MSF Ireland's privacy notice
At MSF Ireland we make sure we protect the information you give us.
References to “we” or "us" are to MSF Ireland (Charity Registration Number: 20069360).
We collect information that helps us make informed decisions, fundraise more efficiently and give you the best possible experience on our Irish websites and from our communications.
This privacy policy is written in accordance with relevant data protection legislation including the Data Protection Acts 1998 and 2003, ePrivacy Regulations 2011 (S.I. 336 of 2011) and the General Data Protection Regulation (2016).
This privacy policy sets out how Médecins Sans Frontières collects, uses and stores personal data, including via its website, https://prod.msf.ie and its associated sites, including secure.msf.ie.
"When MSF was established in Ireland we made a commitment to match the dedication and versatility of our skilled teams in the field. As part of delivering on that promise we’re continually working to ensure our supporters in Ireland can continue to engage with MSF’s work across the world."
ISABEL SIMPSON DIRECTOR
If you’ve any questions please contact us.
Our privacy policy
We collect information:
- when you give it to us directly
- when you give it to us indirectly
- when you give it to us via social media
- when you use our websites or apps
Directly
You may give us personal information when you: use our site, donate, sign up for one of our events, communicate with us, request a speaker, sign up for email newsletters and leave a comment on one of our blogs or on our social media accounts.
Indirectly
We may get your personal information via a fundraising organisation or platform (eg Just Giving) if you’ve told them that you’re supporting MSF UK and with your consent. Please check their privacy policies when you give them your information.
Social media
We may get information about you from your social media accounts or services when you choose to interact with our sites, for example when you log in to leave a comment on or subscribe to one of our blogs. Facebook and Twitter are examples. We can do this if you’ve set your account settings to give us permission. Please check your settings and their privacy policies for more details.
In some cases we hold publicly available information from social media channels (such as social media handles or number of followers) on our social customer relationship management system ‘Prezly’. This provides us with an overview of who drives the conversation on topics that relate to our work. Should we want to reach out to a particular social media handle we would do so using the contact information they have provided publicly.
Our websites and apps
We use “cookies” to help us improve the performance of our UK websites and campaigns.
Cookies are small text files that websites send to your computer (or phone or tablet). They save and store information about how you use the websites.
We use them to give you a tailored experience on our websites. They make using our sites faster and easier. For example, when you donate on MSF UK, a cookie helps the site ‘remember’ which kind of donation you’ve chosen as you move through the site.
Our website also uses web third-party cookies that allow us to track conversions and activity on our website as well as generate advertisements that appear on Facebook, for example, and other search engines like Google for you and other potential users. Such third party cookies may collect or receive information through your use of our websites to provide advertisements and allow it to create lookalike audiences. We don't collect personal information via these cookies.
Find out more on our cookies notice.
If you enter your details onto one of our online donation form, and you don’t complete the donation, we may contact you via email to see if we can help with any problems you may be experiencing.
Similarly if you receive an email, open it, don’t open it, select a link, browse our website, we collect this information so we can see which stories are popular and which aren’t. This data is not used to identify you personally.
If you contact us for any reason we'll usually collect your:
- name
- phone number
- address
When you donate we may also ask for:
- your bank or credit card details (which are stored under PCI Compliance regulations).
- date of birth through our face-to-face fundraising to check you’re over 18.
We may also record:
- Your PPS number if you have sent us a completed and signed CHY Tax Relief Certificate.
When you sign up for a survey or fundraise for us we may also ask:
- what your interests are eg medical interests or countries we work in
- which age bracket you’re in
- what social media channels you use
If you sign up for our Access Campaign website your data will be collected by our Geneva office. Please read their policy to find out more about how they look after your data.
We use your data to:
- deal with your enquiries and requests
- process and acknowledge your donations
- keep a record of your engagement with us
- send you updates, marketing and fundraising communications
- understand how we can improve our services and information
- analyse our fundraising activity
We won’t sell your details to any third parties or other charities. Read our donor promise for more info.
How we use your data depends on why you’re providing it:
Online forms and feedback
We’ll use your personal information to respond to your questions, requests or register you for events.
Surveys
We use surveys to understand who visits our websites and how they use it, helping us to create better content for you and make our websites easier to use.
We may ask for your email address if you’re happy to be involved in future surveys or testing. We’ll only use this to ask you to help us with these types of requests.
Donations
We use your information to process and keep a record of your donation. We also use it to claim Gift Aid if you've selected this option.
Blogs
Any information you post on our blog sites may be published and moderated.
