IMMA is committed to adhering to the requirements of the General Data Protection Regulations (GDPR) and other relevant legislation that governs obtaining, storage and disposal of personal data as defined by European and Irish legislation. You can click on the headings below to jump to the relevant section. You can also download this policy as a pdf here.
Any changes that we make to our Data Protection Policy in the future will be made on this page and, where appropriate, will be notified to users via email. The information on this page was last updated on 21 May 2018.
Contents (click to jump to)
The purpose of this policy document is to provide concise information regarding the Data Protection obligations of the Irish Museum of Modern Art (IMMA) and its subsidiary the Royal Hospital Kilmainham (t/a RHK) when dealing with the personal data of its employees, visitors, patrons, business partners, clients and service providers. IMMA is committed to adhering to the requirements of the General Data Protection Regulations (GDPR) and other relevant legislation that governs obtaining, storage and disposal of personal data as defined by European and Irish legislation.
IMMA makes no distinction between its employees and those who are not and acknowledges all rights of data subjects & entities and commits to treating all equally under this policy.
The scope of this policy covers both personal and sensitive personal data that may be provided by individuals or entities or is obtained during the course of its business, that relates to data subjects and is managed or stored electronically or in a manual data filing system.
All personal data and sensitive personal data will be treated with care and retained securely. IMMA is committed to ensuring that all personal data held by the museum is accurate, relevant and is retained no longer than is permitted by the original permissions under which it was provided and in any case in compliance with the Data Protection Regulations.
Personal Data will be securely controlled within the organisation and will not be shared with third parties unless Data Subjects have consented to this at the time of providing the data,
where data is processed on behalf of IMMA by a third party organisation on its behalf that in each case there is a formal written contract with the processor outlining their obligations in relation to the personal data, the specific purposes for which they are engaged and the agreement that they will process the data on behalf of IMMA in compliance with the European and Irish Data Protection Regulations.
This policy identifies that during the course of the museum’s activities, personal data will be provided to IMMA for use solely for the purposes that it was provided. IMMA is committed to ensuring that all staff are made aware, through regular training, of the guidelines under the Data Protection Regulations on how personal data must be managed and to be able to identify where a data protection issue may arise that could be contrary to the regulations. Should an issue be identified, all staff are instructed to notify and seek advice from the Data Protection Officer so that personal data is dealt with correctly and/or appropriate corrective action is taken.
When you give your personal details to IMMA, as an organisation we are committed to keeping these details private, safe and in a secure data storage system. IMMA is committed to ensuring that all personal data and non-personal data is securely stored and managed using the latest state of the art technology available, as required by the Data Protection Regulations. The security and capability of the data storage systems will be reviewed and integrity tested on a regular basis.
Data Breach or Data Loss
IMMA is committed to complying with the Data Protection Regulations and all recommendations set by the Data Protection Commissioner. As Data Controller, in the event of any loss or breach of security, or protocols that relate to a subject’s data being compromised IMMA undertakes to:
IMMA Protocol for action in the event of a breach or loss of data
Where an incident gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, the data controller will give immediate consideration to informing those affected. Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures. In appropriate cases, the data controllers will also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions, etc.
All incidents of loss of control of personal data, in manual or electronic form, by a third party contracted data processor will be reported to the IMMA Data Protection Officer as soon as the data processor becomes aware of the incident and to the Data protection Commissioner and in any case within 72 hours.
IMMA Protocol for action by third party data Processor in the event of a breach or loss of data.
Contact will be immediately made with the Data Protection Officer within IMMA.
Where the data concerned is encrypted or protected by technological security measures that make it unintelligible to any person who is not authorised to access it, IMMA may conclude after investigation that due to the security measures in place that there is no risk to the data being opened/read/utilized. Any loss of control has been contained and/or the data erased and put beyond use. This would mean that there is no need to inform the Office of the Data Protection Commissioner. Such a conclusion would only be justified where the security measures (such as encryption) were of a high standard.
However, where such an incident does occur, IMMA is committed to inform the data subject of the events.
Where it is clear that the personal data has been lost or compromised and cannot be recovered or controlled, the IMMA Data Protection Officer will gather a small team of trained staff to assess the potential exposure/loss. This team will assist with the practical matters associated with this investigation.
IMMA Procedure in the event of loss or control personal data
The IMMA investigation team, under the direction of the Data Protection Officer, will give immediate consideration to informing all data subjects who may be affected. At the direction of the Data Protection Officer, the team shall:
IMMA will seek to contain the matter and mitigate any further exposure of the personal data held. Depending on the nature of the threat to the personal data, this may involve a quarantine of some or all PCs, networks etc. and requesting that staff do not access PCs, networks etc. Similarly, it may involve a quarantine of manual records storage area/s and other areas as may be appropriate.
By way of a preliminary step, an audit of the records held or backup server/s should be undertaken to ascertain the nature of what personal data may potentially have been exposed.
Where data has been “damaged” (as defined in the Criminal Justice Act, 1991, e.g. as a result of hacking), the matter will be reported to An Garda Síochána. Failure to do so will constitute a criminal offence in itself (“withholding information”) pursuant to section 19 Criminal Justice Act, 2011.
Depending on the nature of the personal data at risk and particularly where sensitive personal data may be at risk, the assistance of An Garda Síochána should be immediately sought. This is separate from the statutory obligation to report criminal damage to data arising under section 19 Criminal Justice Act, 2011 as discussed above.
All incidents in which personal data has been put at risk will be reported to the Office of the Data Protection Commissioner and the data subject within 72 hours of the incident. Contact may be by e-mail (preferably), telephone or fax and must not involve the communication of personal data.
Where IMMA has contracted a third party service, such as a data storage facility or data processor, the contractor will report a data breach directly to the primary IMMA contact as a matter of urgent priority. This requirement will be clearly set out in the supplier contract. On receipt of any such breach by or affecting a third-party data processor, the above breach procedure will commence.
You have the right to data protection when your details or personal data is:
You have the right to ensure that the information IMMA manages or is stored about you is:
You have a range of rights on how your data is obtained and managed. IMMA is committed to upholding those rights. You have the right to have your details used in line with Data Protection Regulations.
As a data controller who holds information about an individual, IMMA must:
Information we must give you when we seek to obtain your data
As a data controller, when IMMA seeks to obtain personal information we must, at a minimum, give you:
When this information is sought from you in person, you must be given the name of the person collecting the information and the IMMA department they are collecting the information for.
You can ask for a copy of all your personal details held by IMMA on a computer or in manual form by writing to the Data Protection Officer (See How do I get Access to My Data below)
You should also be informed of, and given the chance to object to, any decisions about you that are automatically generated by a computer without any human involvement.
You have the right to have personal data transmitted to another data controller without hindrance, where technically feasible. This is only possible in relation to personal data given with consent, and does not apply to data generated by IMMA. When we receive a request from a data subject to transfer personal data to another entity we will comply with that request.
Data profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work; economic situation; health; personal preferences; interests; reliability or behaviour; location or movements”.
As a data subject you have the right not to be the subject of any decision based solely on automated processing, except where you have explicitly agreed or the profiling forms part of a contract.
International Data Transfers
Data transfers outside the EEA are prohibited unless the receiving country ensures appropriate safeguards to secure personal data and it is retained in compliance with the regulations. IMMA will not transfer any personal data outside of the EEA unless that country is approved by the Irish Data Protection Commissioner and only then if we have the permission of the data subject and that they have consented/requested the data transfer.
Data Privacy Impact Assessments
Data Privacy Impact Assessments (DPIAs) are obligatory impact assessments that must be undertaken at the early stages of any organisational changes involving ‘high risk’ to the data rights of individuals, but only where the organisation or change involves:
The Data Protection Commissioner is to produce guidelines for the requirements surrounding DPIAs.
