PART 1 – WHO WE ARE AND HOW TO CONTACT US

1.1 Data Controller

Explore Inishowen CLG is the data controller responsible for your personal data. We are a non-profit organization whose function is to market the peninsula of Inishowen in County Donegal overseas and locally as a tourist destination.

1.2 Data Protection Officer

Our Data Protection Officer is Niall McCaughan. You can contact our DPO with any queries or concerns about data protection:

1.3 Supervisory Authority

The Data Protection Commission (DPC) is Ireland’s national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected.

If you have concerns about how we process your personal data, you have the right to lodge a complaint with the DPC:

PART 2 – PRIVACY POLICY AND STATEMENT

2.1 Introduction

Explore Inishowen CLG is a non-profit organization. Our function is to market the peninsula of Inishowen in County Donegal as a tourist destination. A core part of our business is to facilitate efforts to promote and publicize tourism products and services.

In order to provide effective services, we collect, process, and use certain types of information about people and organizations. This may include ‘personal data’ as defined by Data Protection Legislation and may relate to:

• Current, past, and prospective service providers (tourism businesses)
• Current, past, and prospective employees and volunteers
• Website users and newsletter subscribers
• Suppliers and contractors
• Members of the public who engage with our staff

This Privacy Policy explains in clear, plain language how we collect, use, store, and protect your personal data, and your rights regarding that data.

2.2 What Personal Data We Collect

We collect and process the following categories of personal data:

A. FROM TOURISM SERVICE PROVIDERS (for website listings):

• Business name and trading name
• Business address and location
• Contact person name
• Email address
• Telephone number
• Business description and services offered
• Business category (accommodation, activities, restaurants, etc.)
• Website and social media links
• Opening hours and seasonal information
• Images of business premises/services
• Pricing information (if provided)

B. FROM WEBSITE USERS AND NEWSLETTER SUBSCRIBERS:

• Name
• Email address
• IP address (collected automatically)
• Location data (general geographic area)
• Browser type and device information
• Pages visited and time spent on website
• Preferences and interests (if provided)

C. FROM EMPLOYEES, VOLUNTEERS, AND CONTRACTORS:

• Name, address, contact details
• PPS number (where required for payroll/tax purposes)
• Bank account details (for payment purposes)
• Employment history and references
• Qualifications and certifications
• Emergency contact information

D. AUTOMATICALLY COLLECTED DATA:

• Cookies and similar tracking technologies (see Cookie Policy)
• Website analytics data
• IP addresses
• Browser type and version
• Time zone settings
• Operating system and platform
• Clickstream data

We do not collect Special Categories of Personal Data (such as health information, religious beliefs, trade union membership, racial or ethnic origin, sexual orientation, or biometric data) unless absolutely necessary and with your explicit consent.

2.3 How We Collect Your Personal Data

We collect personal data through:

• Direct submission via online forms on our website
• Email communications
• Phone calls
• In-person meetings and events
• Business registration forms for service providers
• Newsletter subscription forms
• Cookies and automatic tracking technologies
• Third-party sources (such as publicly available business directories)

2.4 Legal Basis for Processing Your Personal Data

We only process your personal data where we have a legal basis to do so under Article 6 of the GDPR. The legal basis depends on the purpose for which we use your data:

A. CONSENT (Article 6(1)(a))

• Newsletter subscriptions
• Marketing communications
• Non-essential cookies
• Event photography/promotional materials

You have the right to withdraw consent at any time by contacting us or using the unsubscribe link in communications.

B. CONTRACT (Article 6(1)(b))

• Processing service provider listings on our website
• Fulfilling agreements with suppliers and contractors
• Managing employment relationships

C. LEGAL OBLIGATION (Article 6(1)(c))

• Tax and accounting records
• Employment law compliance
• Health and safety requirements
• Responding to lawful requests from authorities

D. LEGITIMATE INTERESTS (Article 6(1)(f))

• Website analytics to improve user experience
• Responding to enquiries
• Fraud prevention and security
• Network and information security
• Internal administration

Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms and determined that processing is necessary and proportionate.

