Data Protection Policy

1. Purpose

This Data Protection Policy (the 'Policy') sets out the obligations of Prime19 Innovation Limited (“Prime19”) regarding data protection and the rights of data subjects, e.g., customers, business contacts, etc., in respect of their personal data under the General Data Protection Regulation (EU Regulation 2016/679) and implementing legislation (“GDPR”), and any applicable national data protection laws, including the Data Protection Act 2018 (Ireland), and any relevant updates to Irish legislation. The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The GDPR defines 'special categories of personal data' as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. This Policy sets out Prime19's obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by Prime19, its employees, agents, contractors, or other parties working on behalf of Prime19. This Policy should be read in conjunction with related policies and procedures which Prime19 maintains regarding its compliance with the GDPR and applicable national data protection laws. Prime19 is committed not only to the letter of the law but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data and on respecting the legal rights, privacy, and trust of all individuals with whom it deals. In the course of its business, Prime19 processes personal data relating to various categories of individuals, including its employees, its clients, customers or affiliates of its clients, its partners, and its contractors. In all such circumstances, Prime19 must ensure that it processes such personal data in accordance with the GDPR and any equivalent laws that may be applicable in other jurisdictions in which Prime19 carries on its business, including international data protection laws applicable in jurisdictions outside the EU.

2. The Data Protection Principles

This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

  1. Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
  2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  4. Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject; and
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. The Data Protection Act 2018 (Ireland) also requires that appropriate safeguards be implemented to ensure compliance with the principles of lawful processing under Irish law.

3. The Rights of Data Subjects

The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this Policy indicated for further details):

  • The right to be informed;
  • The right to rectification;
  • The right to erasure (also known as the 'right to be forgotten');
  • The right to restrict processing;
  • The right to data portability;
  • The right to object;
  • Rights with respect to automated decision-making and profiling.
These rights also apply under the Irish Data Protection Act 2018 and may be subject to specific national conditions and limitations.

4. Lawful, Fair and Transparent Data Processing

The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

  1. The data subject has given consent to the processing of their personal data for one or more specific purposes;
  2. The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;
  3. The processing is necessary for compliance with a legal obligation to which the data controller is subject;
  4. The processing is necessary to protect the vital interests of the data subject or of another natural person;
  5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  6. The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The Irish Data Protection Act 2018 further provides that, for processing based on legitimate interests, controllers must conduct a legitimate interests assessment (LIA).

For processing special categories of personal data (personal data relating to race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation), in addition to having a lawful basis, there is also a requirement to satisfy one of the following conditions due to the sensitive nature of the data:

  1. The data subject has given explicit consent;
  2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
  3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. Processing relates to personal data which are manifestly made public by the data subject;
  6. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. Processing is necessary for reasons of substantial public interest;
  8. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards;
  9. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. The Irish Data Protection Act 2018 allows for further processing for public interest research or statistical purposes with additional safeguards.

5. Specified, Explicit and Legitimate Purposes

Prime19 processes the personal data as set out in this Policy. This includes:

  • Personal data collected directly from data subjects; and
  • Personal data obtained from third parties.
Prime19 only processes personal data for the specific purposes that it was collected for. Data subjects are kept informed at all times of the purpose or purposes for which Prime19 uses their personal data.

6. Adequate, Relevant and Limited Data Processing

Prime19 only processes the minimum amount of personal data needed to fulfil the specified purposes. Prime19 periodically reviews processing activities to check that the personal data held is still relevant and adequate for the purposes specified, and anything no longer required is deleted.

7. Accuracy of data and keeping data up-to-date

Prime19 shall take reasonable steps to ensure that all personal data processed is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

8. Data Retention

Prime19 shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

9. Secure Processing

Prime19 shall ensure that all personal data processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Some of the safeguards Prime19 has in place include virus protection on hardware and software, password protection on all devices, using pseudonymisation and anonymisation techniques where practical to do so, security access controls, and processes. Prime19 will also ensure that all staff complete Data Protection training and will run awareness campaigns to maintain data protection knowledge throughout the business. Prime19 shall ensure that appropriate security measures are implemented to protect information accessed, processed, or stored where an employee is working remotely. These measures include controls around ensuring that all devices, including phones and laptops, have the latest operating system updates installed and are used and stored in a safe location. All Prime19 employees are required to use effective access controls (such as multi-factor authentication and strong passwords).

