Workplace Relations Commission (WRC) Data Protection Statement
1. Introduction
The Workplace Relations Commission (WRC) is an independent statutory body set up under the Workplace Relations Act 2015. Its core services include the provision of mediation, conciliation, facilitation and advisory services, adjudication on complaints and disputes, the monitoring of employment conditions to ensure the compliance and enforcement of employment rights legislation, the provision of information, and the processing of employment agency and protection of young persons (employment) licences.
2. Data Protection Legislation
Data protection legislation confers rights on individuals as well as responsibilities on those persons processing personal data. The EU General Data Protection Regulation (GDPR EU 2016/679) replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. The GDPR came into force on 25th May 2018. GDPR applies directly in Ireland (and across the EU), along with further national rules set out in the Irish Data Protection Act 2018.
The WRC is a Data Controller for the personal data that we process or “use” about you. This means that we have certain responsibilities under data protection laws. Part of these responsibilities include that we provide you with information about your personal data. This information is set out in this Data Protection Statement.
3. What is the WRC’s legal basis for processing your personal data?
The WRC is required by data protection law to indicate to you the legal basis which relates to our use of your personal data. These are (as relevant):
- Article 6(1)(e) GDPR - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official functions vested in the controller (i.e. the WRC).
- These functions are set out in the Workplace Relations Act 2015.
4. Why does the WRC need to use your personal data?
The WRC requires people who use its services to provide certain personal data in order to avail of these services. Your personal data may be exchanged with other Government Departments in certain circumstances where this is provided for by law. Where a complaint is made to the adjudication service any information sent to the WRC will be copied to the other party. Full details of the WRC’s data protection policy setting out how we will use your personal data as well as information regarding your rights as a data subject are available at [This Link]. Details of this policy are also available in hard copy upon request.
5. Who do I contact if I have a query about the WRC’s data protection policy?
The WRC has information on its website and you should refer to this in the first instance. Our website can be accessed at Workplace Relations Commission. If you cannot find the answer to your query on the website, then do not hesitate to contact the WRC at: personaldatarequest@workplacerelations.ie
6. Who is our Data Protection Officer?
Our Data Protection Officer is Celyna Coughlan who is DPO for the Department of Enterprise, Trade and Employment and its offices including the WRC. Please also see the Departments website for further information. You can access the Department’s website at: Department of Enterprise, Trade and Employment.
You can also contact our DPO by e-mailing: dataprotection@enterprise.gov.ie or by telephone on 01 631 2398.
7. Who do we share information with?
The WRC may share personal data with other parties in the course of our duties but only in circumstances where it is lawful to do so. For example, if you have made a complaint to the Adjudication Services, any information you send to the WRC will be copied to the other party.
Your Representatives
Where you have made a complaint to the Adjudication Service your representative as nominated by you, (such as a trade union, legal representatives or any other persons acting for you) will be sent documentation from the other party to the complaint/dispute.
Our People
To perform its duties, the WRC may need to share information internally e.g. Adjudication Services may exchange complaint details with Mediation only in the context of dispute resolution. The WRC may also need to share data to include WRC representatives such as employees, contractors, legal representatives, adjudication officers and mediators. This information will be shared only where it is lawful to do so.
Government Departments, Bodies or Agencies
The WRC is legally obligated to share personal data with other State bodies but only as outlined under the Workplace Relations Act. Recipients of this data may include Government Departments (e.g. the Department of Employment Affairs and Social Protection), agencies (e.g. the Labour Court, the Revenue Commissioners), An Garda Síochána. However, any personal data can only be shared strictly in compliance with the Act.
Where personal data is shared, the WRC will observe the following principles:
- The transfer is based on a legal obligation or the performance of a contract.
- Where data is transferred to another party, we ensure appropriate technical and organisational safeguards are in place to protect personal data.
- Where a third party is engaged to provide a service to us, they must take appropriate steps to protect your personal data, and only to use the personal data for the purpose of performing those specific services.
8. International transfers
The WRC does not transfer your personal data outside the EEA.
9. What are your rights as a data subject?
As a data subject (individual) you have a number of rights under data protection laws. It is important to note however that these rights are not absolute (i.e. they may be restricted or “limited” in certain cases). The WRC will inform you when you make a request to us in relation to your data protection rights where this occurs.
Your rights under data protection laws include the following:
Right of Access (Article 15 - GDPR)
You have the right to receive confirmation that your personal data is being processed. You are entitled to access to your personal data. You are also entitled to certain other details in relation to how personal data is used. A Subject Access Request Form can be found here [LINK] If what you require is a copy of your adjudication file you are entitled to a copy of the file outside the Data Protection legislation and may simply request a copy.
Right to Rectification (Article 16 - GDPR)
You have a right to request that the personal data held in relation to you is up to date and accurate. Where information is inaccurate or incomplete, you can request that the data be rectified. In some circumstances this may not be possible. For example, the adjudication function of the WRC is a quasi-judicial function and the right to rectification of documentary evidence contained in submissions or decisions may not apply.
Right to be Forgotten (Article 17 - GDPR)
The WRC processes personal data it collects because there is a statutory basis for the processing. The primary legal basis for our processing of personal data is on the basis of a legal obligation, as outlined under the Workplace Relations Act 2015. In this regard, some processing in relation to your data may not be subject to the right to erasure. Where the WRC receives requests from data subjects looking to exercise their right of erasure then it will carry out an assessment of whether the data can be erased. We may be unable to fulfil an erasure request if the processing of personal data is necessary for the following reasons:
- Compliance with a legal obligation or for the performance of a task carried out in the public interest.
