Table of Terms
Data Controller or data controller
IMIA is the party controlling data and the data controller as defined in the GDPR
Member or prospective member and/or contact persons for the member or prospective member
Specific elements of data we collect, e.g. name, address, date of birth would be three data sets
General Data Protection Regulation or GDPR
General Data Protection Regulation.
Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 and applicable Irish data protection legislation (currently the Irish Data Protection Act 2018) (the “Data Protection Legislation”)
Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
Sensitive Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
IMIA Privacy Statement and Use of Information Notice
This is your guide to how the IMIA manage your personal data. On the 25th May 2018 the General Data Protection Regulation (“GDPR”) takes effect. Under this regulation we need to provide you with information on the following:-
- Contact Details
- What information we collect about you
- For what processing purpose are we collecting information and under what legal basis
- The recipients of the data we collect from you
- Where information is processed outside the EEA and the safeguards in place
- The period of storage of personal data
- Your rights of access, rectification, erasure or restriction of processing
- Your right to withdraw consent where processing is on that basis
- Your right to lodge a complaint with the supervisory authority
- Where you are obliged to provide information the consequences of failure to do so
- Existence of automated decision making or profiling
- Information on further processing of data beyond the original reason for collection
IMIA are the Data Controller which means that we collect personal data from you (“Data Subject”) as our existing or prospective member or contact person for an existing or prospective member.
IMIA can be contacted as follows:-
Address: 87 Merrion Square, Dublin 2
Phone no.: +353 1 5692295
Objective of IMIA
The objectives of the Irish MiFID Industry Association (IMIA) are to:
- provide a central representation to the Central Bank of Ireland and other regulatory bodies on behalf of its members
- promote good industry practices on regulatory requirements
- host educational events on MiFID regulations and other regulatory issues impacting MiFID firms
- promote networking and peer interaction
The IMIA hosts monthly member meetings at which the above areas are discussed.
As part of our day to day business we need to collect personal data from our members to ensure that we can meet their needs for a range of services and provide them with information about our services.
Your privacy is important to us and it is our policy to respect the confidentiality of information and the privacy of individuals. This notice outlines how we manage your personal data and details your rights in respect of our processing of your personal data.
In order to provide services as a representative industry association to you, we require certain Personal Data and other information relating to your application for membership and / or your dealings with us or other relevant third parties. Personal data in this Notice means any information which the IMIA has or obtains or which you provide, such as your name, address, employer name, employer bank details and email address, from which you can be directly or indirectly personally identified.
Sensitive Personal Data
In general, personal information may be sensitive personal data such as data related to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual orientation. The IMIA do not collect any sensitive data currently from members.
IMIA will act as a data controller in relation to your personal data in compliance with the General Data Protection Regulation.
Why do we need to collect personal data for Data Subjects?
We need to collect certain personal information (“Data sets”) because we are providing you with a service which is industry representation and / or educational and training events. We need to process this information to fulfil our legal obligations under the contract you have entered into with us when you or your organisation joined as a member.
Additionally, we may obtain personal data about you through your use of our websites, apps, or using cookies on our websites, in particular by recording your activity and which pages you look at on our websites (please see below on Cookies).
Use of information and Lawful basis of processing
The IMIA will use your Personal Data for the following purposes: –
1. To fulfil our contractual obligations to you our client:
For the purposes of providing member representation services to you, and / or setting up and administering your membership;
To respond to or evaluate any queries, complaints or suggestions in relation to your contract, membership, transactions or other specific matters relating to same.
2. For legitimate purpose use such as:
- Providing third parties with details of memberships, responses to consultation papers or other regulatory engagements on behalf of all members e.g. Central Bank engagement;
- For audit, compliance, or reporting purposes;
- Records of communications whether that may be telephone or other electronic communications for confirmation of membership, training events, association meetings or other compliance purposes;
- For external advisory or legal purposes;
- Market research or statistical reporting purposes;
- For billing purposes of collection of fees owed to the firm;
- For administration purposes.
3. Where you have provided your consent such as:
- For marketing of third party products or services;
- For any other purpose for which you have provided your consent.
4. Where our use of your personal data requires consent, such consent will be provided explicitly by you.
If we rely on your consent as our legal basis for processing your personal data, you have the right to withdraw that consent at any time by contacting us using the contact details set out in this Privacy Notice.
