Privacy Statement - Green Biofuels Ireland

1. Our Privacy Policy

Green Biofuels Ireland Limited is a leading supplier of Bio Diesel, Glycerol, Potassium Sulphate, and other Biofuel products throughout Ireland. The General Data Protection Regulation 2016 (GDPR) is one of the most significant pieces of legislation affecting the way that Green Biofuels Ireland Limited carries out its information processing activities. The purpose of this Privacy Policy is to set out the relevant legislation and to describe the steps it is taking to ensure that it complies with it.
This Privacy Policy has been updated to ensure Green Biofuels Ireland Limited’s compliance with GDPR.
Green Biofuels Ireland Limited’s details for the purposes of this policy are as follows: Our registered and business address is Marshmeadows, New Ross, Co. Wexford. You can contact us by post at the above address, by email at admin@gbi.ie or by telephone on 00353 51 447628 (referred to as “GBIL”, “we”, “us” and “our”).

This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and your rights in relation to your personal data. GBIL is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. If you are a Customer, Supplier, Distributor, Consultant, Advisor, Agent or other party who provides us with personal data this Privacy Policy supplements any data protection provisions contained in any contract with you and is not intended to override them. Where there is no contract, this Privacy Policy governs the basis on which the personal data is collected and processed by us. Please read the following carefully to understand our views and practices regarding your personal data, how we will treat it and your data protection rights.
We are not required by law to have a data protection officer, so any enquiries about our use of your personal data should be addressed to the contact details of the relevant company above.

2. What personal data do we collect and process?

In operating its business GBIL will collect and gather the following categories of personal data:

➢ Identity Data such as first name, surname, gender, date of birth.
➢ Contact Data such as address, e-mail address, telephone number.
➢ Financial Data: such as your payment card details, bank details, VAT number, information about payments to and from you and other details of goods/ products you have purchased from us.
➢ Profile and Technical Data, in cases only where a GBIL website (www.gbi.ie) is used, such as your username and password, as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology.

3. What principles we apply to the collection and processing of personal data?

In relation to personal data, we are committed to:
➢ Processing personal data fairly and lawfully in line with individuals’ rights;
➢ Keeping all personal data confidential, safe and secure;
➢ Making sure the data is accurate and kept up to date;
➢ Making sure that any personal data processed for a specific purpose are adequate, relevant and not excessive for that purpose;
➢ Removing irrelevant information as necessary.

4. How we use your personal data?

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
➢ Where we need to perform the contract we are about to enter into or have entered into with you.
➢ Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
➢ Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email or otherwise. In such cases, you have the right to withdraw your consent at any time by contacting us.
We do not request from you and we request you do not provide any special categories/sensitive personal data (e.g. personal data relating to racial or ethnic origin, political or religious opinions, membership of a trade union, physical or mental health or condition or sexual life or orientation). This type of personal data is subject to special protections under EU law.
We use your personal data in the following ways:
➢ We will collect and use your Identity; Contact; Profile and Financial Data to perform our contract with you (e.g. purchase of goods/services) and/or to comply with any legal or regulatory obligation.
➢ Only where our website(s) have been used, we will collect and use Profile and Technical for data analytics purposes to improve the Website, products/services, marketing, user/Customer relationships and experience. This is necessary for our legitimate interest to ensure any website content is presented in an effective manner for you and for your computer/device.
➢ Only where our website(s) have been used, we will collect and use Identity, Contact, Profile, Data to manage our relationship with you which will include notifying you about changes to our website, service, terms and/or Privacy Policy. This is necessary for us (i) to perform our contract with you; and (ii) to comply with a legal/regulatory obligation.
➢ We will collect and use Identity; Contact and Technical Data to administer and protect our business and our websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) which is necessary (i) for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) and (ii) to comply with a legal obligation.

5. Marketing

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you. However, you will receive marketing communications from us only if you have requested information from us or purchased services from us or if you provided us with your details when purchasing a product/service and, in each case, you have not opted out of receiving that marketing. You can opt out of any marketing communications from us at any time by notifying us on the details above.

6. How we use cookies

Please note that we use cookies when you use our website. A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system. Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to restrict, block or delete cookies. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.

7. Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

8. Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

9. Disclosure of personal data to others

Except as set out in this Privacy Policy, we do not disclose to any third party personal data that we collect or you provide to us. We may disclose your personal data to third parties expressly mentioned in this Privacy Policy and the following third parties:
➢ any third party that is necessary in the performance of our contract with you i.e. delivery companies, couriers, parties to whom you have expressly consented the information to be provided to for the performance of the contract;
➢ any member of our group of companies, which means our subsidiaries, our ultimate holding company and its subsidiaries, where it is necessary to do so for the provision of goods/services to and administration of the contract/operation of our business;
➢ we contract with other entities that perform certain tasks on our behalf and who are under our control (“Service Providers”). This is required in order to operate our business and provide and manage our websites. Such Service Providers include IT systems suppliers and support, data storage, IT developers, insurance, credit card companies, payment processors, and other service providers necessary for the performance of our contract with you;
➢ professional advisors such as accountants, auditors, lawyers, bankers, insurers, and other outside professional advisors;
➢ third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy;
➢ entities that regulate or have jurisdiction over our business. We will disclose your personal data in order to comply with any legal obligation, if we are ordered to do so by a court of competent jurisdiction, law enforcement, regulatory or administrative authorities or in order to enforce or apply our contract with you or to protect the rights, property, or safety of GBIL, our Customers, Suppliers, Distributors, Consultants, Agents or others. This includes exchanging personal data with third parties for the purposes of fraud protection and credit risk reduction. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our Service Providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. The Service Providers are bound by obligations of confidentiality.

10. International Data Transfers

Your personal data may be transferred, stored and accessed within the European Economic Area (“EEA”) or transferred to, stored in, and accessed from countries outside the EEA in order to fulfil the purposes described in this Privacy Policy. For transfers to countries outside the EEA, the data protection regime may be different than in the country in which you are located and will therefore be based on a legally adequate transfer method. Whenever GBIL transfers your personal data out of the EEA, we ensure a similar degree of protection is given to it by ensuring at least one of the following safeguards is implemented:
➢ Where the country has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
➢ We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
➢ Where service providers are based in the US, we may transfer data to them if they are part of the EU-U.S. Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
We will provide you on request a list of the countries located outside the EEA to which personal data may be transferred, and an indication of whether they have been determined by the European Commission to grant adequate protection to personal data. Where applicable, you are entitled, upon request to receive a copy of the relevant safeguard (for example, EC model contractual clauses) that has been taken to protect personal data during such transfer.

11. Data Security

We are committed to protecting the personal data you provide us. To prevent unauthorised access or disclosure of personal data under our control, GBIL has appropriate security systems in place to safeguard the personal data we collect. Encryption is also used on where security is particularly important.

12. Data Breach

It is GBIL’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our Data Breach policy which sets out the overall process of handling information security incidents.

13. Updating your personal data

It is important that the personal data we hold is accurate and current. Please keep us informed, using the relevant contact details if any of your personal data changes during your relationship with us. It is your responsibility to keep your personal data up to date at all times.

14. Data Retention

We retain personal data for no longer than is allowed under data protection law, the statute of limitations and any other relevant laws in place at the relevant time. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

15. Your Legal Rights

You have rights under applicable data protection law in relation to personal data, namely:
➢ Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
➢ Request correction of the personal data that we hold about you This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
➢ Request erasure of your personal data This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
➢ Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data.
➢ Request restriction of processing of your personal data This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish,
exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
➢ Request the transfer of your personal data to you or to a third party We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machinereadable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
➢ Withdraw consent at any time if and to the extent we are relying on consent as the legal basis to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights) except in cases where it is determined by GBIL that the request is “manifestly unfounded or excessive”, then GBIL is entitled to charge a fee for this information.

In order to exercise one or more of your rights in respect of your personal data, please contact us on the relevant company details above. We will respond to your request(s) as soon as reasonably practicable, but in any case within the legally required period of time. You have the right to make a complaint at any time to the Data Protection Commission, the Irish supervisory authority for data protection issues (https://www.dataprotection.ie). We would, however, appreciate the chance to deal with your concerns before you approach the Data Protection Commission so please contact us in the first instance on the contact details above.

16. Changes to our privacy policy

Our Privacy Policy is an evolving document. Any changes to our Privacy Policy shall be available on our website www.gbi.ie or available on request at the contact details listed above.

17. Contact us

If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact us using the relevant contact details above. You can also request to delete your account, erase your data, access your data and transfer your data using the above details.