Privacy Statement

What is the Purpose of this Privacy Statement?  

The National Oil Reserves Agency (“NORA”) respects your right to privacy and is fully committed to keeping your information private. NORA’s Privacy Statement refers to our commitment to compliance with data protection legislation including the Irish Data Protection Acts and the EU General Data Protection Regulation. Any personal data which you volunteer to NORA will be treated with the highest standards of security and confidentiality.


Who does this Privacy Statement refer to?

This policy refers to visitors to the NORA website. Separate privacy statements are available for employees, secondees, contractors, suppliers, Board members and Shareholders and are made available by the DPO to individuals as required.


What data is included?

The NORA website is provided for informational purposes. We do not collect personal information of any kind from our websites except for data that is required to provide our site to you. If we receive personal information from you, we will only use it for the purpose for which it was provided or to communicate with you.


Why we collect your data?

We will only collect personal information from or about you which is necessary to:

  • Provide our website to you

  • Provide you with relevant information you may require relating to NORA

  • Communicate with you, including to respond to information requests / enquiries submitted.


How NORA collects your data?

We collect this data in a transparent way and only with the full knowledge of interested parties. Once this information is available to NORA, the following rules apply. We ensure all personal data is processed subject to sufficient organisational and technical safeguards to protect you.

Our data will be:

  • Accurate and kept up to date

  • Collected fairly and for lawful purposes only

  • Processed by NORA on the basis of either a valid contract, consent, legal compliance or legitimate interest

  • Protected against any unauthorised access or illegal processing by internal or external parties.

Our data will not be:

  • Communicated to any unauthorised internal or external parties

  • Stored for more than a specified amount of time

  • Transferred to organisations, states, or countries outside the European Economic Area without adequate safeguards being put in place as required under Data Protection law.

Where consent is relied upon as a basis for processing of any personal data, you will be presented with an option to agree or disagree with the collection, use or disclosure of personal data. Once consent is obtained, it can be withdrawn at any stage.


What are the 7 principles we comply with?

  • Lawful, Fair and Transparent - Ensuring valid obtaining and processing of personal data

  • Purpose Limitation - Ensuring data is kept for one or more specified, explicit, and lawful purposes

  • Data Accuracy - Ensuring the data processed is accurate, complete and up to date

  • Data Minimisation - Ensuring the data processed is adequate, relevant, and not excessive

  • Storage Limitation - Ensuring personal data is kept for no longer than necessary

  • Integrity and Confidentiality - Ensuring the safety & security of data

  • Accountability - Ensuring correct records are maintained


Who do we share your data with?

Your personal information may also be processed by other organisations on our behalf for the purposes outlined above. We may disclose your information to the following:

  • Other employees, the Data Protection Commission, HR Consultants or Recruitment agencies, IT providers, Government Departments.

Some of these parties may reside outside the European Economic Area (which currently comprises the Member states of the European Union plus Norway, Iceland, and Liechtenstein). If we do this, your information will be treated to the same standards adopted in Ireland. We may also disclose your information for the prevention and detection of crime and to protect the interests of NORA or others, or if required to do so by law or other binding request.


How we protect your data

NORA ensures all personal data is processed subject to sufficient organisational and technical safeguards to protect you. NORA’s commitment to protect your data:

  • Restrict and monitor access to sensitive data

  • Develop transparent data collection procedures

  • Train employees in data protection and security measures

  • Build secure networks to protect online data from cyberattacks

  • Establish clear procedures for reporting privacy breaches or data misuse

  • Include contract clauses or communicate statements on how we handle data

  • Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorisation etc.).


What is the legal basis for holding your data?

We collect your data based on the following legal bases:

  • Consent – where you have explicitly agreed to us processing your information for a specific reason such as explicit consent for us to process any special category of data about you

  • Contract – where you have entered into a service with us and the processing is necessary to perform this service

  • Compliance – the processing is necessary for compliance with a legal obligation we have such as keeping records for revenue or tax purposes or providing information to a public body or law enforcement agency. We may be required to process certain data to carry out our obligations under employment, social security or social protection law; this processing is necessary for the establishment, exercise or defence of legal claims. 

  • Legitimate interest – the processing is necessary for the purposes of a legitimate interest pursued by us to safeguard the safety and security of our employees, property, buildings, information located or stored on the premises, and assets, and those of service providers, consultants, and advisors that assist us in carrying out our functions.

  • To ensure that complaints are managed effectively, to prevent fraud, and to keep you informed about relevant information.


Disciplinary Consequences

All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary proceedings and possibly legal action.

Where the lawful basis for processing your personal data is based on statutory or contractual requirement, we may be unable to obtain services from you without such information.


How long will we hold your personal data?

We will only retain personal data for as long as necessary for the purposes for which it was collected, as required by law or regulatory guidance to which we are subject or to defend any legal actions.


What are your rights?

I.I Right to Erasure

When have I the right to all my personal data being deleted by NORA?

You have the right to have your personal data deleted without undue delay if:

  • The personal data is no longer necessary in relation to the purpose(s) for which it was collected / processed

  • You are withdrawing consent and where there is no other legal ground for the processing

  • You object to the processing and there are no overriding legitimate grounds for the processing

  • The personal data has been unlawfully processed

  • The personal data must be erased so that NORA is in compliance with a legal obligation

  • The personal data has been collected in relation to the offer of information society services with a child.


What happens if NORA has made my personal data public?

If we have made your personal data public, we, taking account of available technology and the cost of implementation, will take all reasonable steps, including technical measures, to inform those who are processing your personal data that you have requested the erasure.

What happens if NORA has disclosed my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them of your request for erasure where possible. We will also confirm to you details of relevant third parties to whom the data has been disclosed where appropriate.


I.II   Right to Data Portability

When can I receive my personal data in machine readable format from NORA?