IMIA undertake to keep your Personal Data and all related information held private and confidential and we shall not use or disclose to any third party other than as disclosed above except where obliged by a court or regulatory body.
5. What legal obligations do we have?
Your relationship with the IMIA is governed by a contract which provides you with the terms and conditions of the membership we provide to you. Our relationship will continue until the termination of the contract. As part of fulfilling that contract we need to collect, use, store, disseminate, share and delete personal data sets about you within the IMIA and with external third parties. Our obligations will extend beyond the contract termination where we are obligated under legislation to retain records for set periods of time.
6. Data we collect from you
The Firm collects several pieces of personal information from you over the course of our contractual relationship. The specific core data sets are listed in Appendix A. These can vary over time and we may tailor this to your specific circumstances.
7. Who do we share your personal information with?
The Firm shares personal information with specified third parties who support important processing functions that we carry out. We may act as Joint Controllers for service administration on banking and membership services and for administration of member accounts. Third parties act on our instructions and have appropriate security measures in place to ensure data is kept confidential. Where we engage third parties we will have a contract in place to govern our relationship; we may have a Service Level Agreement in place to monitor third party performance; and we may have accepted terms and conditions of usage in place for various IT software providers, or specific agreements where third parties act as processors or joint controllers. Examples of third parties who may act as processors on our behalf: –
- We use services such as banks to process banking transactions.
- We use Information Technology firms to maintain our systems.
- We utilise IT software firms to provide administration systems.
- We engage the services of professional firms such as solicitors, accountants, auditors, and other consultants to act on our behalf.
- We may be obliged under legislation to provide information to the Central Bank of Ireland, Revenue, Pensions Authority, An Garda Síochána, Courts, Companies Registration Office or other bodies as required under legislation.
Where information may be processed outside the EEA
IMIA currently do not process personal data outside the EEA.
Where we may need to share information with organisations who are located or undertaking processing outside the EEA in the future we will advise members through a revised privacy notice.
This may mean that your personal information may be processed in countries such as the U.S.A. We will only transfer personal information to a country outside the EEA if that country provides an adequate level of protection as set by the European Commission or where the transfer is made under a legally binding agreement containing model contractual clauses, EU-US Privacy Shield frameworks or other similar approved mechanisms. We will endeavour where possible to put measures in place to protect such data.
The period of storage and retention of personal data
IMIA provide membership services to the Irish MiFID Industry firms located in Ireland. We will maintain documents for the period of membership and for one year after membership expires or is otherwise cancelled. In exceptional circumstances, storage periods may extend beyond the above-noted periods.
How we store personal data
Safeguarding the privacy of your information is important to us, whether you interact with us personally, by phone, by mail, over the internet or any other electronic medium.
We hold personal data in a combination of secure computer storage facilities and paper-based files and other records and take steps to protect the personal data we hold from misuse, loss, unauthorised access, modification or disclosure.
When we consider that personal data is no longer needed, we will remove any details that will identify you or we will securely destroy the records. However, we may need to maintain records for a significant period of time in line with our regulatory obligations. For example, we are subject to certain anti-money laundering laws which require us to retain verification of identity records for a period of five years after our business relationship with you has ended.
If we hold any personal data in the form of a recorded communication, by telephone, electronic, in person or otherwise in relation to our regulatory obligations as detailed above, this information will be held in line with local regulatory requirements which will generally be 5 years after our business relationship with you has ended.
Where you have opted out of receiving marketing communications, we will hold your details on our suppression list so that we know you do not want to receive these communications.
Management and Safeguarding of personal data
We always take appropriate technical and organisational measures to ensure that your information is secure. In particular, we handle personal data to respect the confidentiality of member information and the privacy of individuals. We regard breaches of your privacy very seriously and will impose appropriate penalties, including dismissal where necessary. We have appointed a Data Protection Officer to ensure that our management of personal data is in accordance with this Privacy Notice and the applicable legislation.
