This Privacy Statement explains how Quokka Wellness (the Organisation) will process your personal information and how you can exercise your rights as a data subject.
For the purposes of the GDPR, Quokka Wellness is the data controller. Quokka Wellness is based in Galway, Ireland and provides consultancy services in the areas of Workplace wellness and Digital wellness. Any queries relating to data protection can be addressed to Carrie Budds at firstname.lastname@example.org.
PURPOSE AND SCOPE
This Notice applies to our business practices and our website (Websites), which is accessible from https://quokkawellness.com and its sub-domains. As the Organisation is established in the Republic of Ireland, this document is written in the vein of Irish Data Protection Law and the Organisation falls under the jurisdiction of the Irish Data Protection Commission.
Laws that apply to us:
- General Data Protection Regulation (EU Regulation 679/2016)
- Data Protection Act 2018
- Regulations flowing from DPA 2018
- Data Protection Act 1988 Revised
- ePrivacy Regulations 2011 implementing EU Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD)
What are the data protection principles and rules?
We aim to comply with the following principles found in Data Protection Law:
Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
Purpose limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.
Retention – Personal data should be kept in an identifiable format for no longer than is necessary.
Integrity and confidentiality – Personal data should be kept secure.
Accountability – Under the GDPR, we must not only comply with the above six general principles but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.
WHAT TYPE OF DATA IS COLLECTED?
We will collect personal data from you in accordance with the purposes outlined in this document. This will be basic personal data used to facilitate a service-type relationship, usually your name and contact details.
We also collect and receive data about you from third parties. This may be information given to us by your employer to facilitate the running of workshops. Any information which we receive in this way is set out in the Table to this privacy notice which gives you more details about information which we can receive from third parties.
Special Category Personal Data
We will not collect special category data from you unless you are an employee in which case we would be obliged to do so under law.
Criminal Conviction Data
We will not collect criminal conviction data from you.
Children’s Personal Data
Our services are not aimed at children, and we do not process the data of children.
WHAT IS MY DATA BEING USED FOR?
When you contact Quokka Wellness to avail of or enquire about any of our services via a form on our website or by phone, we will ask you to provide your name, email address, the company you work with, your work phone number, your job title and the number of employees working at your company.
This information provided will be used by Quokka Wellness to:
- Respond to your enquiries or provide customer support effectively,
- Create a customer file which will contain your future bookings on behalf of the company you work with,
- Provide you with advice, dependent on the information you have given,
- Communicate with you regarding other Quokka Wellness products and services.
- When we communicate with you regarding our products and services for the first time we will give you the option to “opt-in,” and on every subsequent communication there will be an option to “unsubscribe.”
When we operate workshops at the request of our clients, employees / workshop participants may be asked to provide information on their activity levels, general wellbeing and stress levels. If a workshop has a physical activity element we may be required to collect health data such as pre-existing conditions (for example heart health, diabetes) or physical injuries. This data will only be collected and processed with your explicit consent.
Where private personal data is collated, the employer may receive a company overview report containing only anonymised and aggregated data about the health and wellbeing of their employees as a whole.
Quokka Wellness will never share your personal or sensitive information with any other third party, including your employer, without your consent unless required to do so by law and unless you have consented to this disclosure or unless the third party is required to fulfil your order (in such circumstances, the third party is bound by similar data protection requirements).
In the case of employees of our clients / workshop attendees, Quokka Wellness has entered into an agreement with your employer to provide services and / or grant you access to surveys, and your employer is the data controller of your personal data. We will process your personal data on behalf of your employer and in accordance with its lawful instructions.
WHO HAS ACCESS TO MY DATA?
Access is restricted to essential personnel of Quokka Wellness who are bound by their professional ethics and/or confidentiality agreements.
From time to time we may receive a request from your employer to disclose your identity or we may consider it appropriate to disclose your identity in the absence of such a request. We will consider this in accordance with our internal policy on revealing anonymity. Your identity will in general only be disclosed to your employer where it is necessary to do so for reasons of substantial public interest. This is only likely to occur in exceptional circumstances. For example, we may consider (based on your or others’ comments) that you or another person identified is experiencing or at risk of physical, mental or emotional harm (including self-harm) and requires support, and that there is a need to protect the well-being of you or another person, and furthermore that we cannot reasonably obtain your consent (for instance if you are away from your workplace and therefore not contactable for a period of time) or where seeking your consent would prejudice the purpose of the disclosure. By way of further example, we may consider (based on your or others’ comments) that disclosure of your identity to your employer is necessary to prevent or detect an unlawful act (such as fraud or other criminal act), and that we cannot request your consent since this would prejudice the purpose of the disclosure.