You will receive your personal data concerning you in a structured, commonly used, and machine-readable format if:

  • processing is based on consent or contract

  • processing is carried out by automated means.


Would NORA transfer the personal data to another service provider if I requested this?

We can transfer this data to another company selected by you on your written instruction where it is technically feasible taking account of the available technology and the feasible cost of transfer proportionate to the service we provide to you.


Under what circumstances can NORA refuse?

You will not be able to obtain, or have transferred in machine-readable format, your personal data if we are processing this data in the public interest or in the exercise of official authority vested in us.


Will NORA provide me with my personal data if the file contains the personal data of others?

We will only provide you with your personal data, ensuring we protect the rights and freedoms of others. Where personal data of another person may be on the same files as yours, we will redact the full details of the other person. Contact us at


I.III  Right for Automated Individual Decision-Making including Profiling

What are my rights in respect of Automated Decision making?

NORA does not have any automated decision-making processes. Where any such processes are introduced, NORA will provide you with the relevant information required under the “General Data Protection Regulation”.


I.IV Right to Object

Have I already been informed about my right to object?

We have informed you of your right to object prior to us collecting any of your personal data as stated in our privacy notice.


When can I object to NORA processing my personal data?

You can object on grounds relating to your situation.

NORA will stop processing your personal data unless:

  • we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights, and freedoms

  • the processing is for the establishment, exercise, or defence of legal claims.


What are my rights to object for direct marketing purposes?

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, we will no longer process this data for such purposes.


What are my rights to object in the use of information society services?

In the context of the use of information society services, you may exercise your right to object by automated means using technical specifications. Contact us at


I.V Right to Restriction of Processing

When can I restrict processing?

You may have processing of your personal data restricted:

  • While we are verifying the accuracy of your personal data which you have contested

  • If you choose restricted processing over erasure where processing is unlawful

  • If we no longer need the personal data for its original purpose but are required to hold the personal data for defence of legal claims

  • Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override.


What if NORA has provided my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them about the restriction on the processing, unless it is impossible or involves disproportionate effort to do so.


How will I know if the restriction is lifted by NORA and/or relevant third parties?

We will inform you on an individual basis when a restriction on processing has been lifted.

Contact us at


I.VI Right of Rectification Policy

What can I do if NORA is holding incorrect personal data about me?

Where you suspect that data we hold about you is inaccurate, we will on demand rectify any inaccuracies without undue delay and provide confirmation of same.

What happens if NORA has disclosed my personal data to third parties?

Where we have disclosed inaccurate personal data to third parties, we will inform them and request confirmation that rectification has occurred. We will also provide you with details of the third parties to whom your personal data has been disclosed.

Contact us at


I.VII Right to withdraw Consent

Under what circumstances could I withdraw consent?

You can withdraw consent if we are processing your personal data based on your consent.

When can I withdraw consent?

You can withdraw consent at any time.


If I withdraw consent what happens to my current data?

Any processing based on your consent will cease upon the withdrawal of that consent.  Your withdrawal will not affect any processing of personal data prior to your withdrawal of consent, or any processing which is not based on your consent.

Contact us at


I.VIII Right to lodge a complaint

Can I lodge a complaint with the Data Protection Commission?

You can lodge a complaint with the Data Protection Commission in respect of any processing by or on behalf of NORA of personal data relating to you.

How do I lodge a complaint?

Making a complaint is simple and free. All you need to do is write to the Data Protection Commission giving details about the matter. You should clearly identify the organisation or individual you are complaining about. You should also outline the steps you have taken to have your concerns dealt with by the organisation, and what response you received from them. Please also provide copies of any letters between you and the organisation, as well as supporting evidence / material.


What happens after I make the complaint?

The Data Protection Commission will then take the matter up with NORA on your behalf.


I.IX    Right of Access Policy

When do I have the right to access my personal data from NORA?

Where NORA processes any personal data relating to you, you have the right to obtain confirmation of same from us, and to have access to your data.

What information will NORA provide to me?

If we are processing your personal data, you are entitled to access a copy of all such personal data processed by us. If requested, we will provide any of the following information:

  • why we are processing your personal data

  • the types of personal data concerned

  • the third parties or categories of third parties to whom the personal data have been or will be disclosed. We will inform you if any of the third parties are outside the European Economic Area (EEA) or international organisations

  • how your personal data is safeguarded where we provide your personal data outside the European Economic Area or to an international organisation

  • the length of time we will hold your data or if not possible, the criteria used to determine that period

your rights to:

  • request any changes to inaccurate personal data held by us

  • have your personal data deleted on all our systems

  • restriction of processing of personal data concerning you

  • to object to such processing

  • data portability

  • your right to lodge a complaint with the Data Protection Commission

  • where we have collected your personal data from a third party, we will provide you with the information as to our source of your personal data


How long will it take to receive my personal data from NORA?

We will provide you with a copy of the personal data we are currently processing within one month of request. In rare situations if we are unable to provide you with the data within one month we will notify you, within 10 days of your request, explaining the reason for the delay and will commit to delivery within a further two months.


How much will it cost me to receive my personal data?

We will not charge for providing your personal data unless we believe the request is excessive and the cost of providing your data is disproportionate to your services provided.


Can I request additional copies of my personal data?

If you require additional copies, we will charge €20 to cover our administrative costs.


Can I receive my personal data electronically?

You can request your personal data by electronic means, and we will provide your personal data in a commonly used electronic form if technically feasible.


What will NORA do if another person’s personal data is shared with my personal data?

We will only provide you with your personal data, ensuring we protect the rights and freedoms of others. Where personal data of another person may be on the same files as yours, we will redact the full details of the other person. Contact us at


NORA will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required considering changes in the law and organisational or security changes.