Direct marketing
We use direct marketing to let you know what MSF is doing and how your support makes a difference. We may use it for emergency fundraising or to ask for other support. We'll always respect your preferences and endeavour to send you information that you’ll find interesting, in the format you prefer.
We'll send you direct marketing by post unless you indicate that you don't want to hear from us this way. We send these communications on the basis of it being within our legitimate interests to do so or if you've consented to receive this. Please see the “Legal Basis for Processing Data” section below for more information on this.
We'll also send you direct marketing by e-mail, SMS and phone if you've consented to hear from us this way.
The types of marketing that you can expect to receive from MSF Ireland include:
- Our quarterly ‘Dispatches’ magazine
- Monthly email 'Frontline' updates
- Emergency appeals
- Event invites
Our email direct marketing has ways to opt out or update your preferences in the footer of each email. You can opt out at any time.
If you don’t want to hear from us, that’s fine. Just let us know on +353 (0)1 660 3337 or at fundraising@dublin.msf.org.
Social media
We may use publicly available information linked to your social media profile to anonymously target you with posts that may interest you.
We’ll never ask for personal or sensitive information on social media. We may repost or share your posts on social media if it relates to MSF and our work.
We may respond to questions, queries or comments left on our social media channels. We may use information found on your profile to help us answer these.
Check your social media accounts if you want to change the information you make public.
Our websites use sharing buttons which share our web pages to social media platforms. Use these buttons at your own discretion.
Social media platforms may track these shares through your accounts.
Trained staff
Your information is only accessible by trained staff, volunteers and contractors. We regularly review who has access to your information.
We do comprehensive checks on any contractors before we work with them. We always put a contract in place that sets out how they manage the personal data they collect or have access to.
Data processors
We use other companies to help us manage and store personal data and to carry out certain activities on our behalf. Our main data processors are listed below, but we may enlist the services of others from time to time:
- Fretwell – a direct mail partner
- Sooner Than Later – a direct mail partner
- Survey Monkey – surveys and competitions
- Taleo – Office staff recruitment portal
- Hero – Field staff recruitment and HR database
- CPM – our door to door recruitment agency
- Like Charity – our donor recruitment partner
- Dynamics - our in-house fundraising database
- Mango - our inbound call centre
- Contact Centre - our outbound call centre
We’ll only disclose your personal data to third parties, without your consent, when we have to by law, for example to authorised statutory agencies or authorities.
We use appropriate technical and organisational measures and precautions in order to protect your personal data and to prevent the loss, misuse or alteration of your personal data.
We have lots of technical measures, eg we encrypt our online forms and routinely monitor our network and we use industry standard SSL certificates and PCI compliance.
While we make sure to keep your data safe, no data transmission over the Internet is 100 percent secure. We can't guarantee the security of any information you send us and you do so at your own risk.
We keep your information for as long as it’s necessary. For example, we keep your financial data for at least seven years.
If you request to receive no further contact from us, we'll keep some basic information about you on our suppression list in order to avoid sending you unwanted materials in the future.
Organisations need a lawful basis to collect and use personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Four of these are relevant to the types of processing that MSF carries out.
This includes information that is processed on the basis of:
- A person’s consent (eg to send you direct marketing by e-mail or SMS);
- Processing that is necessary for compliance with a legal obligation (eg to process a gift aid declaration); and
- Our legitimate interests (please see below for more information).
Personal data may be legally collected and used if it's necessary for a legitimate interest of the organisation using the data, as long as its use is fair and doesn't adversely impact the rights of the individual concerned.
Our legitimate interests include:
- Charity Governance; including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes;
- Administration and operational management; including responding to solicited enquires, providing information and services, research, events management, the administration of volunteers and employment and recruitment requirements.
- Fundraising and Campaigning; including administering campaigns and donations, and sending direct marketing and thank you letters by post.
If you'd like to change our use of your personal data in this manner, please get in touch with us.
Contact us at fundraising@dublin.msf.org or 01 6603337 if you'd like to:
- Update your personal information
- Change your personal information
- Change your contact preferences
You have a number of rights under data protection legislation:
- You can request any information we hold on you. Email us at fundraising@dublin.msf.org and ask for it in writing. We'll supply any information you ask for as soon as possible, but this may take up to 30 days. You may be asked for proof of identity.
- You have the right to ask us to stop using or to restrict the processing of your personal data in certain cases, eg where it’s not needed to do what you provided it to us for, or if there is some disagreement about its accuracy or legitimate use.
- You can withdraw your consent to us processing your data at any time (where such processing is based on consent eg to send you electronic direct marketing).
- If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. To update your records please get in touch with us using the details above.