2.5 How We Use Your Personal Data

We use personal data for the following purposes:

SERVICE PROVIDER LISTINGS:

• To display information about tourism businesses on our website
• To enable users to find and contact tourism service providers
• To promote tourism services in Inishowen
• To maintain accurate and up-to-date business directories

COMMUNICATIONS:

• To send our newsletter and event alerts to subscribers
• To respond to enquiries and requests for information
• To provide customer service and support
• To communicate with service providers about their listings

WEBSITE OPERATION AND IMPROVEMENT:

• To administer and maintain our website
• To analyze website traffic and user behavior
• To improve website design and functionality
• To troubleshoot technical issues
• To ensure website security

BUSINESS OPERATIONS:

• To manage relationships with suppliers and contractors
• To process payments
• To comply with legal and regulatory requirements
• To maintain financial records
• To manage employment and volunteer relationships

MARKETING AND PROMOTION:

• To promote Inishowen as a tourism destination
• To organize and promote events
• To produce marketing materials and publications
• To engage with media and press

2.6 Who We Share Your Personal Data With

We may share your personal data with the following categories of recipients:

SERVICE PROVIDERS AND PROCESSORS:

• Website hosting providers
• Email marketing platforms
• IT support and maintenance providers
• Analytics providers (e.g., Google Analytics)
• Cloud storage providers

LEGAL AND REGULATORY AUTHORITIES:

• When required by law or in response to legal requests
• To protect our rights, property, or safety
• To prevent fraud or criminal activity

TOURISM PROMOTION PARTNERS:

• Fáilte Ireland
• Tourism Ireland
• Donegal County Council
• Other tourism promotion bodies
• Media and press (with consent for promotional purposes)

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

2.7 International Transfers of Personal Data

Some of our service providers may be located outside the European Economic Area (EEA). Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• European Commission approved Standard Contractual Clauses (SCCs)
• Transfers to countries with adequacy decisions from the European Commission
• UK Extension to the EU-U.S. Data Privacy Framework (where applicable)

For example, if we use Google Analytics, data may be transferred to the United States. We rely on Google’s compliance with the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

You can obtain more information about international transfers and safeguards by contacting us.

2.8 How Long We Keep Your Personal Data

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

RETENTION PERIODS:

Service Provider Listings:

• Active listings: For the duration of the business relationship
• After removal request: Up to 1 year for backup purposes
• Archived data: May be retained indefinitely for historical records

Newsletter Subscribers:

• Active subscriptions: Until you unsubscribe
• After unsubscription: Up to 30 days for processing, then permanently deleted

Website Analytics:

• Google Analytics: 26 months (configurable)
• Server logs: 12 months

Enquiries and Correspondence:

• General enquiries: 2 years
• Complaints: 6 years

Financial Records:

• 6 years after the end of the financial year (as required by Irish tax law)

Employment Records:

• Current employees: Duration of employment plus 6 years
• Former employees: 6 years after termination

Marketing Materials:

• Consent-based: Until consent is withdrawn
• Photography releases: Duration specified in consent form

When personal data is no longer needed, it will be securely deleted or anonymized so that you can no longer be identified from it.

2.9 Your Rights Under Data Protection Legislation

You have the following rights regarding your personal data:

A. RIGHT TO ACCESS (Article 15)

You have the right to request a copy of the personal data we hold about you, along with information about how we use it.

B. RIGHT TO RECTIFICATION (Article 16)

You can ask us to correct inaccurate or incomplete personal data.

C. RIGHT TO ERASURE (Article 17) – “Right to be Forgotten”

You can request deletion of your personal data in certain circumstances:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent (where processing was based on consent)
• You object to processing and there are no overriding legitimate grounds
• The data has been processed unlawfully
• Deletion is required to comply with a legal obligation

This right is not absolute and may be limited by legal requirements to retain certain data.

D. RIGHT TO RESTRICTION OF PROCESSING (Article 18)

You can ask us to temporarily stop using your data in certain circumstances:

• You contest the accuracy of the data
• Processing is unlawful but you don’t want data deleted
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification

E. RIGHT TO DATA PORTABILITY (Article 20)

Where processing is based on consent or contract and carried out by automated means, you can request to receive your personal data in a structured, commonly used, machine-readable format, or request that we transfer it to another controller.

