1. Introduction
1.1. Purpose of this privacy policy
In its everyday business operations, Colas Ireland processes personal data. In doing so, we make sure to comply with the applicable legislation – the European Union General Data Protection Regulation (“GDPR”) and Irish laws and guidance on data protection.
Therefore, this privacy policy aims at informing you as to how we look after your privacy when we process your personal information.
Please refer to the glossary below to understand the meaning of some of the terms used in this privacy policy.
This policy is intended for external individuals (users of Colas Ireland’s website, and individuals involved in or part of contractual or pre-contractual business relationships with Colas, e.g. prospective or current customers, sub-contractors) who are neither employees nor applicants for a position within Colas Ireland. This website is not intended for children, and we do not knowingly collect data relating to children.
1.2. About Us
In this policy, “Colas Ireland” refers to Colas Bitumen Emulsions entities (West, East, South), Colas Contracting Limited, Chemoran Limited, Atlantic Bitumen Company Limited, SIACBP, VIAE and I.C.B Emulsions Ltd.
Throughout this policy, “we,” “us” and “our” refer to Colas Ireland.
Colas Ireland is the controller for the personal data we process about you, unless otherwise stated. In this respect, Colas Ireland takes all necessary measures to protect your personal data in accordance with the applicable legislation.
1.3. Contact Us
To take all appropriate safeguards to protect your personal information, we have appointed a Chief Privacy Officer (“CPO”). If you have any questions about this policy or a request to exercise your rights, please contact our CPO using one of the channels set out below:
Email Address: data.protection@colas.ie
Postal Address: Unit G1, Maynooth Business Campus, Maynooth, County Kildare, Ireland.
However, if you remain dissatisfied with our response, you can make a complaint about the way we process your personal data to the Data Protection Commission (“DPC”: https://www.dataprotection.ie/). We would however appreciate the chance to deal with your concerns before you approach the DPC.
1.4. Third parties’ websites
This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
1.5. Definitions
In this policy, the
“Data” means “personal data,” as defined below;
“Controller” means Colas Ireland, deciding how and why personal data is processed;
“Customers” refers to any individual who has purchased in the past, currently purchases or may in the future purchase goods or services from Colas Ireland on her/his own behalf or on behalf of a company;
“Personal data” is defined as any information that can be used to identify or contact a single person (“data subject”), such as a name, an identification number, location data, an online identifier. It does not include data where the identity has been removed (anonymous data);
“Processing activities” means any operation or set of operations which is performed on personal data whether or not by automated means, such as collection, recording, consultation, use.
2. The data we collect about you
We may process (e.g. collect, store, transfer) the following categories of personal data about you:
Identity Data, such as first name, last name, username or similar identifier, title, and gender; pictures and videos;
Contact Data, such as billing address, delivery address, email address and telephone numbers;
Financial Data, such as bank account and payment card details;
Transaction Data, such as details about payments to and from you and other details of products and services you have purchased from us;
Profile Data, such as your purchases or orders made by you, your interests, feedback and survey responses;
Marketing and Communications Data, such as your preferences in receiving marketing from us and our third parties and your communication preferences;
Technical Data, such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. Technical data also includes cookies (please see our Cookie Policy).
3. How is your personal data collected?
Most of the aforementioned personal information we process is provided to us directly by you in either of the following situations:
Direct interactions: You may provide us with personal data when you:
- request information from us;
- represent your organisation;
- wish to enter, or have entered, into a commercial relationship with us on behalf of your organisation. During pre-contractual negotiations and during the signature and execution of a contract, we may collect personal data about you;
- wish to attend, or have attended, an event organised by us;
- make a complaint to us; or
- give us feedback or contact us.
Indirectly by automated technologies: When you visit our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. Please see our Cookie Policy for further details.
Moreover, our closed-circuit televisions (“CCTV”) in our various premises also collect pictures and videos of you when you come to one of our locations. Please see our CCTV Policy for further details.
Indirectly through third-parties or publicly available sources: We may receive personal data about you from the following parties:
- Analytics providers, such as Google Analytics;
- Search information providers, such as the Companies Registration Office, based inside the EU.
4. What do we use your personal data for?
The table below sets out a description of all the purposes we process your personal data for, and the legal bases we rely on to do so. Colas Ireland only processes the personal data that is relevant and necessary to fulfil the purposes described below.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using it. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
PURPOSE OF THE PROCESSING ACTIVITY | TYPE OF PERSONAL DATA THAT WE CAN PROCESS | LAWFUL BASIS FOR THE PROCESSING ACTIVITIES |
To manage our business relationships (negotiation, pre-contractual relationship, conclusion and execution of contracts) 1, including notably: (a) Notifying you about changes to our terms or privacy policy; (b) Manage payments, fees and charges; (d) Asking you to leave a review or take a survey. | – Identity – Contact – Profile – Marketing and Communications – Financial – Transaction | (i) Performance of a contract with you; (ii) Necessary to comply with legal obligations; (iii) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services; to recover debts due to us, etc). |
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | – Identity – Contact – Technical | (i) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (ii) Necessary to comply with legal obligation. |
To use data analytics to improve our website, products/ services, marketing, customer relationships and experiences | – Technical | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy). |
To make suggestions and recommendations to you about goods or services that may be of interest to you | – Identity – Contact – Technical – Profile | Necessary for our legitimate interests (to develop our products/services and grow our business). |
To respond to your queries and requests related to your personal data | – Identity – Contact – Financial – Profile – Marketing and Communications – Transaction | Necessary to comply with our legal obligations and to respond to you (e.g. if you fill in the CCTV Request form contained in the CCTV Policy). |
CCTV | – Identity – Contact | Necessary for our legitimate interests (ensure safety and security of individuals, protect our goods and premises, etc; please see our CCTV Policy). |
1 Colas Ireland will endeavour, where possible, to ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the applicable data protection regulation and guidance.