- In some cases, you have the right to be forgotten (ie to have your personal data deleted from our database), or transferred to another organisation (“data portability”). Where you have requested that we don't send you marketing materials we'll need to keep some limited information in order to ensure that you're not contacted in the future.
Isabel Simpson is our data protection lead. You can contact her if you’ve any queries about data protection.
If you have any concerns about the way your data is being used or if you’d like to make a complaint please contact us using the details above. You are also entitled to make a complaint to the Data Protection Commissioner.
We change this Privacy Notice when we need to. If we make any significant changes in the way we treat your personal information we’ll make this clear on our websites or by contacting you directly.
This privacy notice was prepared to be as comprehensive as possible, but it doesn't include an exhaustive list of every aspect our collection and use of personal information. However, we'd be happy to provide any further information or explanation about our practices.
If you’ve any questions, comments or suggestions, please let us know by contacting us.
Médecins Sans Frontières (the Company, we, us, our) is committed to protecting the privacy and security of your personal information.
The Company is a "data controller" within the meaning of the GDPR. This means that we are responsible for deciding how we hold and use personal information about you. This Employee Privacy Notice (the Notice) details how we collect and use personal information about you during and after your working relationship with us in accordance with the GDPR.
For the purposes of this Notice:
GDPR means the General Data Protection Regulation (EU 2016/679) and any national implementing laws, as amended or updated from time to time;
Group Company means a company which is a Subsidiary or Holding Company of the Company or any Subsidiary of such Holding Company from time to time (and for this purpose Subsidiary and Holding Company have the meanings given to them respectively in sections 7 and 8 of the Companies Act 2014).
Please read the following carefully to understand how and why we are using such information and what your rights are under the applicable data protection legislation.
Scope
This Notice applies to you, whether you are a current (or former) employee, intern, agency worker, consultant, individual contractor or director of the Company. It also applies to third parties whose information you provide to us e.g. emergency contacts, beneficiaries of pension etc. Please ensure that you provide a copy of this Notice to any third parties whose personal data you provide to us.
Where we refer to 'employee personal data' or 'employment' in this Notice we do so for convenience only and this should in no way be interpreted as purporting to confer employment status on non-employees to whom this Notice also applies. This Notice does not form part of any contract of employment and does not confer any contractual rights on you or place any contractual obligation on us.
This Notice applies to all personal data collected, maintained, transmitted, stored, retained, or otherwise used (i.e. processed) by us regardless of the media on which that personal data is stored. We may update this Notice at any time and will notify you in writing of any changes as soon as reasonably practical.
Data Protection Principles
The Company is committed to complying with the GDPR. Any personal information that we hold about you must be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes that we have told you about and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purposes we have told you about; and
- Kept securely.
What is Personal Data?
'Personal Data' is defined as any information relating to a living individual from whom that individual can be identified directly from that data or indirectly in conjunction with other information. It does not include data where the identity has been removed (anonymous data). We will collect, hold and use the following categories of Personal Data about you as set out in Appendix 1 of this Notice.
Purpose and Basis for Processing
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information for the following purposes:
- To perform the contract we have entered into with you.
- To comply with a legal obligation;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. In this instance a legitimate interest assessment (LIA) will have been conducted to (i) identify a legitimate interest; (ii) show that the processing is necessary to achieve it; and (iii) balance it against your interests, rights and freedoms. You may request a copy of this LIA from the Senior Information Risk Owner (email office@dublin.msf.org).
In particular, we will hold, process and may disclose personal data provided by you for the following purposes:
Category of Personal Data |
Purpose/Basis for Processing |
---|---|
|
|
|
|
|
|
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety or our workers).
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with this Notice, where this is required or permitted by law.
Special Categories of Personal Data
Certain categories of your personal data are regarded as 'special' including information relating to an individual's:
- Physical or mental health, including any medical condition, health and sickness records;Religious, philosophical or political beliefs;
- Trade union membership;
- Ethnic or racial origin;
- Biometric or genetic data; and
- Sexual orientation.
We only process such data where necessary for the purpose of carrying out the obligations, and exercising specific rights, of the Company or of an employee under employment law or for the assessment of your working capacity. See Appendix 1.
Information about Criminal Convictions
Information about criminal convictions warrants a higher level of protection under data protection legislation. We will only process data relating to your criminal convictions or involvement in criminal proceedings when permitted by law, or where provided voluntarily by you. We may engage a third party to conduct background checks on candidates, to the extent permitted by law and as required by the Company.