10. Accountability and record-keeping

Prime19's Compliance Manager has overall responsibility for Data Protection in Prime19. Prime19 does not require a Data Protection Officer because Prime19 is not a public authority or body, the core activities of Prime19 are not processing operations which require regular and systematic monitoring of data subjects, and the core activity of Prime19 is not to process special categories of personal data on a large scale. The Compliance Manager shall be responsible for overseeing the implementation of this Policy, monitoring compliance with this Policy, Prime19's other data protection-related policies, the GDPR, and other applicable data protection legislation. The Compliance Manager is David Shiel and he can be contacted at DavidShiel@Prime19.ie.

Prime19 keeps a record of all personal data processing, which incorporates the following information:

  • The purposes for which Prime19 processes personal data;
  • Details of the categories of personal data processed by Prime19, and the categories of data subject to which that personal data relates;
  • Categories of recipients to whom the personal data will be disclosed;
  • Details of any transfers of personal data to non-EEA countries, including all mechanisms and security safeguards;
  • Details of how long personal data will be retained by Prime19; and
  • Detailed descriptions of all technical and organisational measures taken by Prime19 to ensure the security of personal data.
The Irish Data Protection Act 2018 also requires that these records be made available to the Data Protection Commission upon request.

11. Data Protection Impact Assessments

For any new processing activities and projects involving personal data and any changes to existing processing activities, an assessment must be carried out to determine whether it may result in a high risk to the rights and freedoms of data subjects. If so, Prime19 shall carry out a Data Protection Impact Assessment ('DPIA'). Prime19 has a DPIA procedure which is followed for the completion of all DPIAs. DPIAs shall be overseen by the Compliance Manager and shall address the following:

  • The type(s) of personal data that will be processed and detailed description of the processing activity involved;
  • The purpose(s) and legal basis for which personal data is to be processed;
  • Prime19's objectives of the project or processing activity;
  • How personal data is to be used;
  • The parties (internal and/or external) who are to be consulted;
  • The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
  • Risks posed to data subjects;
  • Risks posed both within and to Prime19;
  • Proposed measures to minimise and handle identified risks; and
  • Outcome of the full assessment.

12. Keeping Data Subjects Informed

Where personal data is collected in relation to data subjects, those data subjects will be informed of its purpose in accordance with the GDPR. The following information shall be provided to data subjects:

  • Details of the company;
  • The purpose(s) for which the personal data is being processed and the legal basis justifying that processing;
  • Where applicable, the legitimate interests upon which Prime19 is justifying its collection and processing of the personal data;
  • Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
  • Where the personal data is to be transferred to one or more third parties, details of those parties;
  • Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place;
  • Details of data retention;
  • Details of the data subject's rights under the GDPR;
  • Details of the data subject's right to withdraw their consent to Prime19's processing of their personal data at any time;
  • Details of the data subject's right to complain to the Data Protection Commission (the “supervisory authority” under the GDPR);
  • Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it;
  • Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences; and
  • Details of the data subject's right to data portability and their right to restriction of processing, where applicable.

13. Data Subject Access

Data subjects may make subject access requests (“SARs”) at any time to find out what personal data Prime19 holds about them, what it is doing with that personal data, and why. Data subjects wishing to make a SAR may do so in writing, by email to info@prime19.ie. Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed. Prime19 does not charge a fee for the handling of normal SARs. Prime19 reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive. Prime19 has a Subject Access Request Procedure for handling SARs. The data subject's rights to object to processing and request erasure should also be highlighted in any responses.

14. Rectification of Personal Data

Data subjects have the right to require Prime19 to rectify any of their personal data that is inaccurate or incomplete. Prime19 shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing Prime19 of the inaccurate or incomplete data. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed. Rectification may be carried out in conjunction with the data subject's request to restrict processing.

15. Erasure of Personal Data

Data subjects have the right to request that Prime19 erases the personal data it holds about them in the following circumstances:

  • It is no longer necessary for Prime19 to process the personal data with respect to the purpose(s) for which it was originally collected or processed;
  • The data subject wishes to withdraw their consent to Prime19 processing their personal data;
  • The data subject objects to Prime19 processing their personal data (and there is no overriding legitimate interest or contractual obligation to allow Prime19 to continue doing so);
  • The personal data has been processed unlawfully; or
  • The personal data needs to be erased in order for Prime19 to comply with a particular legal obligation.
Unless Prime19 has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject's request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed. Any third parties

16. Restriction of Personal Data Processing

Data subjects may request that Prime19 restricts processing the personal data it holds about them. If a data subject makes such a request, unless Prime19 has reasonable grounds to continue processing the personal data, Prime19 shall process only the amount of personal data concerning that data subject (if any) that is necessary to comply with the data subject's request. Data subjects can also request restriction of processing in certain situations, such as if they contest the accuracy of the data

17. Data Portability

Where data subjects have given their consent to Prime19 to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between Prime19 and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers). To facilitate the right of data portability, Prime19 shall make available all applicable personal data to data subjects in a structured, commonly used and machine-readable format. Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller. All requests regarding data portability should be made to info@prime19.ie. These requests shall be complied with within one month of the data subject's request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.