F. RIGHT TO OBJECT (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.

G. RIGHT TO WITHDRAW CONSENT

Where processing is based on consent, you can withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.

H. RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Article 22)

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

I. RIGHT TO LODGE A COMPLAINT

You have the right to lodge a complaint with the Data Protection Commission if you believe we have not complied with data protection law (see Section 1.3 for contact details).

2.10 How to Exercise Your Rights

To exercise any of these rights, please contact us using the details in Section 1.1 or 1.2.

When making a request, please:

• Provide enough information to identify yourself (e.g., name, email address, account details)
• Specify which right you wish to exercise
• Explain clearly what you are requesting

We will respond to your request without undue delay and within one month of receipt. This may be extended by two months for complex requests, in which case we will inform you and explain the reasons for the delay.

We may need to verify your identity before processing your request to protect your personal data from unauthorized access.

There is no fee for exercising your rights unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.

2.11 Information We Will Not Provide

In certain circumstances, we may not be able to provide all requested information:

A. INFORMATION ABOUT OTHER PEOPLE

We cannot disclose personal data that identifies other individuals without their consent, unless it is reasonable to do so without consent.

B. LEGALLY PRIVILEGED INFORMATION

Communications with legal advisers that are subject to legal professional privilege need not be disclosed.

C. INFORMATION THAT WOULD HARM IMPORTANT INTERESTS

We may withhold information where disclosure would:

• Prejudice the prevention, detection, or investigation of offenses
• Prejudice the apprehension or prosecution of offenders
• Significantly harm our commercial interests
• Breach confidentiality obligations

D. MANIFESTLY UNFOUNDED OR EXCESSIVE REQUESTS

Requests that are clearly unreasonable, repetitive, or made in bad faith may be refused.

Where we refuse a request, we will explain the reasons in writing and inform you of your right to complain to the Data Protection Commission.

2.12 Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Our security measures include:

TECHNICAL MEASURES:

• Secure servers with encryption (SSL/TLS certificates)
• Password protection and access controls
• Regular security updates and patches
• Firewalls and antivirus software
• Secure backup procedures
• Data encryption in transit and at rest (where appropriate)

ORGANIZATIONAL MEASURES:

• Access limited to authorized staff on a need-to-know basis
• Staff training on data protection
• Confidentiality agreements with staff and contractors
• Regular review and updating of security measures
• Data protection policies and procedures
• Incident response plans

PHYSICAL MEASURES:

• Secure office premises
• Locked filing cabinets for physical records
• Visitor access controls
• Secure disposal of documents (shredding)

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

2.13 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Data Protection Commission without undue delay and within 72 hours of becoming aware of the breach (where feasible)
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Document the breach, including facts, effects, and remedial action taken

A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2.14 Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file stored on your device that helps us provide and improve our services.

We use the following types of cookies:

STRICTLY NECESSARY COOKIES:

These cookies are essential for the website to function and cannot be switched off. They are usually set in response to actions you take, such as setting privacy preferences or filling in forms.

PERFORMANCE COOKIES:

These cookies collect anonymous information about how visitors use our website, such as which pages are visited most often. This helps us improve website performance.

FUNCTIONALITY COOKIES:

These cookies remember choices you make (such as language preferences) to provide enhanced features.

MARKETING/TARGETING COOKIES (if used):

These cookies track your online activity to help advertisers deliver more relevant advertising or limit how many times you see an ad. We only use these with your consent.

COOKIE CONSENT:

When you first visit our website, you will see a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time through our Cookie Settings.

You can also control cookies through your browser settings. However, blocking some cookies may impact your experience of our website.

THIRD-PARTY COOKIES:

We may use third-party services that set their own cookies, including:

• Google Analytics (website analytics)
• Other third-party services as applicable

These third parties have their own privacy policies.

2.15 Links to Other Websites

Our website may contain links to other websites, including service provider websites, social media platforms, and partner organizations. We are not responsible for the privacy practices or content of these external websites.

When you click on a link to another website, you leave our website and this Privacy Policy no longer applies. We encourage you to read the privacy policy of every website you visit.