The internet is an open medium and we cannot guarantee that any information you send to us by email or via our sites will not be intercepted or tampered with; any transmission is at your own risk. To help protect your personal data and minimise the risk of it being intercepted by unauthorised third parties our secure servers employ Secure Socket Layer v3 (SSL) or Transport Layer Security v1 (TLS) encryption when you submit information to us through our sites. This security is signified by the “https” and the padlock on the URL bar. Some older browsers do not allow the use of current SSL technology and we therefore recommend that you use an up to date browser. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Your rights as a data subject
The data protection laws give you certain rights in relation to the data we hold on you. These are:
Your rights of access, rectification, erasure or restriction of processing
You have a number of rights under the GDPR which allow you to exercise control over the way in which your personal data is processed. You can exercise these rights free of charge and within one month (30 calendar days) of your request being received. In exceptional cases only, we may charge a reasonable administration fee and we may extend the period for a further two months in relation to complex cases. You will be informed if any of these apply to your request within one month. We are obliged to verify your identity once a request is received. We may refuse your request only where we have reasonable grounds to do so in that it is manifestly unfounded or excessive.
Right of Access
You have the right to obtain confirmation whether or not personal data concerning you is being processed and be provided with access to this data. You have the right to receive copies of the information we have about you.
Right of Rectification
You have the right to have inaccurate personal data rectified without undue delay and the right to have incomplete data completed.
Right to be Forgotten
You have the right to data erasure. The right to be forgotten entitles you to have the Data Controller erase personal data, cease further dissemination of the data, and stop processing of the data. The conditions for erasure include that the data is no longer relevant to the original purposes for processing, or that you withdraw consent. IMIA must compare your rights to “the public interest in the availability of the data” when considering such requests.
GDPR introduces data portability – the right for you to receive the personal data concerning you, which you have previously provided in a ‘commonly used and machine readable format’ and have the right to transmit that data to another controller.
Right to Object
You have the right to object to processing based on your particular situation where this is based on performance of a task carried out in the public interest, official authority vested in the Data Controller or where it is necessary for the purposes of the legitimate interests of the Data Controller or third party. This includes profiling based on those provisions or for direct marketing purposes.
Right to restriction of processing
You have the right to restriction of processing where the accuracy of your data is contested by you, where the processing is unlawful, but erasure has been opposed, in defence of legal claims or where objection has been lodged pending the verification of legitimate overriding grounds by the Data Controller.
Your right to lodge a complaint with the supervisory authority
If you are unhappy with any aspect of our privacy policies and procedures and are not satisfied with the IMIA’s responses, you are entitled to lodge a complaint with the Office of the Data Protection Commissioner: –
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Phone: +353 57 868 4800 / +353 761 104 800
Lo Call: 1 890 252 231
Fax: +353 57 868 4757
Where you are obliged to provide information the consequences of failure to do so
As outlined in this notice the IMIA collect, process, use, disseminate, store and delete personal information collected from you as part of membership services. When you enter a contract with us by availing of membership services we need to collect information to perform our part of the contract. As such if you fail to provide information as requested by us we will be unable to provide the requested service. If you are an existing member and fail to provide additional information as requested we may be unable to continue to provide you with a membership service and we may terminate our contract.
Existence of automated decision making or profiling
Information on further processing of data beyond the original reason for collection
The IMIA will collect, use, disseminate, store and delete your personal information for the purposes outlined above. Where we intend to further process data for a different reason other than for the reason it was collected in the first place we will seek your consent to do so. Examples of this may be where we engage a third party marketing company to contact you to market industry related products provided by another firm.
Security and Confidentiality
The IMIA will take all reasonable measures using technological methods and internal policies and procedures to ensure the protection of your data. We do this by ensuring our data and premises are physically protected and access is restricted to secure areas. Access to our systems is only provided to authorised persons and we employ security techniques when sending data externally.
Updates to our Data Protection Notice
We will keep this notice under regular review and will update it from time to time to reflect changes in the way we process personal information. The most recent version will be available at www.IMIA.ie
Appendix A: Data Sets *
1. Member Firm/Employer Name
2. Member Firm Name
3. Member Firm Address
4. Member Firm Employee Email Address
5. Firm Financial Details: Account Number, Sort Code, IBAN
6. Firm Employee Job Title
7. Firm Employee Telephone Number
Important Notice: The data sets will vary per MEMBER, we will not hold all of the data sets listed for all MEMBERS.