What personal data does Reboot collect and why? 

“Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address?

We set out in the table at Schedule 1 of this policy a description of the personal data that we collect in connection with our services and functions, why we are collecting this data, our legal basis for processing this data and the length of time for which we retain your data. 

(The table is referred to below as our “Processing Description”.)

 We process the personal data for the purposes set out in our Processing Description and for any other purposes specifically permitted by the DPAs (or when applicable, the GDPR) or as required by law. 

We collect this information from you through our Booking Form. 

Reboot is mandated by the South West Mayo Development Company (LEADER) to effectively monitor the performance of the training programmes funded by Reboot. Reboot performs compliance reviews, evaluations of the training programmes, as well as quality assurance and attendance at training verifications. 

Lawful basis for processing personal data 

GDPR allows for the use of personal data where its purpose is necessary, legitimate and is not outweighed by the interests, fundamental rights or freedoms of data subjects. This is known as the ‘necessary legitimate interests’ legal basis for processing personal data. 

The legal basis for processing trainee personal data for the purpose of delivering training is ‘necessary legitimate interests’. 

We have conducted a ‘necessary legitimate interests’ balancing test which involved identifying the ‘necessary legitimate interests’ of us, those attending the courses (data subjects), the Networks, the and the interests of the general public in our being able to process the personal data necessary to provide funding to Reboot activities and to ensure that funding is being used appropriately etc. We also identified any potential inconveniences or risks to data subjects and concluded that the many identified legitimate interests outweighed any potential risks to data subjects (which are very low). We have ensured that we collect the minimum amount of personal data necessary to achieve our legitimate purposes. 

Our necessary legitimate interests balancing test will be reviewed as necessary.


The legal basis for processing personal data for marketing in Reboot is ‘consent’

Reboot is fully committed to keeping your personal information safe and ensuring your rights are protected. 

You can ‘opt-in’ to receive updates and information from Reboot on both the services and achievements of our Reboot Networks. The ‘opt-in’ process is explicit and is obtained only through a clear and affirmative action. 

When you ‘opt-in’, we record and save the first name and email you input. Your ‘consent’ can be withdrawn at any time using the ‘unsubscribe’ option in the footer of any correspondence received from us. 

If you require further information from us regarding our legal basis for processing personal data, please contact the Data Protection Officer (“DPO”) whose details are set out below. 


What are the data protection principles? 

The eight data protection principles apply to our organisation: 

  1. We process personal data fairly, lawfully and transparently. We have a valid legal basis for our processing of personal data. We are transparent with individuals about our processing of their personal data. 
  2. We only collect personal data for specified, identified and necessary legitimate purposes.
  3. We only process the personal data that we have collected for the purposes which we have identified or for purposes that are compatible with the purposes that we have identified. 
  4. The personal data that we collect, and process must be adequate, relevant and limited to what is necessary for the purposes. 
  5. The personal data that we collect, and process must be accurate and (where necessary) kept up todate. 
  6. We do not keep personal data any longer than is necessary, bearing the purpose for which we collected it. This includes that we keep personal data in a form which permits identification of the data subject for no longer than is necessary.
  7. We keep personal data safe and secure from unauthorised access, deletion, disclosure or other unauthorised uses. This includes not just keeping data safe and secure from persons outside our organisation, but also from people within our organisation who have no need to access or use the personal data. We are also careful when transferring personal data outside the European Economic Area (“EEA”, being the EU plus Norway, Liechtenstein and Iceland), and make sure that we have a valid legal basis on which to transfer that data. Transfer can include using a cloud server that is located outside the EU or allowing people who are located outside the EEA access to personal data that is stored within the EEA. 
  8. We comply with data subjects’ rights of information about, and (separately) access to, their personal data and with their other data protection rights, including rights to correct or erase their personal data, rights “to be forgotten”, rights to object to processing (including profiling), rights against automated decision-making and (under the GDPR) rights to data portability. 


Security of your personal data 

We take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. 

We have procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself. In addition, we have appropriate written agreements in place with all our data processors. 

We maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows: A. Confidentiality means that only people who are authorised to use the data can access it. B. Integrity means that personal data should be accurate and suitable for the purpose for which it is processed. C. Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on Reboot’s central computer system instead of individual PCs or devices. 8 

We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage. 


Your data protection rights 

Under certain circumstances, by law you have the right to: a) Request information about whether we hold personal data about you, and, if so, what that data is and why we are holding/using it. b) Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. c) Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected. d) Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). e) Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. f) Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your personal data or profiling of you. g) Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. h) Request transfer of your personal data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically usable format.


Requests by data subjects to exercise their rights

 We have appointed a DPO to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the DPO. 

Data subjects must make a formal request for personal data we hold about them or otherwise to exercise their data protections rights whether to make an access request or otherwise by contacting our Data Protection Officer. 

Our DPO can be contacted as follows: – Email [email protected]