Last Updated: September 28, 2020
Personal Data Privacy Statement Scansmart
Eason Electronic International is a registered Irish company and is the data (joint) controller of your personal data that you submit via the Scansmart app. You can contact David Cooke on firstname.lastname@example.org
Our outsourced Data Protection Officer is Cillian Mac Giollarnath he can be reached at email@example.com to answer any queries you have about how we manage your personal data or to exercise your legal rights.
The business premises that you visit when using the Scansmart app jointly determine the means of processing, as such they are joint data controllers as defined under Article 26 of GDPR.
How does it work?
- Retail business’s contract Scansmart to offer to their customers a digital check-in service to support HSE contact tracing people who may have come into contact on their premises with a confirmed COVID 19 case.
- Scansmart provide the business with a QR Code which is unique to their location.
(This is a just an example of a QR Code.)
- This premises specific QR Code is displayed at the entrances to the premises. Customers can scan (open their phone camera and point the camera at the code) the QR code. The phone decodes this and the customers phone will prompt them to open their internet browser at check-in.scansmart.io
- The internet page on your phone will display the name and the address of the business and the customer is invited to submit “Full Name” and “Phone Number”. While we encourage you to use your full legal name, a name you are known as, a nickname or your first name would be fine. It is crucial that you submit an accurate phone number. When you submit this information, a webpage will confirm that you have been checked in.
- Some business owners will instruct us to enable authentication of your details. This means that in some cases you will receive a text message to the phone number you supplied to confirm that it was you that submitted the information. Some business owners may enable a function that will send a text to you to prompt you to prepare to leave the premises in accordance with any legislative rules on duration of visits, active at the time and applicable to the location of the premises.
- The personal data you submit is then downloaded to a server controlled by Scansmart in Ireland. The data is stored in SQL format with the following fields.
|Name||Premises||Date||Check in Time||Phone number|
|David Cooke||Murphy’s Pub||10/10/2020||19.46||085 555 1234|
- In the event of the business being informed by the HSE of a positive case of COVID 19 at their premises we will send the HSE the names and phone numbers of those who we have recorded at being at the business premises at the same time.
- We delete your personal data in accordance with the below
What data do we collect.
In the text boxes on the app you are invited to provide us with your name and your phone number.
Your location will be identified as each QR Code that you scan to your phone to use the app is specific to a geographic location.
The time and date you entered your details into the app will be recorded.
We have no access to your GPS data, your emails, messages, photos or videos on your phone.
We have no access or control over your phone’s camera or microphone.
We have no access or control over any of your phone’s apps.
Who has access to your personal data?
Scansmart has access to your personal data you supplied, and have the ability to amend or delete your personal data. Access to your personal data is monitored and limited to relevant and appropriate personnel whose role is necessary to access the personal data. Access to the database storing your personal data is managed using unique usernames and passwords.
The business premises has access only to a section of the database managed by Scansmart. That section is limited to the part that records the name and phone number of people who attend their business premises. Access to your personal data is monitored and limited to relevant and appropriate personnel whose role is necessary to access the personal data. The business premises has no ability to amend or delete your personal data.
No third parties have access to your personal data.
Each of the joint controllers of your personal data are responsible for the access privileges, security and use of your personal data, all limited to the use of your personal data to support contact tracing in the management of COVID 19.
If you feel your personal data has been misused by the business, or us, you can notify your concerns to our Data Protection Officer at firstname.lastname@example.org
The Purpose of us processing your personal data?
To ensure that if a fellow customer, at the time you attend the business premises, is diagnosed positive with COVID 19 that you will be informed of the risk that you may have been infected and so seek early medical advice and attention as required.
How long do we retain your personal data?
We do not delete your personal data until such a time that the COVID 19 emergency phase is discontinued. We estimate this is to be when the legislation introduced by the Irish government on 20th March 2020 is repealed or revoked. Ten days following that repeal/revocation date we will delete all data collected for the purpose of the processing outlined in this notice.
We do not automatically delete your personal data after the incubation period of COVID 19 (2- 10 days, W.H.O.) has passed as we realise that you may frequent the same business premises time and again, for instance your local supermarket, so for your convenience we retain your personal data from the first visit so that each subsequent time you visit the business location you only need to scan the QR code and not repeatedly enter your personal data.
We will however immediately delete any valid requests for deletion made via email to our Data Protection Officer on email@example.com
Legal basis for processing your personal data.
When you provide us the personal data
The processing of personal data is governed primarily by the GDPR and the Irish Data Protection Acts 1988 to 2018 in Ireland. The legal basis for us processing your data is GDPR Article 6.1 (a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
This consent is captured by the voluntarily acts you take to scan the QR code, type in your name and phone number and submit that information.
Where a business make it a condition of entry to their premises that you supply your name and phone number via the Scansmart app then the legal basis to process this data falls under Article 6.1 “processing is necessary for compliance with a legal obligation to which the controller is subject”.
The legal obligation in this case is the responsibility for businesses to protect their employees under the Safety, Health and Welfare at Work Act 2005. In the event you do not supply the personal data the business can refuse you entry. COVID 19 mitigation related legislation may, depending on locations and premises type obligate the business owner to collect your personal data for to support contact tracing.
When we share your personal data with any third parties.
In the event of the HSE informing one of our client business’s that a person who attend their premises has tested positive we, under instruction from the business, will send on a file to the HSE with all the phone numbers and names of the people who attended the premises at the same time as the confirmed case did.
That file will contain personal data, the name and phone number of the person(s) who attended the premises along with the time and date that the person signed in, using the Scansmart app.
The HSE will then determine what to do with this personal data within the strict parameters of its usage being limited to contact tracing and testing for COVID 19.
Personal data will only be provided to An Garda Siochana or other authorised statutory authorities under a valid court order.
International transfers of your personal data.
We do not transfer, or store, your data outside of the EU.
How do we safeguard your personal data?
We have put in place appropriate security measures that are designed to prevent unauthorised access to, and misuse of, your personal data. All our staff have been trained in data protection awareness and GDPR compliance practice.
We have instructed and have agreements with the business premises that your data will not be used for any other reason other than that to support COVID 19 contact tracing carried out by, or on the behalf of the HSE.
How can you access, amend or delete the personal data that you have given to us?
When we hold your personal data, you have various rights in relation to it. When you make a request under the following rights we will respond to your request within one month (although we may be allowed to extend this period in certain cases).
Right to rectification: If we have any your personal data captured incorrectly you have the right to have it rectified.
Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities you may withdraw your consent at any time.
Right for a copy of your data: you have the right to ask us to confirm what information we hold about you at any time and request a copy of it.
Right to erasure (delete): In certain situations (for example, where we have processed your data unlawfully or where the lawful basis is on Consent), you have the right to direct us to erase your personal data.
Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object.
Right to lodge a complaint with the Data Protection Commission: You have the right to lodge a complaint with the Data Protection Commission they can be contacted at LoCall 1890 25 22 31 or through their online form here.
What are cookies and how do we use them?
A “cookie” is a bite-sized piece of data that is stored on your computer’s hard drive. They are used by nearly all websites and do not harm your system. We use them to track your activity to help ensure you get the smoothest possible experience when visiting our website. We can use the information from cookies to ensure we recognise you on any repeat visit to a premises. We do not use any advertising cookies.
If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings.