Privacy Policy

Who We Are

Our website address is: https://ieo.ie.

We are committed to protecting your privacy and handling your personal data in accordance with the highest standards of data protection, including full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Irish Data Protection Act 2018. As the data controller, we determine the purposes and means of processing your personal data. Our Data Protection Officer (DPO) can be contacted at [[email protected]].

We process personal data on the following legal bases under GDPR Article 6:

  • Consent: Where you explicitly opt in (e.g., for cookies or newsletter subscriptions).
  • Contract: To fulfill any services or agreements.
  • Legal obligation: To comply with applicable laws.
  • Legitimate interests: For site functionality, spam prevention, and security, balanced against your rights (e.g., we conduct a Legitimate Interests Assessment to ensure necessity and proportionality).

We minimize data collection to what is strictly necessary, ensure accuracy through regular reviews, and maintain robust security measures including encryption, access controls, and regular audits to protect against unauthorized access, loss, or breach. In the event of a data breach, we will notify affected individuals and the Data Protection Commission (DPC) within 72 hours as required by GDPR Article 33.

Comments

When visitors leave comments on the site, we collect the data shown in the comments form (e.g., name, email address, and comment content), as well as the visitor’s IP address and browser user agent string. This processing is based on our legitimate interest in facilitating user engagement and preventing spam (GDPR Article 6(1)(f)), with privacy impact assessments conducted to safeguard your rights.

An anonymized string created from your email address (a hash) may be provided to the Gravatar service to check if you are using it for profile pictures. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. We rely on Gravatar as a processor under a data processing agreement (DPA) that ensures GDPR-compliant safeguards. After approval of your comment, your profile picture is visible to the public in the context of your comment.

You have the right to object to this processing at any time (GDPR Article 21), and we will cease unless we demonstrate compelling legitimate grounds overriding your interests.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included, as this could reveal sensitive personal information. Visitors to the website can download and extract any location data from images. We process uploaded media based on your consent (GDPR Article 6(1)(a)) or legitimate interest in site functionality, and we pseudonymize or delete unnecessary metadata to minimize risks. You can request erasure of your uploaded media at any time.

Cookies

We use cookies to enhance your experience, but we prioritize transparency and user control in line with the ePrivacy Directive and GDPR. Our Cookie Policy (accessible via the site footer) details all cookies used, categorized as:

  • Strictly necessary: Essential for site operation (no consent required).
  • Functional/Preferences: For user convenience (e.g., saving comment details).
  • Analytics/Performance: For site improvement (consent-based).
  • Marketing/Targeting: For personalized content (opt-in only).

If you leave a comment on our site, you may opt in to saving your name, email address, and website in cookies. These are for your convenience so you do not have to fill in your details again when leaving another comment. These cookies will last for one year and can be withdrawn via cookie settings.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

You can manage cookie preferences through our consent management platform at any time, and we honor Do Not Track (DNT) signals. Cookies from third parties (e.g., analytics tools) are governed by their respective DPAs.

Embedded Content from Other Websites

Articles on this site may include embedded content (e.g., videos, images, articles) from third-party sites such as YouTube or Vimeo. This embedded content behaves as if you visited the other website directly, potentially collecting data about you, using cookies, embedding additional third-party tracking, and monitoring your interactions—including if you are logged in to that website.

We disclose all third-party processors in our register of processing activities and ensure they are GDPR-compliant via DPAs, including Standard Contractual Clauses (SCCs) for any non-EU transfers (GDPR Chapter V). You can object to embedded content loading to prevent data sharing.

Who We Share Your Data With

We do not sell your data. Sharing is limited to necessary processors or recipients under strict DPAs, including:

  • Service providers for spam detection (e.g., Akismet), hosting (e.g., WordPress.com), and analytics (e.g., Google Analytics, with anonymized IP addresses).
  • Legal authorities if required by law (e.g., for fraud prevention).

If you request a password reset, your IP address will be included in the reset email sent via our email service provider, which operates under a DPA. No data is shared for marketing without explicit consent.

For international transfers (e.g., to US-based providers), we use adequacy decisions, SCCs, or Binding Corporate Rules to ensure equivalent protection levels.

How Long We Retain Your Data

We adhere to GDPR storage limitation (Article 5(1)(e)), retaining data only as long as necessary for the purposes outlined, with regular reviews and anonymization where possible.

  • Comments and metadata are retained indefinitely to recognize and approve follow-up comments automatically, avoiding moderation queues. You can request erasure.
  • For registered users, personal information in profiles is stored until account deletion, but username changes are restricted for security.
  • Cookies expire as stated above.
  • Logs (e.g., IP addresses) are retained for 30 days for security audits, then deleted.

We securely delete or anonymize data at the end of retention periods, and backups are encrypted.

What Rights You Have Over Your Data

Under GDPR Chapter III, you have comprehensive rights over your personal data. If you have an account or have left comments, you can:

  • Access (Article 15): Request confirmation of processing and a copy of your data.
  • Rectification (Article 16): Correct inaccurate data.
  • Erasure (“right to be forgotten”) (Article 17): Request deletion, except for legal obligations (e.g., tax records retained 7 years).
  • Restriction (Article 18): Limit processing during disputes.
  • Portability (Article 20): Receive your data in a structured, machine-readable format (e.g., JSON/CSV export).
  • Object (Article 21): To processing based on legitimate interests or for direct marketing.
  • Withdraw consent (Article 7): At any time, without affecting prior processing.

To exercise these rights, contact us at [insert email, e.g., [email protected]]. We respond within one month (extendable to three for complex cases) and provide these services free of charge unless requests are manifestly unfounded or excessive. All users can view, edit, or delete their personal information via the dashboard (except username).

Website administrators can access user data for operational purposes but are bound by confidentiality.

Where Your Data Is Sent

Visitor comments may be checked through an automated spam detection service (e.g., Akismet, hosted in the US under DPA and SCCs). We ensure all processors maintain GDPR-equivalent standards, with no transfers to high-risk countries without safeguards.

Security and Accountability

We implement technical and organizational measures (GDPR Article 32), including pseudonymization, regular testing, and staff training. Our privacy practices are documented in Records of Processing Activities (Article 30), available upon request.

Children’s Privacy

Our site is not directed at children under 18. We do not knowingly collect data from children without verifiable parental consent (GDPR Article 8). If we become aware of such data, we delete it promptly.

Changes to This Policy

We may update this policy to reflect legal changes or operational needs. We will notify you via email or site notice for material changes and obtain renewed consent where required. Last updated: [insert date].

Contact Us

For questions, rights requests, or complaints, email [[email protected]] or write to our DPO. If unsatisfied, you may complain to the Data Protection Commission (DPC) at [www.dataprotection.ie] or 1800 123 345.

This policy ensures transparency, fairness, and accountability in our data handling. Thank you for trusting us with your information.