IMMA is committed to complying with this principle and undertakes to carry out a DPIA on all new projects of data processing in particular using new technologies that could result in a high risk to the rights of data subjects. A copy of all DPIAs undertaken will be available and contained as part of the Data Protection Register.
Changes to consent for data collection
Consent to the collection and processing of personal data must now involve affirmative action. You must be required to directly opt in. Automatic opt-in, pre-ticked boxes or inactivity are no longer acceptable means of acquiring consent from data subjects.
Consent is defined as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
In addition to specifically opting-in to processing, as a data subject you must be advised of the reasons your data will be processed, including ‘legitimate interests’ processing. Legitimate interests include:
IMMA is committed to this requirement and will actively assess and change its current and future means of communication with our audience.
Privacy by Design, Privacy by Default
Privacy by design and default is a new concept that IMMA, as a data controller, is required to embed into our organisational processes, projects and changes. We are committed to:
IMMA is registered with the Office of the Data Protection Commissioner and as such will be able to demonstrate, on request, our compliance with the GDPR regulations. We will achieve this by:
Data Processors and GDPR
Third party data processors are used by IMMA but are strictly controlled through contracts of agreement for the prossessing of data obtained on our behalf. The data processors face new restrictions and obligations under GDPR. Specific obligations under GDPR include:
• Obtain IMMA (data controller) permission before using any sub- contracted data processors.
• Process data, only in accordance with IMMA (data controller) instructions.
• Maintain data processing records and make them available to the supervisory authority.
• Take appropriate security measures and notify the data controller of any breaches (see our data breach procedures).
• Comply with overseas data transfer rules.
Roles and Responsibilities within IMMA
The concept of accountability is a significant new addition that imposes additional obligations on data controllers and processors as per the below:
If you think that IMMA is holding some of your personal details or information about you, you can ask us to confirm this. You should apply in writing to the Data Protection Officer at IMMA. The written request for the information can be by postal letter, email or a letter handed in to the Museum, but it must be in writing. All applications must be accompanied by photographic identification, such as passport/driving licence/European identity card plus a recent utility bill or Government letter. Copies of the original documents will suffice.
On receipt of the application the Data Protection Officer will provide you with an acknowledgement of the request. This will be followed with a copy of all the data we have on you within 21 days. We must tell you which details we hold and the reason why we are holding this information. This information free of charge.
There may be occasions when the data we hold may be in a manual archival system that needs to be physically searched for your data references as the data may be have been obtained prior to May 2018. If this is the case we will let you know in writing and give an estimated time period that it will take to retrieve the information for you.
Please see the section on Accessing Your Information from the Data Protection Commissioner at the end of this policy.
Right to change or remove your details
If IMMA is legally retaining data about you that is not factually correct, you can ask us to change or, in some cases, remove these details.
Similarly, if you feel that IMMA does not have a valid reason for holding your personal data or that they we have taken these details in an unfair way, or they are being used in a manner that is exceeds the reasons for which they were obtained or retained, then you can also ask us to change or remove the data.
In both cases, you can write to the Data Protection Officer, explaining your concerns and outlining what data is incorrect. You should apply in writing to the Data Protection Officer at IMMA. The written request for the information can be by postal letter, email or a letter handed in to the Museum, but it must be in writing.
On receipt of the application, the Data Protection Officer will provide you with an acknowledgement of the request.
This will be followed by a confirmation that a copy of all the data we have on you has been corrected as requested or removed/deleted from retention within the IMMA data storage systems. We must do this within 40 days or explain why we have been unable do so.
There may be occasions when IMMA is required, on a legal basis, to retain personal data on a data subject. In response to the request to change or remove your retained data we must explain fully the legal basis under which we are required to retain that data. Such examples could be for pension/revenue purposes. Either way you will be fully informed.
There may be occasions when the data we hold may be in a manual archival system that needs to be physically searched for your data references as the data may be have been obtained prior to May 2018. If this is the case we will let you know in writing and give an estimated time period that it will take to retrieve the information for you. IMMA is committed to keeping you fully informed during any application for data information.
