Privacy Notice
Updated on 29 April 2024
First Due Diligence
First Due Diligence Limited provide an online software service to manage identity based due diligence processes including AML management services for Customers. We are committed to protecting the privacy of personal data that we process and this statement summarises our approach. While providing personal data to us in the course of business with us or using our website, we will manage your data in accordance with European and national law.
This is a summary document to provide a clear indication of our processing activities and to inform you of your rights. For more detailed information relating to our data protection arrangements please contact our Data Protection Representative at privacy@firstdd.com.
1. THE PERSONAL DATA THAT WE PROCESS AND WHY
Type of personal data processed; Identity based due diligence information uploaded to the system in the course of a Customers or Users use of the System.
We are a Processor of Personal data that we process on behalf of our customers. This includes personal data entered onto a customer account on the first System in the course of a customer’s use of the system.
Legal basis for processing;
– Subject to a contract with our the Controller to process data
– Our legitimate interest*
Type of personal data processed; Persons name, address, electronic contact details, unique subject identities generated by us to identify Subjects, and other data necessary to manage a relationship.
We are a controller of personal data obtained to manage our relationship with Customers, Users, suppliers and others that use or are engaged to deliver the Services.
Legal basis for processing; We process on one or more of the following basis;
– Performance of a contract with the engaging party
– Consent of a Subject
– A legal obligation
– Our legitimate interest*
Type of personal data processed;
Name, address, electronic contact details, employment details and other information necessary for employment or fulfilling a person’s role.
We are a controller of;
Personal data obtained in the course of employment or otherwise for company staff.
We process on one or more of the following basis;
– Performance of a contract with the Subject
– Consent of a Subject
– A legal obligation
– The vital interest of the Subject
– Our legitimate interest*
The type of data processed; Data provided by Customer in the course of delivery of the Service. This may include system content including End Client data.
Legal basis for processing; We process this data as a Processor on behalf of Customer.
* Our legitimate interest is to provide an online software service to enable or manage identity based due diligence monitoring and related processes for Customers, and to provide Subjects with access to their personal data to exercise their rights.
2. WHERE YOU ARE AN END CLIENT OF OUR CUSTOMER - WE ARE A DATA PROCESSOR
We provide an online due diligence service to our Customers. If you are a Subject of personal data processed on our systems on behalf of our Customers, our Customer is the Controller of your data and we process under their instruction.
Our Customer is the Data Controller and determines the purpose and means of processing. This means that they control why, what and how your data is collected, retained, shared or otherwise used. The Controller is responsible for ensuring the lawful processing of your data, and informing you of such processing and of your rights.
If you would like to know more about your personal data or how to exercise your rights relating to data that is processed on our due diligence services you will need to contract the Controller.
You may see a list of your rights below.
3. WHERE WE ARE A CONTROLLER
The following information relates to personal data for which we are a Controller
a. Transferring your data to a third party
There are many activities of the business that require your data to be transferred to a third party. They may include the following categories of recipients; Revenue, a state regulator or individuals appointed to maintain regulatory compliance, auditors, advisors, Insurance providers, professional advisors, the collection or transfer of debt, IT and support providers, and electronic payment organisations.
Personal data shall only be transferred for specific purposes that are in the legitimate interest of the business, are subject to a contract with you, are in your vital interest, or are required by law. We may also transfer personal data upon your request or with your consent.
b. Where you have provided consent
Where we are processing data based on your consent you may withdraw that consent at any time.
c. International transfer
We do not transfer personal data to any recipients outside of the EEA European Economic Area unless such transfer is upon a Subject’s request, the Subject is party to an agreement that requires the transfer of data outside of the EEA, or in the course of debt recovery.
Where customers, their undertakings, or their representatives are outside of the EEA we may transfer data for the purpose of operation of the relationship with such persons, or as obliged to do so by applicable law.
Where we are a Processor of personal data, the Controller is responsible for the purpose and means of transfer, including any international transfer.
d. Information relating to children and vulnerable persons
The processing of personal data relating to minors receives special attention under Data Protection Regulation and we shall treat this information with particular care. Children are defined as under 16’s in Ireland. Information obtained about children shall comply with the requirement for parental consent and shall receive additional consideration while planning an operational process.
e. Special (Sensitive) data
We recognises special categories of data, specifically personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic or biometric data, or a subject’s health or sexual life. The processing of these categories of information shall typically require consent. Relevant health details may be required for the purpose of employment or insurance.
f. Your rights
In addition to the right to be informed about the processing of personal data Controlled by us, subjects also have the right to:
1. Information on whether we have Personal Data relating to a subject, the categories of data and the purpose of processing.
2. Access your personal data. Where the format is not reasonably understood, this shall be delivered in an intelligible format.
3.Have inaccurate, incomplete or out-of-date personal data that we hold about you corrected or deleted.
4. Withdraw consent for your personal data to be processes – where it was obtained from you on the basis of consent.
5. Be informed if a failure to provide personal data will have any direct and material personal consequences.
6. Make a submission on any automated decisions making processes or profiling of you.
7. Transfer your data to another controller.
8. Have your personal data excluded from certain categories of processing.
9. Lodge a complaint with the Data Protection Commissioner. Contact details for the DPC can be found at www.dataprotection.ie.
Please note;
– There are some limitations to these rights.
– You can contact us to exercise these rights in branch or by e-mail on dataprotection@firstdd.com.
– We will require proof of your identity prior to discussing or providing access to your personal data.
g. Data Retention
We retain personal data that you submit to us only for as long as is necessary for the purposes for which it was obtained, or as required by law. We reserves the right to delete personal data prior to the conclusion of the retention period.
Storage of personal data
| Purpose of processing | Duration | Criteria for the storage of personal data |
|---|---|---|
| Processing on behalf of Controllers | – | Managed by the Controller |
Customer representative details for | 6 years | From the completion or termination of the provision of service to Customer, or as otherwise required for legal or accounting purposes |
| Direct marketing data | 1 year | From the last communication |
| CCTV | 1 month | From recording. Up to 6 years in the event of an incident where a material risk of a liability exists |
| Incidents or complaint reports | permament | |
| Supplier representative details for the purpose of administration of the service | 6 years | From the completion or termination of the agreement to supply, or as otherwise required for legal of accounting purposes. |
| Documentation relating to revenue | – | Stored as mandated by law plus 12 months |
Nothing in this section creates an obligation upon us to retain personal data on behalf of a Subject.
4 CONSIDERING YOUR RIGHTS
This notice is designed to provide you with concise information relating to the processing of personal data and your rights. We may update this summary Notice from time to time and will record the effective date of the most recent update at the top of the published Notice.
Please contact your Data Controller for more detail or if you would like to further understand your rights and entitlements.
5 MAKING A COMMENT OR COMPLAINT
We are actively interested in getting feedback from you to understand if there are any elements of our processes that may give rise to a legitimate concern to data Subjects. If you would like to raise a concern, or make a complaint;
If you would like to make a complaint to the Data Protection Commission you may lodge it at
https://www.dataprotection.ie/en/individuals/raising-concern-commission.
6 WEBSITE USAGE & COOKIES
Please see our Website Terms of Use and Cookies Notice for more information relating to your usage of our website.
7 TRACKING
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
