CRU/TBCSL Privacy notice
Introduction
This Privacy Notice explains how and why your personal data is processed by the separate departments at Trinity College Dublin’s Commercial Revenue Unit (“CRU”), encompassing Trinity Brand Commercial Services Ltd (“TBCSL”) and the steps taken by Trinity College Dublin (“Trinity College” / “the University”) as a data controller to safeguard individuals’ rights under data protection legislation, specifically the EU General Data Protection Regulation (“GDPR”) and Data Protection Acts 1988-2018.
Trinity College actively seeks to preserve the privacy rights of data subjects who share personal data with the University. Personal data which is collected by CRU will be treated with the highest standards of security and confidentiality by the University in compliance with data protection legislation.
This Privacy Notice explains the following:
• How CRU collects your personal data
• The purpose and legal basis for processing your personal data
• How Trinity College securely stores your personal data
• Details of third parties with whom Trinity College shares personal data
• Your rights under data protection legislation
How CRU collects your personal data
CRU collects various types of personal data in order to provide services to you in accordance with the purposes outlined in this Privacy Notice. This data may be collected directly from you, from other systems under the control of Trinity College or via contracted third parties. We collect personal data through various channels including but not limited to: email and phone enquiries, and website forms.
Purpose and legal basis for processing personal data
The personal data that we collect from you will only be processed by CRU for the specific and lawful purposes as outlined in this Privacy Notice. CRU will ensure that your data is processed fairly and lawfully in keeping with the principles of data protection as set out under Article 5 GDPR.
Personal data which you provide to CRU includes:
• Contact details
• Online registration / booking information
• Payment information
Specifically, your personal data may be processed by CRU for any of the following purposes:
• Book of Kells & Trinity Trails tickets – booking and administration
•Management of Accommodation on campus and at off-campus locations
• Catering – bookings & requests
• Marketing communications
• Trinity Gift Shop – processing customer contact details
• Venue / Facilities bookings & management (e.g. Conferences, Weddings)
Trinity College will only process your personal data where there exists a legal basis under Article 6 GDPR to support the processing. The legal basis will depend on the purpose for which the University processes personal data.
For example:
• Consent: The University relies on consent for marketing communications. Trinity College advertises products, services and events to individuals through a variety of different channels and relies on a person’s opt-in consent to do so. You can withdraw your consent to receive marketing communications at any time, including by clicking on the “unsubscribe” link included in any marketing communications that we send to you.
• Legitimate interests: Where it is necessary for the University to understand customers, promote services and operate effectively as a commercial organisation, provided in each instance that these activities are conducted lawfully and not outweighed by individuals’ privacy rights.
• Performance of a contract: This applies where Trinity College is required to process your data prior to / subsequent to entering into a contract with you. For example, where you have purchased a product or service from Trinity College and we need to use your contact details and payment information in order to process your order and provide you with services.
• Compliance with a legal obligation: Where the University is subject to legal obligation and must process your personal data in order to comply with that obligation.
How Trinity College securely stores your personal data
Personal data is stored confidentially and securely as required by the Trinity College Information Systems Security Policy and Data Protection Policy. The University is committed to ensuring that your data is safeguarded by appropriate technical and organisational security measures relevant to the processing in accordance with Article 32 GDPR requirements.
When we store your personal data on our systems the data will be stored either on University premises or on secure IT platforms within the European External Area (“EEA”) or external of the EEA which are subject to Chapter V GDPR requirements.
Details of third parties with whom Trinity College shares personal data
Trinity College will only share your data with third parties where necessary for the purposes of processing outlined in this Privacy Notice. In accordance with Article 28 GDPR, when we share your data with third parties Trinity College ensures that the data is processed according to specific instructions and that the same standards of confidentiality and security are maintained at all times.
CRU may share relevant personal data with the following categories of third parties:
• State or regulatory bodies
• IT or Cloud service providers that provide essential services to CRU
• Firms that provide professional services to CRU
• Firms that provide archiving and storage and disposal of confidential data
• An Garda Síochána when we are required to do so by law
How long Trinity College retains your data
In keeping with the data protection principle of storage limitation we will only retain your data for as long as is necessary for the purpose of providing services relevant to Trinity College requirements and in accordance with the Trinity College Records Management Policy.
Your rights under data protection law
You have the following rights over the way we process your personal data. For further information please see the Trinity College Data Subject Rights Requests Procedure.
Right of Access
You have the right to request a copy of the personal data which is processed by the University and to exercise that right easily and at reasonable intervals. The University’s Data Access Request Form is available to download here.
Rectification
You have the right to have inaccuracies in personal data that we hold about you rectified without delay.
Erasure
You have the right to have your personal data deleted where we no longer have any justification for retaining it, subject to exemptions such as the use of pseudonymised or anonymised data for scientific research purposes.
Object
You have the right to object to processing your personal data if you believe the processing to be disproportionate or unfair to you. Trinity College reserves the right to challenge any such request on the grounds that the processing is required, necessary and proportionate.
Restriction
You have the right to restrict the processing of your personal data if:
• you are contesting the accuracy of the personal data;
• the personal data is processed unlawfully;
• you need to prevent the erasure of the personal data in order to comply with legal obligations; or
• you have objected to the processing of the personal data and wish to restrict the processing until a legal basis for continued processing has been verified.
Further information
If you have any queries relating to the processing of your personal data for the purposes outlined above or you wish to make a request in relation to your rights or make a complaint you can contact the Trinity College Data Protection Officer:
Data Protection Officer, Secretary’s Office, Trinity College Dublin, Dublin 2, dataprotection@tcd.ie If you are not satisfied with the information we have provided to you in relation to the processing of your personal data or you are dissatisfied with how Trinity College is processing your data you can raise a query with the Data Protection Commission at: https://forms.dataprotection.ie/contact
Date: 10 January 2024