Garda vetting procedure
The Company is a "relevant organisation" within the meaning of the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 – 2016 (the Vetting Act) and is therefore required to complete vetting checks on individuals engaged by the Company who will be working or carrying out activities with children or vulnerable adults (the Relevant Activity). We therefore envisage that we will hold and process information about criminal convictions in relation to persons working and volunteering for us who are engaged in a Relevant Activity. As such, where your role involves a Relevant Activity, we may be required by law to process criminal offence data relating to you. We will only collect criminal offence data where permitted by law or where provided voluntarily by you. We process your personal information in this way to comply with our legal obligations under the Vetting Act. If you do not provide us with the requested information, we may not be able to continue to work with you.
The vetting procedure is conducted by the National Vetting Bureau to establish whether there is any criminal record or specified relevant information relating to the individuals engaged in the Relevant Activity. Following completion of the vetting process by the Bureau, a disclosure will be made to the authorised liaison person (email HRAdministrator@dublin.msf.org) in the Company of details of all convictions and pending prosecutions and a statement of specified information or a statement that there is no criminal record or specified information relating to the person being vetted. Specified information can include any information which leads to a bona-fide belief that the person poses a threat to children or vulnerable people.
For more information on the vetting process, see a copy of the Company's Vetting policy which is available from hradministrator@dublin.msf.org.
Consent
In principle, we do not rely on your consent for data use. We may, however, from time to time, (i) ask for your consent to use your personal data for a specific purpose; and/or (ii) process your personal data (including "special data") in order to protect your vital interests or the interests of another. If we do so, we will provide you with full details of the data that we would like and the reason we need it so you can carefully consider whether you wish to consent. We will also inform you about the fact that you can revoke your consent at any time and how you should do that.
Please be assured that withholding your consent will never have an impact on your employment with us or otherwise negatively affect you.
Where you do not provide us with your Personal Data
If you do not provide us with your personal data we may not be able to process your job application, suitability for a particular role, your pay or other benefits, comply with our legal obligations or manage our business. We will tell you when we ask for information which is a statutory or contractual requirement or needed to comply with our legal obligations.
Security and Storage of Personal Data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, sued or accessed in an unauthorised way, altered or disclosed.
We securely store your personal data in a centralised database and the MSF HR System (HERO), with controlled access to such database. Access to personal data (including special data) in both electronic and paper form is restricted to members of the Human Resources Team and employees who have a legitimate and justifiable reason to view such data.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Recipients of Your Personal Data
We may disclose your personal data to a Group Company including, without limitation, for the following reasons: in order to run global processes, carry out group wide reporting, or take decisions about hiring or promotion.
It may be necessary from time to time for us to disclose personal data to third parties or agents, including without limitation to the following:
- Third parties to assist in the administration, processing and management of certain activities, for example payroll processing, pertaining to past, current and prospective employee;
- Individuals or companies employed by the Company to carry out specific services, functions or consultancy work including external reference agencies and other financial institutions;
- An Garda Síochána where necessary for Garda vetting purposes;
- The MSF Association UK/IE;
- The Company's fundraising team;
- Partners within the MSF Movement;
- Relatives or legal representatives of past, current and prospective employees;
- Regulatory bodies to whom we are obliged or required to disclose information including Workplace Relations Commission, Courts and Court-appointed persons;
- Insurance or assurance companies and health insurance providers or trade unions;
- Legal and medical practitioners;
- Pension providers;
- Potential purchasers or bidders;
- Relevant Government departments and agencies; and
- Other support service providers necessary to assist the Company with the above.
We will inform you in advance if we intend to further process or disclose your personal data for a purpose other than the purposes set out above. We take all reasonable steps, as required by law, to ensure the safety, privacy and integrity of such data and information and, where appropriate, enter into contracts with such third parties to protect the privacy and integrity of such data and any information supplied.
Transfer of Personal Data outside the EEA
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA), for the purposes described above. Due to the global nature of our work, your personal data may be disclosed to Group Companies outside the EEA, including the USA. It may also be processed by personnel operating outside the EEA who work for us or for one of our suppliers who act on our behalf. We will ensure suitable safeguards are in place to protect the privacy and integrity of your personal data in such circumstances including standard contractual clauses under Article 46.2 or adequacy decision under Article 45 of the GDPR. You can obtain information and a copy of documentation pertaining to these safeguards from the Human Resources Team (email HRAdministrator@dublin.msf.org) where applicable.
Data Retention
Data will be stored for as long as required to satisfy the purpose for which the data was collected and used, unless a longer period is necessary for our legal, accounting or reporting obligations or for the exercise or defence of legal claims. Usually, we retain your data for the duration of your employment with us.
