Occupational Health Privacy Notice
Contents
1. Purpose
1.1. Legislation
1.2. Queries and Complaints
2. How do we collect your personal data?
3. What personal data do we collect?
4. How do we use your personal data?
5. How long do we retain your personal data?
6. Who do we share your personal data with?
7. International Transfers
8. Data Subject Rights
8.1. Right of Access
8.2. Right to Rectification
8.3. Right to Erasure
8.4. Right to Restriction
8.5. Right to Data Portability
8.6. Right to Object
8.7. Right to Withdraw Consent
8.8. Right to Object to Automated Decision Making
9. Changes to our Privacy Notice
1. Purpose
The purpose of this Privacy Notice is to outline how we collect, process and share personal data we hold about you. This Privacy Notice will outline the types of personal data we process about you and the legal basis we rely on to do so.
Cpl Occupational Health are committed to protecting and respecting your privacy. We wish to be transparent on how we collect, store and share personal data and to ensure that you understand your rights under the General Data Protection Regulation (“GDPR”).
In this Privacy Notice, we outline:
- The types of data we collect;
- How we use your personal data;
- Your rights in relation to the data we hold about you; and
- How to contact us if you have any questions about your data.
1.1. Legislation
All personal data we gather will be “processed” in accordance with all applicable data protection laws and principles, including the General Data Protection Regulation, the Data Protection Act 2018 and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“ePrivacy Directive”).
1.2. Queries and Complaints
If you are unhappy with the way we have handled your personal data and wish to complain, or if you would like further information about the way your personal data will be used, please contact us at the below:
Data Protection Officer
Cpl Occupational Health
Ground Floor, One Haddington Buildings, Haddington Road, Dublin 4, D04 X4C9, Ireland
Telephone: +353 1 614 6000
Email: dataprivacy@cpl.com
If you are unsatisfied with our use of your personal data or our response to any requests by you to exercise any of your rights, then you have the right to complain to the Data Protection Commission. See contact details below:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Email: info@dataprotection.ie
Telephone: +353 57 868 4800 / +353 761 104 800
2. How do we collect your personal data?
We collect personal data to enable the provision of services to support the Cpl Occupational Health purpose. The following non-exhaustive methods of data collection are an indication of ways in which we may obtain your information:
- We obtain data from your employer / prospective employer when they refer you for an Occupational Health Assessment.
- We obtain data directly from you when you complete a declaration.
- We obtain data during the provision of our Occupational Health Assessment.
It is important that the personal data you provide to us is up to date and accurate. As outlined in Section 7.2 of this notice, if the personal data we hold about you is inaccurate or incomplete, please contact us and we will update your data.
3. What personal data do we collect?
In order to provide our services, Cpl Occupational Health needs to collect various types of personal data. The type of personal data we collect on you will vary depending on the nature of our relationship with you. Below we have outlined a non-exhaustive list of the types of data we may collect while providing our Occupational Health services.
| Types of Data Collected |
|---|
|
4. How do we use your personal data?
The main purpose for which Cpl Occupational Health processes your personal data is to provide a service to you, or otherwise manage our relationship with you. The following section provides more detail on the purposes for which we process your personal data and the legal basis by which we do this.
| Process | Description | Lawful Basis for Processing |
|---|---|---|
| Occupational Health Services | To collect the data to assess your fitness to work and generate a report for your employer / prospective employer that outlines any restrictions or accommodations that need to be considered for your employment. | This processing is carried out with the explicit consent of the data subject. |
5. How long do we retain your personal data?
We only keep your personal data for as long as is necessary for the purpose for which it was originally obtained, and / or in accordance with any requirements imposed by the law. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period of personal data, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process your personal data and any legal requirements to retain your data. Outlined below is a general summary of our retention periods. Please note in some instances we may need to retain this data beyond the stated retention period, for example, if the data is necessary for the defence of a legal claim.
For the purposes of our Occupational Health services, we will retain your personal data for 10 years. However, for Pre-Employment Assessments, the data of unsuccessful applicants will be retained for one year before being deleted.
6. Who do we share your personal data with?
We may disclose your personal information to an outside organisation. Below is a list of the categories of recipients we share your personal data (as outlined above) with:
Your Employer / Prospective Employer
Where your employer / prospective employer has referred you for an Occupational Health Assessment, we will share a medical report with your fitness to work and setting out whether any restrictions or accommodations need to be considered for your employment.
Affiliate Clinics
In order to facilitate your Occupational Health Assessment, we will share your data with our Affiliate Clinics to allow their Occupational Health Physician(s) and Occupational Health Nurse(s) to carry out the assessment.
Your Representatives
Any party you have given us permission to speak to (such as a relative, friend or legal advisor) and other people or companies associated with you that are authorised by you to act on your behalf.
Our Representatives / Service Providers
Our employees, agents and contractors including companies that provide services in relation to telecommunications and postage, data storage, document production and destruction, IT and IT security, or design.
Government, Statutory and Regulatory Bodies
Where required by law, state regulators and authorities such as the Data Protection Commission and Law Enforcement Agencies such as An Garda Síochána.
We may also disclose your personal data to the following recipients or categories of recipients:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If Cpl Occupational Health or substantially all of its business or assets are acquired or transferred to a third party whether in the event of a merger, reorganisation, transfer of undertakings, receivership, liquidation or other winding up or any other similar circumstances, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any law, legal obligation or court order, or in order to enforce rights under the GDPR or other agreements.
