Ensuring your privacy and protecting your data is key to our business trust. Your data is key to your business – we will protect it like it was our own. We only send information that is relevant to you and your business. We only process the data that is required – no excess.
In most cases CommSec is the Data Controller of personal data processed as described in this Privacy Statement for the purposes of Irish Data Protection legislation and the General Data Protection Regulation in Europe (GDPR).
When providing services as CommSec, we are generally a Data Processor for our clients and a Data Controller for our suppliers and employees.
This Privacy Statement applies to the processing of personal data by CommSec in both its roles under the GDPR. Personal data includes any data about a person that enables them to be identified from that data.
This Privacy Statement describes our approach to privacy. It includes detailed information about the type of personal data that we process and how it is used and managed within CommSec.
In our business dealings and in operating the company we process personal data of clients, their customers, visitors to this website, attendees at events, suppliers, job seekers and our employees.
To provide leading security services to you or process your request, we may share your personal data:
- with our third parties including certain service providers we have retained in connection with the services we provide, such as security specialists, couriers, or other necessary entities;
- with government officials or other official bodies where it is our regulatory obligation to do so, such as the Revenue Commissioners;
- with service providers engaged within or outside of CommSec, e.g. data centre provider, to process personal data for any of the purposes listed above on our behalf and in accordance with our instructions only.
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any regulatory, accounting, or reporting requirements or until the end of the relevant retention period set by our clients.
To determine the appropriate retention period, we act under our clients’ instructions as a Data Processor. Where we are the Data Controller, we consider the potential risk of harm from unauthorised processing or disclosure of the personal data. We also consider the purposes for which it was collected and whether we can achieve the same goal through other means.
Upon expiry of the applicable retention period we will securely return it to our clients if requested, however, normally we destroy your personal data in accordance with applicable laws and regulations.
You have various rights with respect to our use of your personal data:
Access: You have the right to request a copy of the personal data that we hold about you. There are exceptions to this right, so that access may be denied if, for example, making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information. You are entitled to see the personal data held about you. If you wish to do this, please contact us using the contact details provided below.
Accuracy: We aim to keep your personal data accurate, current, and complete. We encourage you to contact us by emailing us at the contact details provided below to let us know if any of your personal data is not accurate or changes, so that we can keep your personal data up-to-date.
Objecting: In certain circumstances, you also have the right to object to our processing of your personal data and to ask us to block, erase and restrict your personal data. If you would like us to stop using your personal data, please contact us by emailing us at the contact details provided below.
Porting: You have the right to request that some of your personal data is provided to you, or to another data controller, in a commonly used, machine-readable format.
Erasure: You have the right to erase your personal data when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data have been unlawfully processed.
Our Approach to Security
As a leading security service provider, we understand the risks associated with the processing of data.
Approach – We endeavour to use appropriate technical and physical security measures to protect your personal data which is transmitted, stored or otherwise processed by us, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access. Our service providers are also selected carefully and required to use appropriate protective measures. When you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your information.
Limitations – As effective as modern security practices are, no physical or electronic security system is entirely secure. No data transmission over the Internet can be guaranteed to be 100% secure or confidential. Although we will do our best to protect your data, we cannot guarantee the security or confidentiality of your data transmitted to our site. Any transmission of data is at your own risk. Once we receive your data, we will use appropriate security measures to seek to prevent unauthorised access. We will continue to revise policies and implement additional security features as new technologies become available. In the unlikely event that there is an interception or unauthorised access to your personal data, we will not be liable or responsible for any resulting misuse of your personal information.
Safeguards – CommSec uses a variety of safeguards, personnel and processes that form defence in depth barriers to protect your data. Some of these safeguards we use are firewalls and information access controls. CommSec continuously evaluates our security posture to further enhance the security and confidentiality of your data. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.