Statutory retention periods apply to certain records (for example, per legislation, employers are obliged to keep records of their employees' working time for a period of three years). As statutory retention periods can vary depending on the type of data, please refer to our Information and Records Management Policy available from hradminstrator@dublin.msf.org.to find out more. Our retention practices are reviewed and updated from time to time in line with legal requirements and best practice.
Your Data Rights
You have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions such as when the processing of your data is necessary to comply with a legal obligation or for the exercise or defence of legal claims.
Under certain circumstances, by law you have the right to:
Your Right |
What this Means |
---|---|
Right to Withdraw Consent |
If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time (see Contact Us below). However, the withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent. |
Right of Access |
You can request a copy of the personal data we hold about you (a data subject access request). |
Right to Rectification |
You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete. |
Right to Erasure (‘Right to be Forgotten’) |
You have the right to request that your personal data be deleted in certain circumstances including:
However, this right does not apply where, for example, the processing is necessary:
|
Right to Restriction of Processing |
You can ask that we restrict your personal data (i.e. keep but not use) where:
We can continue to use your personal data:
|
Right to Data Portability |
Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where:
|
Right to Object |
You have a right to object to the processing of your personal data in those cases where we are processing your personal data in reliance on our legitimate interests. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate interests which override your interests and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes. |
Right to Complain |
You have the right to lodge a complaint with your local supervisory authority, the Office of the Data Protection Commission, Canal House, Station Road, Portarlington R32 AP23, Co. Laois. The Irish Office of the Data Protection Commission can also be contacted at info@dataprotection.ie |
If you wish to exercise any of your rights in this regard please contact the Human Resources Team. We will respond to your request as soon as practicable. We may request proof of identification to verify your request.
We will respond to any valid requests within one month, unless it is particularly complicated or you have made repeated requests in which case we will respond, at the latest, within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request.
Further Information
If you require any further clarification regarding this Notice, please contact the Human Resources Team.
Appendix 1
General Personal Data
- Personal- contact/identifying details including name, address, email address, date of birth, photograph, civil status, gender, nationality, domestic partners, dependents;
- Emergency Contact - name and contact details of emergency contacts (as set out above, you must provide a copy of this Notice to any third parties whose personal data you provide to us);
- Professional - Curriculum Vitae and/or application form, previous employment background, references from previous employers, record of interview/interview notes, selection and verification records, educational details, professional and/or academic transcripts, professional certifications, special skills including (driver) licenses, language skills, memberships of committees or other bodies;
- Financial - salary and benefit details including bank details, PPS number, tax information;
- Employment - work contact details (corporate email address and telephone number), identification number, photograph, details regarding the job function, primary work location, working hours, employment status, your terms and conditions of employment or engagement, contract of employment, signed confidentiality agreement, immigration status, work permit details, job description, history and details of current position;
- Premises and IT access - information required to access company systems and applications such as email account and system passwords, login and access records ,download and print records, call recordings, records of email and internet usage in accordance with our email and internet policy
- Fees, remuneration and benefits – fees/payment and benefits package, base salary, bonus, compensation type, long term incentives, pension scheme, PRSA, health insurance scheme (and any third party beneficiaries), company credit card data, salary reviews;
- Leave - including documentation which may be provided in connection with any statutory leave, sick leave, holiday and family related leave records, garden leave, and any other type of leave such as unpaid leave and study leave;
- Performance management - performance assessments/meetings (including probationary assessments), colleague and manager feedback, appraisals, outputs from talent programs and formal and informal performance management processes;
- Training and development - such as data relating to training and development needs or training received;
- Disciplinary and grievance - such as any personal data contained in records of allegations, investigation and proceeding records and outcomes;
- General correspondence/meetings - relating to grievance and/or disciplinary processes, misconduct or performance issues, data arising in connection with litigation and complaints, involvement in incident reporting and disclosures;
- Termination - for example, dates and reason for leaving, termination agreements and payments, exit interviews and references; and
- Incapacity - any accommodations or adjustments in connection with any incapacity.
Special Categories of Personal Data
We may also collect, hold and use the following "special categories" of more sensitive personal information:
- Physical or mental health data - such as information about your physical or mental health or condition; for example, we record your days of sickness, or workplace adjustments due to health reasons.
- Other special categories of personal data - such as racial or ethnic origin; religious or similar beliefs; membership of a trade union; the commission or alleged commission of any offence; and any proceedings for any offence committed or alleged to have been committed, the disposal of those proceedings or the sentence of any court in those proceedings.
Special categories of personal data will only be collected and used in so far as such is necessary for the purposes of carrying out an obligation in the field of employment/social security/social protection law, or exercising specific rights or when the use is authorized by law or for the assessment of working capacity.