Effective as of 17^th November 2022 Who we are “Data controllers” are the people or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed, and make independent decisions in relation to the Personal Data and/or who/which otherwise control that Personal Data. For the purposes of the GDPR, Saoirse Housing Association Clg. (‘SDVS’’) is the data controller with regard to the Personal Data described in this Data Protection Notice. The mission of Saoirse Domestic Violence Services is to reach and support an ever-increasing number of families in Irish Society, who deserve respect, dignity, safety, and freedom from domestic violence. Through our team of professional, caring and committed people our primary focus remains our commitment to continuous improvement in all aspects of our operations and the services we offer to our clients and the community. Data Protection queries can be directed to: XpertDPO Email Address: dpo@xpertdpo.com Address: 20 Harcourt St, Saint Kevin’s, Dublin, D02 H364, Ireland Telephone Number: +353 1 678 8997 Purpose and Scope of this Notice The purpose of this Data Protection Notice is to provide you, as our data subject, with a statement regarding the Data Protection and Privacy practices and obligations of SDVS and an explanation of your rights as a data subject. This Notice applies to our organisational practices and our website, which is accessible from https://sdvs.ie/. Please note a separate Data Protection Notice is given to clients with further information contained within it. As SDVS is established in the Republic of Ireland, this document is written in the vein of Irish Data Protection Law, and SDVS falls under the jurisdiction of the Irish Data Protection Commission. This Data Protection Notice sets out what Personal Data we collect and process about you in connection with the services and functions of the Organisation. We are not responsible for the content or the privacy notices for any websites to which we may provide external links. Laws that apply to us: • General Data Protection Regulation (EU Regulation 679/2016) • Irish Data Protection Acts 1988 to 2018 • Regulations flowing from DPA 2018 • ePrivacy Regulations 2011 implementing EU Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD)

• Charities Act 2009
• Children First Act 2015.

Why and how do we ensure compliance?  Data protection and privacy laws provide rights to individuals with regard to the use of their Personal Data by organisations, including our organisation. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of Personal Data. We must comply with data protection and privacy laws because the law requires us to but we also would like you to have confidence in dealing with us, and compliance with data protection law helps us to maintain a positive reputation in relation to how we handle Personal Data. We are required to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable data protection and privacy laws, and that we have in fact complied with the laws. We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our systems and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by acting if our representatives, including employees or contractors, fail to follow the rules. We also have certain obligations in relation to keeping records about our data processing. Who must comply? All Staff (Full time, part time and temporary) Third-Party contractors and clients are required to comply with our Data Protection Policies and Procedures which inform this Data Protection Notice when they process Personal Data on our behalf. What are the data protection principles and rules? We aim to comply with the following principles found in Data Protection Law:

• Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
• Purpose Limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
• Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.
• Retention – Personal data should be kept in an identifiable format for no longer than is necessary.
• Integrity and confidentiality – Personal data should be kept secure.
• Accountability – Under the GDPR, we must not only comply with the above six general principles, but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.

What types of personal data will we process? Personal Data We will collect personal data with you in accordance with the purposes outlined in this Notice. This will be data used to facilitate a service relationship usually your name and contact details and other forms of data as listed below depending on your engagement with our service. Any personal information which you volunteer to SDVS through the use of our web form or via email will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1988 to 2018 and the General Data Protection Regulation (GDPR). The types of Data we collect Information which may be sought and recorded at the time of first engagement and may be collated and compiled during the course of our engagement with you. Please note a separate Data Protection Notice is given to clients. These records may include:

• Name, title, address, contact details
• Complaints and feedback data
• Website / Technical Data including information about how you use our website
• Data sent via email, text, or other electronic communications.

For organisations and donors, we may also collect:

• Business/Professional Data including information that we need to provide our service/s for example the name and nature of your business.
• Transaction Data including payment details and details of service/s we provide, data around donations made.