2.16 Children’s Privacy

Our website and services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16.

In accordance with the Data Protection Act 2018, the age of digital consent in Ireland is 16. This means that for online services that rely on consent as the legal basis for processing, consent must be given or authorized by a parent or guardian for children under 16.

If we become aware that we have collected personal data from a child under 16 without proper parental consent, we will take steps to delete that information.

2.17 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make significant changes, we will notify you by:

• Posting the updated policy on our website with a revised “Last updated” date
• Sending an email to newsletter subscribers (for material changes)
• Displaying a prominent notice on our website

We encourage you to review this Privacy Policy periodically. Your continued use of our website and services after changes are posted constitutes acceptance of the updated policy.

Previous versions of this Privacy Policy are available upon request.

2.18 Updates to Your Information

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

If you are a service provider with a listing on our website, you can update your information by:

• Logging into your account (if applicable)
• Contacting us directly at info@govisitinishowen.ie
• Calling +353 74 93 63451

PART 3 – SOCIAL MEDIA PRIVACY POLICY AND STATEMENT

3.1 General Social Media Statement

We maintain a presence on various social media platforms to promote Inishowen as a tourism destination and engage with our community. These platforms include (but are not limited to):

• Facebook
• Instagram
• Twitter/X
• Other platforms as applicable

When you interact with us on social media, both this Privacy Policy and the privacy policy of the relevant social media platform apply. We are not responsible for the privacy practices of social media platforms.

Personal data shared on social media platforms is public and may be seen by anyone. Please think carefully before posting personal information on social media.

3.2 What We Collect on Social Media

When you interact with our social media pages, we may collect:

• Your username/handle
• Comments, messages, and posts you make on our pages
• Publicly available profile information
• Engagement data (likes, shares, comments)
• Analytics data provided by the platform

We use this information to:

• Respond to comments and messages
• Engage with our community
• Monitor mentions of Inishowen
• Analyze the effectiveness of our social media presence
• Share user-generated content (with permission)

3.3 Facebook and Instagram Policy

Our Facebook and Instagram pages provide information and updates regarding tourism services, public and social festivals, and events in Inishowen.

COMMUNITY GUIDELINES:

To ensure that all discussions on our pages are productive, respectful, and consistent with our mission, we ask you to follow these guidelines:

• Be considerate and respectful of others. Vulgarity, threats, or abuse of language will not be tolerated
• Differing opinions and discussion of diverse ideas are encouraged, but personal attacks on anyone, including staff, will not be permitted
• Share freely and be generous, but be aware of copyright laws; be accurate and give credit where credit is due
• Stay on topic and keep discussions relevant to Inishowen tourism
• Refrain from using the pages for solicitation, commercial purposes, or to market products (unless invited to do so)
• Do not share personal or private information about yourself or others
• Respect the privacy of others; do not tag people without permission

CONTENT WE MAY REMOVE:

We reserve the right to remove comments or content that includes:

• Obscene, racist, or discriminatory content
• Personal attacks, insults, or threatening language
• Potentially libelous statements
• Plagiarized material or material in violation of any laws, including copyright
• Private, personal information published without consent
• Information or links unrelated to Inishowen tourism
• Commercial promotions or spam
• Misinformation or deliberately false information
• Content that violates Facebook’s/Instagram’s Community Standards

MONITORING AND RESPONSES:

• Our social media pages are monitored during office hours, Monday to Friday
• We welcome and will read all comments and messages
• Due to resource constraints, we may not be able to reply to all messages individually
• However, we will endeavor to pass on emerging themes or helpful suggestions to relevant people
• Response times may vary; we aim to respond within 2-3 business days

IMPORTANT NOTICES:

• Sending a message/post via Facebook or Instagram will not be considered as contacting us for official purposes
• We will not be obliged to monitor or respond to requests for information through social media channels
• For official enquiries, please use the contact details in Section 1.1
• Do not include sensitive personal information in your social media messages to us

DISCLAIMER:

• Explore Inishowen CLG is not responsible for the accuracy of content posted by any user in any forum
• Opinions expressed in comments on our social media forums do not necessarily represent those of Explore Inishowen CLG
• All comments, once posted, may become the property of the social media platform and are subject to their terms of service
• We may screenshot or share user comments for promotional purposes (with attribution and in accordance with platform rules)

3.4 Twitter/X Policy

Our Twitter/X account (@govisitinishowen) shares developments in Explore Inishowen CLG and tourism-related information.

WHAT WE TWEET:

• Press releases about Explore Inishowen CLG initiatives
• Event information and announcements
• Alerts about new content on our website
• Tourism tips and highlights
• Practical information relevant to tourism in Inishowen
• Weather and seasonal updates
• Responses to queries and mentions

RETWEETS AND FOLLOWS:

• We may retweet relevant appropriate announcements, particularly from tourism partners, government bodies, and local organizations
• If we retweet content, it does not necessarily imply endorsement
• We are not obliged to follow any of our followers
• Following a Twitter account does not imply endorsement of any kind

SERVICE AVAILABILITY:

• Twitter/X may occasionally be unavailable, and we accept no responsibility for lack of service
• Our Twitter account is normally updated and monitored during office hours, Monday to Friday
• We welcome and will read all @ messages and mentions
• Due to resource constraints, we may not reply to all messages

IMPORTANT NOTICES:

• Sending a message via Twitter/X will not be considered as contacting us for official purposes
• We will not be obliged to monitor or respond to requests for information through Twitter/X
• Please do not include personal/private information in your tweets to us
• For official enquiries, please use the contact details in Section 1.1

PRIVACY AND LIABILITY:

• Explore Inishowen CLG is not responsible, liable for, and does not endorse the privacy practices of Twitter/X or any linked websites
• Your use of Twitter/X and any linked websites is at your own risk
• We assume no responsibility or liability for any injury, loss, or damage incurred as a result of any use or reliance upon information and material contained within or downloaded from Twitter/X or linked websites

3.5 User-Generated Content

We love seeing photos and content that showcase Inishowen! If you share content about Inishowen on social media:

WITH HASHTAGS:

By using our designated hashtags (e.g., #VisitInishowen, #InishowenPeninsula), you grant us permission to reshare your content on our channels (with attribution).

TAGGING US:

If you tag our account, we may engage with, like, comment on, or share your content.

PERMISSION:

We will always aim to credit the original creator when sharing user-generated content. If you prefer that we do not share your content, please let us know by:

• Stating so in your post/caption
• Making your account private
• Contacting us directly

REMOVAL REQUESTS:

If we have shared your content and you would like it removed, please contact us and we will remove it promptly.

3.6 Social Media Competitions and Promotions

From time to time, we may run competitions, giveaways, or promotions on social media. These will have separate terms and conditions that explain:

• How to enter
• What personal data we collect
• How winners are selected
• Prize details
• How we use data collected during the promotion

Participation in these promotions is voluntary and subject to the specific terms and conditions.

3.7 Social Media Analytics

We use analytics tools provided by social media platforms (Facebook Insights, Instagram Insights, Twitter Analytics) to understand how users engage with our content.

This helps us:

• Understand what content is most popular
• Identify the best times to post
• Measure the reach of our campaigns
• Improve our social media strategy

Analytics data is typically aggregated and anonymized, but may include demographic information (age ranges, locations, interests) about our followers.

APPENDIX: DEFINITIONS

Data Controller: The organization that determines the purposes and means of processing personal data. Explore Inishowen CLG is the data controller for the personal data described in this policy.

Data Processor: An organization that processes personal data on behalf of a data controller (e.g., our website hosting provider).

Data Subject: An identified or identifiable natural person (i.e., you, the individual whose personal data we process).

Personal Data: Any information relating to an identified or identifiable natural person. This includes names, email addresses, phone numbers, IP addresses, and any other data that can identify you directly or indirectly.

Processing: Any operation performed on personal data, including collection, recording, storage, alteration, retrieval, use, disclosure, erasure, or destruction.

Special Categories of Personal Data: Sensitive personal data requiring extra protection, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

Third Party: Any person or organization other than the data subject, data controller, data processor, or persons authorized to process data under the direct authority of the controller or processor.

END OF PRIVACY POLICY