Privacy policy

McInnes Dunne Murphy LLP (“the Firm”) is committed to protecting the private and personal information of its clients by processing it responsibly and by using appropriate technical, administrative and physical security measures to safeguard the information. 

The Firm provides specialist employment law advice regarding workplace disputes, regulatory matters, and litigation to corporate and individual clients, and represents clients before the Workplace Relations Commission, the Labour Court, the Civil Courts, and other quasi-judicial fora. 

When a client engages the Firm to provide legal services, the client is giving us permission to hold such information and personal data as might be necessary for us to provide appropriate advice in our records. 

This policy sets out the basis on which any personal data we collect from a client, or from third parties in connection with the provision of advice to that client, will be processed by us. Clients should therefore read the following carefully to understand our practices regarding their personal data and how we will treat it. 

For the purpose of the Data Protection Acts 1988 - 2018 (as amended) and the General Data Protection Regulation (the GDPR) (the Acts), the Firm is the Data Controller. 

Our data protection contact in the first instance is John Dunne who may be contacted at (01) 6394690. 

What personal information do we collect from our clients/prospective employees? 

Clients may give us personal data by: 

Contacting us by phone or corresponding with us by e-mail or otherwise in writing. We request clients in general terms to disclose only as much information as is necessary for us to provide them with the advice sought. 

If clients engage us to perform legal services, we may collect personal data from them and/or from publicly available resources. 

Prospective employees: 

The type of information a prospective employee of the Firm may provide in their CV, or a cover letter, typically includes their name, address, e-mail address and phone number. CVs should also include information relevant to a prospective employee’s employment history, relevant experience and education (degrees obtained, places worked, positions held, relevant awards, and so forth). The Firm asks that prospective employees do not disclose sensitive personal information (including but not limited to gender, religion, philosophical or political beliefs, financial data) in their applications, however they may be asked to undergo a pre-employment medical check. 

What information about you does the Firm obtain from others? 

When individual and/or corporate clients engage the Firm’s services, we may obtain the following categories of personal data from others: - 

  • name; 

  • employer, job title and/or position and salary; 

  • contact details, including address, email address and phone number; 

  • documentation confirming identity, such as passport or driving licence; 

  • status as a director of a company; 

  • status as a beneficial owner of a company; 

  • financial information, including information necessary to make or receive payments to and from clients and for the purposes of fraud prevention; 

  • special category Personal Data, particularly information regarding any disability or mobility requirements a client might have, which we will only process on the basis of their consent and as necessary and appropriate; 

  • publicly available information; and 

  • any information which is provided to us by clients or on their behalf. 

 Why does the Firm collect this information? 

The Firm collects the information in order to provide legal advice to its clients, to represent its clients effectively in any court or quasi-judicial forum, and to improve its website. 

In particular the Firm will use this information: 

Client: 

  • To set a corporate or individual client up on its systems; 

  • To liaise with clients about work that the Firm is undertaking for them; 

  • To fulfil the Firm’s statutory function which includes an obligation to the Law Society to collect anti-money laundering documents. 

  • To ensure payment of the Firm’s invoices; 

Candidates: 

  • To create a candidate profile for a prospective employee; 

Website users: 

  • To administer and improve our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; 

  • As part of our efforts to keep our website safe and secure; 

     
    The legal bases for the processing of this personal data are:

  • Entering into and performing a contract: The Firm processes clients’ personal data where it is necessary to enter into and perform our contract with clients, and in particular: 

  • to incept individuals/corporate clients as our clients; 

  • to provide legal advice 

  • to manage and administer a client’s business relationship with the Firm, including processing payments, accounting, auditing, billing and collection and support services; and 

  • for purposes related and/or ancillary to any of the above or any other purpose for which a client’s personal data was provided to the Firm. It is necessary for us to process this personal data on this basis as it is necessary to provide our legal services to our clients. The consequence for not doing so is that the Firm will not be able to perform the legal services for which clients engage us. 