We may use trusted service providers who could be considered data processors, sub-processors or third parties. We require all third parties to have appropriate technical and operational security measures in place to protect your Personal Data, in line with Irish and EU laws on data protection. Any such organisation or individual will have access to personal information needed to perform these functions but may not use it for any other purpose.
We use the following categories of service providers including data processors in the course of our business:
- Cloud Web and App Hosting Services
- Cloud Data Sources
- One or More Contract Developers
- Professional Service Providers such as Lawyers, Solicitors and Accountants
- Financial Transaction Providers
- Telecoms Service and Carrier Providers
Where consent is required for our use of your personal data, by ticking the appropriate consent box or otherwise communicating your consent to us (whether by phone, email or other means), you consent to our use of that personal data as set out in this policy. If you disclose someone else’s personal data to us, you confirm that you have their consent to disclose this to us and for us to use and disclose it in accordance with this policy.
HOW LONG IS MY DATA HELD FOR?
We have a documented data retention schedule. Generally, we will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for and for up to seven (7) years afterwards or as otherwise permitted by applicable laws. We may also retain your information during the period of time needed to complete our legitimate business operations, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We follow strict security procedures, where appropriate to risk, in the storage and disclosure of your Personal Data, and to protect it against accidental loss, destruction or damage. We take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data. The data you provide to us is protected using modern encryption, intrusion prevention, and account access techniques. We have put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.
We maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
Confidentiality means that only people who are authorised to use the data can access it.
Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
Availability means that authorised users should be able to access the data if they need it for authorised purposes.
WHAT ARE MY RIGHTS?
You have the following rights with regard to your personal information:
- Access. You have the right to access information about the personal data we hold about you. We reserve the right to charge a reasonable fee in response to unreasonable or repetitive requests, or requests for further copies of the same information.
- Right to object to processing. You have the right to object to processing of your personal data where that processing is being undertaken by us on the basis of our (or a third party’s) legitimate interest. In such a case we are required to cease processing your data unless we can demonstrate compelling grounds which override your objection. You also have the right to object at any time to the processing by us of your personal data for direct marketing purposes.
- Rectification. You have the right to request that we rectify any inaccurate personal data that we hold about you.
- Erasure. You have the right to request that we erase any personal data that we hold about you, based on one of a number of grounds, including the withdrawal of your consent (where our processing of that data is undertaken on the basis of your consent), or if you object to our continued processing (as mentioned above). This right does not extend to information which is not personal data.
- Restriction of processing. This enables you to ask us to restrict the processing of your personal data in certain circumstances, for example, if you want us to establish its accuracy or the reason for processing it.
- Portability. You have the right to obtain copies of your personal data to enable you to reuse your personal data across different services and with different companies.
- Change of preferences. You can change your data processing preferences at any time. For example, if you have given your consent to direct marketing, but have changed your mind, you have the ability to opt-out of receiving marketing communications by emailing us at <insert email> or clicking the relevant link in any communication you receive.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
If for any reason you are not happy with the way that we have handled your personal data, you also have the right to make a complaint to the Data Protection Commission.
QUOKKA WELLNESS WEBSITE
Like most websites, we gather statistical and other analytical information collected on an aggregate basis of all visitors to our website. We may collect this technical information from you when you visit our website and accept cookies. This information may include standard information from you (such as browser type and browser language), your Internet Protocol (“IP”) address, and the actions you take on our website (such as the web pages viewed and links clicked). We do note that your IP address is considered personal data under the GDPR.
Any external links to other websites are clearly identifiable as such, and we are not responsible for the content or the privacy policies of these other websites.
Cookies are small text files that are transferred to your computer’s hard drive through your web browser to enable us to recognise your browser and help us to track visitors to our site. Most web browsers automatically accept cookies, but, if you wish, you can set your browser to prevent it from accepting cookies. The “help” portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
We may use your Personal Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising. Where appropriate, you will be asked whether you wish to receive any marketing communications from us.
We will not share your Personal Data with any third party for marketing purposes.
You may object to direct marketing by using the contact details herein to opt-out or make use of the opt-out links on communications.
SALE OF BUSINESS
We reserve the right to transfer information (including your personal data) to a third party in the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets of our company in the following cases:
provided that the third party will only use your Personal Data for the purposes that you provided it to us.
You will be notified in the event of any such transfer and you will be afforded an opportunity to opt-in.
UPDATES TO THIS PRIVACY STATEMENT
We may change this privacy statement; however, the “last updated” date will always be listed at the top of this page. Any changes will be effective immediately.
Creation date: 01 May 2020
Revision Date: 01 May 2021