How and why we use your data

• To provide you with information around the services we offer
• To manage and respond to requests you have, and in order to identify you
• To deal with any complaints / compliments and feedback
• In order to improve and develop our service/s
• Collection and management of donations
• To run and manage awareness raising and advocacy campaigns
• To communicate with you and send you emails based on your preferences
• To be able to understand use of our website
• For routine management and administration of Saoirse Domestic Violence Services’ financial affairs, including the payment of invoices, the compiling of annual financial accounts and complying with audits.
• To comply with legal and statutory obligations if required by any law enforcement agency, regulator (e.g., Charities Regulator), court, or other authority (where we have a legal obligation to do so).

Legal Bases for processing your data We use your personal data for the purposes outlined above. In doing so we rely on a number of separate and overlapping legal bases to lawfully process your personal data. These may include:

• Necessary for the execution of contractual obligations
• In the Vital Interests of the data subject – Saoirse provides a range of domestic violence support services to vulnerable women and children, so it is in the vital interests of the clients that we process certain data in order to provide safe, available and professional services with 24-hour staffing / management communication.
• Where necessary for us to comply with a legal obligation, or to establish, exercise or defend legal claims.

How long do we keep your data We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. By law we have to keep basic information (including Contact, Identity, Financial and Transaction Data) for 6 years in order to be compliant with relevant legislation. Third Parties and Disclosures of your Personal Data SDVS will only share your data where we have a lawful purpose to do so. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. SDVS has a duty to report any issues relating to child protection or adult safeguarding if we believe that either you or someone else is at risk of significant harm. We may also disclose data where there is another legal reason or requirement to disclose your personal information, such as a court order or serious case review. Any criminal conviction or offence data is shared in line with the Law Enforcement Directive (2016). We may also share your data for the purposes of fraud prevention. With your consent, we may also share your data with other parties, including but not limited to:

• The Health Service Executive (HSE), your GP and/or medical practitioners, pharmacy workers, social workers
• Your legal representative/s
• Your family and/or friends.

International Transfers Where there are external third parties we use who are based outside the EU / European Economic Area (EEA), SDVS ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission, or;
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. Security features Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so. If you have concerns about a potential data confidentiality breach, please contact us on dpo@xpertdpo.com. SDVS stores data in a secure setting, and our data is only accessible to personnel who are authorised to use it. Employees are required to maintain the confidentiality of any data to which they have access.

Information on Consent

By consenting, where this is the appropriate and identified lawful basis for processing, to our processing your Personal Data in line with our Data Protection Notice you are giving us permission to process your Personal Data. You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of Personal Data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Officer using the contact details set out below. Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal. Your Rights Under certain circumstances, and dependent on legal basis under which your personal data is processed, by law you have the right to:

• Request information about whether we hold Personal Data about you, and, if so, what that Personal Data is and why we are holding/using it.
• Request access to your Personal Data (commonly known as a “Data Subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
• Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
• Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your Personal Data or profiling of you.
• Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request transfer of your Personal Data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

How do you exercise your rights?

We monitor compliance with our data protection obligations with this Notice and our related policies. If you have any questions about this Notice or about our data protection compliance, please contact our Data Protection Officer. If you wish to exercise your rights, please contact our Data Protection Officer who will respond to the request within one calendar month. Data Protection queries can be directed to: XpertDPO Email Address: dpo@xpertdpo.com Address: 20 Harcourt St, Saint Kevin’s, Dublin, D02 H364, Ireland Telephone Number: +353 1 678 8997 Your Right to Lodge a Complaint You as the Data Subject have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. We would like to hear from you first if you have a complaint about how we use your data so that we may rectify the issue. As our organisation is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner. You can contact the Data Protection Commissioner as follows: Website: www.dataprotection.ie Phone: +353 57 8684800 or +353 (0)761 104 800 Email: info@dataprotection.ie Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland Updates Our practices as described in this Data Protection Notice may be changed, but any changes will be posted, and changes will only apply to activities and information on a going forward, not retroactive basis. You are encouraged to review this Notice periodically to make sure that you understand how any personal information you provide will be used. Any changes to this Data Protection Notice will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.