Data Privacy Notice

Introduction

This privacy notice describes how GSJ Maintenance Ltd (hereinafter referred to as ‘GSJ’, ‘the Company’ or collectively as ‘we’, ‘us’ or ‘our’) collects and processes Personal Data in the course of our business.   GSJ Maintenance Ltd is an Irish registered company formed in 2013 by three Shareholders – Globalvia Inversiones Ireland, Sacyr Ireland and Jons Civil Engineering Ltd to fulfil the MMaRC Network A (“the Network”) Contract for the TII.  We are committed to lawfully and fairly processing the personal data of data subjects as set out in this document in accordance with applicable data protection laws.

 

Definitions

‘Personal Data’ means any information relating to an identified or identifiable person (‘Data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Special Categories of Data’ include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

 

Scope

This policy applies when GSJ collects any Personal Data relating to employees and stakeholders of the Company, members of the Board of Directors, all contractors, suppliers or any parties working on behalf of GSJ Maintenance Ltd and any third parties or members of the public who visit our website or correspond with us, where their details are legitimately obtained in the course of the Company’s everyday operations.

 

Purpose

This data privacy notice ensures GSJ Maintenance Ltd:

  • Complies with data protection law and follows best practice
  • Protects the rights of staff and all living persons whose data is processed
  • Is open and transparent about how personal data is processed and retained

 

Personal Data We May Collect

The following list is non-exhaustive of categories and types of data GSJ may collect:

Employment Information:

Information such as name, address, date of birth, gender, driving licence details, salary and bank account details, location information, work attendance records,  taxation details, PPSN number, educational or previous employment background, original employment applications, references and interview records, pre-employment medical screening, recorded health and safety incidents, details of approved absences (parental leave, study leave etc), details of sick leave, minutes of confidential meetings with the HR department, medical reviews, EAP (Employee Assistance Programme) recommendations and related HR support records, records of in-service courses attended; performance reviews; details of grievances brought to GSJ’s attention for procedural action or review; records of investigations and disciplinary meetings, work related photographic or filmed images of staff which may be used for industry specific media or for GSJ presentations or reports (e.g. weather events). Some employment information is mandatory in order to successfully complete setting up an employee (for example, PPSN for payroll) and any objection to supplying this information could result in the offer of employment being withdrawn.

Claims Information:

Any information provided by the claimant throughout the claims process including, for example, name, address, occupation, medical information and details of legal representatives acting on a claimant’s behalf, information obtained from the Incident Support Unit including emergency services personnel and third parties on scene, vehicle registration, insurance details, recovery company information and photographic evidence.

Third Party Information:

Personal Data supplied or referred by third parties including but not limited to MTCC, M50 Concession Ltd or Local Authorities in the pursuit of information or complaint resolution such as name, address, email address, phone number. Personal Data disclosed by CV referees, information obtained from sources such as LinkedIn and employment agency sites, information supplied by other companies on credit rating reference forms; information supplied by Debtors, Creditors and sub-contractors including contract and insurance details, payment arrangements and staff details provided directly for job-specific site inductions such as Safe Pass records, names and dates of birth.  The website for GSJ Maintenance Ltd uses cookies and the Cookies Policy is linked to the home page.

Special Categories of Data:

Sensitive data such as private medical information not related to work performance or absenteeism, trade union membership or family status, for example, is not normally sought by GSJ Maintenance Ltd. Details of any offence committed or alleged to have been committed, any proceedings for an offence or garda vetting may be required to be processed in accordance with employment law.

CCTV:

The camera systems installed in GSJ’s head office and two operating facilities are positioned mainly at the exterior of buildings and the perimeter walls or fencing.  Interior cameras are in use at an entrance and canteen of the company.  A vehicle camera system is installed on the Company’s crash cushion vehicle used during site maintenance works.  GSJ use CCTV solely for the purpose of ensuring the health, safety and security of staff and third parties and to safeguard property and equipment.  The cameras may record images of staff, contractors and third parties who visit GSJ’s premises or who are on site during works.  Recording equipment is isolated to secure locations and access to live view is strictly restricted to authorised personnel i.e. security gate operators and recordings may only be accessed by the Manager of each facility or the Landlord of any facility where the control room is managed by them.

Footage is retained for a period of time, up to 31 days, after which it is automatically erased except if required for the investigation of any incident. The length of time that recordings are stored varies depending on the capacity, picture quality and the number of cameras connected to the particular system.

Company Information:

Names, addresses and contact details of each member of the Board of Directors, committees and Stakeholders, records in relation to their appointments, Minutes of Meetings, records of travel expenses paid, PPS Numbers, tax or bank details.

 

How We Collect Personal Data

Personal data you give to us:

GSJ collects data primarily by retaining relevant data supplied by individuals directly in, for example, pursuit of employment (such as name, contact information, identification number, online identification or photographic I.D. or any demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details, hobbies, family information) or works contracts including details of sub-contractor staff inductions (including photographic I.D. verifications).  Contact information is also collected from direct enquiries to GSJ’s company email addresses and financial information provided by service providers set up as sole traders or partnerships; Personal data of individuals within suppliers’ organisations who facilitate the delivery of services to GSJ are also collected.

Personal data received from other sources:

Contact details are supplied by MTCC, Local Authorities s or M50 Concession Ltd in the context of providing responses to enquiries or complaints received from members of the public pertaining to the Network Area A of the MMaRC Contract; Personal Data may also be received from CV referees; by perusal of LinkedIn or other employment agency sites. Personal data may also be gathered as evidence for disciplinary action or termination.