You can ask us not to use your personal data other than for the main purpose for which the data was obtained or retained. An example of this could be for marketing. You can do this by simply writing to the Data Protection Officer and outlining your views.
On receipt of the application, the Data Protection Officer will provide you with an acknowledgement of the request.
This will be followed by a confirmation that the data we have will only be used as requested. We must do this within 40 days.
From 25 May 2018 IMMA cannot use your data for different purpose unless you were informed at the time of giving your data and you have given permission for your data at that time to be used for information or services initiated by IMMA.
There may be occasions when IMMA is required, by legal authority, to share data on a data subject. In response to the request to not share or use your retained data we must explain fully the legal basis under which we are required to use/share the data. Such examples could be for pension/revenue purposes. Either way you will be fully informed
Right to remove your details from a direct marketing list
If IMMA holds personal data about you for direct marketing purposes, you can ask us to remove your data. You can most immediately and most easily do this by clicking on the ‘Unsubscribe’ link which you will find on the bottom of any of our marketing emails. You can also control what information you receive from IMMA by managing you list preferences. You will receive an automatic confirmation email that your removal has been successful.
If you experience any difficulty with this process you can request removal in writing to the Data Protection Officer. The written request for removal can be by postal letter, email or a letter handed in to the museum, but it must be in writing.
On receipt of the application the Data Protection Officer will provide you with an acknowledgement of the request.
This will be followed by a confirmation that the request for removal has been complied with. IMMA undertakes to comply with the request as soon as possible and in any case within 40 days.
IMMA Data Protection Officer
Irish Museum Of Modern Art
Or by emailing
IMMA is committed to protecting the data rights of its staff, visitors, patrons, business partners and service providers. With this in mind we have published some further guidelines below from the Office of the Data Protection Commissioner. These guidelines are incorporated into the Data Protection Policy above along with the seven key principles of the IMMA Data Protection Guidelines. The guidelines will also assist you in preparing a written application. Please remember to include as much detail as possible in all data requests, this will help facilitate all applications.
General Data Protection Regulation (GDPR) and the Data Protection Acts 1988 and 2003 imposes obligations on data controllers to process personal data entrusted to them in a manner that respects the rights of data subjects. Data controllers are under a specific obligation to take appropriate measures to protect the security of such data.
GDPR relies on seven ‘principles’ contained in Article 5, which will regulate the processing of personal data. We have incorporated these principles into the policy above, in the section Expansion of the data protection principles under GDPR
In summary.these are:
1. Lawful, Fair and Transparent Processing
Processing personal data needs to be based on one or several lawful processing conditions (see below). The Data Subject should have full and transparent knowledge of the identity of the parties to the processing, the purposes of the processing, the recipients of personal data, the existence of Data Subject rights and freedoms, and how to contact the Controller.
2. Specified and Lawful Purpose
Personal data must be processed only on the basis of one or several specified purposes. Organisations should not collect any piece of data that does not fit the collection purpose.
3. Minimisation of Processing
Processing of personal data should be adequate, relevant and restricted to what is necessary. Not only will this relieve the organisation of the burden of performing actions on personal data, which are not required or necessary, but it will also reduce the overall risk of data breaches. Businesses collect and compile data for various reasons such as understanding behaviour and patterns. Based on this principle an organisation must ensure they are only collecting the minimum amount of data required for their purpose.
Personal data shall be accurate, kept up to date and fit for purpose. Organisations should rectify any incorrect data and erase any data, which is known to be erroneous or obsolete.
5. Storage Limitation or Retention
Personal data shall be kept in a form which permits the identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed. Anonymisation or deletion is encouraged in order to minimise the length of time that personal data is held by the organisation. Some identifiable data may be kept for statistical, scientific or historical research purposes. It may also be in the public interest to keep such data. This includes implementing and enforcing data retention policies and not allowing data to be saved in multiple locations. Users should not save data to local devices or move data to an external device. Having multiple copies of the same data significantly reduces the organisations ability to comply with GDPR.