Sharing and Disclosure of your Personal Data 

The Firm may disclose some or all of the personal data it collects from clients to certain trusted third parties in accordance with contractual arrangements it has in place with these third parties or as required by law, including: 

  • third parties such as barristers, doctors, foreign counsel, consultants, expert witnesses, advisors and technology service providers such as data room providers; 

  • other people in a corporate client’s organisation; 

  • the Firm’s auditors and professional advisors; 

  • suppliers and service providers to whom the Firm outsources support services; 

  • IT service providers; 

  • parties involved in hosting or organising events or seminars; and 

  • regulators and official authorities. 

Who does the Firm share this information with? 

The Firm may disclose some or all of the personal data it collects from clients to certain trusted third parties in accordance with contractual arrangements it has in place with these third parties, including: 

  • suppliers and service providers to whom the Firm outsources support services; 

  • Accounting service providers; 

  • IT service providers; and 

  • third parties involved in hosting or organising events or seminars. 

  • Barristers, consultants, expert witness (such as doctors and engineers). 

How long does the Firm keep hold of a client’s information? 

The Firm shall not retain personal data for longer than is required by the relevant statutory provision and generally retains personal data for a period of 7 years after a client ceases to be its client and the closure of the relevant matter. The Firm retains the personal data so that it may fulfil its obligation and duty as a law firm to protect its client’s interests, to protect the Firm’s interests as a law firm and as is required by legal and regulatory obligations to which the Firm is subject. 

What are a client’s rights with respect to their personal data? 

Data subjects that are clients have the following rights: 

  • The right to access the personal data the Firm holds about them. 

  • The right to require the Firm to rectify any inaccurate personal data about them without undue delay. 

  • The right to have the Firm erase any personal data the Firm holds about them in circumstances such as where it is no longer necessary for the Firm to hold 

  • the data subject has withdrawn their consent to the processing. 

  • The right to object to the Firm processing personal data about data subjects such as processing for profiling or direct marketing. 

  • The right to ask the Firm to provide the data subject’s personal data to them in a portable format or, where technically feasible, for the Firm to port that personal data to another provider provided it does not result in a disclosure of personal data relating to other people. 

  • The right to request a restriction of the processing of the data subject’s personal data. Where the Firm’s processing of your personal data is based on the data subject’s consent to that processing, the data subject has the right to withdraw that consent at any time but any processing that the Firm has carried out before the data subject withdrew their consent remains lawful. The data subject may exercise any of the above rights by contacting the Firm directly. The data subject may lodge a complaint with their local supervisory authority with respect to the Firm’s processing of their personal data. The local Supervisory Authority in Ireland is the Data Protection Commission. The website is www.dataprotection.ie

Right to data portability 

In accordance with the Acts, clients may ask for an electronic copy of their personal data that they have provided to the Firm and which the Firm holds electronically, or for the Firm to provide this directly to another party. This right only applies to personal data that clients have provided to the Firm– it does not extend to data generated by the Firm. In addition, the right to data portability also only applies where: 

  • the processing is based on client consent or for the performance of a contract; and 

  • the processing is carried out by automated means. 

Withdrawal of consent 

If clients no longer consent to the Firm’s processing of their personal data (in respect of any matter referred to in this Policy as requiring client consent), clients may request that the Firm ceases such processing by contacting John Dunne via email john@mcdm.ie

Breach reporting 

To the extent that the Firm is a data controller in respect of its clients’ personal data, the Firm will notify serious data breaches in respect of such personal data to the DPC without undue delay, and where feasible, not later than 72 hours after having become aware of same. If notification is not made after 72 hours, the Firm will record a reasoned justification for the delay; however, it is not necessary to notify the DPC where the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A data breach in this context means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

The Firm will keep a record of any data breaches, including their effects and the remedial action taken, and will notify clients of any data breach affecting their personal data (which poses a high risk to them) when we are required to do so under the Acts. The Firm will not be required to notify clients of a data breach where: 

  • the Firm has implemented appropriate technical and organisational measures that render the personal data unintelligible to anyone not authorised to access it, such as encryption; or 

  • the Firm has taken subsequent measures which ensure that the high risk to data subjects is not likely to materialise; or 

  • it would involve disproportionate effort; in which case the Firm may make a public communication instead. 

  • In the event of a data breach where the Firm is the data processor, the Firm will notify the relevant data controller of such breach as soon as reasonably practicable.