5. Recipients of personal data
We may share your personal data with the parties set out below for the purposes set out in the table above:
- Within the Colas Group (for further details, please see section 10 of this policy).
- External Third Parties:
o Service providers who provide services such as IT services;
o Professional advisers including lawyers, bankers, auditors and insurers who provide services such as consultancy, banking, legal, insurance and accounting;
o Regulators and other authorities who require reporting of processing activities in certain circumstances.
o Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets.
Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. Data retention: How long will you use my personal data for?
We only retain your personal data for as long as necessary to fulfil the purposes we process it for, unless the applicable regulations provide otherwise.
To determine the appropriate retention period for personal data, we consider the applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means.
7. Safeguards: Examples of our actions to protect your privacy
Colas Ireland takes data privacy very seriously. The following actions are examples of the safeguards we have implemented to ensure that we comply at all times with data protection requirements:
- training in data protection is regularly provided to our staff;
- all staff involved in handling personal data understand their responsibilities for following good data protection practice;
- regular reviews of policies and procedures involving personal data are carried out;
- privacy by design approach is adopted for all new or changed systems and processes.
8. Security and Confidentiality
The protection and proper use of your personal data is extremely important to Colas Ireland. Therefore, we take all appropriate security measures to protect personal data from unauthorised access, unlawful processing, accidental loss or damage and unauthorised destruction.
We protect personal data with specific security measures, including:
- limitation of access to data: access by the staff is limited and appropriate security measures are in place to avoid unauthorised sharing of information;
- safe and irrecoverable deletion of data: when personal data is deleted this should be done safely such that the data is irrecoverable. Appropriate back-up and disaster recovery solutions are in place;
- breach procedure: we have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so;
- training: we provide our employees with data protection awareness training.
9. Your Rights
Under the GDPR, you are entitled to exercise the following rights in relation to your personal data:
- Right of access: You have the right to know whether we process personal information about you and, where that is the case, to ask us for a copy of your personal data. On this occasion, we will also provide you with information about your personal information and our processing activities, as under Article 15 (1) of the GDPR (e.g. the purposes of the processing, the categories of personal data concerned);
- Right to rectification of your personal data: You can request that we rectify inaccurate personal data. In addition, you can provide us with supplementary information if the personal data we process is incomplete;
- Right to erasure: You can ask us to erase your personal data. We have the obligation to delete your data in the following circumstances:
o when the personal data is no longer necessary for the original reason for which we processed it;
o you initially consented to the processing of your data, but you decide to withdraw your consent;
o you have objected to the use of your data, and your interests outweigh those of Colas Ireland using it;
o you have objected to the use of your data for direct marketing purposes; or
o your personal data has been unlawfully processed; or
o we have a legal obligation to erase your personal data.
- Right to object: In certain circumstances, you have the right to object to processing of your personal data. It means that you can ask us to stop using your personal information. You can object to processing when we process your information because the process forms part of our public tasks, or is in our legitimate interests. However, we may not stop the processing if we believe we have legitimate reasons to continue using your personal data.
Please note that you can also object to processing when your personal data are processed for direct marketing purposes;
- Right to restriction of processing your personal data: You can ask us to restrict the processing of your personal data where one of the following applies:
o when you have challenged the accuracy of your personal data;
o where the processing of your personal data is unlawful but you do not want us to erase it;
o where we no longer need your data but you want us to keep it in order to create, exercise or defend legal claims; or
o you have exercised your right to object to processing.
We will inform you before the restriction of processing is lifted.
- Right to data portability: You have the right to ask us to provide you with the personal information we process about you. Moreover, you can ask us to transfer your personal data to another controller where it is technically feasible, but also if the processing activities concerned are based on your consent and are carried out by automated means;
- Right to withdraw consent: You have the right to withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you wish to exercise this right.
If you want to exercise any of the rights set out above, please contact our CPO using the contact details provided in the introduction of this policy.
We will process your request without undue delay and in accordance with our legal obligations and the GDPR requirements.
10. International Transfers of Personal Data
As a matter of principle, we do not transfer your personal data outside the European Union. However, under certain circumstances we may transfer some data outside the European Union, such as for missions abroad or in case of expatriation or if you apply for a job offer in a country outside the European Union.
In this context, some of your personal data will be transmitted to relevant persons or service providers. These service providers may not necessarily be located in a European Union country, or a country considered appropriate in terms of personal data security by the European Union. Accordingly, any such transfer may involve higher risks to your rights and freedoms and to the security of your data.
11. Status of this policy
Colas Ireland is committed to ongoing review, monitoring and periodic auditing of the control process to ensure compliance with the data protection policies and procedures and any related documentation. This policy is reviewed and updated when necessary to reflect customer feedback, changes in our process and services or legal changes.
This policy was reviewed and updated 28th March 2023.