6. Security and Confidentiality
Appropriate technical and organisational measures should be implemented to ensure a level of security appropriate to the volume and format of the data, its sensitivity, and the risks associated with it. Technical measures such as password protection on files and encryption should be used as necessary.
7. Liability and Accountability
The Data Controller and the Data Processor will be required to demonstrate their compliance with the GDPR. GDPR requires that organisation respond to data requests from data subjects regarding what data is available about them. An organisation must be able to promptly correct or erase that data if desired (the ‘right to be forgotten’). Organisations not only need to have a process in place to manage the request but also need to have a full audit trail to support data requests.
What is the role of the Data Protection Commissioner?
The Data Protection Commissioner aims to make sure that your rights are being upheld and that data controllers respect data protection rules. If you think that an organisation or person is breaking these rules and you are not satisfied with their response to your concerns, you can complain to the Commissioner.
Accessing Your Personal Information – How can I see what information a body or company holds about me?
Under Section 3 of the Data Protection Acts, you have a right to find out, free of charge, if a person (an individual or an organisation) holds information about you. You also have a right to be given a description of the information and to be told the purpose(s) for holding your information.
You must make the request in writing. The person must send you the information within 21 days.
Under Section 4 of the Data Protection Acts, 1988 and 2003, you have a right to obtain a copy, clearly explained, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation. All you need to do is write to the organisation or entity concerned and ask for it under the Data Protection Acts.
Your request could read as follows:
I wish to make an access request under Section 4 of the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form in relation to…. (Fill in as much information as possible to assist the organisations to locate the data that you are interested in accessing e.g. customer account number, staff number, or PPS number (if you are writing to a public sector organisation such as the Revenue Commissioners or the Department of Social Protection)).
You should also include any additional details that would help to locate your information – for example, a customer account number or staff number. You may be asked for evidence of your identity. This is to make sure that personal information is not given to the wrong person. When requesting some types of record, such as credit history or Garda records, it may also be useful to provide a list of previous addresses, previous names and your date of birth. You may be asked to pay a fee, but this cannot exceed €6.35.
Once you have made your request, and paid any appropriate fee, you must be given the information within 40 days (most organisations manage to reply much sooner).
Right to object
A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you unnecessary damage or distress, you may ask the data controller not to use your personal details.
This right does not apply if:
You can also object to use of your personal details for direct marketing purposes if these details are taken from the electoral register or from information made public by law, such as a shareholders’ register. There is no charge for objecting.
Right to freedom from automated decision making.
Generally, important decisions about you based on your personal details should have a human input and must not be automatically generated by a computer, unless you agree to this. For example, such decisions may be about your work performance, creditworthiness or reliability.
Right to refuse direct marketing calls or mail.
If you do not want to receive direct marketing telephone calls, you should contact your service provider. They will make a note of your request in the National Directory Database (NDD) ‘opt-out’ register. It is an offence to make direct marketing calls to any phone number listed in the NDD. If you have not included your phone number in this register, you can also refuse such calls by simply asking the caller not to phone you again.
An organisation must get your permission before they contact you by fax machine or automated dialling for direct marketing purposes.
An organisation must also get your permission before they send marketing emails to your computer or before they send marketing text messages to your mobile phone.
The Commissioner will investigate your complaint and try to resolve the matter in the best way possible. If this is not possible, you may ask the Commissioner to make a formal decision on whether the data controller has violated your rights. However, the Commissioner cannot award you compensation. If the Commissioner agrees with your complaint, he will try to make sure that the data controller obeys the law and puts matters right. If the Commissioner rejects your complaint, he will let you know in writing. If you are not happy with the Commissioner’s decision, you can appeal the decision in the Circuit Court.
When should I contact the Data Protection Commissioner?
If you are not happy with how your details are being used, you should contact the organisation in question. If you believe that the organisation or individual is still not respecting your data protection rights, you should contact the Office of the Data Protection Commissioner to ask for help. www.dataprotection.ie