18. Objections to Personal Data Processing

Data subjects have the right to object to Prime19 processing their personal data based on legitimate interests and direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes. Where a data subject objects to Prime19 processing their personal data based on its legitimate interests, Prime19 shall cease such processing immediately, unless it can be demonstrated that Prime19's legitimate grounds for such processing override the data subject's interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims. Where a data subject objects to Prime19 processing their personal data for direct marketing purposes, Prime19 shall cease such processing immediately. Where a data subject objects to Prime19 processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. Prime19 is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest

19. Organisational Measures

Prime19 ensures that the following measures are taken with respect to the processing of personal data:

  • All employees, agents, contractors, or other parties working on behalf of Prime19 are made fully aware of both their individual responsibilities and Prime19's responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;
  • Prime19 has access controls in place to ensure that employees, agents, sub-contractors, or other parties working on behalf of Prime19 have access only to the personal data held by Prime19 that is necessary to carry out their assigned duties correctly;
  • All employees, agents, contractors, or other parties working on behalf of Prime19 processing personal data are appropriately trained to do so, are appropriately supervised and all staff complete Data Protection training on an annual basis;
  • All employees, agents, contractors, or other parties working on behalf of Prime19 handling personal data are required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;
  • Technical and security safeguards are in place to ensure all personal data is sufficiently protected;
  • Methods of processing personal data shall be regularly evaluated and reviewed;
  • All personal data processed by Prime19 shall be reviewed periodically, and managed in accordance with Prime19's Data Retention Policy to ensure the principle of Data Minimisation is met;
  • All employees, agents, contractors, or other parties working on behalf of Prime19 handling personal data will be bound to do so in accordance with this Policy by contract; and
  • All agents, contractors, or other parties working on behalf of Prime19 handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of Prime19 arising out of this Policy and the GDPR.

20. Transferring Personal Data to a Country Outside the EEA

Prime19 may from time to time transfer ('transfer' includes making available remotely) personal data to countries outside of the EEA. The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

  • The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
  • The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner's Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
  • The transfer is made with the informed consent of the relevant data subject(s);
  • The transfer is necessary for the performance of a contract between the data subject and Prime19 (or for pre-contractual steps taken at the request of the data subject);
  • The transfer is necessary for important public interest reasons;
  • The transfer is necessary for the conduct of legal claims;
  • The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
  • The transfer is made from a register that, under Irish or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

21. Data Breach Notification

All personal data breaches and potential personal data breaches must be reported immediately to the Compliance Manager. If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), Prime19 (where Prime19 is the data controller), must ensure that the Data Protection Commission is informed of the breach without delay, and where feasible, within 72 hours after having become aware of it. In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, Prime19 (where Prime19 is the data controller), must ensure that all affected data subjects are informed of the breach directly and without undue delay. The Data Protection Commission requires all breaches that are likely to result in a risk to the rights and freedoms of data subjects to be reported to them using the below notification forms and sent to breaches@dataprotection.ie. All breach notifications must be notified using this Data Protection Breach Form. Data breach notifications must include the following information:

  • The categories and approximate number of personal data records concerned;
  • The contact details of Prime19's data protection officer (or another contact point where more information can be obtained);
  • How the breach happened and the likely consequences of the breach; and
  • The risk rating and details of the measures taken, or proposed to be taken, by Prime19 to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

Appendix 1 - GDPR Roles and Responsibilities

One of the key attributes of an effective approach to data protection is a clear allocation of roles, each with a defined responsibility. It is important that everyone within Prime19 understands the part they must play in keeping the personal data we hold and process about individuals safe. This document should be aligned with others that set out how data protection is managed by the organisation. By ensuring that roles and responsibilities are clearly defined, Prime19 will be in a good position to prevent many data protection incidents affecting personal data from happening and to react effectively and appropriately if and when they do. All the Management Team have the following main responsibilities:

  • Ensure they are aware of and comply with all the GDPR policies of the organisation relevant to their role;
  • Approve all GDPR policies;
  • Report any actual or potential data security breaches;
  • Contribute to Data Protection Impact Assessments or audits where required; and
  • Be aware of any high risks relating to the processing of personal data.
An employee has the following main responsibilities:
  • Ensure they are aware of and comply with all data protection policies of the organisation relevant to their business role;
  • Report any actual or potential data breaches to the relevant area;
  • Contribute to Data Protection Impact Assessments where required; and
  • Report any Data Subject Access Requests to the relevant area.

