Introduction

• LEAP delivers training through Networks of private sector companies, in a range of sectors and regions.
• LEAP also delivers training to individual companies and organisations in the form of “in-house” tailored training.
• LEAP is a QQI approved centre 
• You are asked to complete the Trainee Profile Form where you are asked to share certain personal details about your background. You are asked to complete the “Reaction to Learning From” when you have completed your training with us. You are asked to complete the “QQI Registration Form” if you are going forward for QQI certification.
• You may wish to review this Privacy Statement before completing these forms so that you are aware of how we comply with Data Protection Legislation in relation to your personal data.

About Us

• Our Data Protection Officer’s (DPO) contact details are as follows:

+ 353 91 755736 dpo@leapleadership.ie

Corporate House, Building 3, 

Ballybrit Business Park,

Ballybrit,

Galway H91K5YD

About this Privacy Statement

1. This Privacy Statement relates to our privacy practices and policies in place for the data we collect in the Trainee Profile Form, Reaction to Learning Form and QQI Registration Form. It sets out what personal data we  collect and process about you in connection with the services and functions of LEAP through our training programmes; where we obtain the data from; what we do with that data; how we comply with the data protection rules, who we transfer data to and how we deal with individuals’ rights in relation to their personal data. Links to all of this information may be accessed by clicking on the titles in the table of contents. Any personal data is collected and processed in accordance with Irish and EU data protection laws.

1. All our employees and contractors are required to comply with this Privacy Statement when they process personal data on our behalf. Any failure by LEAP employees or parties contracted to LEAP, to comply with the data protection rules (including as they are outlined in this Privacy Statement) may result in disciplinary action or sanction.

1. Please note that we may disclose individuals’ information to trusted third parties for the purposes set out and explained in this document. We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with Irish and EU laws on data protection.

Data Controller

• Data protection provides rights to individuals with regard to the use of their personal information (personal data) by organisations, including LEAP. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.

• Compliance with the data protection rules is a legal obligation. In addition, our compliance with  the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.

• The data protection rules that apply to us are currently contained in the EU General  Data Protection Regulation (EU Regulation 679/2016) (the “GDPR”), in the Data Protection Act 2018, in the EPrivacy Regulations 2011 and in related legislation (together the “DPAs”).

• “Data controllers” are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed, who/which make independent decisions in relation to the personal data and/or who/which otherwise control that personal data.

• For the purposes of the GDPR, LEAP is the data controller with regard to the personal data described in this Privacy Statement.

What personal data does LEAP collect and why?

• “Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address or age range) or it can be an opinion about that person, their actions and behaviour.

• We set out in the table at Schedule 1 of this policy a description of the personal data that we collect in connection with our services and functions, why we are collecting this data, our legal  basis for processing this data and the length of time for which we retain your data. (The table is referred to below as our “Processing Description”.)

• We process the personal data for the purposes set out in our Processing Description and for any other purposes specifically permitted by the DPAs (or when applicable, the GDPR) or as required by law.

• We collect this information from you through our Trainee Profile Form and Reaction to Learning Form and QQI Registration Form which will be completed in hard copy or electronically.

Necessary Legitimate Interests

• GDPR allows for the use of personal data where its purpose is necessary, legitimate and is not outweighed by the interests, fundamental rights or freedoms of data subjects. This is known as the ‘necessary legitimate interests’ legal basis for processing personal data.

• We have conducted a ‘necessary legitimate interests’ balancing test which involved identifying the ‘necessary legitimate interests’ of us, those attending the courses (data subjects), and their organisations. We identified any potential inconveniences or risks to data subjects and concluded that the many identified legitimate interests outweighed any potential risks to data subjects (which are very low). We have ensured that we collect the minimum amount of personal data necessary to achieve our legitimate purposes.

• Our necessary legitimate interests balancing test will be reviewed annually.

• If you require further information from us regarding our legal basis of legitimate interests, please contact the Data Protection Officer (“DPO ”) whose details are set out below.

What are the data protection principles?

• The eight data protection principles apply to our organisation:

1. We process personal data fairly, lawfully and transparently. We have a valid legal basis for our processing of personal data. We are transparent with individuals about our processing of their personal data.

• We only collect personal data for specified, identified and necessary legitimate purposes.

• We only process the personal data that we have collected for the purposes which we have identified or for purposes that are compatible with the purposes that we have identified.

• The personal data that we collect, and process must be adequate, relevant and limited to what is necessary for the purposes.