- To protect our rights, property or safety, our customers, or others. This includes exchanging information with other companies and organisations for the maintenance and security of the site and services.
7. International Transfers
On occasion, we may need to transmit your personal data outside of the European Economic Area. In these circumstances, we will ensure that the transfer complies with our data protection obligations, and we will ensure that the transfer agreement is based on an approved transfer mechanism, such as the European Commission’s standard contractual clauses or an adequacy decision.
8. Data Subject Rights
As a data subject, you will have the following rights in relation to the processing of your personal data. Please note that these rights are not absolute, and restrictions may apply in certain situations.
Please send all requests to dataprivacy@cpl.com with as much detail as possible about your requirements to allow us to deal with your request efficiently. Before fulfilling your request, we may ask you to provide identification to enable us to verify your identity.
Upon receipt of a valid request, we will have one calendar month to respond to your request, with the possibility of extending by two further months. If we require more time to deal with your request, we will notify you of the delay and the reasons behind it within 30 days of the receipt of the request. If we refuse your request, we will also notify you within 30 days of the receipt of the request accompanied by the reasons for the refusal.
You are entitled to contact the Data Protection Commission if we refuse your request.
8.1. Right of Access
You have the right to know what personal data we hold about you, why we hold the data and how we process your personal data.
When submitting your request, please provide us with information to help us verify your identity and as much detail as possible to help us identify the information you wish to access (i.e. date range, subject of the request).
If the request is submitted by a third party (such as a solicitor) on your behalf, the request will be required to include written authorisation from you for the provision of specific data to the third party.
Please note that an access request is free of charge, however, where we determine a request to be unjustified or excessive, we may charge you a reasonable fee.
8.2. Right to Rectification
You have a right to request that the personal data held in relation to you is up to date and accurate.
Where information is inaccurate or incomplete, we encourage you to contact us to have this information rectified. Upon receipt of your request, we will ensure that the personal data is rectified and as up to date as is reasonably possible.
8.3. Right to Erasure
You have the right to seek the erasure of personal data by on you in the following circumstances:
- Personal data is no longer required for the purposes for which it was obtained.
- Where the use of the data is only lawful based on consent, you withdraw consent to the processing and no other lawful basis exists.
- The personal data is being used unlawfully.
- You object to the use of your personal data and there are no overriding legitimate grounds for the use of the data.
- Your personal data requires deletion in line with legal requirements.
However, we will be unable to fulfil an erasure request if the personal data is required for any of the below activities:
- Compliance with a legal obligation, such as the performance of a contract or compliance with certain legislation.
- For the performance of a task carried out in the public interest.
- Archiving, research or statistical purposes in the public interest.
- The establishment, exercise or defence of legal claims.
8.4. Right to Restriction
You have the right to restrict the extent for which your personal data is being used by us in circumstances where:
- You believe the personal data is not accurate (restriction period will exist until we update your information).
- The processing of personal data is unlawful, but you wish to restrict the use of the data rather than erase it.
- Where personal data is no longer required by us, but you require the retention of the data for the establishment, exercise, or defence of a legal claim.
- You have a pending objection to the future use of your personal data.
When the use of your data has been restricted, your personal data will only be further used:
- With your consent.
- For the establishment, exercise or defence of legal claims.
- For the protection of the rights of other people.
- For reasons important to the public interest, such as for the protecting against cross-border threats or ensuring high standards of quality and safety of health care.
We will contact you to confirm where the request for restriction is fulfilled and will only lift the restriction after we have informed you that we are doing so.
8.5. Right to Data Portability
You have the right to the provision of all personal data, which you provided to us, provided to you in a structured, commonly used and machine-readable format where:
- The lawfulness of the use of your personal data by us is reliant on the basis of a contract.
- The lawfulness of the use of your personal data by us is reliant on the provision of your consent.
- The data is being utilised by fully automated means.
You may also request that we send this personal data to another legal entity where technically feasible.
We will only refuse such a request if the data being requested may adversely affect the rights and freedoms of others.
8.6. Right to Object
You have the right to object to the further use of your personal data where:
- The lawfulness of the use of your personal data by us is reliant on the basis of our legitimate interests.
- Where the data is non-sensitive and being used for reasons in the public interest.
- Where the data is being used for direct marketing purposes.
If you wish to object to the use of your data, please contact us with your request. We will then stop using the data or personal data unless it is required for legal proceedings.
8.7. Right to Withdraw Consent
Where we are processing your personal data based on your consent, you will have the right to withdraw your consent at any time. If you wish to withdraw your consent, please contact us with your request. We will then stop the further processing of your personal data.
8.8. Right to Object to Automated Decision Making
You have a right not to be subject to a decision based solely on automated processing or profiling, where such decisions would have a legal effect or significant impact on you.
Currently, we do not employ any systems which use automated decision making or profiling on data.
Where we (or one of our third-party processors) use profiling, which produces legal effects for you or otherwise significantly affects you, you will have the right to object to such processing.
9. Changes to our Privacy Notice
We will review this Privacy Notice regularly and reserve the right to make changes at any time to take into account changes in our business, legal requirements, and the manner in which we process personal data. This Privacy Notice was last updated on 11/03/2025.