Personal Data Protection Process

1. Introduction

This personal data protection document describes the procedures of Prime19 Innovation Limited (“Prime19”) regarding data protection and the rights of data subjects in respect of personal data which is collected on YourRetrofit.ie (“YourRetrofit.ie”). In this context, a “data subject” refers to the users of the YourRetrofit website and “personal data” is defined in accordance with GDPR as outlined in Prime19's Data Protection Policy. The aim of this document is to provide a clear description of the manner in which personal data is collected, processed, transferred, stored and disposed of specifically in relation to any personal data which is collected on the YourRetrofit.ie website. For further details on Prime19's obligations regarding data protection and the rights of data subjects, please refer to the full Data Protection Policy.

2. Personal Data Collection

On the YourRetrofit website, personal data is collected from the data subject at two possible points as outlined below:

  1. Registration on YourRetrofit.ie
  2. Post-registration on YourRetrofit.ie

Registration on YourRetrofit

At the point of registration on the YourRetrofit.ie platform, several personal datapoints are collected. The scope of personal data collected depends on the registration route chosen by the data subject. Currently there are three distinct registration routes which a data subject can choose as outlined below:

  i. Registration with MPRN number and proof of MPRN file (i.e. utility bill, dwelling report)
  ii. Registration with either BER number or MPRN number (no proof file required)
  iii. Registration using modelled BER approach (property specific questions)

The personal datapoints which are collected via these three registration routes are detailed in the following subsections. All of the personal data outlined is stored on Prime19's server for the YourRetrofit.ie platform which is hosted on Azure's app service.

Registration with MPRN number and proof of MPRN file

  1. Email
  2. Address
  3. Password
  4. MPRN number
  5. Proof of MPRN file (i.e. utility bill, dwelling report)
  6. User Consent for SEAI to release BER datafile

Registration with either BER number or MPRN number

  1. Email
  2. Address
  3. Password
  4. BER or MPRN number

Registration using modelled BER approach

  1. Email
  2. Address
  3. Password
  4. MPRN number (optional)
  5. Dwelling type
  6. Year of construction band (i.e. 1980-1990)
  7. Number of storeys
  8. Main heating fuel (i.e. mains gas)
  9. Size of property

This is a comprehensive list of the personal data which is collected at the point of registration on the YourRetrofit.ie platform.

Post Registration on YourRetrofit

In addition to the datapoints which are collected at the point of registration, there are several personal datapoints which can be collected from the data subject post-registration. These datapoints are listed below:

  1. First name and last name (partner callback request)
  2. Phone number (partner callback request)
  3. Mortgage balance
  4. Remaining mortgage term
  5. Mortgage interest rate
  6. Property value

These datapoints are not collected for all data subjects on YourRetrofit.ie, but only for those who engage with certain features of the platform such as the mortgage savings calculator, the payback period calculator and the partner callback form.

3. Personal Data Processing and Transfer

Regarding the personal data described in section 2., Prime19 does not share or sell individual information to any third party for marketing purposes. Prime19 does not disclose any personally identifiable information about data subjects without their consent, except in the circumstances described below:

  • Requests by government agencies: We may reveal any data we possess to law enforcement, regulatory, or other government entities (including their officers) if we receive an inquiry or investigation or if we determine, in our exclusive discretion, that it is necessary or appropriate for an investigation or activity that is or might be illegal, or if we believe that failure to disclose may expose us or you to legal liability.
  • Lawful disclosures: We will make necessary disclosures if we are obligated by law or authorised to do so under any statute, legal regulation, or court order.
  • Third party service providers: We may enlist the assistance of third-party service providers to assist us with certain operational aspects (such as distributing our email products or conducting surveys). Depending on the services rendered, some of these providers may receive your information. These third-party service providers are bound by data protection and confidentiality agreements that restrict their use and disclosure of any information obtained through their relationship with us to business related to us exclusively, consistent with this policy.

Personal data is shared with our partners on YourRetrofit.ie where explicit consent is provided by the data subject. This applies in relation to the following features on the YourRetrofit.ie platform:

  1. Partner consultation appointment
  2. Partner callback form

In both cases, personal data is only shared with the third-party partner where explicit consent has been provided by the data subject.

Processing of BER datafile from SEAI

As outlined in section 2., one of the registration routes available on YourRetrofit.ie involves the collection of the data subject's MPRN number and a proof of MPRN file (i.e. utility bill). In this scenario, the data subject must also consent for the SEAI to release their BER datafile to Prime19 and for the SEAI to retain the evidence of ownership submitted with this consent for audit purposes.

This is required as part of the Trusted Partner agreement Prime19 has with the SEAI to access the DEAP 4 Building Energy Rating (BER) datafile for the data subject's property. As part of this agreement, Prime19 (the Trusted Partner) must transfer the following personal data to the SEAI in relation to this registration route:

  1. MPRN number
  2. Evidence of Consent (declaration of consent, utility bill)

As emphasized above, the data subject's consent to release their BER datafile is captured at the point of registration. Once this has been captured, a unique consent token is generated and stored on Prime19's server which serves as proof of the data subject's declaration of consent. The data is shared by Prime19 with the SEAI via their Trusted Partner API service to access the BER datafile. Prime19 stores all personal data in relation to this on their server to permit the future audit of files conducted by the SEAI. The SEAI will also retain the uploaded files on their internal secure SharePoint site to allow them to conduct any audits of the consent management process. All data sent as part of the API request is encrypted in-transit.

The diagram below outlines the processing of the BER datafile and the transfer of personal data to the SEAI for this specific registration route:

User provides their MPRN and proof file as part of registration
->
User must consent for SEAI to release their BER datafile to complete registration
->
On registration the user's personal data is stored on Prime19's server
->
User's MPRN number, consent token and proof of MPRN file are shared with the SEAI via API
->
SEAI verify the proof of MPRN file and subsequently release the BER datafile to Prime19

Processing of MPRN or BER number

In the second registration route outlined in 2., the data subject provides their MPRN or BER number. This personal data is used to access additional datapoints relating to the property's energy efficiency to enhance the modelling of the BER datafile. These datapoints are accessed via an API which is provided by the SEAI as part of the Trusted Partner agreement.

Unlike the API to release the entire BER datafile, the data subject does not need to provide consent as this data is publicly available. Similarly, the SEAI do not store any of the personal data sent via the API request as consent from the data subject is not required. Prime19 uses the data retrieved from this endpoint to enhance their modelled BER approach and generate a more accurate representation of the property's BER profile. All data sent as part of the API request is encrypted in-transit.

4. Personal Data Storage

As mentioned previously in section 2., all personal data collected on the YourRetrofit.ie platform is stored on Prime19's server which is hosted on Azure App Service. Access to this service is limited to employees of Prime19 who are required to use effective access controls such as multi-factor authentication and strong passwords. In addition, access to the back-end server is limited to a minimum number of IP addresses to prevent unauthorized access from an undesirable. Access to the service is frequently updated and refreshed to account for rotation of staff etc. All data stored on the server is hosted within the EU and all data is encrypted at rest and in-transit. All application secrets such as database credentials, API tokens, and private keys are encrypted and stored securely and do not cross any network boundaries. As part of Azure App Service, virtual machine instances and runtime software are regularly updated to address any vulnerabilities. Azure App Service also protects YourRetrofit.ie from all unencrypted (HTTP) connections and unsecured requests are turned away.

5. Personal Data Disposal

Prime19 shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay. Prime19 upholds the rights of the data subject in accordance with our data protection policy and subject access request procedure, which are available upon request. These rights include:

  • Right of access: You can ask for a copy of the information we hold about you
  • Right of rectification: You can request to correct any incomplete or inaccurate data we hold about you.
  • Right of data portability: You can request to have the data we hold about you transferred to another organisation.
  • Right to object: You can object to specific types of processing, such as direct marketing.
  • Right to restrict processing: You may have the right to restrict the processing of your data in certain circumstances.
  • Right not to be subject to a decision based solely on automated processing: You have the right to not be subject to a decision which is carried out without human intervention and where it produces legal effects or significantly affects you.
  • Right to erasure: In specific circumstances, you can ask for the data we hold about you to be erased from our records.

If a data subject would like to exercise any of these rights, they can contact Prime19 at info@prime19.ie. This is clearly outlined in the YourRetrofit.ie privacy policy.