Ennovy Solutions Data Protection Policy

Our commitment

The General Data Protection Regulation and Data Protection Acts apply to the processing of personal data. This organisation is committed to complying with its legal obligations in this regard. The organisation collects and processes personal data relating to employees and the clients we represent in the course of business in a variety of circumstances, e.g., recruitment, training, payment, performance reviews, and to protect the legitimate interests of the organisation.


This policy covers any employee or client about whom this organisation processes data. This may include current and former employees and clients. Processing of data includes: collecting; recording; storing; altering; disclosing; destroying; and blocking.


Personal data kept by this organisation shall normally be stored on the employee’s personnel file and the client’s on our electronic database. Highly sensitive data, such as medical information, will be stored in a separate file, in order to ensure the highest levels of confidentiality. The organisation will ensure that only authorised personnel have access to an employee’s personnel file.


The organisation has appropriate security measures in place to protect against unauthorised access. These security measures include an encrypted database and encrypted computer access.

Collection and storage of data

This organisation processes certain data relevant to the conducting of business in compliance with relevant legal obligations and, where necessary, to ensure protection of its legitimate business interests and the rights and entitlements of clients. We ensure that personal data is processed in accordance with the principles of data protection, as described in the GDPR and Data Protection Acts.


Personal data is normally obtained directly from the employees and clients concerned. In certain circumstances, it will, however, be necessary to obtain data from third parties, e.g., references from previous employers.



Personal data collected by the organisation is used for ordinary management purposes. Where there is a need to collect data for another purpose, the organisation shall inform the relevant party of this. In cases where it is appropriate to get consent to such processing, the organisation will do so.


Employees and clients are responsible for ensuring that they inform the company of any changes in their personal details, e.g. change of address. We endeavour to ensure personal data held by the organisation is up to date and accurate.

Retention of data

The organisation is under a legal obligation to keep certain data for a specified period of time. In addition, the organisation will need to keep personal data for a period of time in order to protect its legitimate interests. This period of time will be agreed with employees and clients alike.

Security and disclosure of data

The organisation will take all reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and manual data. Security measures will be reviewed from time to time, having regard to the technology available, the cost and the risk of unauthorised access. Employees must implement all organisational security policies and procedures, e.g. use of computer passwords, locking the office etc.


HR files are normally stored by the Managing Director and employees who have access to these files must ensure that they treat them confidentially.


All employees will have access to personal data relating to clients and other third parties. Employees must play their part in ensuring its confidentiality. They must adhere to the following data protection principles:


• Process data fairly, lawfully and transparently

• Keep data only for specified, explicit and legitimate purpose(s)

• Process data only in ways which are compatible with the purpose(s) for which it was given

• Ensure data is accurate and up to date

• Ensure data is adequate, relevant and limited to what is necessary for the purpose for which it was given

• Keep data safely and securely

• Retain personal data for no longer than is necessary for the purpose for which it is processed and in line with the company’s data retention policy



Employees must not disclose personal data, except where necessary in the course of their employment, or in accordance with law. They must not remove or destroy personal data except for lawful reasons and with the permission of the organisation. Employees may only disclose client personal data with the permission of that client.

Any breach of the data protection principles is a serious matter and may lead to disciplinary action up to and including dismissal. If employees are in any doubt regarding their obligations, they should contact the Managing Director.

E-mail monitoring

The organisation provides e-mail facilities and access to the internet. In order to protect against the dangers associated with e-mail and internet use, screening software is in place to monitor e-mail and web usage. Mailboxes are only opened:



• upon specific authorisation by a manager in cases where the screening software or a complaint indicates that a particular mailbox may contain material that is dangerous or offensive;

• where there is a legitimate work reason or in the legitimate interest of the organisation.

Data Protection Officer

Edward Kelly is the data protection officer for this organisation. He is responsible for assisting the organisation in monitoring and maintaining compliance with data protection legislation. All employees must co-operate with the data protection officer when carrying out their duties.

The data protection officer is also available to answer queries or deal with employees’ concerns about data protection.

Access requests

Employees and candidates are entitled to request data held about them on computer or in relevant filing sets. The organisation will, in most circumstances, provide this data within one month. In some cases, due to the complexity of the request or the number of requests being handled by the organisation, the organisation may require a further two months to provide this data. There is no charge for requesting this data.


An employee or client should make a request in writing to the data protection officer, stating the exact data required. Employees and clients are only entitled to access data about themselves and will not be provided with data relating to other employees or clients or third parties. It may be possible to block out data relating to a third party or conceal his or her identity, and if this is possible the organisation may do so.


Data that is classified as the opinion of another person will be provided unless it was given on the understanding that it will be treated confidentially. Employees who express opinions about clients in the course of their employment should bear in mind that their opinion may be disclosed in an access request.


In some circumstances where relevant exemptions apply, certain personal data may not be provided to an employee or client. An employee or client will be informed where personal data is not being disclosed on the basis of such an exemption.



An employee or client who is dissatisfied with the outcome of an access request has the option of using the organisation’s grievance procedure. He/she may also refer a complaint to the Data Protection Commissioner.

Right to object

Employees and clients have the right to object to data processing that is causing them distress and/or correct personal data which is inaccurate. Where such objection is justified, the organisation will cease processing the data unless it has a legitimate interest that prevents this.


The organisation will make every effort to alleviate the distress caused to the individual.



An objection should be made in writing to the data protection officer, outlining the data in question and the harm being caused to the employee

Review

This policy will be reviewed from time to time to take into account changes in the law and the experience of the policy in practice.