• The personal data that we collect, and process must be accurate and (where necessary) kept up to-date.

• We do not keep personal data any longer than is necessary, bearing the purpose for which we collected it. This includes that we keep personal data in a form which permits identification of the data subject for no longer than is necessary.

• We keep personal data safe and secure from unauthorised access, deletion, disclosure or other unauthorised uses. This includes not just keeping data safe and secure from persons outside our organisation, but also from people within our organisation who have no need to access or use the personal data. We are also careful when transferring personal data outside the European Economic Area (“EEA”, being the EU plus Norway, Liechtenstein and Iceland), and make sure that we have a valid legal basis on which to transfer that data. Transfer can include using a cloud server that is located outside the EU or allowing people who are located outside the EEA access to personal data that is stored within the EEA.

• We comply with data subjects’ rights of information about, and (separately) access to, their personal data and with their other data protection rights, including rights to correct or erase their personal data, rights “to be forgotten”, rights to object to processing (including profiling), rights against automated decision-making and (under the GDPR) rights to data portability.

Security of your personal data

• We take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

• We have procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor  if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself. In addition, we have appropriate written agreements in place with all our data processors.

• We maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

1. Confidentiality means that only people who are authorised to use the data can access it.

• Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

• Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on LEAP’s central computer system instead of individual PCs or devices.

• We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage. The data you provide to us is transferred to an application which is protected using SSL (Secure Sockets Layer) technology. SSL is the industry standard method of encrypting personal information and credit card details so that they can be securely transferred over the Internet.

How long will we keep your personal data?

In Schedule 1 we have set out in the Processing Description the length of time for which we will keep your personal data. After this time your personal data is permanently deleted from our records.

Will we share your data with anyone else?

• Your personal data may also be shared with LEAP third parties for the purposes outlined in Schedule 1. We are required by the Department of Education and Skills to carry out monitoring and compliance activities and we may engage with third parties to carry out these activities on our behalf.

• We may pass your details to another agency but only if it is required by law, pursuant to our statutory functions, or if that agency is relevant to your enquiry.

Your data protection rights

Under certain circumstances, by law you have the right to:

• Request information about whether we hold personal data about you, and, if so, what that data is and why we are holding/using it.

• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.

• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.

• Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your personal data or profiling of you.

• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

• Request transfer of your personal data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

Requests by data subjects to exercise their rights

• We have appointed a DPO to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the DPO.

• Data subjects must make a formal request for personal data we hold about them or otherwise to exercise their data protections rights whether to make an access request or otherwise by contacting our Data Protection Officer.

• Our DPO can be contacted as follows: – Telephone: 091 755736 Email: dpo@leapleadership.ie, Post: Corporate House, Building 3, Ballybrit Business Park, Ballybrit, Galway H91K5YD

• Note also that data subjects have the right to make a complaint at any time to a data protection supervisory authority in relation to any issues related to our processing of their personal data. As our organisation is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner. You can also contact the Data Protection Commissioner as follows:

• Go to their website www.dataprotection.ie
• Phone on +353 761 104 800 or +353 57 8684 800
• Email info@dataprotection.ie
• Postal address: Data Protection Commission , 21 Fitzwilliam Square Dublin 2, D02 RD28.

Changes to the Privacy Statement

Our Privacy Statement may change from time to time and any changes to the Statement will be posted on this page. This Privacy Statement was revised in September 2019 to reflect changes to the legal basis for processing and retention periods.

Schedule 1 – Processing Description

What personal data we take	Purposes of processing	Legal basis for processing	Retention period
First name and surname   Contact details (phone number and email address)	To contact you following completion of your training programme to carry out compliance, monitoring or evaluation activities.	Legitimate interests	Electronically only, no longer than 3 years from the end of the calendar year preceding the completion of your training programme.   Full compliance by 31st December 2019.
Gender Age range NQF Level Achieved   Employment status and details relating to this	For aggregated evaluation of the quality and impact of training.   For aggregated and statistical reporting to the Department of Education and Skills.   For aggregated and statistical reporting in the LEAP Annual Report and other publications.	Legitimate interests	Electronically only, no longer than 3 years from the end of the calendar year preceding the completion of your training programme.   Full compliance by 31st December 2019.
First name and surname   Contact details (phone number and email address)   PPS Number   Date of Birth	To contact you following completion of your training programme to carry out compliance, monitoring or evaluation activities.	Legitimate interests	Electronically only, no longer than 3 years from the end of the calendar year preceding the completion of your training programme.   Full compliance by 31st December 2019.