 

Legal Bases for Processing Personal Data

GSJ must have a legal basis for processing your Personal Data. In most cases the legal basis will be one of the following:

  • For retaining accurate employee records in compliance with Employment Law;
  • To process payments;
  • For GSJ’s legitimate interests  such as the protection of property, staff, the IT network and facilities and for the efficient management of the Company’s business and reporting obligatons (where these are documented to not affect the rights and freedoms of data subjects in any significant way) and the legitimate interests of GSJ’s client;
  • To comply with legal obligations such as due diligence and reporting obligations;

Special Categories of Personal Data may be processed:

  • on the basis of consent where explicit consent is required by law. Data subjects may withdraw consent at any time by contacting us using the details provided at the end of this privacy notice;
  • where legislation permits us to process such data (for example, when processing is necessary for insurance purposes); or
  • to establish, exercise or defend legal claims

 

How We May Use Your Personal Data

  • To investigate enquiries on your behalf;
  • To process insurance claims for damage on the Network;
  • To verify the credentials and identification of sub-contractor staff inducted for job-specific works;
  • To ensure staff training certification is up to date as required by law;
  • To perform administrative activities in connection with our services;
  • To ensure the security of data held by the company and for fraud monitoring and prevention;
  • To carry out location checks during weather events;
  • To carry out background checks and conduct due diligence;
  • To comply with legal and professional obligations and to cooperate with regulatory bodies;
  • To exercise, defend or protect GSJ’s legal rights or the rights of our client or third parties;
  • To record a data subject’s site visit for safety requirements;
  • To facilitate payroll, BIK, fuel cards, insurance, pensions and any other employment benefits or other requirements as set out in contracts of employment;
  • For vital interests where the processing is necessary to protect the interests of the data subject or another natural person;

 

Disclosure of Your Personal Data

Where appropriate and in accordance with GDPR and applicable Data Protection Laws, GSJ may share Personal Data with third parties under the following circumstances:

  • With any of our Trusted Service Providers for the uses and purposes set out above;
  • To our client, intermediaries, advisors or stakeholders for the purpose of fulfilling our contractual and reporting obligations and efficiently delivering our services;
  • To trusted third party service providers who perform functions on our behalf such as lawyers, technical support and IT consultants carrying out testing and development work on our business technology system;
  • To third party service providers such as entities providing email delivery, auditing or other services;
  • In the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business;
  • To taxation or other authorities when the law or other regulation requires us to share your data;
  • If we are obliged to disclose your Personal Data under applicable law or regulation; and
  • In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies* without the consent of the data subject. Under these circumstances, GSJ Maintenance Ltd will disclose the data requested. However, we will ensure the request is legitimate, seeking assistance from the company’s legal advisors where necessary.

[*NOTE: GSJ does not process personal data relating to criminal convictions and offences or related security measures unless under the control of official authority or where processing is authorised by Union or Member State law.]

 

Security and Retention

GSJ Maintenance Ltd maintains appropriate technical and organisational security measures to protect the security of your data against loss, misuse, unauthorised access, disclosure or alteration. These measures are aimed at ensuring the ongoing integrity, confidentiality, availability and resilience of Personal Data.  We evaluate these measures regularly to ensure the security of the processing activities.

Personal Data is retained for no longer than is necessary for the purpose for which it was obtained by us, or as required contractually or permitted for legal, regulatory, fraud prevention and legitimate business purposes including, if relevant, to deal with any claim or dispute that might arise in connection with the provision of our services. GSJ has a standard retention policy framework in this regard.  We may retain aggregated or anonymised data (which is not treated as Personal Data under this privacy notice) for longer.

 

Choices and Access

You have the right to request the following:- to access, review, correct, update, suppress, object to or request deletion or restrict the processing of your Personal Data. If you require any information regarding retention periods, you may contact us at the email or postal address provided in the Enquiries and Contact Information section below.

For your protection, we may need to verify your identity before facilitating your request.   We will respond to your request within one month to either confirm that your request is in place or to offer a legitimate reason why your request cannot be processed at that time.  We are committed to working with you to obtain a fair resolution of any concern or complaint about your privacy.  If, however, you believe that we have not been able to assist with your enquiry satisfactorily, you have the right to make a complaint to the Data Protection Commission at info@dataprotection.ie and www.dataprotection.ie

 

Data Destruction

While GSJ endeavours to permanently erase personal data once it reaches the end of its retention period or where we receive a valid request to do so, some data may still exist within our systems, for example if it is waiting to be overwritten or anonymised. In such instances this data has been put beyond use – meaning that, while it still exists on the archive system, it cannot be readily accessed by any of our operational systems, processes or staff.

 

Cross Border Transfer

GSJ Maintenance Ltd does not normally transfer any Personal Data to any country that is not regarded as ensuring an adequate level of protection for Personal Data under European Union law. Should any such transfer be required, GSJ will take steps to ensure that it is managed carefully in accordance with applicable data protection law.

 

Changes to our Privacy Policy

We reserve the right to modify this privacy policy at any time and we will provide the most up to date version on our website www.gsj.ie . If you would like to be included on a mailing list to receive revised versions, please contact us.

 

Enquiries and Contact Information

If you have any questions or comments regarding this privacy notice please contact our GDPR Compliance Representative, GSJ Maintenance Ltd, Luttrellstown Road, Diswellstown, Castleknock, Dublin 15 or by email at info@gsj.ie.

 

 

If you wish to contact the office of the Data Protection Commission,  you may do so in the following ways:

 

  • Phone: (+353) 57 8684800
  • Lo Call Number: 1890 252 231
  • Fax: (+353) 57 868 4757
  • Email: info@dataprotection.ie
  • Post: 21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland