Privacy Policy
Last updated: August 14th, 2024.
Schedule: Data Protection Act 2018 Compliance
Definitions
In this Schedule, the following words shall have the following meanings:
“Act”
means the Data Protection Act 2018
“Associate”
means any corporate or other form of organisation or any individual person with whom you have an association which does, or could, entail the transfer of personal data to us for processing.
“Directive”
means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
“DPC”
means the Data Protection Commission
“the Data Protection Regulations”
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“the Law”
means all or any of:
(a) the Data Protection Regulations,
(b) the Act,
(c) the Data Protection Act 1988,
(d) the Data Protection Act 2003,
(e) regulations made under the Act,
(f) the Directive.
"data controller", "data processor", “sub-processor”, "data subjects", "personal data", "process", "processed" and "processing" shall have the meanings respectively, as defined in the Act.
In this agreement, “personal data” is limited to data which comes into the Agent's hands in some way connected to this agreement.
Data Protection
1.1. The obligations described in this Schedule are in addition to the Agent's obligations under the Law.
1.2. To enable the Agent to provide the Services under this agreement, you authorise the Agent to process personal data on behalf of Givers and requesters.
1.3. All parties agree that Givers and requesters are data controllers, and the Agent is the data processor in relation to personal data.
1.4. Details of the anticipated processing activities are set out at Appendix 1 to this Schedule.
How we shall process data
The Agent shall at all times comply with the provisions and obligations imposed by the Law and, in particular, shall:
1.5. process personal data only to the extent necessary to provide the Services;
1.6. ensure that every person processing personal data under this agreement does so strictly on a need-to-know basis, has received training on their obligations relating to handling of personal data and is bound by confidentiality obligations no less stringent than the Agent's confidentiality obligations under this agreement;
1.7. in order to use commonly accepted international communications and money transfer protocols, it will be necessary to use sub-contractors for certain service provision. The Agent shall not necessarily be aware of the identity of every organisation involved in the train of communications. When that happens, the Agent accepts full responsibility for their compliance with the Law;
1.8. subject to the exceptions mentioned in the last previous sub-paragraph, the Agent will not use subcontractors for personal data processing under this agreement without prior written consent of the givers and requesters;
1.9. wherever possible, enter into a written contract with each such sub-processor, which includes the same obligations on the sub-processor as those imposed on the Agent by givers and requesters under this agreement;
1.10. subject to the other provisions of this Schedule, not process personal data or permit any third party to process personal data outside of the European Economic Area (EEA) unless:
1.10.1 EU standard contractual clauses approved by the European Commission or the DPC are entered into between givers and requesters or their relevant Associate as data exporter, and the relevant recipient of the personal data as data importer; or
1.10.2 the recipient of the personal data has entered into a data processing agreement with givers and requesters; or
1.10.3 the recipient of the personal data is regulated within the United States of America solely by the U.S. Department of Commerce, is certified under the EU/US Privacy Shield framework, and continues to be certified for the period within which it processes the personal data; or
1.10.4 the recipient of the personal data has entered into binding corporate rules, which are valid in respect of the processing of personal data under this agreement and have been approved by the European Commission or the DPC; or
1.10.5 the transfer is to a recipient located within a jurisdiction whose law relating to the processing of personal data has been approved by the European Commission or the DPC (subject to any applicable restrictions).
1.11. have in place at all times appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by processing the personal data, to prevent accidental, unauthorised or unlawful destruction, loss, alteration, or access to personal data, including as a minimum whatever security measures givers and requesters notify and instruct the Agent to use. Examples of such measures are:
1.11.1 the pseudonymisation and encryption of personal data;
1.11.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
1.11.3 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing;
1.12. maintain a written record of all categories of processing activities carried out on the givers' and requesters' behalf and, when the giver and requester ask, copy it to the giver and requester. The record shall contain:
1.12.1 The Agent's name and contact details and (where applicable) those of the Agent's approved sub-processors and details of their respective data protection officers;
1.12.2 the categories of personal data, data subjects and processing activities carried out on behalf of the giver and requester and their Associates;
1.12.3 where applicable, transfers of personal data to a third country (i.e. non-EU Member State) or an international organisation, including identification of that third country and documentation evidencing implementation of suitable safeguards; and
1.12.4 a general description of the technical and organisational security measures the Agent has installed as referred to in Article 32(1) of the Data Protection Regulations;
1.13. when the giver and requester ask, give to the giver and requester or to the DPC, access to the Agent's employees, data processing facilities, procedures, and records to inspect and audit compliance with the Law and the terms of this agreement. The Agent shall (and shall ensure any sub-processor shall) give all reasonable cooperation and assistance.
1.14. immediately tell the giver and requester (and in any event within 24 hours) after becoming aware of any actual or suspected unlawful destruction, loss, alteration, disclosure of, or access to, personal data transmitted, stored or otherwise processed by the giver and requester or any sub-processor under this agreement;
1.15. provide reasonable assistance to the giver and requester in:
1.15.1 responding to data subjects' requests to exercise their rights under the Act;
1.15.2 responding to communications received from the DPC relating to the processing of personal data under this agreement, including notifying the giver and requester immediately of any such communication;
1.15.3 taking measures to address data security incidents, including, where appropriate, measures to mitigate their possible adverse effects;
1.15.4 promptly upon the giver and requester's request, transfer personal data to a third party in compliance with a request from a data subject to exercise their right to data portability;
1.15.5 make available to the giver and requester on request all information necessary to demonstrate compliance with the obligations set out in this Schedule; and
Post termination
1.16. Upon termination of this agreement, the Agent and any sub-processor shall:
1.16.1 physically destroy all copies of media upon which any personal data was supplied and any further copies made by the Agent;
1.16.2 return all personal data stored in hard copy to the giver and requester;
1.16.3 delete all personal data stored in soft copy, by some method which prevents future re-activation of that data;
1.17. Where the Agent or their sub-processor is required to retain personal data in order to comply with applicable law, the Agent will tell the giver and requester and will retain such personal data only in the Agent's capacity as a data processor and shall comply with the Agent's obligations as a data processor, as far as applicable law permits.
Warranty and acceptance of liability
1.18. The Agent represents and warrants that the information provided in any response to any request by the giver and requester shall be complete, true and accurate, and will not misrepresent the Agent's business or practices in respect of the Agent's ability to comply with the Law and the Agent's obligations under this agreement.
1.19. If any act or omission of the Agent's or their sub-processors results in data transmitted or processed under this agreement being lost or degraded so as to be unusable, then the Agent shall be liable to the giver and requester for the cost of reconstituting the data and/or the giver and requester’s and the giver and requester's Associate's costs in recreating such data.
Schedule 1
The Agent is committed to ensuring that the giver and requester's information is secure. In order to prevent unauthorised access or disclosure the Agent has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information the Agent collects online.
The Agent may change this Policy from time to time so please check this page occasionally to ensure that you are happy with any changes. By using the Agent's website, the giver and requester agree to be bound by this Policy.
Any questions regarding this Policy and our privacy practices should be sent by email to info@thetoylibrary.ie or by writing to The Toy Library CLG, 2 Daffodil Way, Forest Hill, Carrigaline, Co. Cork, Ireland.
Who are we (the Agent)?
The Agent is The Toy Library CLG. The Toy Library CLG is a limited company (Companies Registration Office no. 751311), and their registered offices are 2 Daffodil Way, Forest Hill, Carrigaline, Co. Cork, Ireland.
How does the Agent collect information from the giver and requester?
The Agent obtains information about the giver and requester when the giver and requester use the Agent's website or submit an enquiry via the website, phone or email.
In particular, the Agent's website uses Plausible Analytics instead of Google Analytics. Even though the purpose of Plausible Analytics is to track the usage of a website, this can still be done without collecting any personal data or personally identifiable information (PII), without using cookies and while respecting the privacy of website visitors.
By using Plausible Analytics, all the site measurement is carried out absolutely anonymously. Cookies are not set and no personal data is collected. All data is in aggregate only. The website owner gets some actionable data to help them learn and improve, while the visitor keeps having a nice and enjoyable experience.
Further information as to how Plausible Analytics works is available at https://plausible.io/privacy-focused-web-analytics.
What information does the Agent collect?
The Agent collects the following information:
• Name and Last name
• Contact information including email, phone, and address when provided
• Listing location
• Other non-personal information relevant to the giver and requester's enquiry and usage of the Platform
What does the Agent do with the information gathered?
The Agent requires this information to understand the giver and requester's needs and provide the giver and requester with a better service, and in particular for the following reasons:
• Running the Platform
• Internal record keeping
The Agent does not monetise user data, i.e. they do not sell it to other parties or use it to increase sales of any product or services.
The Agent may at times use this data for research purposes (and specifically any analytics related to the usage of the platform to prove social impact), but this data will be used in aggregate and in pseudonymized form if needed.
If the giver and requester are availing of Give and Request services through the website, the giver and requester's event details and personal information will be passed to the Giver and Requester as appropriate. This is solely so that contact can be made with the giver and requester regarding the transaction, and the information will not be used for marketing purposes.
The Agent may use the information to improve their products and services.
The Agent may periodically send promotional emails with regard to services which they think the giver and requester may find interesting using the email address which the giver and requester have provided, but only if the giver and requester have made an enquiry with the Agent, and only if the giver and requester have not opted out of receiving promotional emails.
From time to time, the Agent may also use the giver and requester's information to contact the giver and requester for market research purposes. The Agent may contact the giver and requester by email, phone, fax or mail.
The Agent may use the information to customise the website according to the giver and requester's interests.
The Agent will hold the giver and requester's personal information on the Agent's systems for as long as is necessary for the relevant activity. When the giver and requester have entered into a contract, the Agent will hold their data securely for 6 years to help support the Agent's financial reporting requirement.
Who has access to the giver and requester's information?
The Agent will not sell, distribute or lease the giver and requester's personal information to third parties unless the Agent has the giver and requester's permission or is required by law to do so. The Agent may use the giver and requester's personal information to send the giver and requester promotional information about third parties which the Agent thinks the giver and requester may find interesting if the giver and requester tell the Agent that they wish this to happen.
Website recording
The Agent's website may also use visitor recording software. This software may record mouse clicks, mouse movements, page scrolling and any text keyed into website forms. The information collected does not include any sensitive personal data. Data collected by the website is for the Agent's internal use only. The information collected is used to improve the Agent's website usability and is stored and used for aggregated and statistical reporting.
Links to other websites
The Agent's website may contain links to enable you to visit other websites of interest easily. However, once the giver and requester have used these links to leave the Agent's site, the giver and requester should note that the Agent does not have any control over that other website. Therefore, the Agent cannot be responsible for the protection and privacy of any information which the giver and requester provide whilst visiting such sites and such sites are not governed by this privacy statement. The giver and requester should exercise caution and look at the privacy statement applicable to the website in question.
Controlling the giver and requester's personal information
If the giver and requester would like to remove personal details from the Agent's website, please contact info@thetoylibrary.ie.