- Archiving or statistical purposes in the public interest.
- The establishment, exercise or defence of legal claims.
Right to Restriction (Article 18 - GDPR)
The WRC will implement and maintain appropriate procedures to assess whether a data subjects request to restrict the processing of their data can be implemented. Where the request for restriction of processing is carried out then the WRC will write to the data subject to confirm the restriction has been implemented and when the restriction is lifted. Please note, in some circumstances requests may not be granted, i.e. where the personal data was used in legal proceedings.
Right to Data Portability (Article 20 - GDPR)
The WRC processes personal data its collects because there is a statutory basis for the processing as outlined under the Workplace Relations Act 2015. Where the WRC has collected personal data on data subjects by consent or by contract then the data subjects have a right to receive the data in electronic format to give to another data controller. It is expected that this right will apply only to a small number of data subjects.
Right to Object (Article 21 - GDPR)
Data subjects have a right to object to the processing of his or her personal data in specific circumstances. Where such an objection is received, WRC will assess each case on its merits. As the primary legal basis for our processing of personal data is on the basis of a legal basis as outlined under the Workplace Relations Act 2015, the right to object will most likely apply in very limited circumstances.
Right not to be subject to Automated Decision Making, including Profiling (Article 22 - GDPR)
The WRC does not carry out any fully automated decision making or profiling using personal data.
10. Responsibilities of the Workplace Relations Commission (WRC)
The WRC has responsibility for the following:
Ensuring Appropriate Technical and Organisational Measures
The WRC will implement appropriate technical and organisational measures to ensure protection of personal data.
Maintaining a Record of Data Processing Activities (ROPA)
The WRC will maintain an inventory of its data processing activities in the manner prescribed by Regulation. The will be reviewed and signed off by the Management Committee on an annual basis.
Implementing Appropriate Agreements with Third Parties
The WRC will ensure that where such transfer of personal data is required, appropriate agreements, including data sharing agreements, memoranda of understanding, bilateral agreements and contracts (collectively “agreements”) with all third parties shall specify the purpose of the transfer, the requirement for adequate security, right to terminate processing, restrict further transfer to other parties, ensure that responses will be given to requests for information and the right to audit.
Transfers of Personal Data Outside of the European Economic Area
No such transfer is envisaged. In the event that such an occasion arises the WRC will not transfer the personal data of data subjects outside of the European Economic Area unless an adequate level of protection is ensured.
Data Protection Impact Assessments (DPIAs)
The WRC will carry out a data impact assessment prior to any decision to implement new or significantly amend procedures and documentation in the context of its activities. As part of this process, a copy of the impact assessment shall be reviewed and signed-off with the WRC Data Protection Officer.
Personal Data Breaches
A personal data breach is defined in data protection law as meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. (e.g. the most common breach incidents that can occur are due to administrative error such as correspondence issuing to an unauthorised third party). The WRC deems any loss of personal data in paper or digital format to be a personal data breach.
The WRC has a protocol for dealing with personal data breaches. This protocol sets out the methodology for handling a personal data breach and for notification of the breach to Data Protection Commission and to data subjects where this is deemed necessary.
Governance
The WRC monitors compliance at Divisional and Management Committee level. In this regard, the Committee: receives
- Receives regular reports of data protection activities from WRC Divisions
- Receives regular reports from the Data Protection Liaison Officer
- Reviews data protection impact assessments and approves or requires further information or amendments where deemed appropriate to the design of data protection elements of projects
- Instigates investigations of data protection matters of interest
- Approves internal audits or compliance with this policy, and - any other such activities relating to data protection.
Responsibilities of Staff and Similar Parties
Any person (staff or contracted person) who processes personal data on behalf of the WRC has a responsibility to comply with this data protection policy. Further detail is available at https://www.workplacerelations.ie/en/Privacy-Policy/
Training and Awareness
All staff receive training on this policy. New staff receive training as part of their induction training process. Completion of this training is compulsory.
In addition, staff are also regularly reminded of their data protection obligations by way of e-mail updates on data protection matters from the WRC DPLO and the DPO
11. Making a Complaint
The WRC will implement and maintain a complaints process whereby data subjects will be able to contact the Data Protection Officer. The Data Protection Officer will work with the data subject to bring the complaint to a satisfactory conclusion for both parties. The data subject will be informed of their right to bring their complaint to the Data Protection Commissioner and their contact details.
12. Archives Policy (Data Storage and Retention)
In general, pending agreement with the Archives Office, personal data in paper format is not destroyed. Please note that all e-mails are archived after three months and are not generally available. This archives policy will be updated as soon as a new policy is approved by the Archives office.
13. Where do I send Subject Access requests?
Please send all your subject access requests to the WRC email address: personaldatarequest@workplacerelations.ie
To answer your request, we will ask you to provide identification for verification purposes.
14. How long will a request take to complete?
Upon receipt of a request, the WRC will comply with the request within the statutory timeframe provided for in the GDPR which is currently 30 days. If more time is required, you will be notified of the delay and the reasons for it. If your request is refused you will be notified within the relevant statutory timeframe of the reason for refusal.
A fee is not charged for requests. However, if the WRC considers your request to be unjustified or excessive, a reasonable fee may be charged (also applicable for multiple copies) or the request refused.
You are entitled to contact the Data Protection Commission if you have any complaints in relation to the enforcement of your rights.
The address for the Data Protection Commission is:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2 D02 RD28
Tel: 0761 -104800 or 057- 8684800
15. Changes to this Data Protection Statement
The WRC may update this data protection statement from time to time.
If we make changes, we will notify you prior to the changes taking effect by posting a statement on our website.
November 2021