Purpose
The purpose of this data retention policy is to establish clear guidelines for the appropriate storage, retention, and disposal of data, ensuring compliance with legal requirements thus mitigating risks to unauthorized usage of user data.
General
Genealogical records, including family trees and associated data such as names, addresses, dates of birth, marriage dates, etc. are retained indefinitely unless requested otherwise by the customer or if they violate my terms of service.
Cookies and Analytics: I use cookies and analytics tools to improve user experience and service quality.
Data Security: I employ industry-standard security measures to protect user data from unauthorized access, disclosure, alteration, or destruction.
Third-Party Services: Any data shared with third-party services is subject to their respective privacy policies and data retention practices.
User Control: Users have the right to access, modify, or delete their data at any time. Requests for data deletion can be made through my platform.
Legal Obligations: I may retain certain data to comply with legal obligations, resolve disputes, enforce our policies, or for legitimate business purposes.
Updates to Policy: This Data Retention Policy may be updated periodically to reflect changes in legal requirements or our business practices. Users will be notified of any significant changes.
Legal Basis for Collection Personal Data
Under the General Data Protection Regulation (GDPR), the legal basis I rely on for processing personal data is as follows:
- To make an enquiry about my services.
- To fulfil a request(s) in the execution of my services, e.g. a genealogical or DNA project
- Run my business, i.e. produce invoices.
- Contact you about the progress of your project.
Type of Personal Data Collected
I currently collect and process the following information directly through the Contact Form on my website:
- Name and email address, phone number(s) where provided.
- Postal address (if required to send physical items, e.g. printed documents).
I also receive personal information indirectly, from the following sources:
- Online genealogical databases including, but not limited, to ancestry.co.uk, findmypast.ie, irishgenealogy.ie, etc.
- Direct to consumer DNA databases including, but not limited, Ancestry, 23andMe, MyHeritage, FamilyTree DNA, Living DNA and Gedmatch.
- Physical repositories including, but not limited to, the National Archives of Ireland, the National Library of Ireland, county, or church archives.
Third Party Services
Online genealogical databases as mentioned above are considered third party services that I need to access to fulfil my contractual obligations with you, e.g. search for relevant records and/or store personal data on such systems to build a private and unsearchable family tree for example.
Sharing personal data with these third parties entails providing identifiable information to external entities beyond the control of the original data holder. This comes with inherent risks, including potential breaches of privacy and security. I rely on the robust data privacy policies employed by these third parties to mitigate against those risks.
Storing of Personal Data and Data Retention
Your data is stored securely either in password protected electronic sources, e.g. email accounts, or in a non-public access location. User access is limited to me as the Data Controller.
My access to your DNA results on a third-party website, which you have consented to, will be revoked one month after the completion of the project.
Genealogical records and customer contact details are retained indefinitely unless requested otherwise by the customer or if they violate my terms of service. This is because most customers return for further work.
Information about individuals that is used in the creation of the genealogical ‘product,’ e.g. a family tree or a report, may be kept indefinitely as this is my creation and copyright. However, these items will be kept securely, in an electronic format that is password protected.
If you have given your consent that this material can be used for marketing purposes, I will change names and dates, etc. to ensure a appropriate anonymity.
Where agreed and/or requested, I will securely remove and delete any personal data in a secure manner in compliance with the GDPR.
Data Protection Rights
The below rights as set out by the Data Protection Regulation (GDPR) empower individuals to have control over their personal data and ensure that their privacy is protected:
- Right to Access – Individuals have the right to obtain confirmation from me, the Data Controller, as to whether personal data concerning you is being processed, and if so, access to that data.
- Right to Rectification – You can request the rectification of inaccurate personal data concerning you and have incomplete personal data completed.
- Right to Erasure (Right to be Forgotten): You have the right to request the erasure of your personal data when certain conditions are met, such as when the data is no longer necessary for the purpose for which it was collected.
- Right to Restriction of Processing: You can request the restriction of processing of your personal data under certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful.
- Right to Data Portability: You have the right to receive the personal data concerning yourself, which you have provided to me as the Data Controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another data controller without hindrance.
- Right to Object: You can object to the processing of your personal data in certain situations, such as for direct marketing purposes or where the processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
- Rights Related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject.
You are not required to pay any charge for exercising your rights. If you make a request, I have one month to respond to you.
Please contact me at info@cbgenealogy.ie for further information.
How to Complain
You can make a complaint directly to me at info@cbgenealogy.ie, which will be responded to within ten working days.
Additionally, if you have any concerns regarding your personal data, you can also complain directly to the Data Protection Commissioner at the following address:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Republic of Ireland