SAR), we have procedures in place to retrieve and provide a copy of the personal data to the data subject in a timely and efficient manner.

6. Data Subject Access Requests (SARs)

Any data subject can make a formal request to access their personal data held by Celtic Tabletop. We will ensure all such requests are forwarded to the appropriate contact and processed as quickly and efficiently as possible, and in any case within one month of receipt of the request.

Conclusion

This policy is intended to provide a concise overview of our approach to data protection. It is important to note that this is not a definitive statement of the law. If you have any further questions about this policy or our practices, please don't hesitate to ask.